mirror of
https://github.com/dirtbags/moth.git
synced 2025-01-13 18:35:09 -07:00
209 lines
12 KiB
Text
This is a conversation I had with Aaron about how to run the event.

It occurred on 2010-12-01.

13:00 <slackish> hello
13:00 <neale> so, are you in as root
13:00 <slackish> yes
13:00 <neale> good man
13:00 <slackish> runsv /var/service seemed to bring all services up
13:00 <neale> have you poked around the hard drive image at all?
13:00 <slackish> but i do not know if it is the best way
13:00 <slackish> a little bit
13:00 <neale> it's got two partitions
13:00 <slackish> most of the contest is in var
13:01 <slackish> /var/lib/ctf
13:01 <neale> yeah okay so
13:01 <neale> the FAT is mounted under /mnt I think
13:01 <neale> read-only
13:01 <neale> anything in the root of that FS matching *pkg is mounted loopback under /opt
13:02 <neale> this is how you cherry-pick packages
13:02 <neale> the second FS is ext3 used for ephemeral data
13:02 <neale> er, changing anyway
13:02 <neale> like scores, what puzzles are open, etc.
13:02 <neale> it's all text files
13:02 <neale> that's what's mounted under /var/lib/ctf
13:03 <slackish> /dev/sda2 on /var/lib/ctf type ext2 (rw,relatime,errors=continue)
13:03 <neale> ext2 huh
13:03 <neale> I must not have given it the -j
13:03 <neale> well, whatevs
13:04 <slackish> so how do the teams work? i see the teams dir in /var/lib/ctf
13:04 <neale> yes
13:04 <slackish> names and colors
13:04 <neale> okay so the mcp package is the master server
13:04 /opt/mcp/bin should be in your path
13:04 *** 421 opt/mcp/bin Unknown command
13:04 <neale> /opt/mcp/bin should be in your path
13:04 <slackish> it is
13:04 <neale> that contains the "addteam" script
13:04 <slackish> ahh
13:05 <neale> which creates a hash for that team, puts their team name in "teams/names/$hash" and assigns them a color
13:05 <neale> I think I gave you a copy of the contest after I was done running it at NMT, so there should be stuff in there.
13:05 <neale> the team hash is really a password
13:05 <neale> but the passwords are unique
13:06 <neale> so teams only ever use the hash anywhere, and nothing needs to be able to handle unicode or escape weird characters
13:06 <neale> except the scoreboard.
13:07 <neale> okay so what else is in there
13:07 <slackish> in /opt/mcp/bin, might be helpful to look at all utilities in my $PATH
13:08 <slackish> /opt/mcp/bin # ls
13:08 <slackish> addteam in.tokend puzzles.cgi scoreboard tokencli
13:08 <slackish> arc4 pointscli run-ctf teams.sh
13:08 <slackish> /opt/mcp/bin # ls
13:08 <slackish> addteam in.tokend puzzles.cgi scoreboard tokencli
13:08 <slackish> arc4 pointscli run-ctf teams.sh
13:08 <slackish> sry
13:08 <neale> right I'll explain all that
13:08 <neale> in.tokend is the thing that hands out tokens
13:09 <neale> tokens look like category:xylep-nanob-fudex
13:09 <slackish> i saw the one for the posters
13:09 <neale> just like at defcon
13:09 <neale> aha clever boy
13:09 <neale> did you figure that out or did you steal it from the image?
13:09 <neale> (the hard drive image)
13:10 <slackish> figured it out. trying to think of what i would do with 3 keys while taking a shower
13:10 <neale> anyway in.tokend runs on tcp port 1 and most of the communication is encrypted with a shared rc4 secret
13:10 <neale> good man.
13:10 <neale> I was hoping you'd get that one.
13:11 <neale> puzzles.cgi lists the current open puzzles
13:11 <neale> I don't think it runs as a CGI, it generates a static page whenever a puzzle is solved.
13:11 <neale> i think.
13:11 <slackish> yeah
13:11 <neale> yes, that's correct.
13:12 <neale> scoreboard generates the scoreboard
13:12 <neale> it's in awk and it's ugly because it has to correlate a bunch of stuff
13:12 <neale> tokencli is a command-line interface to tokend
13:12 <neale> you can use it to generate tokens if you want
13:13 <neale> although the easier way would be to kill the tokend then edit /var/lib/ctf/tokens.db
13:13 <slackish> does service==category ?
13:13 <neale> not kill, sv down
13:13 <neale> yes
13:13 <neale> arc4 is just what you'd think it is
13:13 <neale> arc4 is a stream cipher and uses the same algorithm to encrypt as it does to decrypt
13:14 <neale> pointscli allows you to award points without needing to edit any files. You should use it.
13:14 <neale> I accidentally truncated tokens.db at NMT but nobody noticed
13:14 <neale> I was able to rebuild the later part of it.
13:15 <neale> run-ctf updates the points.db and makes the scoreboard
13:15 <neale> teams.sh is not in use.
13:15 <neale> I decided we had to keep team hashes secret.
13:16 <neale> okay, moving on
13:16 <slackish> /var/lib/ctf/teams/names # run-ctf
13:16 <slackish> cat: can't open '/var/lib/ctf/teams/colors/d5e3d52e': No such file or directory
13:16 <neale> okay first of all run-ctf is already running
13:16 <neale> although running it twice shouldn't hurt anything
13:16 <slackish> alright
13:16 <neale> and, yeah, one team decided to merge with another team so I removed their color and renamed them "Phantoms"
13:17 <neale> er, maybe I removed their name too
13:17 <slackish> ok
13:17 <neale> anyway that error message is because of a workaround of a busybox bug that I submitted and has now been fixed
13:18 <neale> okay what else.
13:18 <neale> web pages are /var/www
13:18 <neale> puzzles get symlinked into there
13:18 <neale> like steg and sequence
13:19 <neale> the puzzles themselves live under /opt/steg/
13:19 <neale> or whatnot
13:19 <neale> and there you will find answers.txt and summary.txt
13:19 <neale> which should assist you with assisting folks
13:20 <slackish> so under http://10.0.0.2/puzzles.html, it lists 4 puzzles... but there are far more on scoreboard
13:20 <slackish> i know tanks is not under open puzzles
13:20 <slackish> are there supposed to be more categories that will open up over time?
13:20 <neale> right okay
13:20 <neale> what I call "puzzles" are the static HTML web page things.
13:21 <neale> you look at the web page, maybe download some stuff, and later come back with the "answer"
13:21 <neale> which is sent to puzzler.cgi
13:21 <neale> which checks it against answers.txt
13:21 <neale> and then awards points if you got it right
13:21 <neale> also appends to /var/lib/ctf/puzzles.db so you can't get the same points twice
13:22 <slackish> alright
13:22 <neale> everything else up there was a token claim
13:22 <neale> so like, tanks connects to tokend, gets a token, and then claims it for you.
13:22 <neale> the pwnables just give you the token and you have to claim it yourself
13:23 <neale> /var/lib/ctf/claim.db lists what teams have claimed what tokens
13:23 <neale> each token is good for one point per team
13:24 <neale> so if team A redeemed a token, team B can still redeem that same token.
13:24 <neale> oh I should mention, sequence 300 may be unsolvable because of how browsers submit unicode.
13:24 <neale> I should have it fixed by the time you run but it may still break.
13:25 <slackish> ok
13:25 <neale> so sometimes people say they're sure they have the right answer, and sometimes they're just wrong, but other times there's a bug.
13:25 <neale> I *think* I've fixed all the bugs.
13:26 <neale> As long as you acknowledge that there was a bug in a timely fashion, people don't seem to get too bent out of shape about it.
13:26 <neale> um what else do we need to go over
13:26 <slackish> isn't crypto a puzzle that belongs on the open puzzles page?
13:26 <neale> well, it's not mounted
13:27 <neale> I think I mounted that one by hand on day 2.
13:30 <slackish> ok, so which things should be added on day two? just the rest in /mnt/ctf/disabled?
13:30 <neale> you can do that if you want.
13:30 <neale> You'll have to play it by ear and watch how far everybody's getting.
13:30 <neale> There are a lot of live puzzles in disabled.
13:31 <slackish> is octopus the same as blooper?
13:31 <neale> The pwnables package will come up as 10.0.0.10 if it's not running on the mcp box
13:31 <neale> yes it is.
13:31 <neale> I put pwnables and octopus on a second box
13:31 <slackish> ok
13:31 <neale> and logger.
13:32 <neale> those three ran on their own machine.
13:32 <neale> I told people to portscan 10.0.0.0/24
13:32 <neale> you have to tell them that octopus is on UDP 10.0.0.10:8888 because UDP portscans take weeks.
13:33 <neale> oh and printf
13:33 <neale> I ran printf on the pwnables box
13:33 <neale> all the live stuff, other than tanks, I ran there.
13:33 <neale> pwnables gives a passwordless telnet login
13:33 <neale> and you can guess what happens to that machine.
13:34 <neale> it's in a chroot jail so no big damage, but it gets slow.
13:34 <slackish> to bring up the 2nd box, did you just copy the .pkg files around in and restart the packages service?
13:34 <slackish> ok
13:34 <neale> yeah, just clone the thumb drive and select different .pkg files for the top-level
13:34 <neale> and boot that way
13:34 <neale> unfortunately packages aren't hot-swappable, really
13:34 <neale> you'll have to reboot to get new packages
13:34 <neale> or read some shell scripts
13:34 <slackish> ok
13:35 <neale> it's all in /var/service/packages
13:35 <neale> but I don't think I wrote that to be robust enough to deal with things already being mounted.
13:35 <neale> I'll work on it though.
13:35 <neale> it would be a nice thing to have.
13:36 <neale> I think that's about it!
13:37 <neale> I ought to go through the categories
13:37 <neale> basemath: for high school kids, learn about different bases
13:37 <neale> bletchley: just total weirdness in binary form. A lot like steg.
13:38 <neale> codebreaking: for high school kids, mostly monoalphabetic substitution ciphers. Would be good for novice teams.
13:38 <neale> compaq: malware RE
13:38 <neale> crypto: cryptanalysis
13:38 <neale> forensics: some of Kevin's stuff. I don't think it even works :<
13:39 <neale> hackme: a dumb thing where you have to brute-force URLs to the puzzle system. Seems to really stump people.
13:39 <neale> logger: logfile parsing, you netcat to it and get a fire hose of made-up log entries
13:39 <neale> mcp: master control program (main server)
13:39 <neale> net-re: network RE, set up initially as a tutorial. My pride and joy.
13:39 <neale> octopus: blooper
13:40 <neale> printf: netcat to it and send it a printf formatting string to examine and manipulate the stack
13:40 <neale> pwnables: has three things:
13:40 <neale> gimmie: run it and it gives you a token. This seems to take people several hours to script, though.
13:40 <neale> killme: prints out a signal number, you have 2 seconds to send it that signal.
13:41 <neale> straceme: use strace (which you must first upload and get working) to figure out what the crap it wants
13:41 <neale> ltraceme: use ltrace (same deal), craft a new library, and LD_PRELOAD it
13:41 <neale> sequence: guess the next number(s) in the sequence
13:42 <neale> skynet: more malware RE
13:42 <neale> steg: steganography. I think this is the most fun one, then bletchley, then net-re
13:42 <neale> tanks: you know what tanks is
13:43 <neale> tokens: a helper package required by pwnables, tanks, octopus, logger, printf, and others. Just always have it.
13:43 <neale> webapp: chash's vulnerable web app. Not sure it works with this framework.
13:44 <neale> that's it
13:44 <neale> I can't think of anything else to type.
13:45 <slackish> i can not think of anything else to type
13:45 <slackish> i should probably do a test run at home
13:45 <slackish> set it up on multiple computers
13:45 <neale> that would be wise.
13:46 <slackish> see if i can get pwnables and octopus on its own box
13:46 <neale> You'll want to make sure whatever machines you're running this on are able to bring up a network interface
13:46 <slackish> hardware does not have to be anything powerful, so i have a couple laptops at home
13:46 <neale> yeah, pretty much anything should work
13:46 <neale> I compiled in every NIC driver Linux had available.
13:47 <slackish> haha
13:47 <neale> and I presume I don't need to tell you how to set up the network.
13:48 <neale> I do 10.x.0.0/16 for each team with a DHCP server handing out addresses.
13:48 <neale> If you'd like I can provide you with the OpenWRT configuration files to set up a router.
13:48 <neale> then you just hook up a managed switch and you're all set.
13:50 <neale> for testing you could just turn on every package.
13:52 <neale> oh, and it's a good idea to test rebooting it to make sure scores persist
13:52 <neale> that requires a partition with a certain label
13:52 <neale> CTF-STATE
13:52 <neale> I'll see if I can whip up a shell script to prepare a thumb drive.