AI and Cybersecurity: Creating Engaging CTF Challenges
This is for students that is passionate about making applications for CTFs and do not know where to start. (Or fellow security nerds that just wants to learn more!)
BLOG
5/10/20246 min read
As stated in the description of this blog, I want to share what services and solutions I am using to be able to host my tasks. I hope that this will reach out to eager students or fellow security researchers, wanting to host CTF tasks or other apps exposed to the internet in a not complex way.
To begin with, let us take a look at how the AI CTF tasks are hosted here on my main domain! Hostinger has made web hosting easy, and so is the designing of the website. It has simple "drag and drop" functions and a neat GUI to help me make it as pretty as I want it to be. I have not really used any of their AI functions as I like to do most of my work myself, but I guess it can be useful. But thanks to Hostinger for making hosting tasks as simple as it is! (´♡‿♡`)
The AIs
Hostinger and embedded javascript
Style and colours
(But I am not going to take too much credit for my work, the images are of course AI created with DALLE 3. I have intermediate knowledge about illustration and art, but not nearly as good enough to be pretty to watch)
Using Hostingers pre-made objects is nice for making simple blog posts and websites, but when you want to make something more advanced, you have to go over to something a little more complicated than drag & drop.. A concept that scared me for a while, until I realized that it is actually simple HTML, CSS and JS. (◐ω◑ )
The way the "embeded code" box works, its basically a tiny website you have on top of your website! (That is at least how I like to look at it). Here is a tiny embeded code box so you can try it out yourself!
I like to use VS code to design and create the logic for the front end, as it is easier to do simple tweaking and test live. I spend plenty of time making it look and feel nice, work with the size I want it to be on my website, and of course I kindly ask GPT every now and then to help me fill the knowledge gap I miss because I have only had basic programming at my university. This is a lot of fun and you learn a lot doing this. You also get absolute freedom to make fun and interesting apps for users to play around with! Like the wordlist generator tool Simulacra you can find on my website. (That is currently a work in progress).
I like to use VS code to design and create the logic for the front end, as it is easier to do simple tweaking and test live. I spend plenty of time making it look and feel nice, work with the size I want it to be on my website, and of course I kindly ask GPT every now and then to help me fill the knowledge gap I miss because I have only had basic programming at my university. This is a lot of fun and you learn a lot doing this. You also get absolute freedom to make fun and interesting apps for users to play around with! Like the wordlist generator tool Simulacra you can find on my website. (That is currently a work in progress).
Pythonanywhere is a wonderful tool created by Resolver systems. If you are comfortable with python and Flask, then this is a good tool to host your projects on the internet. I personally like using it to test demo projects, but mostly host API endpoints.
I orchestrate my applications with Flask blueprints, which makes it easy for me to get back to in the future and perform basic CRUD (Create, read, update and delete) operations. It is easy to implements new apps as I can simply copy another one and use it as a template, read the code as it is easy to find within the blueprints, update one by going to the corresponding file or delete one from blueprints.
You can make a free user and host apps, but I personally pay a little because I have a handful of processes that requires a little CPU power. Link to the website:
Pythonanywhere backend
Prompts and OpenAI APIs
Lets take a look at how the adorable and not the best secret keeper Roboraptor! And how she was works in the backend! Making AI applications is not too difficult. Its a typical case of "Once you have 1 working, you'll be able to set up plenty more" as you can use the first one as a base template.
There is a couple of things I had to consider when I was making her:
Token consumption. Hosting AI through OpenAIs API is not free, and having them waste tokens because of the lack of restrictions and poor prompting can be expensive. This needs to be specified on the backend to stop roboraptor from making too long replies, but also needs to be restricted on the user side to avoid them sending to large prompts. On the image next to this you can see a result where I let OpenAI consume as many tokens as it wanted... If the players bypassed my js frontend check, the Flask application would simply shave away anyting after the first 100 bytes.
Her personality. Personality, this is the funniest part as you can really dig into "character creation". When I made roboraptor, I wanted her to be curious, cute, but also hate humans, which would make an interesting dynamic when speaking to her. The Crypto bank employee is cold and hostile, and the Zero day broker replies in code to be "edgy".
The flag must be hidden in the prompt, and a golden rule is that the more context the AI has to deal with, the higher is the change of accidentally sharing the flag. So the total prompt must be small. In a previous AI CTF I made, I even split the flag up into multiple parts to make sure not everything got shared at once, but of course someone managed to trick it to print all parts of the flag within one prompt. ╮(╯∀╰)╭
Rate limiting. I trust that the players will be kind and not make my backend kneel because of a fuzzer... But I take no chances! I implemented a basic check on the front-end to make users only could send a new message each 5 second.
The functions itself are written as Python Flask code. If this is something you do not know too well, I highly recommend that you watch a couple of videos on how it works and write a basic application for yourself! It is not too difficult to learn and really enables you to make simple applications to play around with.
Example JSON hosted through an API:
When the backend API is done and it returns the reply generated by OpenAI, then simply fetch the result with Javascript and print the result for the user!
This is a basic overview of how the process works. If you want a more in depth info, feel free to send me a mail or a message on Linkedin! (ᵔ.ᵔ)
People I talk to about this is often worried about the cost of hosting their own AIs because of the running API cost. In total, the whole CTF did cost me 65 nok (Or 5.99 dollars), which is not too much considering the 8 000 + unique requests and the 1.2 million tokens that were used during the CTF. But of course I had a cap on 20 dollar activated just in case something went wrong.
