Hackathon
Introduction
Welcome to the Softrams Hackathon! The hackathon is a Capture-The-Flag style event in which you will learn, experiment, and actually hack a vulnerable web application. The event consists of a series of challenges that you may complete in any order you choose. Each completed challenge yields a flag; submitting that flag on the CTF platform awards points based on the difficulty of the challenge. The goal of the hackathon is to teach and challenge participants on web application security in a fun and exciting way.
Prerequisites
Prior to the initial Hackathon introduction meeting, please ensure you have completed the prerequisite items below. Detailed instructions for each task are included on this Confluence page.
Register for the Hackathon
- Visit the CTF platform: go to https://softrams.ctfd.io/ to access the challenges and scoreboard.
- Register or log in: follow the prompts to create a new account, or log in if you already have one.
Installing Docker
Before you can run the Juice Shop Docker container for the CTF event, you need to have Docker installed on your computer. If you are new to Docker: it packages an application together with its dependencies and runs it in an isolated container, so every participant gets an identical copy of the Juice Shop without installing its dependencies by hand.
- Visit the Docker website: go to Docker's official download page.
- Download Docker Desktop: choose the version for your operating system (Windows/macOS). If you are on a Mac with an M1/M2 chip, make sure to download the version for Apple Silicon: see Install Docker Desktop on Mac and select the Docker Desktop for Mac with Apple Silicon option.
- Install Docker Desktop: follow the installation instructions provided by Docker. On macOS this typically means opening the downloaded installer and dragging the Docker application to your Applications folder; on Windows, run the installer.
- Verify the installation: open a terminal or command prompt and type
docker --version
to ensure Docker was installed correctly. You should see the Docker version number in the response.
Configuring the Docker Image
Pulling the Docker Image
Once Docker is installed, you can pull the Docker image for the Juice Shop. Docker Desktop must be running for the commands below to work: docker --version only reports the client version, but pulling and running images requires the Docker engine that Docker Desktop starts.
- Open your terminal or command prompt.
- Pull the Docker image:
docker pull kston83/softramsjuiceshop:latest
Running the Docker Image
After pulling the image, you can run it on your local machine.
- Run the Docker container:
docker run -d -p 3000:3000 --name ctf-juice-shop kston83/softramsjuiceshop:latest
This command does the following:
- -d runs the container in detached mode (in the background).
- -p 3000:3000 maps port 3000 of the container to port 3000 on your local machine. Note that this publishes the port on every network interface of your machine; because the Juice Shop is deliberately vulnerable, on a shared or public network prefer -p 127.0.0.1:3000:3000 so that only your own browser can reach it.
- --name ctf-juice-shop gives the container a fixed name, which the stop and remove commands below rely on. Running the command a second time while a container with that name still exists fails with a name conflict; stop and remove the old container first (see Stopping the Docker Container).
- Access the Juice Shop: open a web browser and navigate to http://localhost:3000. You should see the Juice Shop application running, ready for you to start the challenges.
Stopping the Docker Container
When you're done using the Juice Shop or wish to stop the Docker container:
- Open your terminal or command prompt.
- Stop the Docker container:
docker stop ctf-juice-shop
- (Optional) Remove the Docker container: If you no longer need the container and want to remove it from your system:
docker rm ctf-juice-shop
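The pull, run, verify and stop steps above can be wrapped in one small script that also handles the two things that usually go wrong on a laptop: the container name already existing from an earlier run, and the app not being ready the instant docker run returns. The script below is an added example written for this page, not part of the hackathon materials or the OWASP Juice Shop project. It assumes the docker CLI and curl are on PATH and uses the image and container names given above; it binds the published port to loopback only, so the intentionally vulnerable app is not reachable from the rest of your network.

```shell
#!/bin/sh
# Added example for this page: a small lifecycle helper for the Juice Shop
# container described above. It is not part of the hackathon materials or the
# OWASP Juice Shop project. Assumptions: the docker CLI and curl are on PATH,
# and the image and container names are the ones used on this page.
set -u

IMAGE="kston83/softramsjuiceshop:latest"
NAME="ctf-juice-shop"
HOST_PORT="${HOST_PORT:-3000}"   # override if 3000 is already taken on your machine

# Accept only a numeric TCP port in 1..65535, so a typo in HOST_PORT is caught
# here rather than surfacing as a cryptic "docker run" error.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Prints docker's view of the container ("running", "exited", "created", ...),
# or "absent" when no container with that name exists (or docker is missing).
container_state() {
  docker inspect -f '{{.State.Status}}' "$NAME" 2>/dev/null || echo "absent"
}

# Poll $1 until it answers with a non-error HTTP status, giving up after $2
# seconds. Returns 0 when the app is reachable, 1 on timeout.
wait_for_http() {
  url="$1"; limit="$2"; waited=0
  while [ "$waited" -lt "$limit" ]; do
    if curl -fs -o /dev/null --max-time 2 "$url"; then
      return 0
    fi
    waited=$((waited + 1)); sleep 1
  done
  return 1
}

# Start (or reuse) the container, bound to loopback only so the deliberately
# vulnerable app is not exposed to the rest of your network.
up() {
  valid_port "$HOST_PORT" || { echo "invalid HOST_PORT: $HOST_PORT" >&2; return 2; }
  case "$(container_state)" in
    running) echo "$NAME is already running" ;;
    absent)
      docker pull "$IMAGE" || return 1
      docker run -d -p "127.0.0.1:${HOST_PORT}:3000" --name "$NAME" "$IMAGE" >/dev/null || return 1
      ;;
    *) docker start "$NAME" >/dev/null || return 1 ;;   # exists but stopped: reuse it, avoiding a name clash
  esac
  if wait_for_http "http://127.0.0.1:${HOST_PORT}/" 90; then
    echo "Juice Shop is up: http://localhost:${HOST_PORT}"
  else
    echo "Juice Shop did not answer within 90s; inspect with: docker logs $NAME" >&2
    return 1
  fi
}

# Stop the container; pass --rm to remove it as well.
down() {
  docker stop "$NAME" >/dev/null 2>&1 || true
  if [ "${1:-}" = "--rm" ]; then
    docker rm "$NAME" >/dev/null 2>&1 || true
  fi
  echo "$NAME: $(container_state)"
}

# Command dispatch; with no arguments the functions are only defined (handy for sourcing).
if [ $# -gt 0 ]; then
  case "$1" in
    up)   up ;;
    down) down "${2:-}" ;;
    *)    echo "usage: $0 up | down [--rm]" >&2; exit 2 ;;
  esac
fi
```

Save it as juice_shop.sh, make it executable, and run ./juice_shop.sh up before a session and ./juice_shop.sh down (or down --rm to also delete the container) afterwards. If port 3000 is taken, run it as HOST_PORT=3001 ./juice_shop.sh up and browse to that port instead.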
Getting Started
Once you have completed the prerequisites and have everything up and running, head over to the challenges page to look at the list of available challenges. Your goal is to solve as many challenges as you can and achieve the top score! Challenge points correspond to the difficulty of the challenge, so if you are new to web hacking it is recommended to begin with the lower-scoring challenges. Challenges have hints associated with them to help you along the way. Happy hacking!
Cheating
- Do not share flags - The goal of the hackathon is to learn about web application security. Sharing flags with others defeats this purpose entirely.
- Reading a solution before trying - OWASP Juice Shop is a popular web application with many write-ups and solutions available on the internet and in its own companion guide linked below. Solutions are okay to use, but make an attempt at the challenge first and turn to them only as a last resort.
- Source code - Juice Shop is meant to be attacked in a "black box" manner, which means you must not look through the source code to find vulnerabilities. Because the application tracks your successful attacks on its challenges, the code must contain checks to verify whether you succeeded, and those checks would give many solutions away immediately.
Resources
OWASP Top Ten
Getting Started with Burp Suite
OWASP Juice Shop Companion Guide
Recommended Tools
Browser
When hacking a web application a good internet browser is mandatory. The emphasis lies on good here, so you do not want to use Internet Explorer. Other than that it is up to your personal preference; Chrome and Firefox both work fine in the author's experience.
Browser Development Toolkits
When choosing a browser to work with you want to pick one with good integrated (or pluggable) developer tooling. Google Chrome and Mozilla Firefox both come with powerful built-in DevTools which you can open via the F12-key.
Penetration Testing Tools
You can solve all challenges just using a browser and the plugins/tools mentioned above. If you are new to web application hacking (or penetration testing in general) this is also the recommended set of tools to start with. In case you have experience with professional pentesting tools, you are free to use those! And you are completely free in your choice, so expensive commercial products are just as fine as open source tools.
Intercepting Proxies
An intercepting proxy is software that sits as a man-in-the-middle between your browser and the application you want to attack. It records all of the HTTP traffic and typically lets you tamper with, replay and fuzz HTTP requests in various ways. These tools come with many attack patterns built in and offer active as well as passive scans that can be scripted or run while you browse the target application. Because the Juice Shop runs over plain HTTP on localhost:3000, you do not need to install the proxy's CA certificate in your browser, which is otherwise required to intercept HTTPS traffic.
Two popular options are OWASP ZAP and Burp Suite.
Pentesting Linux Distributions
Instead of installing a tool such as ZAP or Burp on your computer, why not take it, add several hundred other offensive security tools, and put them all into a ready-to-use Linux distribution? Enter Kali Linux and similar toolboxes!
Collaboration
Conversation and collaboration are encouraged within the rules associated with the event. Softrams is utilizing Discord for collaboration for this event.
- Join the Softrams Security Discord Server.
Need Help?
If you require assistance please reach out in the Softrams Security Discord.