- Network creation
- Basic network elements
- The procedure for installing configs
- Network management
CTF competitions are firmly entrenched in IT sphere. Finding someone who hasn’t heard of competition for hackers is difficult, and more and more thoughts of the own competition appear. And if good platforms already exist for Task-based competitions, then for Attack / Defense you will have to come up with something more complicated. Sit back – now I will tell you about the experience of organizing such events.
CTF (Capture The Flag) is different. There are two genres: Task-based and Attack / Defense. In the first case, you can play almost “on a piece of paper” – these are ordinary tasks that can be solved or not solved, while your progress does not depend in any way on the actions of other participants. In the second, there is a gaming network where different teams attack and repel each other’s attacks. Of course, Attack / Defense is much more dynamic and interesting, but the organization of such competitions is much more difficult.
For training within our team, I needed to deploy my home Attack / Defense (already on ready-made other people’s services).
For Task-based competitions, the CTFd platform already exists.
Usually all Attack / Defense competitions take place inside a dedicated network. Thanks to this, it becomes several times easier to ensure the operation of the entire infrastructure. Virtual private networks (VPN) will help us in creating a network infrastructure. The leaders of ready-made solutions that allow you to create your own private network are OpenVPN and Wireguard.
Basic network elements
First, we need to decide on the elements that will be in our network.
- The main node is a server to which all devices will be connected to form our network. The important point is that this server must have a “white” IP address.
- Node to connect the players – it will connect to the players for the future of the game. Each team will have its own config, with which players can enter their network.
- A node for a server with services (volnbox) . A volnbox with services will be connected to this node. One of the remarkable things is that such a network construction will allow you to connect a volnbox from your server, and not the organizer’s server – provided that you have the necessary config.
As a result, we will get separate nodes for each of the teams, separate nodes for team vulnboxes (in this situation, we will allow third-party servers to be connected to our network for self-hosting) and a node for the jury.
Vulnbox (vulnbox) – a machine with a certain set of obviously vulnerable services. In CTF, each team receives an identical copy of such machine.
Let’s start our network building with OpenVPN.
In my opinion, this article on Habré is very good for understanding what and how to create your own networks. But below we will analyze what configuration files we need to create.
We have already decided which nodes we will have. Then we can move on to creating configs for our network. To avoid routine work, we will use the already existing open source OVPNGen repository . We also need to install the required dependencies for it to work correctly.
$ git clone https://github.com/pomo-mondreganto/OVPNGen $ pip3 install -r requirements.txt
Let’s look at the available functions of this generator.
$ ./gen.py --help
Let’s take a look at what we have.
serveris needed to specify the main server to which all connections will occur. This parameter is required.
per-teamsay how many custom configs need to be generated within a command (the same number is generated for each command).
- The parameter
teamprescribes to generate a config for the teams,
juryfor the jury, and
vulnfor the vulnboxes.
list specified to choose from.
teams – the number of teams. In this case, we will generate configs for teams 1-N (inclusive).
range – similar to the previous version, however in this case we ourselves indicate with which command for which (inclusive) we will generate configs. And in
list we can indicate all commands separated by commas, with which we will generate configs.
And before we get the configs themselves, let’s analyze the application settings (file config.py):
The last 3 lines will be important. In them, we indicate the ports that will be used to establish a connection to the server. For example, my server has a port range of 31000-33000 open. Then, to set the ports, the following settings will be enough for me:
TEAM_PORT = 31000VULN_PORT = 31100JURY_PORT = 31200
I use a little modified version of this script with support for the protocol TCP. Of course, this will be slower than UDP, but due to some peculiarities of my server, this is the only way the network will work.
Let’s generate the necessary configs for our network. In my case, the server will be ctf.bsuir.by , you should change the address to your own. And let’s say there will be only 4 teams, from the first to the fourth. We will do this as follows:
$ ./gen.py --server ctf.bsuir.by --jury --team --vuln --teams 4
Сonfig generated for 4 teams.
After the generation of configs is complete, we will have a result folder , which contains the jury , server , team and vuln folders . Each of these folders contains the corresponding configuration files. An important clarification will be that there are 3 more folders in the server folder: jury , team , vuln , which also contain configuration files, but already to run them on the server, and not on the client.
The procedure for installing configs
After generating all the configs, we need to install them. You can install the config with the following command:
$ sudo openvpn config.conf
Since I have only one server at my disposal, I will install all server configs on it. For home Attack / Defense, this tactic will work, but if you have a lot more teams and players, then you should think about a more correct distribution of the load.
So, we need to run all the configs from a folder
server on our server. We will talk about detailed configuration (or rather, about network management) a little later.
Of course, any Attack / Defense competition requires a system that will check the serviceability of services, send new flags, take into account the passed flags and display a table of results. ForcAD is a good example of such a system.
The platform is quite young. It can often be seen at competitions from the C4T-BuT-S4D team. The main advantages are the following:
- simple to deploy;
- well documented;
- ready-made sets of services with checkers (verification services) for this jury-system.
The hardest part here is writing configs.
Download project files:
$ git clone https://github.com/pomo-mondreganto/ForcAD
Config for the jury is already exists there backend/config/config.yml. On the basis of which we will write our own.
$ cp config.yml.example config.yml
Let’s start analyzing what was written in the config.
- The admin section is needed in order to access the admin panel during the competition. Obviously, the data is worth changing.
- The global section contains all the parameters that affect the operation of the system:
timezone– specify the time zone (used for the parameter
start_game– needed in order to set the start time of the checkers (the moment at which the system will start working in full force);
round_time– indicate the duration of the round in seconds. The author of the system recommends setting the time depending on the speed of the checkers;
flag_lifetime– the lifetime of the flag in rounds;
checkers_path– way to checkers;
env_path– the way to the environment of checkers;
default_score– the standard number of points for a service, unless otherwise specified for this service.
- In the storages section, the storage of the necessary information for the jury is configured. Don’t forget to change your passwords!
- In the tasks section we will add tasks that our teams will have to cope with:
checker– the path to the checker executable file. It must have the right to run from anywhere;
checker_timeout– after how many times to stop the checker in order to avoid accidental freezes;
checker_type– a special variable for specifying the checker operation mode. I strongly recommend that you familiarize yourself with the documentation in the author’s gita, as it provides several different modes and each has its own characteristics;
gets– the number of flags that the checker will check;
puts– the number of flags that the checker will add to the service;
places… A service can have multiple locations for storing a flag. In this parameter, you can specify the number of such places, then each new flag can be placed in another field;
name– the name of the service, which will be visible on the scoreboard;
default_score– sets the initial number of points for the service.
- Finally, the teams section . Everything is simple: there is
name. In we
ipindicate the address to the command (an important point: it is not necessary to indicate , the checker will not be able to reach the command). An interesting detail that is not listed in the official documentation: we can add highlighting for a command using a parameter . For example, the config for one command will be like this:
127.0.0.1 highlighted teams:
- ip: 10.80.14.2
name: Bulba Hackers
After completion, you should upload the checker files to the folder that you specified in the settings. Now you can proceed to start the system.
$ pip3 install -r requirements.txt# install all the necessary modules # install the config, configure docker # start the system $ sudo ./control.py setup $ sudo ./control.py start --fast
After starting the system, you can open the web interface at the address where the jury was launched (I have
Of the interesting mechanics, the generation of flags and tokens can be distinguished. If in the jury system from Hackerdom there are just flags and you do not need to specify any additional parameters when submitting, then in ForcAD you must additionally specify the command token. To get tokens for each command, you need to write the following:
$ sudo ./control.py print_tokens
WE MANAGE THE NETWORK
During Attack / Defense competitions, there is usually a time when the network is closed, that is, checkers do not start their work and teams cannot visit the services of other teams. All this can be done with the help
iptables, which will require certain knowledge. Fortunately for us, everything is already invented . You can install this miracle of automation with one command:
$ git clone https://github.com/pomo-mondreganto/ad_net_control
As in the previous cases, I am using a slightly modified version due to TCP connections and ports. If you also changed the standard OVPNGen config, then it is worth changing some places in this script.
Since we ran all the server configs on the same machine, exactly one file is enough for us
There are several commands here that set a specific set of rules for our network. Obviously, you need to run this script from the server side. Let’s move on to some commands that will help us configure the network.
init– we use this command when we run all server configs. It will configure all routing on the network. By default, teams are allowed to connect to their own vulnboxes.
open– opens the network, and teams of opponents can visit your services (and you – theirs).
close– closes the network, leaving the right to connect to its own volnboxes.
shutdown– turns off the network (completely). More specifically, it removes the previously selected instruction set for
Example of using teams (if 4 teams participate in our competition):
$ sudo ./net_control.py init --teams 4# after starting all server configs # opens the network # closes the network # turns off the network $ sudo ./net_control.py open --teams 4 $ sudo ./net_control.py close --teams 4 $ sudo ./net_control.py shutdown --teams 4
As you can see, deploying your little Attack / Defense is not a very difficult task. In open source, you can find ready-made services with checkers, scripts for automating routine work, and ready-made jury systems, and I figured out most of the nuances when creating my own home Attack / Defense competition. If you combine all the steps in a checklist, you get the following points:
- Write your own services and checkers for them (or take ready-made ones).
- Raise your network.
- Raise the jury system and set it up.
- Manage the network with a ready-made utility or customize the rules yourself
And all that remains is to enjoy the Attack / Defense CTF.