Coding Agents Guide - Sky-Sec Inventory CTF Project
This document provides guidance for coding agents working on the Sky-Sec İç Ağ Envanter Sistemi CTF challenge, a medium-difficulty Capture The Flag educational project.
Project Overview
This is a multi-language CTF project consisting of:
- Python TCP Socket Server with intentional SQL injection vulnerability
- Golang CLI Client with hardcoded encryption for reverse engineering
- MySQL Database with inventory and secret vault tables
- Docker deployment for easy setup and distribution
Project Structure
skysec-inventory/
├── server/
│ ├── requirements.txt # Python dependencies
│ ├── server.py # TCP server with MySQL integration
│ ├── setup_db.py # Database initialization script
│ └── docker-compose.yml # MySQL and Server deployment
├── client/
│ ├── main.go # Golang CLI application
│ └── go.mod # Go module definition
└── solution/
└── solver.py # Reference exploit script
Build/Lint/Test Commands
Python Server Development
# Create and activate virtual environment
python3 -m venv venv
source venv/bin/activate # Linux/Mac
# venv\Scripts\activate # Windows
# Install dependencies
pip install -r server/requirements.txt
# Run database setup
python server/setup_db.py
# Start server (port 1337 by default)
python server/server.py
# Run with Docker
docker-compose -f server/docker-compose.yml up -d
Golang Client Development
# Initialize Go module (if not exists)
cd client && go mod init skysec-client
# Build client binary
go build -o skysec_client main.go
# Build statically linked binary for distribution
go build -ldflags "-s -w" -o skysec_client main.go
# Cross-compile for different platforms
GOOS=linux GOARCH=amd64 go build -o skysec_client_linux main.go
GOOS=windows GOARCH=amd64 go build -o skysec_client.exe main.go
# Format code
go fmt ./...
# Vet code for common issues
go vet ./...
# Test compilation
go build -v ./...
Testing Commands
# Test server connectivity
python solution/solver.py
# Test client connection
./client/skysec_client -h 127.0.0.1 -p 1337
# Test database queries directly
mysql -u root -p -e "USE skysec_inventory; SELECT * FROM inventory;"
# Validate Docker deployment
docker ps | grep skysec
docker logs skysec-mysql
docker logs skysec-server
Code Style Guidelines
Python Server Standards
# Import order: standard library, third-party, local
import socket
import base64
import mysql.connector
from threading import Thread
# Function naming: snake_case
def decode_xor_message(encrypted_data: str) -> str:
"""Decode Base64 and XOR decrypt message."""
pass
# Constants: UPPER_SNAKE_CASE
XOR_KEY = "SkY_S3c_P4ssW0rd_99"
DEFAULT_PORT = 1337
# Intentional vulnerability comments
def execute_read_command(user_input):
# INTENTIONAL VULNERABILITY: String concatenation for SQL injection
query = f"SELECT details FROM inventory WHERE id = '{user_input}' AND status = 'public'"
return execute_query(query)
Golang Client Standards
// Package and import organization
package main
import (
"encoding/base64"
"flag"
"fmt"
"net"
"bufio"
"os"
)
// Constants: PascalCase for exported, camelCase for unexported
const XORKey = "SkY_S3c_P4ssW0rd_99" // Hardcoded for reverse engineering
const defaultPort = "1337"
// Function naming: PascalCase for exported, camelCase for unexported
func encryptMessage(message string) string {
// XOR encryption implementation
encrypted := make([]byte, len(message))
key := []byte(XORKey)
for i, b := range []byte(message) {
encrypted[i] = b ^ key[i%len(key)]
}
return base64.StdEncoding.EncodeToString(encrypted)
}
// Error handling patterns
func connectToServer(host, port string) (net.Conn, error) {
conn, err := net.Dial("tcp", host+":"+port)
if err != nil {
return nil, fmt.Errorf("failed to connect to %s:%s: %v", host, port, err)
}
return conn, nil
}
MySQL Database Standards
-- Table naming: snake_case
-- Column naming: snake_case
-- Comments for educational context
CREATE TABLE IF NOT EXISTS inventory (
id INT AUTO_INCREMENT PRIMARY KEY,
item_name VARCHAR(255) NOT NULL,
details TEXT,
status VARCHAR(50) DEFAULT 'public',
INDEX idx_status (status)
);
-- Intentional data for CTF challenge
INSERT INTO inventory (item_name, details, status) VALUES
('Router-A', 'Cisco 2901 - IP: 10.0.0.1', 'public'),
('Switch-Core', 'HP ProCurve - IP: 10.0.0.2', 'public'),
('Firewall-Ext', 'Palo Alto - IP: 192.168.1.1', 'private');
Naming Conventions
Files and Directories
- Python files: snake_case (
server.py,setup_db.py) - Go files: snake_case (
main.go) - Directories: kebab-case (
skysec-inventory,docker-compose)
Variables and Functions
- Python: snake_case (
xor_key,handle_client_connection) - Go: camelCase for unexported, PascalCase for exported
- SQL: snake_case for tables and columns
Constants
- All languages: UPPER_SNAKE_CASE (
XOR_KEY,DEFAULT_PORT)
Error Handling Patterns
Python Server
try:
result = mysql_cursor.execute(query)
return format_response(result)
except mysql.connector.Error as e:
if e.errno == 1064: # Syntax error - give hint to CTF player
return "EMS Error: Internal processing failure (Code: 1064)"
else:
return "EMS Error: Database connection failed"
except Exception as e:
logging.error(f"Unexpected error: {e}")
return "EMS Error: Internal server error"
Golang Client
if err != nil {
fmt.Fprintf(os.Stderr, "Error: %v\n", err)
os.Exit(1)
}
// Graceful connection handling
defer func() {
if conn != nil {
conn.Close()
}
}()
Security Guidelines (CTF Context)
Intentional Vulnerabilities
⚠️ This project contains deliberate security flaws for educational purposes:
- SQL Injection: Use string concatenation, NOT prepared statements
- Hardcoded Secrets: XOR key must be easily discoverable
- Weak Encryption: Simple XOR + Base64 for reverse engineering
Implementation Requirements
# CORRECT (Vulnerable) Implementation
query = f"SELECT details FROM inventory WHERE id = '{user_input}' AND status = 'public'"
# WRONG (Secure) Implementation - DO NOT USE
cursor.execute("SELECT details FROM inventory WHERE id = %s AND status = 'public'", (user_input,))
WAF Bypass Patterns
Implement filtering that can be bypassed:
- Block spaces (bypassable with
/**/) - Block
UNIONandSELECTkeywords - Force Boolean-based blind SQL injection
Testing and Validation
Integration Testing Workflow
- Start MySQL database via Docker
- Run database setup script to populate tables
- Start Python TCP server on port 1337
- Test Golang client connects and encrypts properly
- Validate SQL injection vulnerability works as intended
- Test intended solution path with solver script
Quality Assurance
- Python code follows PEP 8 standards
- Go code passes
go vetandgo fmt - All intentional vulnerabilities documented with comments
- Docker deployment tested on clean system
- Binary reverse engineering path validated
Documentation Requirements
Code Comments
# Turkish/English comments for maintainability
def handle_read_command(self, user_input: str) -> str:
"""
Handle 'read <id>' command with intentional SQL injection vulnerability.
INTENTIONAL VULNERABILITY: Uses string concatenation instead of
parameterized queries to enable CTF exploitation.
Args:
user_input: User-provided ID parameter (potentially malicious)
Returns:
Query results or error message
"""
README Requirements
Each component should include:
- Setup instructions
- Usage examples
- Dependency requirements
- Educational context explanation
Remember: This is an educational CTF project. Maintain intentional vulnerabilities while following clean code practices for everything else. The goal is teachable, exploitable code that demonstrates real-world security issues.