cyberhub-pracenv
v1.2.1
Published
A beginner-friendly, fully terminal-based cybersecurity (CTF) practice platform in the ICOA terminal style.
Maintainers
Readme
CyberHub Practice Environment (cyberhub-pracenv)
A beginner-friendly, fully terminal-based cybersecurity (CTF) practice platform in the ICOA terminal style. Everything happens inside one interactive shell: browse challenges, read prompts, download attached files, and submit flags — no web browser, no separate commands.
Install
npm install -g cyberhub-pracenv@latestOr install from a local clone:
git clone <this-repo> cyberhub-pracenv
cd cyberhub-pracenv
npm install
npm install -g .Run
cyberhub-pracenv # or the short alias: chpeYou'll see a welcome screen — press Enter, then log in or create an
account to enter the platform shell. Type help at any time to see every
command.
Accounts & the global leaderboard
Since v1.2.0 the platform uses online accounts. On launch you're asked to
log in or register with a username and password you choose. Your points
and solved challenges are stored on a shared backend, and the scoreboard
command shows the top 100 users globally.
Heads-up on scores: challenges and their flags live in local YAML files, so the client grades your own submissions and reports the result to the server. The leaderboard is meant as a fun, community board — it is not a cheat-proof competitive ranking.
The platform needs a backend to be configured (see
Backend setup). The admin panel does not require an
account — anyone with the admin password can run admin.
What you can do
| Command | Description |
| --- | --- |
| challenges (ls) | List all available challenges |
| open <id> | View a challenge: prompt, points, attached files |
| files <id> | List files attached to a challenge |
| cat <id> <file> | Print an attached file's contents |
| get <id> <file> | Copy an attached file into your launch directory |
| sh (shell) | Drop to your system shell to use any installed tool; exit returns |
| submit <id> <flag> | Submit a flag to solve a challenge |
| stats (whoami) | Your full user breakdown (points, rank, progress) |
| scoreboard | Global leaderboard — the top 100 users |
| requirements (rq) | Points needed to reach each rank |
| changelog | What changed across versions |
| login / register | Log in to / create an account |
| logout | Log out of your account |
| admin | Unlock admin mode (asks for the admin password) |
| help | Show all commands |
| exit (quit) | Leave the platform |
Admin (admin mode only)
| Command | Description |
| --- | --- |
| upload | Wizard that creates a new challenge .yml |
| addfile <id> <path> | Attach a file from disk to an existing challenge |
| rmchallenge <id> | Delete a challenge and its files |
| passwd | Change the admin password |
The default admin password is admin — change it with passwd. Use
logout to leave admin mode (and your account).
Since v1.2.1 the admin password is stored on the backend, not locally, so it is the same in every environment (e.g. Windows and WSL). Unlocking or changing it therefore requires a network connection. Note this means the admin password is shared across all installs pointed at the same backend.
Solving challenges fully in-terminal
Use get <id> <file> to copy an attached file into your working directory, then
sh to drop into your own shell (cmd.exe on Windows, $SHELL on Linux/WSL) in
that same directory — run python, strings, openssl, binwalk, whatever you
have installed. Type exit to come back to CyberHub and submit the flag.
Backend setup (Supabase)
The online accounts + leaderboard run on a free Supabase project. To stand one up:
Create a Supabase project (free tier).
Open SQL Editor → New query, paste the contents of
supabase/schema.sql, and Run it. This creates theaccountsandadmin_configtables and the locked-down RPC functions (chpe_register/chpe_login/chpe_sync/chpe_leaderboard/chpe_admin_verify/chpe_admin_set). The script is idempotent — re-run it after upgrading to pick up new objects (e.g. the admin functions added in v1.2.1).From Project Settings → API, copy the Project URL and the anon public key.
Point the CLI at them, either via environment variables:
export CHPE_SUPABASE_URL="https://YOUR-PROJECT.supabase.co" export CHPE_SUPABASE_ANON_KEY="your-anon-public-key"…or by baking the defaults into
src/config.jsbefore publishing your own build.
The anon key is safe to ship: Row-Level Security blocks all direct table access,
so that key can only call the four SECURITY DEFINER functions, and password
hashes (bcrypt via pgcrypto) never leave the database.
Challenge format
Challenges are plain .yml files (created by the upload wizard or by hand):
id: web-101
title: Cookie Monster
category: web
difficulty: easy
points: 100
description: |
Multi-line prompt describing the challenge.
flag: CHPE{example_flag}
files:
- cookies.txtWhere data lives
Challenge data and the admin password are local to your machine, under:
~/.cyberhub-pracenv/
config.json # admin password hash + settings
challenges/<id>.yml # challenge definitions
files/<id>/<file> # files attached to challengesUser accounts and the leaderboard are not stored here — they live on the
Supabase backend (see Backend setup). Sample
challenges (web-101, crypto-101, forensics-101, …) are seeded on first run.
Development
npm install
npm test # runs the node:test suite
npm start # run without a global installLicense
MIT
