cyberhub-pracenv 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 yoitzmochi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,102 @@
+# CyberHub Practice Environment (`cyberhub-pracenv`)
+
+A beginner-friendly, **fully terminal-based** cybersecurity (CTF) practice
+platform in the ICOA terminal style. Everything happens inside one interactive
+shell: browse challenges, read prompts, download attached files, and submit
+flags — no web browser, no separate commands.
+
+## Install
+
+```bash
+npm install -g cyberhub-pracenv@latest
+```
+
+Or install from a local clone:
+
+```bash
+git clone <this-repo> cyberhub-pracenv
+cd cyberhub-pracenv
+npm install
+npm install -g .
+```
+
+## Run
+
+```bash
+cyberhub-pracenv      # or the short alias: chpe
+```
+
+You'll see a welcome screen — **press Enter** to drop into the platform shell.
+Type `help` at any time to see every command.
+
+## What you can do
+
+| Command | Description |
+| --- | --- |
+| `challenges` (`ls`) | List all available challenges |
+| `open <id>` | View a challenge: prompt, points, attached files |
+| `files <id>` | List files attached to a challenge |
+| `cat <id> <file>` | Print an attached file's contents |
+| `get <id> <file>` | Copy an attached file into your launch directory |
+| `submit <id> <flag>` | Submit a flag to solve a challenge |
+| `stats` (`whoami`) | Your full user breakdown (points, rank, progress) |
+| `admin` | Unlock admin mode (asks for the admin password) |
+| `help` | Show all commands |
+| `exit` (`quit`) | Leave the platform |
+
+### Admin (admin mode only)
+
+| Command | Description |
+| --- | --- |
+| `upload` | Wizard that creates a new challenge `.yml` |
+| `addfile <id> <path>` | Attach a file from disk to an existing challenge |
+| `rmchallenge <id>` | Delete a challenge and its files |
+| `passwd` | Change the admin password |
+| `logout` | Leave admin mode |
+
+The **default admin password is `admin`** — change it with `passwd` after your
+first login.
+
+## Challenge format
+
+Challenges are plain `.yml` files (created by the `upload` wizard or by hand):
+
+```yaml
+id: web-101
+title: Cookie Monster
+category: web
+difficulty: easy
+points: 100
+description: |
+  Multi-line prompt describing the challenge.
+flag: CHPE{example_flag}
+files:
+  - cookies.txt
+```
+
+## Where data lives
+
+All state is local to your machine, under:
+
+```
+~/.cyberhub-pracenv/
+  config.json            # admin password hash + settings
+  profile.json           # your local profile (points, solved challenges)
+  challenges/<id>.yml    # challenge definitions
+  files/<id>/<file>      # files attached to challenges
+```
+
+Three sample challenges (`web-101`, `crypto-101`, `forensics-101`) are seeded on
+first run.
+
+## Development
+
+```bash
+npm install
+npm test          # runs the node:test suite
+npm start         # run without a global install
+```
+
+## License
+
+MIT

package/bin/cyberhub.js

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+'use strict';
+
+// Entry point for the `cyberhub-pracenv` (alias `chpe`) global command.
+// Keep this thin: delegate everything to src/app.js so the binary stays a launcher.
+
+const { main } = require('../src/app');
+
+main(process.argv.slice(2)).catch((err) => {
+  console.error('Fatal error:', err && err.stack ? err.stack : err);
+  process.exit(1);
+});

package/data/challenges/crypto-101.yml

@@ -0,0 +1,16 @@
+id: crypto-101
+title: Caesar's Secret
+category: crypto
+difficulty: easy
+points: 100
+description: |
+  Intercepted transmission, encrypted with a classic rotation cipher.
+
+  The attached file (message.txt) contains ciphertext that has been shifted by
+  a fixed number of letters (a Caesar cipher). Recover the plaintext to reveal
+  the flag.
+
+  Hint: there are only 25 shifts to try.
+flag: CHPE{rotation_is_not_encryption}
+files:
+  - message.txt

package/data/challenges/files/crypto-101/message.txt

@@ -0,0 +1,5 @@
+Intercepted transmission (Caesar cipher, unknown shift):
+
+Gur synt vf PUCR{ebgngvba_vf_abg_rapelcgvba}
+
+-- end of transmission --

package/data/challenges/files/forensics-101/access.log

@@ -0,0 +1,7 @@
+10.0.0.5 - - [24/Jun/2026:09:11:02 +0000] "GET /index.html HTTP/1.1" 200 1043
+10.0.0.5 - - [24/Jun/2026:09:11:03 +0000] "GET /style.css HTTP/1.1" 200 512
+10.0.0.9 - - [24/Jun/2026:09:12:44 +0000] "POST /login HTTP/1.1" 302 0
+10.0.0.9 - - [24/Jun/2026:09:12:45 +0000] "GET /dashboard HTTP/1.1" 200 8841
+192.168.1.7 - - [24/Jun/2026:09:13:10 +0000] "GET /search?q=CHPE{grep_is_your_friend} HTTP/1.1" 200 233
+10.0.0.5 - - [24/Jun/2026:09:13:55 +0000] "GET /favicon.ico HTTP/1.1" 404 199
+10.0.0.12 - - [24/Jun/2026:09:14:21 +0000] "GET /robots.txt HTTP/1.1" 200 64

package/data/challenges/files/web-101/cookies.txt

@@ -0,0 +1,11 @@
+HTTP/1.1 302 Found
+Date: Tue, 24 Jun 2026 14:03:11 GMT
+Server: nginx/1.24.0
+Set-Cookie: session=8f14e45fceea167a5a36dedd4bea2543; Path=/; HttpOnly
+Set-Cookie: role=Z3Vlc3Q=; Path=/
+Set-Cookie: theme=dark; Path=/
+Location: /login?error=1
+
+# Captured during a separate session, an admin response also set:
+#   Set-Cookie: role=Q0hQRXtjMDBraWVzX2FyZV9ub3RfZm9yX2F1dGh9; Path=/
+# The "role" cookie is just base64. Decode the admin value to get the flag.

package/data/challenges/forensics-101.yml

@@ -0,0 +1,14 @@
+id: forensics-101
+title: Hidden in Plain Sight
+category: forensics
+difficulty: easy
+points: 150
+description: |
+  Sometimes the flag is right there if you know where to look.
+
+  The attached log file (access.log) looks like an ordinary web server access
+  log, but a flag has been smuggled into one of the request lines. Scan through
+  it carefully — or use your favourite search tool — to find the CHPE{...} flag.
+flag: CHPE{grep_is_your_friend}
+files:
+  - access.log

package/data/challenges/web-101.yml

@@ -0,0 +1,16 @@
+id: web-101
+title: Cookie Monster
+category: web
+difficulty: easy
+points: 100
+description: |
+  A login page trusts its own cookies a little too much.
+
+  The attached capture (cookies.txt) shows the HTTP response headers from the
+  site after a failed login. One of the cookies looks like it controls whether
+  you are an admin. Decode it and figure out the value the server expects.
+
+  The flag is the decoded admin cookie value, wrapped as CHPE{...}.
+flag: CHPE{c00kies_are_not_for_auth}
+files:
+  - cookies.txt

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "cyberhub-pracenv",
+  "version": "1.0.0",
+  "description": "A beginner-friendly, fully terminal-based cybersecurity (CTF) practice platform in the ICOA terminal style.",
+  "keywords": [
+    "cybersecurity",
+    "ctf",
+    "cli",
+    "terminal",
+    "practice",
+    "education",
+    "icoa"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  },
+  "bin": {
+    "cyberhub-pracenv": "bin/cyberhub.js",
+    "chpe": "bin/cyberhub.js"
+  },
+  "main": "src/app.js",
+  "files": [
+    "bin/",
+    "src/",
+    "data/",
+    "README.md"
+  ],
+  "scripts": {
+    "start": "node bin/cyberhub.js",
+    "test": "node --test"
+  },
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "js-yaml": "^4.1.0"
+  }
+}

package/src/app.js

@@ -0,0 +1,85 @@
+'use strict';
+
+// Top-level orchestration: handle non-interactive flags, initialise the data
+// directory, show the welcome screen (exit by pressing Enter), then drop the
+// user into the in-platform shell.
+
+const readline = require('readline');
+const pkg = require('../package.json');
+const store = require('./store');
+const ui = require('./ui');
+const { createInput } = require('./input');
+const { startRepl } = require('./repl');
+const { c } = ui;
+
+function printVersion() {
+  process.stdout.write(`${pkg.name} v${pkg.version}\n`);
+}
+
+function printHelp() {
+  process.stdout.write(
+    [
+      `${pkg.name} v${pkg.version}`,
+      pkg.description,
+      '',
+      'Usage:',
+      '  cyberhub-pracenv         Launch the interactive platform',
+      '  cyberhub-pracenv --help  Show this help',
+      '  cyberhub-pracenv --version',
+      '',
+      'Once inside, type `help` to see the in-platform commands.',
+      `Default admin password: "${store.DEFAULT_ADMIN_PASSWORD}" (change it with \`passwd\`).`,
+      '',
+    ].join('\n')
+  );
+}
+
+// Build the shared readline interface and install the echo-muting hook used by
+// the masked password prompt.
+function createInterface() {
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+    // Terminal mode only when attached to a real TTY; piping input (tests,
+    // scripts) needs standard line mode so every line is dispatched.
+    terminal: Boolean(process.stdin.isTTY),
+  });
+  rl.stdoutMuted = false;
+  rl._writeToOutput = function _writeToOutput(str) {
+    if (rl.stdoutMuted) return; // suppress echo during password entry
+    rl.output.write(str);
+  };
+  return rl;
+}
+
+async function main(argv = []) {
+  if (argv.includes('--version') || argv.includes('-v')) {
+    printVersion();
+    return;
+  }
+  if (argv.includes('--help') || argv.includes('-h')) {
+    printHelp();
+    return;
+  }
+
+  // Capture the directory the platform was launched from so `get`/`addfile`
+  // resolve relative paths against it.
+  const launchCwd = process.cwd();
+
+  store.init();
+
+  const rl = createInterface();
+  const input = createInput(rl);
+
+  // Welcome screen: any Enter proceeds.
+  process.stdout.write('\x1b[2J\x1b[H'); // clear screen
+  process.stdout.write(ui.welcomeScreen() + '\n');
+  await input.ask('');
+
+  process.stdout.write('\x1b[2J\x1b[H');
+  process.stdout.write(c.title('CyberHub Practice Environment') + '\n\n');
+
+  await startRepl(rl, input, launchCwd);
+}
+
+module.exports = { main };

package/src/auth.js

@@ -0,0 +1,42 @@
+'use strict';
+
+// Admin authentication: scrypt-based password hashing plus a tiny in-memory
+// session flag. The platform has a single local profile; "admin" is a mode you
+// unlock for the current session by entering the admin password.
+
+const crypto = require('crypto');
+
+const KEYLEN = 64;
+
+function hashPassword(password, salt) {
+  const useSalt = salt || crypto.randomBytes(16).toString('hex');
+  const hash = crypto.scryptSync(String(password), useSalt, KEYLEN).toString('hex');
+  return { hash, salt: useSalt };
+}
+
+function verifyPassword(password, expectedHash, salt) {
+  if (!expectedHash || !salt) return false;
+  const { hash } = hashPassword(password, salt);
+  const a = Buffer.from(hash, 'hex');
+  const b = Buffer.from(expectedHash, 'hex');
+  if (a.length !== b.length) return false;
+  return crypto.timingSafeEqual(a, b);
+}
+
+// Per-session admin state.
+let adminUnlocked = false;
+
+function isAdmin() {
+  return adminUnlocked;
+}
+
+function setAdmin(value) {
+  adminUnlocked = Boolean(value);
+}
+
+module.exports = {
+  hashPassword,
+  verifyPassword,
+  isAdmin,
+  setAdmin,
+};