diff --git a/doc/2011-01-22-CMU/chase.pdf b/doc/2011-01-CMU/chase.pdf similarity index 100% rename from doc/2011-01-22-CMU/chase.pdf rename to doc/2011-01-CMU/chase.pdf diff --git a/doc/2011-01-22-CMU/chase.svg b/doc/2011-01-CMU/chase.svg similarity index 100% rename from doc/2011-01-22-CMU/chase.svg rename to doc/2011-01-CMU/chase.svg diff --git a/doc/2011-01-22-CMU/pacman2.pdf b/doc/2011-01-CMU/pacman2.pdf similarity index 100% rename from doc/2011-01-22-CMU/pacman2.pdf rename to doc/2011-01-CMU/pacman2.pdf diff --git a/doc/2011-01-22-CMU/pacman2.svg b/doc/2011-01-CMU/pacman2.svg similarity index 100% rename from doc/2011-01-22-CMU/pacman2.svg rename to doc/2011-01-CMU/pacman2.svg diff --git a/doc/2011-01-22-CMU/ship.pdf b/doc/2011-01-CMU/ship.pdf similarity index 100% rename from doc/2011-01-22-CMU/ship.pdf rename to doc/2011-01-CMU/ship.pdf diff --git a/doc/2011-01-22-CMU/ship.svg b/doc/2011-01-CMU/ship.svg similarity index 100% rename from doc/2011-01-22-CMU/ship.svg rename to doc/2011-01-CMU/ship.svg diff --git a/doc/2011-02-UNM/chase.pdf b/doc/2011-02-UNM/chase.pdf new file mode 100644 index 0000000..51b959c Binary files /dev/null and b/doc/2011-02-UNM/chase.pdf differ diff --git a/doc/2011-02-UNM/chase.svg b/doc/2011-02-UNM/chase.svg new file mode 100644 index 0000000..393c904 --- /dev/null +++ b/doc/2011-02-UNM/chase.svg @@ -0,0 +1,350 @@ + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5e5e5e205468657265277320616e6f74686572207374657020696e766f6c766564205e5e5e + + + + + + A Computer Security CompetitionPresented by Los Alamos National Laboratory,UNM Computer Science Department Sat, Feb 12, 8AM - 5PMCentennial Engineering CenterRoom 1044 (Stamm Room)University of New Mexico Register by February 4http://dirtbags.net/ctf/ + Capture The Flag 2011 + + 
diff --git a/doc/2011-02-UNM/pacman2.pdf b/doc/2011-02-UNM/pacman2.pdf new file mode 100644 index 0000000..2043a9b Binary files /dev/null and b/doc/2011-02-UNM/pacman2.pdf differ diff --git a/doc/2011-02-UNM/pacman2.svg b/doc/2011-02-UNM/pacman2.svg new file mode 100644 index 0000000..de2fa75 --- /dev/null +++ b/doc/2011-02-UNM/pacman2.svg @@ -0,0 +1,739 @@ + + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5e5e5e204272696e6720796f757220616e7377657220666f7220706f696e747320205e5e5e + + + + + A Computer Security CompetitionPresented by Los Alamos National Laboratory,UNM Computer Science Department Sat, Feb 12, 8AM - 5PMCentennial Engineering CenterRoom 1044 (Stamm Room)University of New Mexico Register by February 4http://dirtbags.net/ctf/ + Capture The Flag 2011 + + diff --git a/doc/2011-02-UNM/ship.pdf b/doc/2011-02-UNM/ship.pdf new file mode 100644 index 0000000..7ec4aeb Binary files /dev/null and b/doc/2011-02-UNM/ship.pdf differ diff --git a/doc/2011-02-UNM/ship.svg b/doc/2011-02-UNM/ship.svg new file mode 100644 index 0000000..3141465 --- /dev/null +++ b/doc/2011-02-UNM/ship.svg @@ -0,0 +1,188 @@ + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + A Computer Security CompetitionPresented by Los Alamos National Laboratory,UNM Computer Science Department Sat, Feb 12, 8AM - 5PMCentennial Engineering CenterRoom 1044 (Stamm Room)University of New Mexico Register by February 4http://dirtbags.net/ctf/ + Capture The Flag 2011 + + + + + + + + + + 5e5e5e5e363a2c3c2277653c60793d663c6e7c2964242e713327716126222236645e5e5e5e + + + diff --git a/doc/problems.txt b/doc/problems.txt index 3f7fd2f..c6a3ffc 100644 --- a/doc/problems.txt +++ b/doc/problems.txt 
@@ -2,23 +2,9 @@ Bugs ==== * claim.cgi not exiting (maybe fixed?) -* tanks/designer.cgi: s/token/team hash/ -* teams.txt: Come up with a better solution to creating this at boot - - -NMT ---- -* Lots of files missing at startup: I really need a new-contest script -* Tanks aren't awarding points (hadn't added tokens to packages) - * put tokencli in tanks package - * all packages ought to work standalone -* scoreboard: 8 points (1,1,3,3) looks incorrectly proportioned, maybe - table height competing with cell height? -* forf manual: describe comments * We need some programs so that we never have to edit .db files directly. I truncated tokens.db with > instead of >>. * Get erin to edit net-re -* reject port 22 from outside of 10.0.0.0/16 Physical @@ -32,3 +18,10 @@ Physical Possibly fixed -------------- * sequence 300; puzzler isn't taking the unicode character right + + +Won't fix +--------- +* tanks/designer.cgi: s/token/team hash/ + "Token" is a good generic term given what forftanks (standalone) does. + If necessary, we can pipe the output of the cgi through sed. diff --git a/doc/todo.txt b/doc/todo.txt index 6380f26..5f43553 100644 --- a/doc/todo.txt +++ b/doc/todo.txt @@ -3,3 +3,6 @@ Things That Need Fixin' * Do something about all the symbolic links in the build tree * Make arc4 global somehow +* put tokencli in tanks package +* all packages ought to work standalone +* teams.txt: Come up with a better solution to creating this at boot diff --git a/doc/tutorial.txt b/doc/tutorial.txt new file mode 100644 index 0000000..e7af3bc --- /dev/null +++ b/doc/tutorial.txt 
@@ -0,0 +1,209 @@ +This is a conversation I had with Aaron about how to run the event. +It occurred on 2010-12-01. + +13:00 hello +13:00 so, are you in as root +13:00 yes +13:00 good man +13:00 runsv /var/service seemed to bring all services up +13:00 have you poked around the hard drive image at all? +13:00 but i do not know if it is the best way +13:00 a little bit +13:00 it's got two partitions +13:00 most of the contest is in var +13:01 /var/lib/ctf +13:01 yeah okay so +13:01 the FAT is mount under /mnt I think +13:01 read-only +13:01 anything in the root of that FS matching *pkg is mounted loopback under /opt +13:02 this is how you cherry-pick packages +13:02 the second FS is ext3 used for ephemeral data +13:02 er, changing anyway +13:02 like scores, what puzzles are open, etc. +13:02 it's all text files +13:02 that's what's mounted under /var/lib/ctf +13:03 /dev/sda2 on /var/lib/ctf type ext2 (rw,relatime,errors=continue) +13:03 ext2 huh +13:03 I must not have given it the -j +13:03 well, whatevs +13:04 so how do the teams work? i see the teams dir in /var/lib/ctf +13:04 yes +13:04 names and colors +13:04 okay so the mcp package is the master server +13:04 /opt/mcp/bin should be in your path +13:04 *** 421 opt/mcp/bin Unknown command +13:04 /opt/mcp/bin should be in your path +13:04 it is +13:04 that contains the "addteam" script +13:04 ahh +13:05 which creates a hash for that team, puts their team name in "teams/names/$hash" and assigns them a color +13:05 I think I gave you a copy of the contest after I was done running it at NMT, so there should be stuff in there. +13:05 the team hash is really a password +13:05 but the passwords are unique +13:06 so teams only ever use the hash anywhere, and nothing needs to be able to handle unicode or escape weird characters +13:06 except the scoreboard. 
+13:07 okay so what else is in there +13:07 in /opt/mcp/bin, might be helpful to look at all utilities in my $PATH +13:08 /opt/mcp/bin # ls +13:08 addteam in.tokend puzzles.cgi scoreboard tokencli +13:08 arc4 pointscli run-ctf teams.sh +13:08 /opt/mcp/bin # ls +13:08 addteam in.tokend puzzles.cgi scoreboard tokencli +13:08 arc4 pointscli run-ctf teams.sh +13:08 sry +13:08 right I'll explain all that +13:08 in.tokend is the thing that hands out tokens +13:09 tokens look like category:xylep-nanob-fudex +13:09 i saw the one for the posters +13:09 just like at defcon +13:09 aha clever boy +13:09 did you figure that out or did you steal it from the image? +13:09 (the hard drive image) +13:10 figured it out. trying to think of what i would do with 3 keys while taking a shower +13:10 anyway in.tokend runs on tcp port 1 and most of the communication is encrypted with a shared rc4 secret +13:10 good man. +13:10 I was hoping you'd get that one. +13:11 puzzles.cgi lists the current open puzzles +13:11 I don't think it runs as a CGI, it generates a static page whenever a puzzle is solved. +13:11 i think. +13:11 yeah +13:11 yes, that's correct. +13:12 scoreboard generates the scoreboard +13:12 it's in awk and it's ugly because it has to correlate a bunch of stuff +13:12 tokencli is a command-line interface to tokend +13:12 you can use it to generate tokens if you want +13:13 although the easier way would be to kill the tokend then edit /var/lib/ctf/tokens.db +13:13 does service==category ? +13:13 not kill, sv down +13:13 yes +13:13 arc4 is just what you'd think it is +13:13 arc4 is a stream cipher and uses the same algorithm to encrypt as it does to decrypt +13:14 pointscli allows you to award points without needing to edit any files. You should use it. +13:14 I accidentally truncated tokens.db at NMT but nobody noticed +13:14 I was able to rebuild the later part of it. +13:15 run-ctf updates the points.db and makes the scoreboard +13:15 teams.sh is not in use. 
+13:15 I decided we had to keep team hashes secret. +13:16 okay, moving on +13:16 /var/lib/ctf/teams/names # run-ctf +13:16 cat: can't open '/var/lib/ctf/teams/colors/d5e3d52e': No such file or directory +13:16 okay first of all run-ctf is already running +13:16 although running it twice shouldn't hurt anything +13:16 alright +13:16 and, yeah, one team decided to merge with another team so I removed their color and renamed them "Phantoms" +13:17 er, maybe I removed their name too +13:17 ok +13:17 anyway that error message is because of a workaround of a busybox bug that I submitted and has now been fixed +13:18 okay what else. +13:18 web pages are /var/www +13:18 puzzles get symlinked into there +13:18 like steg and sequence +13:19 the puzzles themselves live under /opt/steg/ +13:19 or whatnot +13:19 and there you will find anwsers.txt and summary.txt +13:19 which should assist you with assisting folks +13:20 so under http://10.0.0.2/puzzles.html, it lists 4 puzzles... but there are far more on scoreboard +13:20 i know tanks is not under open puzzles +13:20 are there supposed to be more categories that will open up over time? +13:20 right okay +13:20 what I call "puzzles" are the static HTML web page things. +13:21 you look at the web page, maybe download some stuff, and later come back with the "answer" +13:21 which is sent to puzzler.cgi +13:21 which checks it against answers.txt +13:21 and then awards points if you got it right +13:21 also appends to /var/lib/ctf/puzzles.db so you can't get the same points twice +13:22 alright +13:22 everything else up there was a token claim +13:22 so like, tanks connects to tokend, gets a token, and then claims it for you. +13:22 the pwnables just give you the token and you have to claim it yourself +13:23 /var/lib/ctf/claim.db lists what teams have claimed what tokens +13:23 each token is good for one point per team +13:24 so if team A redeemed a token, team B can still redeem that same token. 
+13:24 oh I should mention, sequence 300 may be unsolveable because of how browsers submit unicode. +13:24 I should have it fixed by the time you run but it may still break. +13:25 ok +13:25 so sometimes people say they're usre they have the right answer, and sometimes they're just wrong, but other times there's a bug. +13:25 I *think* I've fixed all the bugs. +13:26 As long as you acknowledge that there was a bug in a timely fashion, people don't seem to get too bent out of shape about it. +13:26 um what else do we need to go over +13:26 isnt crypto a puzzle that belongs on the open puzzles page? +13:26 well, it's not mounted +13:27 I think I mounted that one by hand on day 2. +13:30 ok, so which things should be added on day two? just the rest in /mnt/ctf/disabled? +13:30 you can do that if you want. +13:30 You'll have to play it by ear and watch how far everybody's getting. +13:30 There are a lot of live puzzles in disabled. +13:31 is octopus the same as blooper? +13:31 The pwnables package will come up as 10.0.0.10 if it's not running on the mcp box +13:31 yes it is. +13:31 I put pwnables and octopus on a second box +13:31 ok +13:31 and logger. +13:32 those three ran on their own machine. +13:32 I told people to portscan 10.0.0.0/24 +13:32 you have to tell them that octopus is on UDP 10.0.0.10:8888 because UDP portscans take weeks. +13:33 oh and printf +13:33 I ran printf on the pwnables box +13:33 all the live stuff, other than tanks, I ran there. +13:33 pwnables gives a passwordless telnet login +13:33 and you can guess what happens to that machin. +13:34 it's in a chroot jail so no big damage, but it gets slow. +13:34 to bring up the 2nd box, did you just copy the .pkg files around in and restart the packages service? 
+13:34 ok +13:34 yeah, just clone the thumb drive and select different .pkg files for the top-level +13:34 and boot that way +13:34 unfortunately packages aren't hot-swappable, really +13:34 you'll have to reboot to get new packages +13:34 or read some shell scripts +13:34 ok +13:35 it's all in /var/service/packages +13:35 but I don't think I wrote that to be robust enough to deal with things already being mounted. +13:35 I'll work on it though. +13:35 it would be a nice thing to have. +13:36 I think that's about it! +13:37 I ought to go through the categories +13:37 basemath: for high school kids, learn about different bases +13:37 bletchley: just total weirdness in binary form. A lot like steg. +13:38 codebreaking: for high school kids, mostly monoalphabetic substition ciphers. Would be good for novice teams. +13:38 compaq: malware RE +13:38 crypto: cryptanalysis +13:38 forensics: some of Kevin's stuff. I don't think it even works :< +13:39 hackme: a dumb thing where you have to brute-force URLs to the puzzle system. Seems to really stump people. +13:39 logger: logfile parsing, you netcat to it and get a fire hose of made-up log entries +13:39 mcp: master control program (main server) +13:39 net-re: network RE, set up initially as a tutorial. My pride and joy. +13:39 octopus: blooper +13:40 printf: netcat to it and send it a printf formatting string to examine and manipulate the stack +13:40 pwnables: has three things: +13:40 gimmie: run it and it gives you a token. This seems to take people several hours to script, though. +13:40 killme: prints out a signal number, you have 2 seconds to send it that signal. +13:41 straceme: use strace (which you must first upload and get working) to figure out what the crap it wants +13:41 ltraceme: use ltrace (same deal), craft a new library, and LD_PRELOAD it +13:41 sequence: guess the next number(s) in the sequence +13:42 skynet: more malware RE +13:42 steg: steganography. 
I think this is the most fun one, then bletchley, then net-re +13:42 tanks: you know what tanks is +13:43 tokens: a helper package required by pwnables, tanks, octopus, logger, printf, and others. Just always have it. +13:43 webapp: chash's vulnerable web app. Not sure it works with this framework. +13:44 that's it +13:44 I can't think of anything else to type. +13:45 i can not think of anything else to type +13:45 i should probably to a test run at home +13:45 set it up on multiple computers +13:45 that would be wise. +13:46 see if i can get pwnables and octopus on it's own box +13:46 You'll want to make sure whatever machines you're running this on are able to bring up a network interface +13:46 hardware does not have to be anything powerful, so i have a couple laptops at home +13:46 yeah, pretty much anything should work +13:46 I compiled in every NIC driver Linux had available. +13:47 haha +13:47 and I presume I don't need to tell you how to set up the network. +13:48 I do 10.x.0.0/16 for each team with a DHCP server handing out addresses. +13:48 If you'd like I can provide you with the OpenWRT configuration files to set up a router. +13:48 then you just hook up a managed switch and you're all set. +13:50 for testing you could just turn on every package. +13:52 oh, and it's a good idea to test rebooting it to make sure scores persist +13:52 that requires a partiton with a certain label +13:52 CTF-STATE +13:52 I'll see if I can whip up a shell script to prepare a thumb drive. +> diff --git a/packages/ircd/ircd.mk b/packages/ircd/ircd.mk index 1f3bef0..75d1024 100644 --- a/packages/ircd/ircd.mk +++ b/packages/ircd/ircd.mk 
@@ -1,12 +1,13 @@ IRCD_PKGDIR = $(TARGET)/ircd IRCD_BUILDDIR = $(BUILD)/ircd -IRCD_VERSION = 16 +IRCD_VERSION = 17.1 IRCD_TAR = $(CACHE)/ngircd-$(IRCD_VERSION).tar.gz IRCD_URL = ftp://ftp.berlios.de/pub/ngircd/ngircd-$(IRCD_VERSION).tar.gz IRCD_SRCDIR = $(IRCD_BUILDDIR)/ngircd-$(IRCD_VERSION) # Prevents automake from mangling cross-compiled binary names -IRCD_CONF_OPT := --program-transform-name= +IRCD_CC_HOST := $(shell $(CC) -v 2>&1 | awk '/Target:/{print $$2}') +IRCD_CONF_OPT := --host=i686-unknown-linux-uclibc --program-transform-name= ircd-install: ircd-build @@ -30,7 +31,7 @@ ircd-install: ircd-build mkdir -p $(IRCD_PKGDIR)/bin cp $(IRCD_SRCDIR)/src/ngircd/ngircd $(IRCD_PKGDIR)/bin - $(call COPYTREE, packages/ngircd/service, $(IRCD_PKGDIR)/service) + $(call COPYTREE, packages/ircd/service, $(IRCD_PKGDIR)/service) ircd-clean: rm -rf $(IRCD_BUILDDIR) diff --git a/packages/mcp/bin/new-contest b/packages/mcp/bin/new-contest new file mode 100755 index 0000000..1f56500 --- /dev/null +++ b/packages/mcp/bin/new-contest @@ -0,0 +1,29 @@ +#! /bin/sh + +if [ "$1" -ne "-f" ]; then + echo "Usage: $0 -f" + echo + echo "Wipes out the current contest. This operation is not" + echo "reversable, which is why you have to specify -f to signify" + echo "that you know what you're getting into." + exit +fi + +sv d tokend +sv d pointsd +sv d puzzled +sv d tanksd + +rm -f /var/lib/ctf/tokens.db +rm -f /var/lib/ctf/points.log +rm -f /var/www/scoreboard.html +rm -f /var/lib/ctf/puzzles.db +rm -rf /var/lib/ctf/points.new +rm -rf /var/lib/ctf/points.tmp +rm -rf /var/lib/ctf/tanks +rm -rf /var/lib/ctf/teams + +sv u tokend +sv u pointsd +sv u puzzled +sv u tanksd diff --git a/packages/mcp/service/sshd/finish b/packages/mcp/service/sshd/finish new file mode 100755 index 0000000..6b7b77b --- /dev/null +++ b/packages/mcp/service/sshd/finish @@ -0,0 +1,4 @@ +#! /bin/sh + +iptables -D INPUT -s 10.0.0.0/16 --proto tcp --dport 55 -j ACCEPT +iptables -D INPUT --proto tcp --dport 55 -j REJECT 
diff --git a/packages/mcp/service/sshd/run b/packages/mcp/service/sshd/run index e60e68b..8c10f2e 100755 --- a/packages/mcp/service/sshd/run +++ b/packages/mcp/service/sshd/run @@ -1,4 +1,6 @@ #! /bin/sh exec 2>&1 +iptables -A INPUT -s 10.0.0.0/16 --proto tcp --dport 55 -j ACCEPT +iptables -A INPUT --proto tcp --dport 55 -j REJECT exec dropbear -r ./rsa.key -E -F diff --git a/packages/mcp/www/index.html b/packages/mcp/www/index.html index fdb8d02..2763674 100644 --- a/packages/mcp/www/index.html +++ b/packages/mcp/www/index.html @@ -21,6 +21,8 @@
  • Contest chat + carries important announcements, and sometimes clues and + puzzles.
  • @@ -43,7 +45,8 @@
  • Do not attack machines outside the contest network - (10.x.x.x). + (10.x.x.x). Low ports (under 1024) do not + run contest categories.
  • Consider the contest network hostile. It is up to you to diff --git a/packages/packages.mk b/packages/packages.mk index 261e2b5..2981412 100644 --- a/packages/packages.mk +++ b/packages/packages.mk @@ -7,8 +7,8 @@ endef define STANDARD_PUZZLE t=$(strip $1) -$t-install: $t-stdinstall -$t-stdinstall: +$t-install: $(TARGET)/$t +$(TARGET)/$t: packages/$t mkdir -p $(TARGET)/$t ./mkpuzzles packages/$t $(TARGET)/$t
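Review bot: in the doc/problems.txt hunk, the NMT items "scoreboard: 8 points (1,1,3,3) looks incorrectly proportioned" and "forf manual: describe comments" are deleted outright, while the neighbouring tokencli, standalone-package and teams.txt items are carried over to doc/todo.txt and the designer.cgi item goes to "Won't fix". Nothing in this patch addresses the scoreboard or forf manual items, so either move them to doc/todo.txt as well or add a line explaining why they are closed.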
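Review bot: doc/tutorial.txt is added as a raw chat log with timestamps but no speaker labels, so a reader cannot tell which lines are the author's instructions and which are Aaron's questions (for example the "kill the tokend" line at 13:13 and its correction to "sv down" three lines later). A tutorial would be more useful with the speakers marked and the actionable points pulled into a short list at the top: the CTF-STATE partition label, `sv d`/`sv u` for services, tokend on TCP port 1, octopus on UDP 8888, and the puzzle answer files under /opt/<category>/answers.txt. Several typos in the log ("anwsers.txt", "usre", "machin", "substition", "partiton") would also be worth fixing before shipping it as documentation.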
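Review bot: in packages/ircd/ircd.mk the new `IRCD_CC_HOST := $(shell $(CC) -v 2>&1 | awk '/Target:/{print $$2}')` is computed but never used; the following line hardcodes `--host=i686-unknown-linux-uclibc`. Either reference it, `IRCD_CONF_OPT := --host=$(IRCD_CC_HOST) --program-transform-name=`, so the triplet follows whatever cross compiler is configured, or drop the variable. If it is kept, note that only gcc prints a `Target:` line from `-v`, so an empty result should be guarded before it is handed to configure.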
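Review bot: in packages/mcp/bin/new-contest the guard `if [ "$1" -ne "-f" ]; then` uses the integer comparison `-ne`; with a non-numeric or empty argument `[` reports "integer expression expected" and returns non-zero, so the usage branch is skipped and the script goes straight on to `sv d` and `rm -rf` no matter what was passed. Use the string test `if [ "$1" != "-f" ]; then`, and make the usage branch `exit 1` rather than a bare `exit` so a caller can distinguish "refused" from "wiped". The usage text also misspells "reversible" as "reversable".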
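Review bot: in packages/mcp/service/sshd/run the new rules match `--dport 55`, but the `exec dropbear -r ./rsa.key -E -F` line in the same script passes no `-p` option, so dropbear keeps listening on its default port 22 and the ACCEPT/REJECT pair never applies to the SSH traffic it is meant to restrict (the "reject port 22 from outside of 10.0.0.0/16" item this patch removes from doc/problems.txt). Either add `-p 55` to the dropbear invocation or change both rules, and the matching `-D` lines in sshd/finish, to `--dport 22`. Also consider `-I INPUT` instead of `-A INPUT`: appended rules sit after anything another service has already added, so an earlier blanket ACCEPT would take precedence over the REJECT.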
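Review bot: in packages/packages.mk the rewritten rule `$(TARGET)/$t: packages/$t` makes a directory the only prerequisite, and a directory's mtime changes only when entries are added or removed, not when a file inside it is edited; after the first build, editing an existing puzzle file under packages/$t will not rerun `./mkpuzzles`. Depend on the files instead, e.g. `$(TARGET)/$t: $(shell find packages/$t -type f)`, or have mkpuzzles touch a stamp file that the rule targets. Note too that `mkdir -p $(TARGET)/$t` creates the target before mkpuzzles runs, so if mkpuzzles fails the half-built directory still looks up to date on the next make.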