This is a conversation I had with Aaron about how to run the event. It occurred on 2010-12-01.

13:00 hello
13:00 so, are you in as root
13:00 yes
13:00 good man
13:00 runsv /var/service seemed to bring all services up
13:00 have you poked around the hard drive image at all?
13:00 but i do not know if it is the best way
13:00 a little bit
13:00 it's got two partitions
13:00 most of the contest is in var
13:01 /var/lib/ctf
13:01 yeah okay so
13:01 the FAT is mounted under /mnt I think
13:01 read-only
13:01 anything in the root of that FS matching *pkg is mounted loopback under /opt
13:02 this is how you cherry-pick packages
13:02 the second FS is ext3 used for ephemeral data
13:02 er, changing anyway
13:02 like scores, what puzzles are open, etc.
13:02 it's all text files
13:02 that's what's mounted under /var/lib/ctf
13:03 /dev/sda2 on /var/lib/ctf type ext2 (rw,relatime,errors=continue)
13:03 ext2 huh
13:03 I must not have given it the -j
13:03 well, whatevs
13:04 so how do the teams work? i see the teams dir in /var/lib/ctf
13:04 yes
13:04 names and colors
13:04 okay so the mcp package is the master server
13:04 /opt/mcp/bin should be in your path
13:04 *** 421 opt/mcp/bin Unknown command
13:04 /opt/mcp/bin should be in your path
13:04 it is
13:04 that contains the "addteam" script
13:04 ahh
13:05 which creates a hash for that team, puts their team name in "teams/names/$hash" and assigns them a color
13:05 I think I gave you a copy of the contest after I was done running it at NMT, so there should be stuff in there.
13:05 the team hash is really a password
13:05 but the passwords are unique
13:06 so teams only ever use the hash anywhere, and nothing needs to be able to handle unicode or escape weird characters
13:06 except the scoreboard.
13:07 okay so what else is in there
13:07 in /opt/mcp/bin, might be helpful to look at all utilities in my $PATH
13:08 /opt/mcp/bin # ls
13:08 addteam in.tokend puzzles.cgi scoreboard tokencli
13:08 arc4 pointscli run-ctf teams.sh
13:08 /opt/mcp/bin # ls
13:08 addteam in.tokend puzzles.cgi scoreboard tokencli
13:08 arc4 pointscli run-ctf teams.sh
13:08 sry
13:08 right I'll explain all that
13:08 in.tokend is the thing that hands out tokens
13:09 tokens look like category:xylep-nanob-fudex
13:09 i saw the one for the posters
13:09 just like at defcon
13:09 aha clever boy
13:09 did you figure that out or did you steal it from the image?
13:09 (the hard drive image)
13:10 figured it out. trying to think of what i would do with 3 keys while taking a shower
13:10 anyway in.tokend runs on tcp port 1 and most of the communication is encrypted with a shared rc4 secret
13:10 good man.
13:10 I was hoping you'd get that one.
13:11 puzzles.cgi lists the current open puzzles
13:11 I don't think it runs as a CGI, it generates a static page whenever a puzzle is solved.
13:11 i think.
13:11 yeah
13:11 yes, that's correct.
13:12 scoreboard generates the scoreboard
13:12 it's in awk and it's ugly because it has to correlate a bunch of stuff
13:12 tokencli is a command-line interface to tokend
13:12 you can use it to generate tokens if you want
13:13 although the easier way would be to kill the tokend then edit /var/lib/ctf/tokens.db
13:13 does service==category ?
13:13 not kill, sv down
13:13 yes
13:13 arc4 is just what you'd think it is
13:13 arc4 is a stream cipher and uses the same algorithm to encrypt as it does to decrypt
13:14 pointscli allows you to award points without needing to edit any files. You should use it.
13:14 I accidentally truncated tokens.db at NMT but nobody noticed
13:14 I was able to rebuild the later part of it.
13:15 run-ctf updates the points.db and makes the scoreboard
13:15 teams.sh is not in use.
13:15 I decided we had to keep team hashes secret.
13:16 okay, moving on
13:16 /var/lib/ctf/teams/names # run-ctf
13:16 cat: can't open '/var/lib/ctf/teams/colors/d5e3d52e': No such file or directory
13:16 okay first of all run-ctf is already running
13:16 although running it twice shouldn't hurt anything
13:16 alright
13:16 and, yeah, one team decided to merge with another team so I removed their color and renamed them "Phantoms"
13:17 er, maybe I removed their name too
13:17 ok
13:17 anyway that error message is because of a workaround of a busybox bug that I submitted and has now been fixed
13:18 okay what else.
13:18 web pages are /var/www
13:18 puzzles get symlinked into there
13:18 like steg and sequence
13:19 the puzzles themselves live under /opt/steg/
13:19 or whatnot
13:19 and there you will find answers.txt and summary.txt
13:19 which should assist you with assisting folks
13:20 so under http://10.0.0.2/puzzles.html, it lists 4 puzzles... but there are far more on scoreboard
13:20 i know tanks is not under open puzzles
13:20 are there supposed to be more categories that will open up over time?
13:20 right okay
13:20 what I call "puzzles" are the static HTML web page things.
13:21 you look at the web page, maybe download some stuff, and later come back with the "answer"
13:21 which is sent to puzzler.cgi
13:21 which checks it against answers.txt
13:21 and then awards points if you got it right
13:21 also appends to /var/lib/ctf/puzzles.db so you can't get the same points twice
13:22 alright
13:22 everything else up there was a token claim
13:22 so like, tanks connects to tokend, gets a token, and then claims it for you.
13:22 the pwnables just give you the token and you have to claim it yourself
13:23 /var/lib/ctf/claim.db lists what teams have claimed what tokens
13:23 each token is good for one point per team
13:24 so if team A redeemed a token, team B can still redeem that same token.
13:24 oh I should mention, sequence 300 may be unsolvable because of how browsers submit unicode.
13:24 I should have it fixed by the time you run but it may still break.
13:25 ok
13:25 so sometimes people say they're sure they have the right answer, and sometimes they're just wrong, but other times there's a bug.
13:25 I *think* I've fixed all the bugs.
13:26 As long as you acknowledge that there was a bug in a timely fashion, people don't seem to get too bent out of shape about it.
13:26 um what else do we need to go over
13:26 isn't crypto a puzzle that belongs on the open puzzles page?
13:26 well, it's not mounted
13:27 I think I mounted that one by hand on day 2.
13:30 ok, so which things should be added on day two? just the rest in /mnt/ctf/disabled?
13:30 you can do that if you want.
13:30 You'll have to play it by ear and watch how far everybody's getting.
13:30 There are a lot of live puzzles in disabled.
13:31 is octopus the same as blooper?
13:31 The pwnables package will come up as 10.0.0.10 if it's not running on the mcp box
13:31 yes it is.
13:31 I put pwnables and octopus on a second box
13:31 ok
13:31 and logger.
13:32 those three ran on their own machine.
13:32 I told people to portscan 10.0.0.0/24
13:32 you have to tell them that octopus is on UDP 10.0.0.10:8888 because UDP portscans take weeks.
13:33 oh and printf
13:33 I ran printf on the pwnables box
13:33 all the live stuff, other than tanks, I ran there.
13:33 pwnables gives a passwordless telnet login
13:33 and you can guess what happens to that machine.
13:34 it's in a chroot jail so no big damage, but it gets slow.
13:34 to bring up the 2nd box, did you just copy the .pkg files around in and restart the packages service?
13:34 ok
13:34 yeah, just clone the thumb drive and select different .pkg files for the top-level
13:34 and boot that way
13:34 unfortunately packages aren't hot-swappable, really
13:34 you'll have to reboot to get new packages
13:34 or read some shell scripts
13:34 ok
13:35 it's all in /var/service/packages
13:35 but I don't think I wrote that to be robust enough to deal with things already being mounted.
13:35 I'll work on it though.
13:35 it would be a nice thing to have.
13:36 I think that's about it!
13:37 I ought to go through the categories
13:37 basemath: for high school kids, learn about different bases
13:37 bletchley: just total weirdness in binary form. A lot like steg.
13:38 codebreaking: for high school kids, mostly monoalphabetic substitution ciphers. Would be good for novice teams.
13:38 compaq: malware RE
13:38 crypto: cryptanalysis
13:38 forensics: some of Kevin's stuff. I don't think it even works :<
13:39 hackme: a dumb thing where you have to brute-force URLs to the puzzle system. Seems to really stump people.
13:39 logger: logfile parsing, you netcat to it and get a fire hose of made-up log entries
13:39 mcp: master control program (main server)
13:39 net-re: network RE, set up initially as a tutorial. My pride and joy.
13:39 octopus: blooper
13:40 printf: netcat to it and send it a printf formatting string to examine and manipulate the stack
13:40 pwnables: has three things:
13:40 gimmie: run it and it gives you a token. This seems to take people several hours to script, though.
13:40 killme: prints out a signal number, you have 2 seconds to send it that signal.
13:41 straceme: use strace (which you must first upload and get working) to figure out what the crap it wants
13:41 ltraceme: use ltrace (same deal), craft a new library, and LD_PRELOAD it
13:41 sequence: guess the next number(s) in the sequence
13:42 skynet: more malware RE
13:42 steg: steganography.
I think this is the most fun one, then bletchley, then net-re
13:42 tanks: you know what tanks is
13:43 tokens: a helper package required by pwnables, tanks, octopus, logger, printf, and others. Just always have it.
13:43 webapp: chash's vulnerable web app. Not sure it works with this framework.
13:44 that's it
13:44 I can't think of anything else to type.
13:45 i can not think of anything else to type
13:45 i should probably do a test run at home
13:45 set it up on multiple computers
13:45 that would be wise.
13:46 see if i can get pwnables and octopus on its own box
13:46 You'll want to make sure whatever machines you're running this on are able to bring up a network interface
13:46 hardware does not have to be anything powerful, so i have a couple laptops at home
13:46 yeah, pretty much anything should work
13:46 I compiled in every NIC driver Linux had available.
13:47 haha
13:47 and I presume I don't need to tell you how to set up the network.
13:48 I do 10.x.0.0/16 for each team with a DHCP server handing out addresses.
13:48 If you'd like I can provide you with the OpenWRT configuration files to set up a router.
13:48 then you just hook up a managed switch and you're all set.
13:50 for testing you could just turn on every package.
13:52 oh, and it's a good idea to test rebooting it to make sure scores persist
13:52 that requires a partition with a certain label
13:52 CTF-STATE
13:52 I'll see if I can whip up a shell script to prepare a thumb drive.