improvements

Author: avipars

flags.py

@@ -6,6 +6,7 @@
             "This is a more revealing hint for stage 1.",
             "This is the most revealing hint for stage 1.",
         ],
+        "notes": "This is a note for stage 1",
     },
     2: {
         "flag": "flag{stage2}",
@@ -14,6 +15,8 @@
             "This is a more revealing hint for stage 2.",
             "This is the most revealing hint for stage 2.",
         ],
+        "notes": "This is a note for stage 2",
+
     },
     3: {"flag": "flag{stage3}", "hints": ["Almost there"]},
 }

hints/__init__.py

@@ -6,6 +6,7 @@
 
 
 def create_app():
+    print("Creating app")
     app = Flask(
         __name__,
         static_folder="static",
@@ -21,7 +22,8 @@ def create_app():
     app.config["REMEMBER_COOKIE_SECURE"] = True
     # ensure session cookie is secure
     app.config["SESSION_COOKIE_SECURE"] = True
-
+    app.config["SESSION_PERMANENT"] = True
+    app.config['PERMANENT_SESSION_LIFETIME'] = 60 #in seconds
     with app.app_context():
         from . import routes
 

hints/routes.py

@@ -2,6 +2,7 @@
 
 from flask import (Blueprint, flash, redirect, render_template,
                    request, session, url_for)
+from markupsafe import escape
 
 from flags import stages  # import everything from flags.py
 
@@ -20,26 +21,41 @@ def flags():
         session["submitted_flags"] = []
     if "current_stage" not in session:
         session["current_stage"] = 1
+    if "hint_index" not in session:
+        session["hint_index"] = 0
 
     current_stage = session["current_stage"]
     submitted_flags = session["submitted_flags"]
-    # need to verify that the user didn't try to skip stages or trick the
-    # system
+    hint_index = session["hint_index"]
+
+
+    # need to verify that the user didn't try to skip stages or trick the system
 
     if request.method == "POST":
         if "submit_flag" in request.form:
             submitted_flag = request.form.get("flag")
-            if submitted_flag == stages[current_stage]["flag"]:
+            submitted_flag = escape(submitted_flag.strip())
+            # make sure its ascii only and not invalid
+            if not submitted_flag.isascii():
+                flash("Invalid flag. Please try again.", "danger")
+                return redirect(url_for("ctf.flags"))
+            
+            if submitted_flag in submitted_flags:
+                flash("You already submitted this flag.", "info")
+            elif submitted_flag == stages[current_stage]["flag"]:
                 flash(f"Correct flag for Stage {current_stage}!", "success")
-                submitted_flags.append(submitted_flag)
-                session["submitted_flags"] = submitted_flags
+                if submitted_flag not in submitted_flags:
+                    submitted_flags.append(submitted_flag)
+                    session["submitted_flags"] = submitted_flags
+                    
                 if current_stage < len(stages):
                     current_stage += 1
                     hint_index = 0
                 elif current_stage == len(stages):
                     flash(
                         "You have completed all the stages. Congratulations!",
                         "success")
+                    return render_template("message.html", title="Congratulations!", message="You have completed all the stages of the CTF. ")
                     # if the user has completed all the stages, then flash a
                     # message
                 session["current_stage"] = current_stage
@@ -54,34 +70,51 @@ def flags():
                         current_stage = stage
                         hint_index = 0
                         found = True
+                          
+                        if submitted_flag not in submitted_flags:
+                            submitted_flags.append(submitted_flag)
+                            session["submitted_flags"] = submitted_flags
+                            
+                        # check if they got all the flags (even if they are out of order)
+                        if sorted(submitted_flags) == sorted([stage_data["flag"] for stage_data in stages.values()]):
+                            flash(
+                                "You have completed all the stages. Congratulations!",
+                                "success",
+                            )
+                            return render_template("message.html", title="Congratulations!", message="You have completed all the stages of the CTF. ")
+                            # if the user has completed all the stages, then flash a
+                            # message
                         break
                 # else:
                 if not found:
                     flash("Incorrect flag. Try again.", "danger")
 
         elif "reveal_hint" in request.form:
+            # hint_num = request.form.get("reveal_hint")
             if (
-                hint_index < len(stages[current_stage]["hints"]) - 1
+                hint_index < len(stages[current_stage]["hints"])
             ):  # if there are more hints to reveal
                 hint_index += 1
             else:
                 # if the user exhausted all the hints, have it show from the
                 # beginning
-                hint_index = 0
+                # hint_index = 0
                 # flash a message to the user
-                flash("No new hints :( Try harder!", "info")
+                flash("Exhausted all hints for this stage :( Try harder!", "warning")
                 # hide the button till they get to next stage
-
-    hints = stages[current_stage]["hints"][: hint_index + 1]
+    session["hint_index"] = hint_index
+    hints = stages[current_stage]["hints"][: hint_index]
+    notes = stages[current_stage].get("notes")
     return render_template(
-        "flags.html",
+        "flags.html",title=f"CTFlask - Stage {current_stage}",
         stage=current_stage,
         hints=hints,
         hint_index=hint_index,
         submitted_flags=submitted_flags,
-        num_hints=len(stages[current_stage]["hints"]),
+        num_hints=len(stages[current_stage]["hints"]),notes=notes
     )
 
+
 @bp.route("/", methods=["GET"])  # also for index
 @bp.route("/index", methods=["GET"])
 @bp.route("/home", methods=["GET"])
@@ -92,19 +125,20 @@ def index():
         session["submitted_flags"] = []
     if "current_stage" not in session:
         session["current_stage"] = 1
-
+    if "hint_index" not in session:
+        session["hint_index"] = 0
+        
     flash("Welcome to the CTF, please read the following:", "info")
     brief = """
-    This site is not required to solve the CTF challenge and is not a part of the CTF challenge itself, but a tool to help you keep track of your progress. The flags are not hidden on this site. You need to find them on your own. Good luck!
-
+    Using this site is not required to solve the CTF challenge and is not a part of the CTF challenge itself, but a tool to help you keep track of your progress. You need to find the flags on your own and not via this site itself. Good luck!
     \n
     Do not use this site for any illegal activities, please do not attack it in any way as it harms other users who are solving the CTF. The site collects logs for security purposes.
     \n
     """
-    # everwhere where is /n, replace with <br> for html
+    # everywhere where is /n, replace with <br> for html
     brief = brief.split("\n")
 
-    return render_template("index.html", summary=brief)
+    return render_template("index.html", summary=brief, title="CTFlask - Home")
 
 
 @bp.route("/restart", methods=["GET"])

hints/static/js/code.js

@@ -0,0 +1,5 @@
+if (window.history.replaceState) {
+
+    window.history.replaceState(null, null, window.location.href);
+    
+}

hints/templates/404.html

@@ -10,13 +10,16 @@
 {% endblock %}
 
 {% block content %}
-<h1 class="error">
+<h1 class="error col-md-12 text-center">
   {{ "404 Page Not Found" }}
 </h1>
 
 {% block body %}
-  <h2>Oops! Looks like the page doesn't exist anymore</h2> 
-  <a href="{{ url_for('ctf.index') }}">Click Here</a> to return to the Home Page
+<div class="col-md-12 text-center">
+  <h4 class="h4 mb-2">Oops! Looks like this page doesn't exist</h4> 
+  <p><a href="{{ url_for('ctf.index') }}">Click Here</a> to return to the Home Page</p>
+</div>
+
 {% endblock %}
 
 {% endblock %} 

hints/templates/flags.html

@@ -12,6 +12,11 @@
         <h1 class="text-center">CTF Platform</h1>
         <div class="mt-4">
             <h3>Stage {{ stage }}</h3>
+            <h5>Notes</h5>
+            {% if notes is defined and notes %}
+                <p>{{ notes }}</p>
+            {% endif %}
+
             <form method="POST">
                 <div class="form-group">
                     <label for="flag">Enter Flag:</label>
@@ -21,7 +26,7 @@ <h3>Stage {{ stage }}</h3>
             </form>
         </div>
         {% with messages = get_flashed_messages(with_categories=true) %}
-        {% if messages %}
+        {% if messages is defined and messages %}
           <div class="mt-4">
             {% for category, message in messages %}
               <div class="alert alert-{{ category }}" >{{ message }}</div>
@@ -30,8 +35,8 @@ <h3>Stage {{ stage }}</h3>
         {% endif %}
       {% endwith %}
         <div class="mt-4">
-            <h4>Hints:</h4>
-            {% if hints %}
+            <h4>Hints</h4>
+            {% if hints is defined and hints %}
                 <ul>
                     {% for hint in hints %}
                         <li>{{ hint }}</li>
@@ -42,7 +47,7 @@ <h4>Hints:</h4>
             {% endif %}
 
             <form method="POST">
-                <button type="submit" name="reveal_hint" class="btn btn-secondary">Reveal Next Hint</button>
+                <button type="input" name="reveal_hint" class="btn btn-secondary" value="d">Reveal Next Hint</button>
             </form>
 
             {#<!--             {% if hint_index < num_hints-1 %}
@@ -52,22 +57,23 @@ <h4>Hints:</h4>
                 </form>
             <!-- {% endif %} -->#}
         </div>
+
         <div class="mt-4">
-            <a href="{{ url_for('ctf.restart') }}" class="btn btn-danger">Restart Challenge</a>
-        </div>
-        <div class="sidebar">
-            <h4>Previously Entered Flags</h4>
-            {% if submitted_flags %}
+            <h4>Previously Submitted Flags</h4>
+            {% if submitted_flags is defined and submitted_flags %}
                 <ul>
                     {% for flag in submitted_flags %}
                         <li>{{ flag }}</li>
                     {% endfor %}
                 </ul>
             {% else %}
-                <p>No flags entered yet.</p>
+                <p>No flags submitted yet.</p>
             {% endif %}
         </div>
-
+        <div class="mt-4">
+            <a href="{{ url_for('ctf.restart') }}" class="btn btn-danger">Restart Challenge</a>
+        </div>
     </div>
+
     {% endblock %}
 

hints/templates/index.html

@@ -9,7 +9,7 @@
 {% endblock %}
 {% block content %}
 <div class="container mt-5">
-    <h1 class="text-center">CTF Platform</h1>
+    <h1 class="text-center">CTFlask</h1>
 
     {% with messages = get_flashed_messages(with_categories=true) %}
     {% if messages %}
@@ -23,7 +23,7 @@ <h1 class="text-center">CTF Platform</h1>
 
     <!-- give a brief summary of the challenge  -->
     <div class="mt-4">
-        <h3>Challenge Summary</h3>
+        <h3>Rules and Information</h3>
         {% for para in summary %}
             <p>{{para}}</p>
         {% endfor %}

hints/templates/layout.html

@@ -18,7 +18,8 @@
     <link rel="shortcut icon" href="{{ url_for('static', filename='favicons/favicon.ico') }}">
     <meta name="description" content="CTF Hints and Flag Site for the ColaCo Challenge">
     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
-
+    <!-- js -->
+    <script src="{{ url_for('static', filename='js/code.js') }}"></script>
     {% endblock %}
 </head>
 

hints/templates/message.html

@@ -10,12 +10,16 @@
 
 {% block content %}
 
-<h1 class="error">
+<h1 class="error col-md-12 text-center">
   {{ title }}
 </h1>
 
 {% block body %}
-  <h2>  {{ message }}</h2> 
+<div class="col-md-12 text-center">
+
+  <h2 class="h2 mb-2">  {{ message }}</h2> 
+</div>
+
 {% endblock %}
 
 {% endblock %} 

requirements.txt

@@ -6,4 +6,5 @@ itsdangerous==2.2.0
 Jinja2==3.1.4
 MarkupSafe==2.1.5
 Werkzeug==3.0.3
+markupsafe
 gunicorn