Unveiling Dojo v2: Our new CTF and realistic challenge-building framework

February 7, 2024

Welcome to a new era for our CTF training platform Dojo.

Designed for a broad spectrum of cybersecurity enthusiasts, from Bug Bounty hunters to CTF champions, the latest iteration of Dojo is set to enhance the experience of creating and engaging with security challenges. With extended support for popular server-side programming languages like PHP, Python and Java, Dojo is your indispensable partner for mastering cybersecurity skills.

What's new in Dojo v2?

We've rolled out a host of new features, designed to enhance your user experience and encourage greater participation:

  • Enhanced user interface: A user-friendly environment and easier navigation.
  • Account registration: A streamlined registration process for quicker access.
  • Expanded support for back-end vulnerabilities: Greater flexibility in crafting challenges.
  • Access to community-driven challenges: Engage with challenges created by the community.

Redefining the challenge experience

The Challenges section offers a more intuitive navigation system coupled with several useful new features.

You can now create challenges in a wider array of programming languages, including PHP, Python, Node.js and HTML, and choose the client-side rendering style that best suits your challenge. This flexibility is essential for designing realistic and engaging cybersecurity puzzles.

Mastering vulnerabilities through hands-on training

Our training section, accessible from the homepage, provides an in-depth exploration of various vulnerabilities. For instance, learn about Cross-Site Scripting (XSS) vulnerabilities, their underlying mechanics, and how different programming languages can influence their exploitation.

These practical exercises offer a hands-on approach to mastering the finding and exploitation of vulnerabilities. They also feature challenges that mimic common protection mechanisms.

Dojo: The perfect place to start!

Understanding how things work 'under the hood' is the most crucial aspect of hacking. Dojo offers a unique ability to see in real-time the effects of your actions and attempted attacks, allowing you to understand what you're trying to achieve rather than blindly attacking.

Combined with quick tips, clear explanations and code snippets, this makes Dojo an excellent launchpad for budding bug hunters.

Crafting your first challenge in Dojo v2

Creating a challenge is now more intuitive and flexible. Start by setting up custom configurations and secrets with our startup code feature. Steps:

1. Navigate to CHALLENGES on the Dojo page and click on CREATE A CHALLENGE.

2. Fill in the challenge details, select the runner and click on CREATE.

3. Customise your challenge on the new page with various options.


4. Write the code to your challenge in the CODE tab.

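<?php
// Temporary file that will hold the submitted code
$saveCode = '/tmp/code.php';

// URL-decode the value and save it to the temporary file
$code = urldecode('$output');
file_put_contents($saveCode, $code);

// Execute the saved file
include($saveCode);
?>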


5. Fine-tune your filters and test their impact on inputs.

6. If you click on a filter in the WAF tab, you can modify the properties of that filter in the INSPECT tab.

7. Test inputs in real-time and enhance challenge complexity with your added filters.


8. Congratulations, you have just created your first Dojo challenge!

Solving your first challenge in Dojo v2

Let's start with our very first Dojo v2 challenge: Command injection in Python - CWE-78. In this challenge our goal is to escape the system command nslookup, which is run through the Python function os.popen(...), and open the file flag.txt placed in the current folder.

We can see that our input is first URL-encoded by the WAF (Web application firewall). The input is then inserted into the Python variable hostname, which is filtered one more time using a short blacklist. The blacklist will stop the code and print [x] That's malicious! if our input contains any of the following characters: ;, | or $.

Now that we have a good understanding of how the code works and what filters are in place, we can start solving the challenge.

However, you are welcome to solve the challenge yourself without a walk-through and return to this article when you have solved it.

To test the WAF, we can simply make an input containing any of the characters the WAF is looking for and see the result:

Now we will instead use a valid value that the application expects to receive from the client:

The blacklist blocks several ways of escaping the nslookup system command in the Python function os.popen(), but that doesn't mean it's completely safe. We can bypass the blacklist and WAF by using &&, which allows a Unix system (a Linux system in this case) to first execute the nslookup command and then execute our injected system command. We will run the system command ls -an to check whether the flag file is in the folder we're located in.

Success! We were able to execute our own system command using && and we can see that the file flag.txt is within the same folder we are currently working in. Now we open the flag and solve the challenge!

Congrats! You have just earned your first flag and successfully solved the challenge "Command injection in Python - CWE-78".
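Why the blacklist in this walk-through fails, and what a fix looks like, as an added example (not the challenge's or YesWeHack's own code). The function names and sample inputs are constructed for illustration, and hostname is assumed to be already URL-decoded.

```python
import re
import subprocess

# Characters rejected by the challenge's blacklist, as listed in the walk-through.
BLACKLIST = (";", "|", "$")


def blacklist_allows(hostname: str) -> bool:
    """Reconstruction of the deny-list check: reject only if a listed character appears."""
    return not any(ch in hostname for ch in BLACKLIST)


# Allow-list instead: DNS labels made of letters, digits and inner hyphens.
# A leading hyphen is refused, so the value can never be read as an option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_hostname(hostname: str) -> bool:
    """Accept only strings that are entirely a syntactically valid hostname."""
    return len(hostname) <= 253 and _HOSTNAME.fullmatch(hostname) is not None


def lookup_argv(hostname: str) -> list[str]:
    """Build the argument vector; the hostname stays one argument, never shell text."""
    if not is_valid_hostname(hostname):
        raise ValueError("not a valid hostname")
    return ["nslookup", hostname]


def safe_lookup(hostname: str, timeout: float = 5.0) -> str:
    """Run nslookup without a shell, so && and similar operators have no meaning."""
    result = subprocess.run(lookup_argv(hostname), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


# Constructed sample inputs, including the value used in the walk-through.
SAMPLES = ["example.com", "example.com && ls -an",
           "example.com; ls -an", "-example.com"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:26} blacklist passes={blacklist_allows(value)!s:5} "
              f"allow-list passes={is_valid_hostname(value)}")
```

The deny-list lets the && input through because it only enumerates three characters; the allow-list plus an argument list removes the shell from the picture instead of trying to enumerate its syntax.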

Monthly DOJO challenges: A chance to shine

Every month, YesWeHack releases a new CTF-type challenge. This allows you to elevate your skills, compete with peers and earn rewards! Here's what you can expect when you manage to solve a Dojo challenge and submit a report:

Moreover, each challenge is an opportunity to showcase your skills and learn new ones!

Conclusion

The new Dojo platform offers a much better experience when creating challenges thanks to the new user interface and ability to choose from a wider range of programming languages, as well as the client-side rendering mode.

It therefore provides the opportunity to create more interesting challenges and a superior user experience for both creators and participants. The limitations are all but gone, and nothing will now stop you from creating even better challenges. We look forward to seeing the challenges that will now be created by the community.

If you are interested in creating your own monthly challenge for our hunters to tackle, feel free to contact us. We would love to hear your idea!