nakiami / mellivora
Mellivora is a CTF engine written in PHP
License: GNU General Public License v3.0
Don't display the hints for the questions by default and allow the deduction of points if a hint is displayed.
It would be good to have partial/full grading depending on time of answer submission so that the first answer gets full credit, the second gets 90% credit, third place gets 75% credit and everyone else gets 50% credit. The percentages should be configurable in the Manage menus. This would help prevent ties.
See if the site design can be improved
If there are multiple correct submissions for the same challenge for the same user, the user will get extra points for them. For example, if they have 3 answers marked correct for the same 50 point question, they will get 150 points instead of the 50 points they should get.
Repro:
Answer a challenge incorrectly twice. Manually mark both submissions correct. View the scores, and the individual score page. The user got double points for the challenge.
Just wanted to say a huge thank you for developing this. You're awesome for making it easy to set up, run, and host CTFs. That and almost two years of using it to teach hundreds of ITsec students.
Plus I recently saw it in use at Bsides Conference CTF. Well done.
Sorry for the misplacement of this, couldn't find the appropriate twitter acc.
Kudos!
GFW has blocked us all in China.
Just like reCAPTCHA, jQuery.
I replaced the CDN with http://libs.baidu.com/jquery/1.9.1/jquery.min.js
but the reCAPTCHA.. only rewritten with another service provider
Just saying the problem that I met..
I will try to solve it : )
btw, thx for your CTF engine.
Hello,
I found two issues in the pager( ) function of the layout.inc.php file. I wanted to fix them myself ("DIY!"), and make my first pull request on Github, but each time, I encountered problems when modifying and replacing the file.
... which, when we keep clicking on the Next button, leads to a very very long URI.
Steps to reproduce:
Expected result:
"Success" notification.
Actual result:
No notification. Upon logging out, old password works, new password does not.
This is made more problematic by not being able to disable 2FA from the user interface, and therefore having to disable 2FA via MySQL commands, then change the pw, then re-enable 2FA.
Hey,
There is a logic bug in allowed_email() that prevents email rules from actually being enforced.
If an email does not match any rule then the email will be allowed because $allowedEmail is initialized to true.
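The issue above describes a default-allow check: a verdict variable that starts out true and is only flipped by a matching rule, so an address matching no rule at all passes. The following is an added example, not code from the mellivora project, that shows the flawed shape beside a deny-by-default rewrite; the rule list, its glob syntax and the helper names are assumptions for the example, and the project's own rule storage is not shown on the page.

```python
import fnmatch

# Constructed rule list for this example; the project's own rule storage and
# syntax are not shown on the page. Each rule is (glob pattern, action) and the
# first rule whose pattern matches the whole address wins.
RULES = [
    ("*@students.example.edu", "allow"),
    ("*@example.edu", "allow"),
    ("*@mailinator.com", "deny"),
]


def normalize_email(email):
    """Trim and lower-case so 'Bob@Example.EDU ' and 'bob@example.edu' hit the same rule."""
    return email.strip().lower()


def is_plausible_address(addr):
    """Cheap structural check: exactly one '@', non-empty local and domain parts, no whitespace."""
    if any(ch.isspace() for ch in addr):
        return False
    local, sep, domain = addr.partition("@")
    return bool(sep) and bool(local) and bool(domain) and "@" not in domain


def allowed_email_default_allow(email, rules):
    """Mirrors the flaw described in the issue: the verdict starts as True, so an
    address that matches no rule at all is accepted."""
    addr = normalize_email(email)
    allowed = True
    for pattern, action in rules:
        if fnmatch.fnmatchcase(addr, pattern.lower()):
            allowed = action == "allow"
            break
    return allowed


def allowed_email(email, rules, default=False):
    """Deny-by-default version: an address is accepted only when an explicit
    allow rule matches it (or when the operator has opted into default=True)."""
    addr = normalize_email(email)
    if not is_plausible_address(addr):
        return False  # malformed input never reaches the rule table
    for pattern, action in rules:
        if fnmatch.fnmatchcase(addr, pattern.lower()):
            return action == "allow"
    return default
```

The only behavioural difference between the two functions is the value returned when the loop finds no match; making that an explicit `default` parameter keeps the open-registration case available without hiding it in the initial value of a flag.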
Needs some client side and (and server side?) validation on date inputs
Also a date picker would be nice
Warning: get_browser(): browscap ini directive not set in /.../mellivora/include/general.inc.php on line 157
mellivora.sql, line 84: code varchar(10) unsigned NOT NULL,
varchar should not be unsigned? Errors out in MySQL on import.
A disabled user can still make submissions. They cannot login, but they can still see the challenges and get points.
Repro:
Expected: User cannot make submissions since their account is not enabled.
Actual: User can make submissions.
How do I add challenges? If possible, please give me a little bit about the basis of the data on it! Thank you.
Most forms would benefit from some limits on content (for example, you can create a completely blank category)
Site exceptions store and record user credentials. Moderators can then see the list...Any possibility of a 'Clear Exceptions' functionality?
If there are multiple correct submissions to the same challenge by the same user, a persistent misleading SQL exception occurs. This does not happen for multiple incorrect submissions. The exception occurs while rendering the Challenges page, while attempting to render the challenge that has multiple correct submissions. The exception causes the user to be unable to view challenges in the same category that happen after the one with multiple correct submissions.
Exception text:
SQLSTATE[HY000]: General error: 2014 Cannot execute queries while other unbuffered queries are active. Consider using PDOStatement::fetchAll(). Alternatively, if your code is only ever going to run against mysql, you may enable query buffering by settin
Exception Trace:
#0 /var/www/mellivora/include/db.inc.php(179): PDOStatement->fetchAll(2)
#1 /var/www/mellivora/include/db.inc.php(158): db_query('? SELECT? ...', Array, true)
#2 /var/www/mellivora/htdocs/challenges.php(131): db_query_fetch_all('? SELECT? ...', Array)
#3 {main}
Repro:
There are multiple ways that this can occur.
Fix:
Not sure yet. It should be easy to reproduce but I haven't looked at the code yet.
I noticed in a recent cleanup the SSL options were removed; is this functionality implemented elsewhere or for the user to input manually?
I recently did a "do-release-upgrade" on an Ubuntu 14.04 box with a working mellivora installed and running. After the upgrade completed it was not working. I had issues then with php and MySQL not working when trying to go to the website I had set up. After the update I had to reinstall php, which installed php7.0 vs php5, and then enable php7.0 in apache2 with a2enmod php7.0. After that I was still having an error with mbstring and apache, then I installed php7.0-mbstring and things started to work at least for showing the pages, but I got a MySQL error on the main page saying it can't connect to the database. I then installed php-mysql and it started to work again.
I started to do some testing and now I am getting errors when I try to add a new challenge
[Mon Aug 22 10:34:04.146537 2016] [:error] [pid 4889] [client 192.168.153.131:47370] PDOException: SQLSTATE[HY000]: General error: 1366 Incorrect integer value: '' for column 'points' at row 1 in /var/www/mellivora/include/db.inc.php:41\nStack trace:\n#0 /var/www/mellivora/include/db.inc.php(41): PDOStatement->execute(Array)\n#1 /var/www/mellivora/htdocs/admin/actions/new_challenge.php(34): db_insert('challenges', Array)\n#2 {main}, referer: http://192.168.153.131/admin/new_challenge.php?category=8
It looks like some validation checking happening and it is failing if you don't fill in everything in the form. If you enter items into all the text boxes it seems to work fine. I checked the database and it does have the default values listed, but it seems like there is some validation checking going on.
To fix the issue I edited the php code in the new_challenge.php to match the "defaults" expected in the DB. After doing that it works ok.
I would like to suggest that you add a default value page for category and challenges on the manage page. This way you could also set some of the values like available from and until for questions. It also would fill in the page with defaults when you load it too.
Thanks for all the work on mellivora also.
There is no 'Relies on' field in the 'new challenge' page. So the 'relies_on' field did not have a default value, and creating a new challenge without that field produces an error because there is no default value for this field and no value for this field was provided.
We were trying to translate the interface to Spanish but there are some issues that imply rewriting too much code, making updates crazy. Although we have translated the whole interface to Spanish, we feel it would be interesting to upload those texts into some sort of .xml files to let the language be selected by the user in their profile page, for instance. Is anyone working on something similar?
Is there a way to allow multiple correct answers for a question? I would like to ask something like: what Windows program allows you to get the network address of a Windows box at a command prompt? Then I would allow ipconfig, ipconfig.exe for the answers.
thanks
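One way to support several accepted answers per challenge, as an added example that is not part of the project or of this issue: each accepted answer is normalized and stored only as a salted SHA-256 digest, submissions are compared with a constant-time check against every digest, and a user's repeated correct submissions are collapsed so they are scored once. The `mode="each"` variant gives an equal share of the points per distinct accepted answer. The class, method names, salt and sample answers are all constructed for the example.

```python
import hashlib
import hmac
import unicodedata


def normalize_answer(text):
    """Canonical form before hashing: Unicode NFKC, trim, casefold, collapse inner
    whitespace. This is a policy choice for the example; for case-sensitive flags
    drop the casefold()."""
    text = unicodedata.normalize("NFKC", text).strip().casefold()
    return " ".join(text.split())


def hash_answer(text, salt):
    """Store answers as salted SHA-256 digests so a database dump does not leak flags."""
    return hashlib.sha256(salt + normalize_answer(text).encode("utf-8")).hexdigest()


class Challenge:
    """mode="any": any accepted answer earns full points (ipconfig / ipconfig.exe).
    mode="each": every distinct accepted answer earns an equal share of the points."""

    def __init__(self, points, accepted_answers, salt, mode="any"):
        if mode not in ("any", "each"):
            raise ValueError("mode must be 'any' or 'each'")
        self.points = points
        self.salt = salt
        self.mode = mode
        # Only digests are kept; duplicates in the accepted list collapse into one entry.
        self.accepted = sorted({hash_answer(a, salt) for a in accepted_answers})

    def match(self, submission):
        """Return the stored digest the submission matches, or None. Every stored digest
        is compared with hmac.compare_digest and the loop never exits early, so timing
        does not reveal which (or whether any) answer matched."""
        digest = hash_answer(submission, self.salt)
        hit = None
        for stored in self.accepted:
            if hmac.compare_digest(digest, stored):
                hit = stored
        return hit

    def score(self, submissions):
        """Points for one user's list of submissions. Matches are collected into a set,
        so resubmitting the same correct answer never earns it twice."""
        matched = {m for m in (self.match(s) for s in submissions) if m is not None}
        if not matched:
            return 0
        if self.mode == "any":
            return self.points
        return self.points * len(matched) // len(self.accepted)


SALT = b"constructed-per-challenge-salt"  # constructed; use a random value per challenge

# The question from the issue: any of the two spellings earns the full 50 points.
IPCONFIG = Challenge(50, ["ipconfig", "ipconfig.exe"], SALT)

# Partial-credit variant: ten constructed URLs, one point each.
URLS = Challenge(10, [f"https://example.org/page{i}" for i in range(10)], SALT, mode="each")
```

Because `score()` works from the set of distinct matched digests rather than from the count of submissions, a grader marking the same answer correct several times cannot inflate a user's total, which is the failure mode reported elsewhere on this page.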
Once a user has logged in, they should be taken to the challenges page. There should be some help information instructing them what to do.
Feature request, or is it already present?
Manage to enable / disable registration.
Thanks...
In reference to issue #41, I get the same SQL exception if I have multiple ungraded answers as well. I have added the limit 1 to both subqueries (for ungraded as well as correct) and the error goes away. This seems like a bandaid though rather than a real solution.
Our business goal is to actually allow, somehow, multiple correct answers. For instance, "List all of the URLs where you found the correct answer to the challenge." For that sort of answer, there needs to be more than one correct answer, especially with social engineering research, and allowing multiple answers for partial credit (maybe 10 points for the question if you get all 10 URLs and 1 point for each valid answer) would be great.
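The two scoring bugs reported on this page (extra points when a user has several submissions marked correct for one challenge, and the exception on the Challenges page when a user has several correct or ungraded rows, which the comment above works around with LIMIT 1) share one root cause: queries that assume at most one matching submission row per user and challenge. The following added example, which is not the project's code and uses a constructed SQLite schema rather than mellivora.sql, shows the per-row JOIN that double-counts next to a query that scores each challenge at most once, and a challenge listing built on EXISTS so that each challenge yields exactly one solved/pending flag however many rows exist. Function and column names are assumptions for the example.

```python
import sqlite3

# Constructed schema and data for this example; they are not the project's
# mellivora.sql. correct = 1 means graded correct, 0 graded incorrect, NULL ungraded.
SCHEMA = """
CREATE TABLE challenges (
    id     INTEGER PRIMARY KEY,
    points INTEGER NOT NULL
);
CREATE TABLE submissions (
    id           INTEGER PRIMARY KEY,
    user_id      INTEGER NOT NULL,
    challenge_id INTEGER NOT NULL REFERENCES challenges(id),
    correct      INTEGER
);
"""

SAMPLE_ROWS = [
    # user 1: one wrong and three rows later marked correct on challenge 10, plus one correct on 11
    (1, 10, 0), (1, 10, 1), (1, 10, 1), (1, 10, 1), (1, 11, 1),
    # user 2: one correct on 10 and two ungraded answers on 11
    (2, 10, 1), (2, 11, None), (2, 11, None),
]


def build_db():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO challenges (id, points) VALUES (?, ?)", [(10, 50), (11, 100)])
    conn.executemany(
        "INSERT INTO submissions (user_id, challenge_id, correct) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def naive_score(conn, user_id):
    """Reproduces the double-counting: a JOIN yields one row per correct submission,
    so three correct rows on a 50-point challenge contribute 150."""
    row = conn.execute(
        """SELECT COALESCE(SUM(c.points), 0)
             FROM submissions s JOIN challenges c ON c.id = s.challenge_id
            WHERE s.user_id = ? AND s.correct = 1""",
        (user_id,),
    ).fetchone()
    return row[0]


def score(conn, user_id):
    """Sum each challenge at most once: iterate over challenges and ask whether
    at least one correct submission exists, however many rows there are."""
    row = conn.execute(
        """SELECT COALESCE(SUM(c.points), 0)
             FROM challenges c
            WHERE EXISTS (SELECT 1 FROM submissions s
                           WHERE s.challenge_id = c.id AND s.user_id = ? AND s.correct = 1)""",
        (user_id,),
    ).fetchone()
    return row[0]


def challenge_view(conn, user_id):
    """One row per challenge with solved / pending flags for a challenges page.
    EXISTS yields exactly one boolean per challenge no matter how many matching rows
    exist, which is the guarantee the LIMIT 1 band-aid was approximating; the result
    set is fetched completely (fetchall) before any further query is issued."""
    rows = conn.execute(
        """SELECT c.id, c.points,
                  EXISTS (SELECT 1 FROM submissions s
                           WHERE s.challenge_id = c.id AND s.user_id = ? AND s.correct = 1) AS solved,
                  EXISTS (SELECT 1 FROM submissions s
                           WHERE s.challenge_id = c.id AND s.user_id = ? AND s.correct IS NULL) AS pending
             FROM challenges c
            ORDER BY c.id""",
        (user_id, user_id),
    ).fetchall()
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = build_db()
    for uid in (1, 2):
        print(uid, naive_score(db, uid), score(db, uid), challenge_view(db, uid))
```

Driving the sum from the challenges table rather than from the submissions table is what makes the score independent of how many rows a grader marked correct; the same EXISTS shape in the listing removes the need for LIMIT 1 on the subqueries, since a boolean cannot return more than one row.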