
cyber-instancer's People

Contributors

aplet123, avdestroyer, bkrl, bliutech, burturt, roryhemmings, zhamic7

cyber-instancer's Issues

CAPTCHA

Add some sort of CAPTCHA to prevent users from spamming starting challenges. If interested, ping me or Jason and we can get you added to the lactf reCAPTCHA account.

Fix homepage

The homepage right now is just an SVG; it needs to be updated to be more responsive and not have a scrollbar. It does not need to be anything fancy, just maybe update the page to have no scrolling or something.

Proper Logging

Right now, almost everything is ephemeral, and as such, if something happens, we won't know what happened. As such, we need proper logging for:

  • All login events: failed login, successful login with details
  • Challenge status updates: challenge deployed, extended, cancelled, and for per-team challenges, include the exact challenge details

Add per-instance randomization

This will allow for challenges to have randomized passwords, paths, etc. Have a config file define env variables to place a random value for each challenge different per instance, and also pass this value to the frontend for displaying to the user as e.g. ssh password.

Add timer before displaying chall details

If a challenge takes more than like a second to boot up, the user is given the connection details before it is fully booted up. Instead, this should wait to give the connection details for a duration specified per challenge to give some time for it to boot up (similarly to TryHackMe).

Also, add API data for the timestamp that the challenge can display its connection data.

Ratelimiting

Ratelimit:

  • logins per IP address per unit time
  • registrations per IP address per unit time
  • deployments per account per unit time
  • deployments per IP address per unit time

Ratelimiting should have an option to use Cloudflare's appropriate headers, and must take into account both IPv4 and IPv6 addresses (note that IPv6 ratelimiting should be done at the /64 block level, NOT at the individual IPv6 address level).
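The keying rule this issue asks for (IPv4 per address, IPv6 per /64, Cloudflare's CF-Connecting-IP honoured only when the TCP peer is a trusted proxy), as an added example that is not cyber-instancer's own code. The trusted proxy ranges are constructed documentation prefixes, and the header mapping is assumed to be case-insensitive like Flask's.

```python
import ipaddress
import time
from collections import defaultdict

# Hypothetical trusted reverse-proxy ranges (constructed documentation
# prefixes). In production, load Cloudflare's published IP ranges instead.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:ff00::/40"),
]

def client_bucket(peer_ip, headers, use_cloudflare=True):
    """Return the key a limiter should count against for this request.

    `peer_ip` is the TCP peer (e.g. request.remote_addr); `headers` is a
    mapping of request headers. CF-Connecting-IP is honoured only when the
    peer is a trusted proxy, so a direct client cannot spoof its bucket.
    """
    peer = ipaddress.ip_address(peer_ip)
    ip = peer
    if use_cloudflare and any(peer in net for net in TRUSTED_PROXY_NETS):
        forwarded = headers.get("CF-Connecting-IP")
        if forwarded:
            ip = ipaddress.ip_address(forwarded)
    if ip.version == 6:
        # IPv4-mapped addresses (::ffff:a.b.c.d) are really IPv4 clients.
        if ip.ipv4_mapped is not None:
            return str(ip.ipv4_mapped)
        # Bucket by /64: a single host usually controls a whole /64 and could
        # otherwise rotate through 2**64 addresses to dodge a per-address limit.
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)

class SlidingWindowLimiter:
    """In-memory limiter: at most `limit` events per key per `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(list)  # key -> timestamps of recent events

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self._hits[key] if now - t < self.window_s]
        if len(recent) >= self.limit:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True
```

Keying logins and registrations on `client_bucket(...)` and deployments on the account id covers all four of the limits listed above; a multi-process deployment would keep the counters in Redis rather than in this in-memory dict.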

Custom Traefik error pages

Set up custom error pages for Traefik so users aren't confronted with a super generic no-format "404 not found" text or similar.

Admin API - User Management

Admin API should have for user management:

  • List active users
  • View a user's actively deployed challenge
  • Revoke a team's login session
  • Invalidate a team's login token
  • Ban a user from logging in

rctf mode

Add config toggle for "rctf mode":

  • disable and hide register page
  • Hide username/email capabilities on profile
  • Hide/do not generate login urls inside of the instancer

OAuth support

Support logging in via Google for UCLA students to remove account signup friction and also add protection on signing up for accounts.

Proper Error handling

API error handling is not very good right now - for example, there is no difference between "unable to create challenge right now because it is shutting down" and "unable to create challenge because cache got corrupted" or something actually serious

Challenge setup + creation docs

We need some sort of docs to make onboarding for both devs and challenge writers easier and more streamlined beyond the 50 page readme.md that's there right now. Some docs are available at ACM Drive > 2022-23 > Cyber > Reference Docs > Cyber Instancer

Admin API - Challenge Management

Admin API for challenge management should implement:

  • List all challenges
  • Get challenge original json config
  • Edit challenge json config - note that extra care may be needed to ensure this does not break already deployed challenges
  • Add new/delete challenges (already implemented)
