From c6998920d4a0a7b6127b8f3517d90fedc2b32bbf Mon Sep 17 00:00:00 2001
From: Neale Pickett
Date: Thu, 3 Feb 2011 07:34:12 -0700
Subject: [PATCH] More emergency commit
---
doc/2011-TF3/categories.txt | 15 ++
doc/token-categories.txt | 176 ++++++++++++++++++
packages/logger/service/logger/finish | 4 +
packages/logger/service/logger/ip.txt | 1 +
.../service/octopus-redirect/octopus-redirect | 3 +
packages/octopus/service/octopus-redirect/run | 5 +
packages/octopus/service/octopus/finish | 4 +
packages/octopus/service/octopus/ip.txt | 1 +
packages/printf/service/printf/finish | 4 +
packages/printf/service/printf/ip.txt | 1 +
packages/pwnables/service/pwnables/finish | 4 +
packages/pwnables/service/pwnables/ip.txt | 1 +
12 files changed, 219 insertions(+)
create mode 100644 doc/2011-TF3/categories.txt
create mode 100644 doc/token-categories.txt
create mode 100755 packages/logger/service/logger/finish
create mode 100644 packages/logger/service/logger/ip.txt
create mode 100755 packages/octopus/service/octopus-redirect/octopus-redirect
create mode 100755 packages/octopus/service/octopus-redirect/run
create mode 100755 packages/octopus/service/octopus/finish
create mode 100644 packages/octopus/service/octopus/ip.txt
create mode 100755 packages/printf/service/printf/finish
create mode 100644 packages/printf/service/printf/ip.txt
create mode 100755 packages/pwnables/service/pwnables/finish
create mode 100644 packages/pwnables/service/pwnables/ip.txt
diff --git a/doc/2011-TF3/categories.txt b/doc/2011-TF3/categories.txt
new file mode 100644
index 0000000..cb5401b
--- /dev/null
+++ b/doc/2011-TF3/categories.txt
@@ -0,0 +1,15 @@
+TF3 Categories
+==============
+
+Last year we ran:
+
+ bletchley, compaq, crypto, forensics, hackme, hispaniola, net-re,
+ sequence, skynet, survey, webapp, tanks, badmath, kevin
+
+
+This year we have:
+
+ basemath, bletchley, codebreaking, compaq, crypto, forensics,
+ hackme, logger, net-re, octopus, printf, pwnables, sequence, skynet,
+ steg, tanks, webapp
+
diff --git a/doc/token-categories.txt b/doc/token-categories.txt
new file mode 100644
index 0000000..f5ebcb8
--- /dev/null
+++ b/doc/token-categories.txt
@@ -0,0 +1,176 @@
+LANL CTF Token-Based Categories
+===============================
+
+LANL's CTF contest allows for easy addition of new modules which can use
+"tokens". A token is a character string worth one point in the contest.
+A point may only be claimed once per team, but multiple teams can claim
+the same token and each will get a point. Tokens look like this:
+
+ example:xylep-donut-nanox
+
+Tokens are issued by the token server using the tokencli program at the
+end of this document. They can also be issued before the beginning of a
+contest. If your category allows it, it will be much easier for you to
+simply request a number of tokens before the contest begins, and
+hard-code them into your category.
+
+You will want to arrange that participants get a token after having
+completed some sort of task. In existing categories, tokens are
+frequently what lie beneath some trail of hacking. For instance, one
+program provides a token when the proper printf formatting string is
+provided. Another embeds five tokens into log messages using different
+encodings.
+
+Any machine that you connect to our network will get a wired connection
+and should claim a static IP address on the 10.0.2.0/24 network. While
+it's unlikely you'll conflict with anyone else, be prepared to
+reconfigure it with a new IP on the morning of the event.
+
+If you plan to request tokens, please do so at least 2 weeks before the
+start of the event. I will need to know what you'd like your category
+to be called, and how many tokens you'd like. It's not a problem if you
+don't use all the tokens you request.
+
+Remember that this is a security contest, and contestants will be far
+more engaged with your category if they have to do real work to get the
+tokens. 
For example, a vendor might be tempted to leave tokens lying
+around in configuration boxes to reward people who explore its rich
+configurability, but this would probably result in people clicking
+through the UI as quickly as possible looking only for tokens. Far
+better would be to have the tokens lying under the products
+functionality somewhere, forcing contestants to interact with the
+product like they would in their day to day work after having purchased
+it. A Snort category, for instance, would do well to have tokens within
+packet captures which triggered alarms.
+
+I can't stress that last point enough: constestants have been known to
+spend over 2 hours on a single problem. Don't be afraid to really
+challenge them.
+
+
+
+
+
+
+/* tokencli.c - LANL CTF token client
+Author: Neale Pickett
+
+This program requires an arc4 implementation, email me if you can't find
+one you like.
+
+This also requires a shared 128-bit key. I need the key before you can
+start requesting tokens from the server :)
+
+
+This software has been authored by an employee or employees of Los
+Alamos National Security, LLC, operator of the Los Alamos National
+Laboratory (LANL) under Contract No. DE-AC52-06NA25396 with the
+U.S. Department of Energy. The U.S. Government has rights to use,
+reproduce, and distribute this software. The public may copy,
+distribute, prepare derivative works and publicly display this software
+without charge, provided that this Notice and any statement of
+authorship are reproduced on all copies. Neither the Government nor
+LANS makes any warranty, express or implied, or assumes any liability or
+responsibility for the use of this software. If software is modified to
+produce derivative works, such modified software should be clearly
+marked, so as not to confuse it with the version available from LANL.
+*/
+
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "arc4.h"
+
+/* I don't feel compelled to put all the TCP client code in here
+ * when it's so simple to run this with netcat or ucspi. Plus, using
+ * stdin and stdout makes it simpler to test.
+ */
+
+int
+read_key(char *filename, uint8_t *key, size_t *keylen)
+{
+ int fd = open(filename, O_RDONLY);
+ int len;
+
+ if (-1 == fd) {
+ perror("open");
+ return EX_NOINPUT;
+ }
+
+ len = read(fd, key, *keylen);
+ if (-1 == len) {
+ perror("read");
+ return EX_NOINPUT;
+ }
+ *keylen = (size_t)len;
+
+ return 0;
+}
+
+int
+main(int argc, char *argv[]) {
+ uint8_t skey[200];
+ size_t skeylen = sizeof(skey);
+ char token[200];
+ size_t tokenlen;
+ int ret;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage: %s SERVICE SERVICEKEY 3>TOKENFILE\n", argv[0]);
+ fprintf(stderr, "\n");
+ fprintf(stderr, "SERVICEKEY is a filename.\n");
+ fprintf(stderr, "Server chatter happens over stdin and stdout.\n");
+ fprintf(stderr, "Tokens are written to file descriptor 3.\n");
+ fprintf(stderr, "\n");
+ fprintf(stderr, "To run with netcat:\n");
+ fprintf(stderr, " nc 10.0.0.2 1 -e tokencli cat cat.key 3> tokenfile\n");
+ return EX_USAGE;
+ }
+
+ /* read in keys */
+ ret = read_key(argv[2], skey, &skeylen);
+ if (0 != ret) return ret;
+
+ /* write service name */
+ write(1, argv[1], strlen(argv[1]));
+
+ /* read nonce, send back encrypted version */
+ {
+ uint8_t nonce[80];
+ int noncelen;
+
+ noncelen = read(0, nonce, sizeof(nonce));
+ if (0 >= noncelen) {
+ perror("read");
+ return EX_IOERR;
+ }
+ arc4_crypt_buffer(skey, skeylen, nonce, (size_t)noncelen);
+ write(1, nonce, (size_t)noncelen);
+ }
+
+ /* read token */
+ {
+ int len;
+
+ len = read(0, token, sizeof(token));
+ if (0 >= len) {
+ perror("read");
+ return EX_IOERR;
+ }
+ tokenlen = (size_t)len;
+ }
+
+ /* decrypt it */
+ arc4_crypt_buffer(skey, skeylen, (uint8_t *)token, tokenlen);
+
+ /* write it to fd 3 */
+ write(3, token, tokenlen);
+
+ return 
0;
+}
+
diff --git a/packages/logger/service/logger/finish b/packages/logger/service/logger/finish
new file mode 100755
index 0000000..6317f74
--- /dev/null
+++ b/packages/logger/service/logger/finish
@@ -0,0 +1,4 @@
+#! /bin/sh
+
+IP=$(cat ip.txt)
+ip addr del $IP dev eth0
diff --git a/packages/logger/service/logger/ip.txt b/packages/logger/service/logger/ip.txt
new file mode 100644
index 0000000..b7c75a4
--- /dev/null
+++ b/packages/logger/service/logger/ip.txt
@@ -0,0 +1 @@
+10.0.0.14/24
diff --git a/packages/octopus/service/octopus-redirect/octopus-redirect b/packages/octopus/service/octopus-redirect/octopus-redirect
new file mode 100755
index 0000000..c6f06c6
--- /dev/null
+++ b/packages/octopus/service/octopus-redirect/octopus-redirect
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+echo 'Try UDP.'
diff --git a/packages/octopus/service/octopus-redirect/run b/packages/octopus/service/octopus-redirect/run
new file mode 100755
index 0000000..f404009
--- /dev/null
+++ b/packages/octopus/service/octopus-redirect/run
@@ -0,0 +1,5 @@
+#! /bin/sh -e
+
+IP=$(cat ../octopus/ip.txt)
+sv s octopus >/dev/null || exit 1
+exec tcpsvd ${IP#/*} 8888 ./octopus-redirect
diff --git a/packages/octopus/service/octopus/finish b/packages/octopus/service/octopus/finish
new file mode 100755
index 0000000..6317f74
--- /dev/null
+++ b/packages/octopus/service/octopus/finish
@@ -0,0 +1,4 @@
+#! /bin/sh
+
+IP=$(cat ip.txt)
+ip addr del $IP dev eth0
diff --git a/packages/octopus/service/octopus/ip.txt b/packages/octopus/service/octopus/ip.txt
new file mode 100644
index 0000000..1628247
--- /dev/null
+++ b/packages/octopus/service/octopus/ip.txt
@@ -0,0 +1 @@
+10.0.0.8/24
diff --git a/packages/printf/service/printf/finish b/packages/printf/service/printf/finish
new file mode 100755
index 0000000..6317f74
--- /dev/null
+++ b/packages/printf/service/printf/finish
@@ -0,0 +1,4 @@
+#! /bin/sh
+
+IP=$(cat ip.txt)
+ip addr del $IP dev eth0
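Review bot: In the tokencli.c listing at the end of doc/token-categories.txt, `main` passes the same `skey`/`skeylen` to `arc4_crypt_buffer` for the nonce reply and again for the token; if that helper re-keys on every call (arc4.h is not part of this patch), both messages are covered by an identical keystream, so the nonce and its reply as seen on the wire expose the bytes that protect the token. The header comment should state that limitation, and a per-message key or a cipher state carried across both calls, coordinated with the token server, would remove the reuse. Separately, `read_key` accepts a zero-length read as a valid key and never closes `fd`; `if (len <= 0)` together with a `close(fd)` before each return covers both. The results of the three `write` calls are also ignored, so a run without descriptor 3 open loses the token while the program still exits 0.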
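Review bot: `ip addr del $IP dev eth0` in packages/logger/service/logger/finish uses whatever `cat ip.txt` produced, unquoted and unchecked, so a missing or empty ip.txt turns the command into `ip addr del dev eth0`. Some iproute2 releases may treat that form as a wildcard deletion rather than an error, which would touch other services' addresses on the same interface. A guard before the delete, `[ -n "$IP" ] || exit 0`, and quoting `"$IP"` keep the teardown limited to this service's own address. The identical script (blob 6317f74) is added for octopus, printf and pwnables, so the same change applies there.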
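Review bot: `${IP#/*}` on the `exec tcpsvd` line of packages/octopus/service/octopus-redirect/run strips a leading `/…` prefix, but `../octopus/ip.txt` holds `10.0.0.8/24`, which does not start with `/`, so the expansion leaves the value unchanged and tcpsvd is handed `10.0.0.8/24` as its listen address. Dropping the prefix length needs the suffix form: `exec tcpsvd "${IP%/*}" 8888 ./octopus-redirect`.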
diff --git a/packages/printf/service/printf/ip.txt b/packages/printf/service/printf/ip.txt
new file mode 100644
index 0000000..fb7ede6
--- /dev/null
+++ b/packages/printf/service/printf/ip.txt
@@ -0,0 +1 @@
+10.0.0.91
diff --git a/packages/pwnables/service/pwnables/finish b/packages/pwnables/service/pwnables/finish
new file mode 100755
index 0000000..6317f74
--- /dev/null
+++ b/packages/pwnables/service/pwnables/finish
@@ -0,0 +1,4 @@
+#! /bin/sh
+
+IP=$(cat ip.txt)
+ip addr del $IP dev eth0
diff --git a/packages/pwnables/service/pwnables/ip.txt b/packages/pwnables/service/pwnables/ip.txt
new file mode 100644
index 0000000..2e7cb07
--- /dev/null
+++ b/packages/pwnables/service/pwnables/ip.txt
@@ -0,0 +1 @@
+10.0.0.3/24
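Review bot: `10.0.0.91` in packages/printf/service/printf/ip.txt is the only address in this patch without a prefix length; logger, octopus and pwnables all use the `/24` form. printf/finish passes the value unchanged to `ip addr del $IP dev eth0`, where a bare address is taken as a /32, so the delete may not match if the address was added with /24 by a script outside this patch. Writing `10.0.0.91/24` keeps the four services consistent.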