ctfd-solve-webhook-plugin is a CTFd plugin for calling a webhook when a challenge is solved. HTTP GET requests are used.
In addition, the repository provides predefined webhooks which can be set up separately and called from the CTFd plugin.
| Identifier | Purpose |
|---|---|
mattermost |
Sends Mattermost messages to a specified channel. |
They can be changed either by setting up some environment variables or using the plugin webpage which is available after installing the plugin. The latter can be accessed by clicking the "Plugins" button in the admin panel and selecting "Solve Webhook" from the dropdown list.
The configuration is composed of the following aspects:
| Description | Environment variable | Type | Scope | Mandatory | UI editable |
|---|---|---|---|---|---|
| URL of the webhook | SOLVE_WEBHOOK_URL |
String representing a URL | CTFd plugin | Yes | Yes |
| Maximum number of players for which the webhook is called | SOLVE_WEBHOOK_LIMIT |
String representing an integer | CTFd plugin | No | Yes |
| Boolean indicating if the Mattermost sender is a user (with incoming webhooks) or a bot | MATTERMOST_WEBHOOK_IS_BOT |
0 (false) or 1 (true) |
Mattermost webhook | Yes | No |
| Mtttermost bot token | MATTERMOST_WEKHOOK_BOT_TOKEN |
String | Mattermost webhook | If a bot is used | No |
| Mattermost API Posts URL (if bot) or incoming webhook URL | MATTERMOST_WEBHOOK_URL |
String representing a URL | Mattermost webhook | Yes | No |
| Mattermost channel ID in which the messages will be sent | MATTERMOST_WEBHOOK_CHANNEL |
String | Mattermost webhook | Yes | No |
| Mattermost username from which the messages will be sent | MATTERMOST_WEBHOOK_USERNAME |
String | Mattermost webhook | No | No |
| Icon accompanying each Mattermost message | MATTERMOST_WEBHOOK_ICON_EMOJI |
String | Mattermost webhook | No | No |
| Custom authentication token for the Mattermost webhook | MATTERMOST_WEBHOOK_AUTH_TOKEN |
String | Mattermost webhook | Yes | No |
All approaches described below require the repository to be cloned locally.
- Change the configuration aspects in
docker-compose.yaml. At leastSOLVE_WEBHOOK_URLshould be populated with a URL, as it is empty by default. - Run
docker-compose --profile ctfd up --build --detachfrom the root of this repository. - Optionally, you can see the logs of all services by using
docker-compose logs --follow.
- Copy the entire
solve-webhook-pluginfolder in<ctfd_installation_path>/CTFd/plugins/, where<ctfd_installation_path>is the path in which you have installed CTFd. - If you have privileges on the system in which the CTFd instance is installed, set up the environment variables . Otherwise, access the
- Change the configuration aspects specific to the webhook in
docker-compose.yaml. - Run
docker-compose --profile <webhook_id> up --build --detachfrom the root of this repository, where<webhook_id>is the identifier of the plugin as mentioned in the above table.
- Enter the
webhooks/<webhook_id>folder, where<webhook_id>is the identifier of the plugin, as mentioned in the above table. - Change the value of each
ENV. Use the above table with configuration aspects to understand what values should be set. - Use the
Dockerfileand accompanying file from the folder in your usual process for setting up the infrastructure.
The requests that the webhooks receive are defined in a Swagger file, swagger.yaml. To visualize it, you can use an online editor or Visual Studio Code extension.
At the moment, the single way to authenticate the plugin to a webhook is by leveraging the GET parameters.
For example, if you are creating a custom webhook (hosted at <your_url>), populate SOLVE_WEBHOOK_URL with <your_url>/?token=<auth_token> and implement a logic in the webhook to verify if the token parameter is set and has the value <auth_token>.