switch to direct ctfd communication for the dojo command

Author: zardus

docker-compose.yml

@@ -159,24 +159,10 @@ services:
         condition: service_started
       cache:
         condition: service_started
-      dojo-socket:
-        condition: service_started
-
-  dojo-socket:
-    container_name: dojo-socket
-    profiles:
-      - main
-    hostname: dojo-socket
-    build: ./dojo-socket
-    restart: always
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - /data/dojo-command:/var/run/dojo-command
-    healthcheck:
-      test: ["CMD", "test", "-S", "/var/run/dojo-command/socket"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
+    networks:
+      default:
+      workspace_net:
+        ipv4_address: 10.0.0.2
 
   db:
     container_name: db

dojo-socket/Dockerfile

@@ -90,7 +90,6 @@ fi
 mkdir -p /data/workspace/nix
 mkdir -p /data/workspacefs/bin
 mkdir -p /data/ctfd-ipython
-mkdir -p /data/dojo-command
 
 mkdir -p /data/homes
 if [ "$(findmnt -n -o FSTYPE /data/homes)" != "btrfs" ] && [ "$(findmnt -n -o FSTYPE /data)" != "btrfs" ]; then
@@ -148,6 +147,7 @@ iptables -I DOCKER-USER -i workspace_net -j DROP
 for host in $(cat /opt/pwn.college/user_firewall.allowed); do
     iptables -I DOCKER-USER -i workspace_net -d $(host $host | awk '{print $NF; exit}') -j ACCEPT
 done
+iptables -I DOCKER-USER -i workspace_net -s 10.0.0.0/8 -d 10.0.0.2 -m conntrack --ctstate NEW -j ACCEPT
 iptables -I DOCKER-USER -i workspace_net -s 10.0.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
 iptables -I DOCKER-USER -i workspace_net -d 10.0.0.0/8 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 iptables -I DOCKER-USER -i workspace_net -s 192.168.42.0/24 -m conntrack --ctstate NEW -j ACCEPT

dojo-socket/dojo-socket-service.py

@@ -122,12 +122,6 @@ def start_container(docker_client, user, as_user, user_mounts, dojo_challenge, p
             read_only=True,
             propagation="slave",
         ),
-        docker.types.Mount(
-            "/run/dojo/socket",
-            f"{HOST_DATA_PATH}/dojo-command/socket",
-            "bind",
-            read_only=True,
-        ),
         *user_mounts,
     ]
 
@@ -172,6 +166,7 @@ def start_container(docker_client, user, as_user, user_mounts, dojo_challenge, p
             "challenge.localhost": "127.0.0.1",
             "hacker.localhost": "127.0.0.1",
             "dojo-user": user_ipv4(user),
+            "ctfd": "10.0.0.2",
             **USER_FIREWALL_ALLOWED,
         },
         init=True,

dojo/dojo-init

@@ -16,16 +16,16 @@
 )
 
 
-def authenticate_container(auth_code):
-    if not auth_code:
-        return None, ({"success": False, "error": "Missing auth_code"}, 400)
+def authenticate_container(auth_token):
+    if not auth_token:
+        return None, ({"success": False, "error": "Missing auth_token"}, 400)
 
     docker_client = docker.DockerClient(base_url="unix://var/run/docker.sock")
 
     container = None
     try:
         for c in docker_client.containers.list():
-            if c.labels.get("dojo.auth_token") == auth_code:
+            if c.labels.get("dojo.auth_token") == auth_token:
                 container = c
                 break
     except Exception as e:
@@ -52,13 +52,13 @@ def authenticate_container(auth_code):
 class IntegrationSolve(Resource):
     def post(self):
         data = request.get_json()
-        auth_code = data.get("auth_code")
+        auth_token = data.get("auth_token") or data.get("auth_code")  # Support both for backward compatibility
         submission = data.get("submission")
 
         if not submission:
             return {"success": False, "error": "Missing submission"}, 400
 
-        auth_result, error_response = authenticate_container(auth_code)
+        auth_result, error_response = authenticate_container(auth_token)
         if error_response:
             return error_response
 

dojo_plugin/api/v1/docker.py

@@ -15,31 +15,26 @@ def test_integrations_solve_endpoint(example_dojo, random_user):
 
     response = requests.post(
         f"{DOJO_URL}/pwncollege_api/v1/integrations/solve",
-        json={"auth_code": auth_token, "submission": flag}
+        json={"auth_token": auth_token, "submission": flag}
     )
     assert response.status_code == 200
     assert response.json()["status"] == "solved"
 
     response = requests.post(
         f"{DOJO_URL}/pwncollege_api/v1/integrations/solve",
-        json={"auth_code": auth_token, "submission": flag}
+        json={"auth_token": auth_token, "submission": flag}
     )
     assert response.status_code == 200
     assert response.json()["status"] == "already_solved"
 
 
 def test_dojo_command_files(example_dojo, random_user):
-    """Test that socket has correct permissions"""
     uid, session = random_user
     start_challenge(example_dojo, "hello", "apple", session=session)
 
     result = workspace_run("ls -la /run/dojo/bin/dojo", user=uid)
     assert result.returncode == 0, f"dojo command should exist, got {result.stderr}"
 
-    result = workspace_run("ls -la /run/dojo/socket", user=uid)
-    assert result.returncode == 0, f"Socket should exist, got {result.stderr}"
-    assert "srw" in result.stdout, f"Expected socket file, got {result.stdout}"
-
 
 def test_dojo_command_submit(random_user, example_dojo):
     uid, session = random_user

dojo_plugin/api/v1/integrations.py

@@ -1,41 +1,18 @@
 { pkgs }:
 
-# This creates the /run/dojo/bin/dojo command available in user containers
-# The command communicates with the socket service running in the CTFd container
 pkgs.writeScriptBin "dojo" ''
   #!${pkgs.python3}/bin/python3
 
-  import socket
   import json
   import sys
   import os
-  import struct
   import argparse
+  import urllib.request
+  import urllib.error
   
-  SOCKET_PATH = "/run/dojo/socket"
-  
-  def send_message(sock, data):
-      sock.sendall(struct.pack("!I", len(data)) + data)
-      
-  def recv_message(sock):
-      length_data = sock.recv(4)
-      if len(length_data) != 4:
-          return None
-      length = struct.unpack("!I", length_data)[0]
-      
-      data = b""
-      while len(data) < length:
-          chunk = sock.recv(min(length - len(data), 4096))
-          if not chunk:
-              return None
-          data += chunk
-      return data
+  CTFD_URL = "http://ctfd:8000"
   
   def submit_flag(flag):
-      if not os.path.exists(SOCKET_PATH):
-          print("Error: Dojo socket not available. Are you running this inside a challenge container?")
-          return 1
-          
       if int(open("/run/dojo/sys/workspace/privileged").read()):
           print("Error: workspace is in practice mode. Flag submission disabled.")
           return 1
@@ -46,39 +23,40 @@ pkgs.writeScriptBin "dojo" ''
           return 1
           
       try:
-          sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-          sock.connect(SOCKET_PATH)
-          
-          request = {
-              "command": "submit_flag",
+          request_data = {
               "auth_token": auth_token,
-              "flag": flag
+              "submission": flag
           }
           
-          send_message(sock, json.dumps(request).encode())
-          response_data = recv_message(sock)
+          req = urllib.request.Request(
+              f"{CTFD_URL}/pwncollege_api/v1/integrations/solve",
+              data=json.dumps(request_data).encode(),
+              headers={"Content-Type": "application/json"}
+          )
           
-          if not response_data:
-              print("Error: No response from server")
-              return 1
-              
-          response = json.loads(response_data.decode())
+          response = urllib.request.urlopen(req, timeout=10)
+          result = json.loads(response.read().decode())
           
-          if response.get("success"):
-              print(f"✓ {response.get('message', 'Flag submitted successfully!')}")
+          if response.status == 200:
+              if result.get("status") == "already_solved":
+                  print("✓ You already solved this challenge!")
+              else:
+                  print("✓ Congratulations! Flag accepted!")
               return 0
           else:
-              print(f"✗ {response.get('message', 'Unknown error')}")
+              print(f"✗ {result.get('message', result.get('status', 'Flag submission failed'))}")
               return 1
               
-      except socket.error as e:
-          print(f"Error: Unable to connect to dojo service: {e}")
+      except urllib.error.HTTPError as e:
+          result = json.loads(e.read().decode())
+          print(f"✗ {result.get('message', result.get('status', 'Flag submission failed'))}")
+          return 1
+      except urllib.error.URLError as e:
+          print(f"Error: Unable to connect to CTFd service: {e}")
           return 1
       except Exception as e:
           print(f"Error: {e}")
           return 1
-      finally:
-          sock.close()
   
   def main():
       parser = argparse.ArgumentParser(