update

Author: breadchris

client/src/App.tsx

@@ -22,6 +22,7 @@ import {Competitions} from "@/routes/build/Competitions";
 import {Toaster} from "react-hot-toast";
 import {Deploy} from "@/routes/Deploy";
 import {Computer} from "@/routes/Computer";
+import {Chat} from "@/routes/Chat";
 
 interface Props {}
 
@@ -108,6 +109,14 @@ function App() {
 			showWhenAdmin: false,
 			hideWhenUnauthed: true,
 		},
+		{
+			label: "Chat",
+			to: "/chat",
+			Component: Chat,
+			showWhenAuthed: true,
+			showWhenAdmin: false,
+			hideWhenUnauthed: true,
+		},
 		{
 			label: "View Writeup",
 			to: "/view/:name",

client/src/routes/Chat.tsx

@@ -0,0 +1,7 @@
+import React, {useEffect, useState} from 'react';
+
+export const Chat = () => {
+    return (
+        <iframe src="https://kiwiirc.com/nextclient/#irc://irc.freenode.net/#mcpshsf" className={"w-full h-screen"}></iframe>
+    );
+}

client/src/routes/Computer.tsx

@@ -1,16 +1,17 @@
 import { xctf } from '@/service';
 import React, {useEffect, useState} from 'react';
 import toast from "react-hot-toast";
+import {GetComputerResponse} from "@/rpc/xctf/xctf_pb";
 
 export const Computer = () => {
-    const [comp, setComp] = useState<string|undefined>(undefined);
+    const [comp, setComp] = useState<GetComputerResponse|undefined>(undefined);
     useEffect(() => {
         void loadComputer();
     }, []);
     const loadComputer = async () => {
         try {
             const res = await xctf.getComputer({});
-            setComp(res.url);
+            setComp(res);
         } catch (e: any) {
             toast.error(e.toString());
         }
@@ -20,7 +21,14 @@ export const Computer = () => {
     }
     return (
         <div>
-            <iframe className={"h-screen w-full"} src={comp} />
+            {comp.loading ? (
+                <div className={"flex flex-col text-center"}>
+                    <div className="loading loading-spinner loading-lg"></div>
+                    <span>Setting up computer...</span>
+                </div>
+            ) : (
+                <iframe className={"h-screen w-full"} src={comp.url} />
+            )}
         </div>
     );
 }

client/src/rpc/xctf/xctf_connect.ts

@@ -3,7 +3,7 @@
 /* eslint-disable */
 // @ts-nocheck
 
-import { ChallengeTypeResponse, CurrentUserRequest, CurrentUserResponse, DeleteChallengeRequest, Empty, ExportChallengeResponse, ForgotPasswordRequest, GetAllChallengesRequest, GetAllChallengesResponse, GetCommentsRequest, GetCommentsResponse, GetComputerRequest, GetComputerResponse, GetDiscoveredEvidenceRequest, GetDiscoveredEvidenceResponse, GetHomePageRequest, GetHomePageResponse, GetTeamsProgressRequest, GetTeamsProgressResponse, GetUserGraphRequest, GetUserGraphResponse, GetUserWriteupResponse, GetWriteupRequest, GetWriteupResponse, ImportChallengeRequest, ImportChallengeResponse, LoginRequest, LoginResponse, ReaddirRequest, ReaddirResponse, RegisterRequest, RegisterResponse, RemoveRequest, RemoveResponse, SetHomePageRequest, SignedURLRequest, SignedURLResponse, SubmitCommentRequest, SubmitEvidenceConnectionRequest, SubmitEvidenceConnectionResponse, SubmitEvidenceReportRequest, SubmitEvidenceRequest, SubmitEvidenceResponse, SubmitFlagRequest, SubmitFlagResponse, SubmitGradeRequest, SubmitWriteupRequest, UpsertChallengeRequest } from "./xctf_pb.js";
+import { ChallengeTypeResponse, CurrentUserRequest, CurrentUserResponse, DeleteChallengeRequest, Empty, ExportChallengeResponse, ForgotPasswordRequest, GetAllChallengesRequest, GetAllChallengesResponse, GetCommentsRequest, GetCommentsResponse, GetComputerRequest, GetComputerResponse, GetDiscoveredEvidenceRequest, GetDiscoveredEvidenceResponse, GetHomePageRequest, GetHomePageResponse, GetTeamsProgressRequest, GetTeamsProgressResponse, GetUserGraphRequest, GetUserGraphResponse, GetUserWriteupResponse, GetWriteupRequest, GetWriteupResponse, ImportChallengeRequest, ImportChallengeResponse, LoginRequest, LoginResponse, ReaddirRequest, ReaddirResponse, RegisterRequest, RegisterResponse, RemoveRequest, RemoveResponse, SetComputerRequest, SetHomePageRequest, SignedURLRequest, SignedURLResponse, SubmitCommentRequest, SubmitEvidenceConnectionRequest, SubmitEvidenceConnectionResponse, SubmitEvidenceReportRequest, SubmitEvidenceRequest, SubmitEvidenceResponse, SubmitFlagRequest, SubmitFlagResponse, SubmitGradeRequest, SubmitWriteupRequest, UpsertChallengeRequest } from "./xctf_pb.js";
 import { MethodKind } from "@bufbuild/protobuf";
 import { Competition, CompetitionList, Node } from "../chalgen/graph_pb.js";
 
@@ -283,6 +283,15 @@ export const Admin = {
       O: GetUserGraphResponse,
       kind: MethodKind.Unary,
     },
+    /**
+     * @generated from rpc xctf.Admin.SetComputer
+     */
+    setComputer: {
+      name: "SetComputer",
+      I: SetComputerRequest,
+      O: Empty,
+      kind: MethodKind.Unary,
+    },
     /**
      * @generated from rpc xctf.Admin.ExportChallenge
      */

client/src/rpc/xctf/xctf_pb.ts

@@ -7,6 +7,49 @@ import type { BinaryReadOptions, FieldList, JsonReadOptions, JsonValue, PartialM
 import { DescriptorProto, EnumDescriptorProto, Message, proto3, protoInt64 } from "@bufbuild/protobuf";
 import { Node } from "../chalgen/graph_pb.js";
 
+/**
+ * @generated from message xctf.SetComputerRequest
+ */
+export class SetComputerRequest extends Message<SetComputerRequest> {
+  /**
+   * @generated from field: string id = 1;
+   */
+  id = "";
+
+  /**
+   * @generated from field: string password = 2;
+   */
+  password = "";
+
+  constructor(data?: PartialMessage<SetComputerRequest>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "xctf.SetComputerRequest";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "id", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 2, name: "password", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): SetComputerRequest {
+    return new SetComputerRequest().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): SetComputerRequest {
+    return new SetComputerRequest().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): SetComputerRequest {
+    return new SetComputerRequest().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: SetComputerRequest | PlainMessage<SetComputerRequest> | undefined, b: SetComputerRequest | PlainMessage<SetComputerRequest> | undefined): boolean {
+    return proto3.util.equals(SetComputerRequest, a, b);
+  }
+}
+
 /**
  * @generated from message xctf.GetComputerRequest
  */
@@ -47,6 +90,11 @@ export class GetComputerResponse extends Message<GetComputerResponse> {
    */
   url = "";
 
+  /**
+   * @generated from field: bool loading = 2;
+   */
+  loading = false;
+
   constructor(data?: PartialMessage<GetComputerResponse>) {
     super();
     proto3.util.initPartial(data, this);
@@ -56,6 +104,7 @@ export class GetComputerResponse extends Message<GetComputerResponse> {
   static readonly typeName = "xctf.GetComputerResponse";
   static readonly fields: FieldList = proto3.util.newFieldList(() => [
     { no: 1, name: "url", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 2, name: "loading", kind: "scalar", T: 8 /* ScalarType.BOOL */ },
   ]);
 
   static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): GetComputerResponse {

pkg/admin/service.go

@@ -10,6 +10,8 @@ import (
 	"github.com/xctf-io/xctf/pkg/gen/chalgen"
 	"github.com/xctf-io/xctf/pkg/gen/xctf"
 	"github.com/xctf-io/xctf/pkg/gen/xctf/xctfconnect"
+	"gorm.io/gorm"
+	"strconv"
 
 	"github.com/xctf-io/xctf/pkg/models"
 	"gorm.io/gorm/clause"
@@ -29,6 +31,26 @@ func NewAdmin(db *db.Service, b *bucket.Builder) *Admin {
 
 var _ xctfconnect.AdminHandler = &Admin{}
 
+func (s *Admin) SetComputer(ctx context.Context, c *connect.Request[xctf.SetComputerRequest]) (*connect.Response[xctf.Empty], error) {
+	var user models.User
+	parsedId, err := strconv.Atoi(c.Msg.Id)
+	if err != nil {
+		return nil, err
+	}
+	resp := s.db.DB.Where(&models.User{Model: gorm.Model{
+		ID: uint(parsedId),
+	}}).First(&user)
+	if resp.Error != nil {
+		return nil, resp.Error
+	}
+	user.ComputerPassword = c.Msg.Password
+	resp = s.db.DB.Save(&user)
+	if resp.Error != nil {
+		return nil, resp.Error
+	}
+	return connect.NewResponse(&xctf.Empty{}), nil
+}
+
 func (s *Admin) ImportChallenge(ctx context.Context, c *connect.Request[xctf.ImportChallengeRequest]) (*connect.Response[xctf.ImportChallengeResponse], error) {
 	options := protoyaml.UnmarshalOptions{
 		Path: "chal.yaml",

pkg/backend/backend.go

@@ -30,6 +30,7 @@ type Backend struct {
 	h       *chals.Handler
 	openai  *openai.Agent
 	b       *bucket.Builder
+	c       chals.Config
 }
 
 var _ xctfconnect.BackendHandler = (*Backend)(nil)
@@ -40,13 +41,15 @@ func NewBackend(
 	h *chals.Handler,
 	openai *openai.Agent,
 	b *bucket.Builder,
+	c chals.Config,
 ) *Backend {
 	return &Backend{
 		s:       s,
 		manager: manager,
 		h:       h,
 		openai:  openai,
 		b:       b,
+		c:       c,
 	}
 }
 
@@ -372,12 +375,26 @@ func (b *Backend) CurrentUser(ctx context.Context, request *connect.Request[xctf
 }
 
 func (b *Backend) GetComputer(ctx context.Context, c *connect.Request[xctf.GetComputerRequest]) (*connect.Response[xctf.GetComputerResponse], error) {
-	_, _, err := b.manager.GetUserFromSession(ctx)
+	uid, _, err := b.manager.GetUserFromSession(ctx)
 	if err != nil {
 		return nil, err
 	}
+
+	u := models.User{}
+	res := b.s.DB.Where(models.User{Model: gorm.Model{ID: uid}}).First(&u)
+	if res.Error != nil {
+		return nil, res.Error
+	}
+	if u.ComputerPassword == "" {
+		return connect.NewResponse(&xctf.GetComputerResponse{
+			Loading: true,
+		}), nil
+	}
+	// TODO breadchris configure domain
+	// TODO breadchris auto deploy computer
 	return connect.NewResponse(&xctf.GetComputerResponse{
-		Url: "https://shells.mcpshsf.com/1/vnc_lite.html?path=/1/websockify&password=MrIhxjrh4Fkftmnl",
+		Url:     fmt.Sprintf("https://shells.mcpshsf.com/%d/vnc_lite.html?path=/%d/websockify&password=%s", uid, uid, u.ComputerPassword),
+		Loading: false,
 	}), nil
 }
 
@@ -491,7 +508,7 @@ func (b *Backend) GetHomePage(
 		if node.Meta.Entrypoint {
 			entrypoints = append(entrypoints, &xctf.Entrypoint{
 				Name:  node.Meta.Name,
-				Route: chals.ChalURL(true, id, node.Meta.Id, ""),
+				Route: chals.ChalURL(b.c.Scheme, id, node.Meta.Id, ""),
 			})
 		}
 	}

pkg/chals/chals.go

@@ -59,15 +59,11 @@ func init() {
 }
 
 // TODO breadchris base url should be configured from the environment?
-func ChalURL(isHttps bool, compId, chalID, host string) string {
+func ChalURL(scheme, compId, chalID, host string) string {
 	path := fmt.Sprintf("/play/%s/%s", compId, chalID)
 	if host == "" {
 		return path
 	}
-	scheme := "http"
-	if isHttps {
-		scheme = "https"
-	}
 	u := url.URL{
 		// TODO breadchris check if the original request was https
 		Scheme: scheme,
@@ -147,10 +143,9 @@ func (s *Handler) Handle() (string, http.Handler) {
 
 		// TODO breadchris find dependencies of referenced challenge and build those
 		challenges := map[string]string{}
-		isHttps := r.TLS != nil
 		for _, n := range graph.Nodes {
 			view := ""
-			chalURL := ChalURL(isHttps, compId, n.Meta.Id, r.Host)
+			chalURL := ChalURL(s.c.Scheme, compId, n.Meta.Id, r.Host)
 			switch u := n.Challenge.(type) {
 			case *chalgen.Node_Base:
 				switch t := u.Base.Type.(type) {
@@ -355,16 +350,25 @@ func (s *Handler) Handle() (string, http.Handler) {
 						}
 						if p == "tracker/login" {
 							password := r.FormValue("password")
+							if sess.NextAttempt.After(time.Now()) {
+								http.Error(w, "You must wait 1 minute before trying again", http.StatusBadRequest)
+								return
+							}
 							for _, app := range t.Phone.Apps {
 								switch t := app.Type.(type) {
 								case *chalgen.App_Tracker:
 									if t.Tracker.Password == password {
 										// TODO breadchris set message that user is logged in
 										sess.TrackerAuthed = true
+										sess.NextAttempt = time.Now()
 										s.manager.SetChalState(r.Context(), chalId, sess)
 									}
 								}
 							}
+							if !sess.TrackerAuthed {
+								sess.NextAttempt = time.Now().Add(1 * time.Minute)
+								s.manager.SetChalState(r.Context(), chalId, sess)
+							}
 						}
 						for _, app := range t.Phone.Apps {
 							app.Url, err = templChals(app.Url)
@@ -377,6 +381,7 @@ func (s *Handler) Handle() (string, http.Handler) {
 							Flag:          n.Meta.Flag,
 							TrackerLogin:  templ.URL(baseURL + "/tracker/login"),
 							TrackerAuthed: sess.TrackerAuthed,
+							NextAttempt:   sess.NextAttempt,
 						}, t.Phone)), templ.WithErrorHandler(func(r *http.Request, err error) http.Handler {
 							slog.Error("failed to template phone", "err", err)
 							return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

pkg/chals/config.go

@@ -4,11 +4,13 @@ import "go.uber.org/config"
 
 type Config struct {
 	PythonPluginURL string `yaml:"python_plugin_url"`
+	Scheme          string `yaml:"scheme"`
 }
 
 func NewDefaultConfig() Config {
 	return Config{
 		PythonPluginURL: "localhost:50051",
+		Scheme:          "https",
 	}
 }
 

pkg/chals/tmpl/phone.templ

@@ -10,6 +10,7 @@ type PhoneState struct {
   Flag string
   TrackerLogin templ.SafeURL
   TrackerAuthed bool
+  NextAttempt time.Time
 }
 
 script openApp(id string) {
@@ -49,13 +50,17 @@ templ App(state PhoneState, i int, a *chalgen.App) {
           </div>
         } else {
           <p>enter your fingerprint</p>
-          <form class="space-y-2" method="POST" action={state.TrackerLogin}>
-              <label class="input input-bordered flex items-center gap-2">
-                <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" fill="currentColor" class="w-4 h-4 opacity-70"><path fill-rule="evenodd" d="M14 6a4 4 0 0 1-4.899 3.899l-1.955 1.955a.5.5 0 0 1-.353.146H5v1.5a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1-.5-.5v-2.293a.5.5 0 0 1 .146-.353l3.955-3.955A4 4 0 1 1 14 6Zm-4-2a.75.75 0 0 0 0 1.5.5.5 0 0 1 .5.5.75.75 0 0 0 1.5 0 2 2 0 0 0-2-2Z" clip-rule="evenodd" /></svg>
-                <input type="password" name="password" class="grow" />
-              </label>
-              <button type="submit" class="btn">login</button>
-          </form>
+          if state.NextAttempt.After(time.Now()) {
+            <p>next attempt in {fmt.Sprintf("%f", state.NextAttempt.Sub(time.Now()).Seconds())} seconds</p>
+          } else {
+              <form class="space-y-2" method="POST" action={state.TrackerLogin}>
+                  <label class="input input-bordered flex items-center gap-2">
+                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" fill="currentColor" class="w-4 h-4 opacity-70"><path fill-rule="evenodd" d="M14 6a4 4 0 0 1-4.899 3.899l-1.955 1.955a.5.5 0 0 1-.353.146H5v1.5a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1-.5-.5v-2.293a.5.5 0 0 1 .146-.353l3.955-3.955A4 4 0 1 1 14 6Zm-4-2a.75.75 0 0 0 0 1.5.5.5 0 0 1 .5.5.75.75 0 0 0 1.5 0 2 2 0 0 0-2-2Z" clip-rule="evenodd" /></svg>
+                    <input type="password" name="password" class="grow" />
+                  </label>
+                  <button type="submit" class="btn">login</button>
+              </form>
+          }
         }
       default:
         if a.Html != "" {