Connecting to Hosted CTFd Challenges

Background

Our infrastructure automatically encrypts all communication to a challenge service and uses well known ports (23, 80, and 443).

Because typical tools like netcat provide no forms of encryption, you will need to use a seperate tool to connect to TCP based challenges on our infrastructure. However, if the underlying application is a web server, you can simply open the URL in a browser and it will work seamlessly (e.g. https://demo-challenge.chals.io).

If you wish to use netcat, you can also “Request a TCP Port” for your Hosted CTFd challenge by following the instructions here.


How to Connect

Below is a summary of the various ways that we recommend connecting.

snicat

We recommend using our snicat (sc) tool. Installation instructions are provided at the aforementioned link and snicat can be downloaded for Mac, Linux, and Windows.

snicat is designed to be very similar to netcat whilst providing vanity urls and encrypted connections.

For example:

❯ sc demo-challenge.chals.io
(connected to demo-challenge.chals.io:443 and reading from stdin)
...

You do not have to provide any information besides the domain name.

netcat

If your challenge service has a TCP port allocated, you can directly connect to it using software like netcat or PuTTY if you’re using Windows.

For netcat you can do something like:

❯ nc server.cloud.chals.io 45678
...

For PuTTY, you can configure PuTTY to use “Raw” mode under “Connection Type” and then provide the hostname and port. For example:

  • Hostname: server.cloud.chals.io
  • Port: 45678

pwntools

In addition, the very popular pwntools already supports connecting to SNI based services. You can use the remote function and provide the sni parameter as shown below:

from pwn import *

remote("demo-challenge.chals.io", 443, ssl=True, sni="demo-challenge.chals.io")

snicat proxy

snicat also has the ability to act as a reverse proxy to the underlying SNI server. For example:

❯ sc -bind 0.0.0.0:12345 demo-challenge.chals.io
[listening] demo-challenge.chals.io:443 <= 0.0.0.0:12345

At this point the local port 12345 is now listening and forwarding connections to demo-challenge.chals.io. Users can then connect to the 12345 port with netcat:

nc localhost 12345
[connect] localhost:57087 => demo-challenge.chals.io:443

netcat proxy

Instead of providing a direct connection to a challenge, we’ve created a fallback proxy service that allows netcat to connect to challenge service without having to request a TCP port. If you must use netcat, connect to cloud.chals.io on port 23 and then enter in the target hostname.

❯ nc cloud.chals.io 23
Host: demo-challenge.chals.io
...

openssl

You can also use openssl to connect to an SNI service as described in the snicat README. It is a little wordy but it’ll work in a pinch.

For example:

openssl s_client -connect demo-challenge.chals.io:443 -servername demo-challenge.chals.io -quiet

snicat (python)

We’re also providing a simple Python port of snicat. It’s designed to have no external dependencies and be simple to audit and read. It’s a single file that’s less than 50 lines!

For example:

python3 snicat.py demo-challenge.chals.io 443
...