So you want to play a CTF with WrongSecrets? This is the place to read all about it. Our CTF setup makes use of the Juice Shop CTF CLI extension, which you can read all about here.
The difference between Juice Shop and WrongSecrets is that WrongSecrets is more of a secrets-hunter game. This means that your contestants will try to find the CTF key itself soon after solving a few challenges. That is why we separate the actual container for which the CTF scores are generated from the container in which the challenges live.
You can see this practice already in our repository: our standard Dockerfile does not contain any CTF entries, while our Heroku Dockerfile.web does contain them. So make sure you host your actual scoring Dockerfile.web at a place where your contestants cannot enter the container (or image) in order to extract the CTF key.
There are 3 flavors of CTF to be set up: Docker/Heroku, K8S, and Cloud based.
When doing a Docker or Heroku based CTF, you can follow the instructions in the readme. If you want to use your own CTF key, you can build a container with the following arguments: CTF_ENABLED=true,HINTS_ENABLED=false,CTF_KEY=<YOURNEWKEYHERE>. Just make sure you provide the same key to juice-shop-ctf when you run it.
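The step that most often goes wrong here is handing a different key to the scoring image than to juice-shop-ctf, which silently produces flags that never validate. The following script is an added example, not code from the WrongSecrets project: it generates one key, derives the build arguments from the page, writes a juice-shop-ctf config file, and refuses to continue unless both sides carry the identical key. It assumes that Dockerfile.web accepts CTF_ENABLED, HINTS_ENABLED and CTF_KEY as build arguments, that juice-shop-ctf reads a YAML config with the keys ctfFramework, juiceShopUrl and ctfKey (check the juice-shop-ctf README for your version), and that the image tag wrongsecrets-ctf-scoring and the output name ctf-challenges.zip are placeholders of your choosing. The docker and juice-shop-ctf commands are only printed, so you can review them before running.

```shell
#!/bin/sh
# Added example (not WrongSecrets project code): keep the CTF key consistent
# between the scoring image build and the juice-shop-ctf run.
set -eu

# Generate a random 32-hex-character key from /dev/urandom (no openssl needed).
generate_ctf_key() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# The build arguments named on the page, as a docker build argument string.
# Assumption: Dockerfile.web declares these as ARGs.
build_args_for() {
  printf '%s' "--build-arg CTF_ENABLED=true --build-arg HINTS_ENABLED=false --build-arg CTF_KEY=$1"
}

# Write a config file for juice-shop-ctf. Assumption: the CLI's --config file
# uses these YAML keys; CTFd is one of the frameworks it exports for.
write_ctf_config() {
  key=$1; url=$2; out=$3
  cat > "$out" <<EOF
ctfFramework: CTFd
juiceShopUrl: ${url}
ctfKey: ${key}
insertHints: none
insertHintUrls: none
insertHintSnippets: none
EOF
}

# Consistency check: the key in the config must equal the key used for the build.
keys_match() {
  key=$1; cfg=$2
  cfg_key=$(sed -n 's/^ctfKey: //p' "$cfg")
  [ "$cfg_key" = "$key" ]
}

main() {
  key=$(generate_ctf_key)
  cfg=$(mktemp)
  write_ctf_config "$key" "http://localhost:8080" "$cfg"
  if ! keys_match "$key" "$cfg"; then
    echo "CTF key in $cfg does not match the build key; aborting" >&2
    exit 1
  fi
  # Dry run: print the commands instead of executing them. Drop the leading
  # "echo" once you have reviewed them. Placeholder names: wrongsecrets-ctf-scoring,
  # ctf-challenges.zip.
  echo "docker build -f Dockerfile.web $(build_args_for "$key") -t wrongsecrets-ctf-scoring ."
  echo "juice-shop-ctf --config $cfg --output ctf-challenges.zip"
  echo "(key written to $cfg; keep this file off the challenge host)"
}

main
```

Because the scoring image is built from the key and juice-shop-ctf derives the flags from the same key, any later rotation has to redo both steps; rerunning the script with a fresh key and rebuilding is the simplest way to invalidate flags copied from a previous event.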
Want to make it a little more exciting? Override the Dockerfile with your preferred values, so that copying from online hosted solutions no longer works!
TODO as #OWASP#372