https://github.com/ory/defcon-30-ctf
- Host: GitHub
- URL: https://github.com/ory/defcon-30-ctf
- Owner: ory
- License: apache-2.0
- Created: 2022-08-04T08:38:56.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2025-03-12T16:19:35.000Z (over 1 year ago)
- Last Synced: 2025-08-05T05:44:00.244Z (11 months ago)
- Language: Go
- Homepage: https://defcon.getory.io/
- Size: 2.62 MB
- Stars: 19
- Watchers: 8
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
README
# Capture The Flag // Voting Village // Def Con 30
Welcome to the github.com/ory CTF at DEF CON 30! Explore a vulnerable, open-source digital election system and capture the flag!
Join the [community slack](https://slack.ory.sh) or have a look at the video summary:
[Ory Capture The Flag Interactive Summary](https://www.youtube.com/watch?v=Mx8LNRndsO8)
## Targets
This challenge runs five services. They mock a basic election system used by **authenticated** users (election workers) to submit their voting districts' results. This is not a service for voters. However, anyone can sign up and see the results that have already been submitted.
The services are all open source:
- [Ory Oathkeeper](https://github.com/ory/oathkeeper): reverse proxy for all other services
- [Ory Kratos](https://github.com/ory/kratos): authentication and session management
- [Ory Keto](https://github.com/ory/keto): authorization and access control
- Backend (this repo): the actual election system backend
- Postgres: the database
The target of this CTF is the **backend** service. Vulnerabilities found in the open source **Ory Oathkeeper**, **Ory Kratos**, and **Ory Keto** projects can be reported through our [bug bounty program](https://hackerone.com/ory_corp) and earn bounties between 100$ (low) and 3,000$ (critical). On top of that, we will add another 100$ for any submission made during DEF CON 30 after you have talked to us in person at the Voting Machine village.
## Running Locally
Open source also means you can investigate the services locally.
You'll need to have Docker installed and this repository checked out to start the challenge:
```bash
$ git clone https://github.com/ory/defcon-30-ctf.git
$ cd defcon-30-ctf
$ docker compose up -d --build --force-recreate
```
Once the services are running, you are able to access them at:
```
http://localhost:5050
```