NKCyber Cybersword

Themed Description:

Join Barty the Cyber Knight as he tries to earn the mystical CyberSword through a series of fun online challenges! This competition is intended for students who are looking to have a hands-on experience with Python programming, hacking, and cybersecurity. Students will need a laptop or desktop machine with an updated browser and an internet connection.

Neutral Description:

CyberSword is a friendly, online cybersecurity competition for high schoolers. Students will complete a series of fun challenges and gain hands-on experience with Python programming, SQL, and cybersecurity. Students will need a laptop or desktop machine with an updated browser and an internet connection.

Getting Started

Important

This repo uses git submodules. Remember to clone with --recursive:

git clone git@github.com:nkcyber/cybersword.git --recursive

To get started with this project, install the CTFd CLI and run ctf init to initalze your project information.

See administration.md for more information.

Important Dates

We hope to use this project at least at the following events.

TSA

February 9th, 2024

Technology Student Association (TSA) Open to students enrolled in or who have completed technology and education courses, TSA’s membership includes more than 300,000 middle and high school students across the United States.

TechOlympics

February 17-18th, 2024

https://www.techolympics.org/

Procter and Gamble Global Headquarters (13 min drive)

STLP24 State Championship

March 27th, 2024 (Link to important dates)

Rupp Arena, Lexington Kentucky (1 hr drive south)

About

This project uses the CTFd CLI for challenge management.

Resources

Service Deployment

Note that automatic challenge deployment is not available in the free version, which we're using.

As such, we have to take a more involved approach to challenge service deployment.

---

TO DO

• Important:

  • Fix bad user experience with AI lab
  • Modify installation script to support cgroups configuration
  • Write test suite to check that ai lab & code runner are set up correctly

• Services:

  • how to sync files and images in CTFd?
    • use nkcyber logo in index page and whatnot
  • create introduction page in CTFd explaining goals and how to submit flags.

• Create challenges:

  • 3d call to action - Barty needs your help!
  • Sensitive Data Exposure: API backend
  • API you can manipulate (access=false)
  • encryption method that's not an encryption method
  • IDOR
  • flag commented out in webpage
  • developer tools
  • Teach web exploits:
    • https://owasp.org/Top10/A01_2021-Broken_Access_Control/
    • Automatically Incrementing IDs in URL allowing to resource discovery
  • how to teach binary decompilation in a browser?
  • embed a flag in a JWT (easy to make!)
  • teach people that PDFs can phone home
  • how to teach buffer overflow in a browser?
  • how to teach timing attack in a browser?
    • use judge0 scripting environment
    • prerequisite: binary search in python

• Story:

  • this has been dropped for practical reasons.
  • We are writing an excuse plot
    • So you want to write an excuse plot (advice)
  • Where did barty come from?
  • Key point: Because we did the "CyberShield" compeition in the past. We're doing the CyberSword competition now.
    • What's the lore for the CyberSword
      • It's a sign of cybersecurity proficiency.
  • Why do we have to complete challenges to earn the cyber sword?
  • Things that the story should have:
    • I like the idea of a mideval knight not knowing anything about cybersecurity.
      • Therefore, the user has to support him in his efforts.
    • I like the idea of a mideval knight just wandering around northern kentucky.

State clear goal in "bookends" for each subject: - You don't have to know anything now - When you're done, you'll either win or know what you don't know

---

Timing information

See docs/timing.md.