Hello,

I love the inquirer interface when I want to manually setup a ctf event.
But in an automated context, it could be useful to have a juice-shop-ctf cli accepting all parameters as flags:

juice-shop-ctf-flags --juiceShopUrl https://juice-shop.herokuapp.com --ctfKey https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key --insertHints 0 --insertHintUrls 0
# eventually choose the output
juice-shop-ctf-flags --juiceShopUrl https://juice-shop.herokuapp.com --ctfKey https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key --insertHints 0 --insertHintUrls 0 -o out.zip

I think I can propose a PR if the idea seems okay.

• In accordance with juice-shop/juice-shop#305 add an additional question INSERT a hint along with each CTFd Challenge? that takes the hints from the webapps API
• Warn in CLI when choosing YES for hints but the Juice Shop instance to retrieve the challenges from has hints disabled
• Make sure that the default Juice Shop instance on Heroku is launched with hints enabled

Failed to fetch country mapping from API! end of the stream or a document separator is expected at line 32, column 55:
... ption" content="OWASP Juice Shop: Probably the most modern and s ...

Hi there,
For juice box installation in RTB, when I am importing xml file. It is giving a database error.
I am running mysql database & latest RTB.

Version 10 of Node.js (code name Dubnium) has been released! 🎊

To see what happens to your code in Node.js 10, Greenkeeper has created a branch with the following changes:

• Added the new Node.js version to your .travis.yml
• The engines config in 1 of your package.json files was too ambiguous to be updated automatically

If you’re interested in upgrading this repo to Node.js 10, you can open a PR with these changes. Please note that this issue is just intended as a friendly reminder and the PR as a possible starting point for getting your code running on Node.js 10.

Your Greenkeeper Bot 🌴

Hi would it be possible for a docker arm build for juice-shop? It would make for an easy roll out for small ctf's.

I'd be very interested in adding JuiceShop support for RootTheBox. Would I start by creating a generator js file? I expect this would create an file that would be read by the CTF import, which in our case is an xml file. Is that how it works?

Also would be good if you happen to have a sample export that I can use as a guideline.

With latest CTFd, Juice Shop and juice-shop-ctf installed, CTFd reports the following error after importing the file:

KeyError("There is no item named 'db/alembic_version.json' in the archive",)

After that the CTFd instance is unusable.

DockerHub will no longer provide autobuilds for their free tier users. As the Juice Shop main repo is already building images successfully on GitHub (see https://github.com/bkimminich/juice-shop/blob/master/.github/workflows/ci.yml#L188-L231 and https://github.com/bkimminich/juice-shop/blob/master/.github/workflows/release.yml#L56-L88) it shouldn't be too hard to set Docker builds up similarly for this repository.

Version 11.7.1 of nyc was just published.

This version is covered by your current version range and after updating it in your project the build failed.

nyc is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

🐛 Bug report

Description

At least in CTFd the payload as part of the "Bonus Payload" challenge description is this

<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe>

where on the Juice Shop score board it is actually

<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>

Copy/paste of the payload from CTFd doesn't work, which might be confusing/frustrating to users.

CTFd 1.0.2 introduced a file-based export/import feature:

CTFd now has the ability to export and import data. This lets you save your CTFs as zip files and redeploy them again and again.

Given its format is already stable, it would make sense to generate such a file instead of SQL statements.

User Story

As a CTF event organizer
I want to have a command line client to set up CTFd for OWASP Juice Shop
so that I can have the whole environment creation process automated (including the now manual step 5)

MVP

Implement exactly the HTML page feature set as a node.js CLI app, e.g. in a wizard style with similar defaults, for example like this:

npm i -g juice-shop-ctf
juice-shop-ctf

Generate INSERT statements for CTFd with the OWASP Juice Shop challenges
-------------------------------------------------------------------------------------
1. Juice Shop URL to retrieve challenges (https://juice-shop.herokuapp.com)
localhost:3000 <Enter>
2. Path or URL to ctf.key file (https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key)
c:\github\juice-shop\ctf.key <Enter>
3. DELETE all CTFd Challenges before INSERTs? (Y/n)
<Enter for "Yes" default>
4. SELECT all CTFd Challenges after INSERTs? (Y/n)
N <Enter>
SQL statements are generated...................Done!
--> c:\github\juice-shop-ctf\ctfd-inserts.sql
5. Display CTFd setup step-by-step guide? (y/N)
<Enter for "No" default>

Ideas

• Use https://github.com/mysqljs/mysql or a similar library to connect to the CTFd DB and execute the INSERTs instead of leaving this a manualy copy-paste-execute job
• Download, installation and launching of the CTFd server in the tool
• Offer a dedicated docker-compose.yml which launches a fully OWASP Juice-Shop-ready CTFd server

The generated INSERT statements still use the challenges.flags column while the application expects the flags in the new keys table that is associated with challenges.

The script generating the INSERTs needs to be migrated to the latest CTFd schema version. See https://github.com/CTFd/CTFd/releases/tag/1.0.1

The dependency yargs was updated from 13.2.2 to 13.2.4.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

yargs is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

https://github.com/facebook/fbctf/wiki/FAQ states that FBCTF can also export an entire game:

Through the FBCTF Platform:

Click the Controls tab under the Game Admin panel.
Click Export Full Game to export your event.
Click Import Full Game to import your saved event.

It would be nice to be able to choose if challenges for CTFd or FBCTF should be created. This might be the final select-option question in the tool, e.g. For what framework do you want to create the data? with CTFd and FBCTF as options.

Note: This change would impact juice-shop/juice-shop#403 because hardcoding the Juice Shop to CTFd would not be a good approach any more. It would need to be configurable or might just invalidate that issue.

Hi, I tried to use CTFd and imported the challenges created.
Now the statistics show that there are 47 challenges, however: when i try to look at the challenges using admin/challs or ...
Then i get a loading screen, while the docker logs of CTFd give:
ctfd_1 | * Loaded module, <module 'CTFd.plugins.keys' from '/opt/CTFd/CTFd/plugins/keys/__init__.pyc'> ctfd_1 | /usr/local/lib/python2.7/site-packages/sqlalchemy/dialects/mysql/reflection.py:56: SAWarning: Unknown schema content: u' CONSTRAINT ``CONSTRAINT_1`` CHECK (hidden in (0,1))' ctfd_1 | util.warn("Unknown schema content: %r" % line)

🐛 Bug report

Description

When attempting to generate a zip file with hints based on a juice shop instance that doesn't have hints enabled (for example one running in CTF mode) the error message displayed shows the wrong configuration value that needs updated.

See the screenshot below for further information:

The message that showChallengeHints: true in its config should be showHints: true as this value was updated in release 10.0.0. to be challenges.showHints.

Steps to reproduce

• Download the latest juice-shop docker container
• Run the following command to run the container in ctf mode:

docker run -d -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop

• Run the juice-shop-ctf CLI
• For the Juice Shop URL add the following:

http://localhost:3000

• Note the error message displayed

It looks like there are only two references that need updated:
Here
And here

I'm happy to fire up a pull request if you'd like!

Hi,

I received an error when attempting to run juice-shop-ctf.

$ npm -v
6.1.0

$ npm install -g juice-shop-ctf-cli
/usr/local/bin/juice-shop-ctf -> /usr/local/lib/node_modules/juice-shop-ctf-cli/bin/juice-shop-ctf.js

• [email protected]
  updated 1 package in 23.276s

$ juice-shop-ctf
/usr/local/lib/node_modules/juice-shop-ctf-cli/index.js:33
const juiceShopCtfCli = async () => {
^

SyntaxError: Unexpected token (
at createScript (vm.js:56:10)
at Object.runInThisContext (vm.js:97:10)
at Module._compile (module.js:542:28)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.require (module.js:497:17)
at require (internal/module.js:20:19)
at Object. (/usr/local/lib/node_modules/juice-shop-ctf-cli/bin/juice-shop-ctf.js:2:25)

Once completed send PR to https://github.com/apsdehal/awesome-ctf. Will probably require a new category for Docker or self-hosted CTFs as it does not fit into the Websites category which requires to be always online.

Version 5.0.1 of mocha was just published.

This version is covered by your current version range and after updating it in your project the build failed.

mocha is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

🐛 Bug report

Description

Accessing challenges from http://juice-shop.herokuapp.com/ results in an Application Error. The details are not specific, unfortunately. It appears this Heroku app has crashed.

Is this a regression?

Yes, this has worked before. Earliest I can tell this was broken is 3/19/21, but I don't know how long before that date the application was not responding.

🔬 Minimal Reproduction

Access this URL: http://juice-shop.herokuapp.com/

Currently the export always includes the challenges which are (currently) disabled in the docker containers due to segmentation faults. When creating configs for ctf which are run primarily in docker containers these have to be removed by hand.

To fix this there should be an option to remove these challenges from the exports.
If we anticipate that the currently disabled challenges get reenabled soon, this would probably not be worth the effort.

🐛 Bug report

Description

The e2e test suite fails when demo.owasp-juice.shop is offline as it tries to pull challenges from it.

Is this a regression?

No.

🔬 Minimal Reproduction

Run npm run e2e

🔥 Exception or Error

🌳 Your Environment

Additional Information

Possible fix that would also improve overall performance is running a Juice Shop locally before running the suite and using it to retrieve the challenges.

Version 0.8.1 of stryker-javascript-mutator was just published.

This version is covered by your current version range and after updating it in your project the build failed.

stryker-javascript-mutator is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Extended CLI Questions

✅ Juice Shop URL to retrieve challenges?
✅ Secret key <or> URL to ctf.key file?

• SQL statements output target? (select from: File, Console, SQLite)
• (only if SQLite was selected) Location of CTFd SQLite database? ({workdir}/CTFd/ctfd.db)

✅ DELETE all CTFd Challenges before INSERT statements?
✅ SELECT all CTFd Challenges after INSERT statements?

Process extensions

• Test connection to SQLite database (fail CLI if file not found, locked or otherwise corrupt)
• Programmatically connect to SQLite db and execute & commit generated statements (fail CLI on any error)
• Implement output to console as alternative to file

User Story

As a user who upgraded from CTFd 2.x to CTFd 3.x at some point
I want a compatible generator for OWASP Juice Shop challenges
so that I can use juice-shop-ctf-cli again to pre-populate CTFd

Recommended Approach

• Copy the existing ctfd.js as ctfd3.js
• Update ctfd3.js to match the new backup format of CTFd 3.x
• Check with CTFd team how many users are still on 2.x and then either add 3.x as additional framework or replace 2.x with 3.x generator

☝️ Greenkeeper’s updated Terms of Service will come into effect on April 6th, 2018.

Version 0.6.0 of stryker-javascript-mutator was just published.

This version is covered by your current version range and after updating it in your project the build failed.

stryker-javascript-mutator is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

🐛 Bug report

Description

When I follow the instructions here, select the backup file and click the "Import" button in CTFd, it stuck at "Upload Process", and when I refresh the page, I get an "Internal Server Error".

Here is the log from CTFd:

Failed to disable foreign key checks. Continuing.
INFO  [alembic.runtime.migration] Context impl SQLiteImpl.
INFO  [alembic.runtime.migration] Will assume non-transactional DDL.
ERROR [root] Error: Can't locate revision identified by '4d3c1b59d011'
[2023-08-24 09:10:50 +0000] [1] [INFO] Handling signal: winch
[2023-08-24 09:10:50 +0000] [1] [INFO] Handling signal: winch

I've tried to restart the CTFd docker container as described in #57 but then I cannot login to the admin panel because it says username or password wrong, and there is no challenges.

Is this a regression?

I don't know, I'm new to juice-shop.

🔬 Minimal Reproduction

First run juice-shop with the following command.

$ sudo docker run --rm -it -p 3000:3000 --env NODE_ENV=ctf --env CTF_KEY=abcdefg bkimminich/juice-shop

> [email protected] start /juice-shop
> node build/app

info: All dependencies in ./package.json are satisfied (OK)
info: Chatbot training data botDefaultTrainingData.json validated (OK)
info: Detected Node.js version v14.18.2 (OK)
info: Detected OS linux (OK)
info: Detected CPU x64 (OK)
info: Configuration ctf validated (OK)
info: Required file server.js is present (OK)
info: Required file index.html is present (OK)
info: Required file styles.css is present (OK)
info: Required file main.js is present (OK)
info: Required file tutorial.js is present (OK)
info: Required file polyfills.js is present (OK)
info: Required file runtime.js is present (OK)
info: Required file vendor.js is present (OK)
info: Port 3000 is available (OK)
info: Server listening on port 3000

And then generate the backup archive.

$ sudo docker run --rm -it -v ./juice-shop:/data bkimminich/juice-shop-ctf

Generate OWASP Juice Shop challenge archive for setting up CTFd, FBCTF or RootTheBox score server
? CTF framework to generate data for? CTFd
? Juice Shop URL to retrieve challenges? http://192.168.224.129:3000
? Secret key <or> URL to ctf.key file? abcdefg
? Insert a text hint along with each challenge? No text hints
? Insert a hint URL along with each challenge? No hint URLs
? Insert a code snippet as hint for each challenge? No hint snippets

Backup archive written to /data/OWASP_Juice_Shop.2023-08-24.CTFd.zip

After the import you will have to set up the CTF name and administrator credentials again!

For a step-by-step guide to import the ZIP-archive into CTFd, please refer to
https://pwning.owasp-juice.shop/part1/ctf.html#running-ctfd

Then import the generated zip archive in CTFd admin panel.

🌳 Your Environment

juice-shop: 13.0.2
CTFd: 3.6.0
Docker: 24.0.5

I think that having a way to specify specific flags would be a nice feature especially when I am doing this in a middle or high school where I want to be able to remember the flags easier or relate them to what we are learning. Also, custom lengths for flags would be nice. Sometimes I just want to have 5 character flags as opposed to the really long ones that are the default.

🐛 Bug report

Description

the problem is easy and not for CTF Extension I think that it is a bug on JuiceShop itself.
The Api Snippets give this out file Json with threes bad entries and I try it more 5 times and it's the same.

In juiceShopUrl + '/snippets'

{
"challenges": [
"directoryListingChallenge",
"accessLogDisclosureChallenge",
"resetPasswordMortyChallenge",
"changeProductChallenge",
"registerAdminChallenge",
"exposedMetricsChallenge",
"fileWriteChallenge",
"loginAdminChallenge",
"loginBenderChallenge",
"loginJimChallenge",
"unionSqlInjectionChallenge",
"dbSchemaChallenge",
"noSqlReviewsChallenge",
"forgedReviewChallenge",
"noSqlCommandChallenge",
"nippet",
"start",
".*/",
"redirectCryptoCurrencyChallenge",
"redirectChallenge",
"adminSectionChallenge",
"scoreBoardChallenge",
"tokenSaleChallenge",
"resetPasswordBjoernOwaspChallenge",
"resetPasswordBjoernChallenge",
"resetPasswordJimChallenge",
"resetPasswordBenderChallenge",
"resetPasswordUvoginChallenge",
"passwordRepeatChallenge",
"restfulXssChallenge",
"localXssChallenge",
"xssBonusChallenge"
]
}

This is not good :
"nippet",
"start",
".*/",

🔬 Minimal Reproduction

im generate OWASP JUICE and Finish

and im upload to CTFD import wth console or web warning Error Key

`root@ubuntu:/home/owasp# juice-shop-ctf

Generate OWASP Juice Shop challenge archive for setting up CTFd (>=1.1.0) or FBCTF score server
? CTF framework to generate data for? CTFd
? Juice Shop URL to retrieve challenges? http://192.168.43.108:3000/
? Secret key URL to ctf.key file? \x1e\xa9\xca\xef\x13s\x80B\x17\xac\xa1J\xd8-}\x1b\x05S\x0f\xb9\x16\x06\x15\xe3\xda\xa0\x8d]\xe8\xbcil
? Insert a text hint along with each challenge? Free text hints
? Insert a hint URL along with each challenge? Paid hint URLs

Backup archive written to /home/owasp/OWASP_Juice_Shop.2018-10-18.CTFd.zip

For a step-by-step guide to import the ZIP-archive into CTFd, please refer to
https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part1/ctf.html#running-ctfd
`

`python import.py /home/owasp/OWASP_Juice_Shop.2018-10-18.CTFd.zip

• Loaded module, <module 'CTFd.plugins.keys' from '/home/CTFd/CTFd/CTFd/plugins/keys/init.pyc'>
• Loaded module, <module 'CTFd.plugins.challenges' from '/home/CTFd/CTFd/CTFd/plugins/challenges/init.pyc'>
  Traceback (most recent call last):
  File "import.py", line 16, in
  import_ctf(sys.argv[1], segments=segments)
  File "/home/CTFd/CTFd/CTFd/utils/init.py", line 904, in import_ctf
  data = backup.open(path).read()
  File "/usr/lib/python2.7/zipfile.py", line 961, in open
  zinfo = self.getinfo(name)
  File "/usr/lib/python2.7/zipfile.py", line 909, in getinfo
  'There is no item named %r in the archive' % name)
  KeyError: "There is no item named 'db/config.json' in the archive"
  `

Please Problem Solution

Thanks

CTFd supports custom themes. It would be great to have one for OWASP Juice Shop!

General customization ideas

• similar color scheme as as the shop (Bootswatch slate)
• include the generic and/or CTF-variant logo (see #6)

Challenge selection visualization

• shelf with bottles and packs of juice (=challenge) in different colors (=category) and sizes (=price value), being "emptied" when solved
• Juice Shop logo in b/w split into jigsaw pieces where each represents a challenge, being colorized when solved

Please post ideas in the comments below!

JWT Issues Tier 2 and RCE Tier 2 for example both show None as value,

🐛 Bug report

Description

Running the docker container using docker run -ti --rm -v $(pwd):/data bkimminich/juice-shop-ctf:v10.0.1 results in an error:

sh: /juice-shop-ctf/bin/juice-shop-ctf.js: Permission denied

Manually running chmod +x /juice-shop-ctf/bin/juice-shop-ctf.js solves the problem.

Is this a regression?

Probably, but I didn't bisect it.

🔬 Minimal Reproduction

See below.

🔥 Exception or Error

$ docker run -ti --rm -v $(pwd):/data bkimminich/juice-shop-ctf:v10.0.1 /bin/sh
sh: /juice-shop-ctf/bin/juice-shop-ctf.js: Permission denied

🌳 Your Environment

v18.18.0
9.8.1

Additional Information

When the URL chosen to retrieve the challenges is a Juice Shop with hints configured off, then no matter if hints are selected they cannot be part of the export data.

A warning should be displayed in such cases at the end of the export process.

• Identify and list all breaking changes between CTFd 1.x and 2.x data models (https://github.com/CTFd/CTFd/blob/master/CHANGELOG.md)
• Add CTFd 2.x as a separate framework with its own generators (or shared where possible with 1.x)
• Rename CTFd framework option into CTFd 1.x
• Make CTFd 1.x the default selection and also map the old alias CTFd to it (for non-breaking change of existing config files - but with deprecation warning upon parsing)

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

Prerequisites

• The logo must be created as SVG
• An additional 2000x2400 PNG variant would be nice
• There should be as little additional colors added as possible

The original SVG logo can be found here for experimentation and as a foundation for potential designs:

• https://raw.githubusercontent.com/bkimminich/juice-shop/master/app/public/images/JuiceShop_Logo.svg

🚀 Feature request

Description

In a ctf setting it can be useful to have multiple flag strings for a task --> every team/instance can get its own unique flag.

Solution ideas

Overload the configuration option ctfKey.

🐛 Bug report

Description

Setting these values:

insertHints: paid
insertHintUrls: paid

doesn't result in a cost being assigned to hints.

Is this a regression?

N/A

🔬 Minimal Reproduction

ctfFramework: CTFd
juiceShopUrl: https://juice-shop.herokuapp.com
ctfKey: https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key
insertHints: paid
insertHintUrls: paid

🌳 Your Environment

debian 10
node 14

Additional Information

N/A

🐛 Bug report - Description

(En mode Docker) and ACI (Azure Container Instance)

On mode CTF (Yaml or Directly by Docker Run and ENV command) if you request JuiceShop URL / Challanges
For 5 times differents again I have not Hints ou HintsURL on Json file

I put just one example. Not All Json file it's the same for all another challenges.

{
  "id": 3,
  "key": "registerAdminChallenge",
  "name": "Admin Registration",
  "category": "Improper Input Validation",
  "tags": null,
  "description": "Register as a user with administrator privileges.",
  "difficulty": 3,
  "hint": null,
  "hintUrl": null,
  "mitigationUrl": "https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html",
  "solved": false,
  "disabledEnv": null,
  "tutorialOrder": null,
  "createdAt": "2021-09-13T17:07:58.516Z",
  "updatedAt": "2021-09-13T17:07:58.516Z"
},

You have a mitigationUrl with information but you don't manage it inside Juice-shop-ctf.

As a replacement for the current export generator, CTFd's new CSV import feature should be used: https://docs.ctfd.io/docs/imports/csv

This should be a much more stable approach than the current direct export, which is not even properly supported in CTFd Docker containers any longer.

Current asciinema video shows 5.x version with only CTFd and FBCTF selection options whereas new 6.x has CTFd 1.x, CTFd 2.x and FBCTF.

https://asciinema.org/a/197662

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.