moth/doc/tutorial.txt

210 lines
12 KiB
Plaintext

This is a conversation I had with Aaron about how to run the event.
It occurred on 2010-12-01.
13:00 <slackish> hello
13:00 <neale> so, are you in as root
13:00 <slackish> yes
13:00 <neale> good man
13:00 <slackish> runsv /var/service seemed to bring all services up
13:00 <neale> have you poked around the hard drive image at all?
13:00 <slackish> but i do not know if it is the best way
13:00 <slackish> a little bit
13:00 <neale> it's got two partitions
13:00 <slackish> most of the contest is in var
13:01 <slackish> /var/lib/ctf
13:01 <neale> yeah okay so
13:01 <neale> the FAT is mount under /mnt I think
13:01 <neale> read-only
13:01 <neale> anything in the root of that FS matching *pkg is mounted loopback under /opt
13:02 <neale> this is how you cherry-pick packages
13:02 <neale> the second FS is ext3 used for ephemeral data
13:02 <neale> er, changing anyway
13:02 <neale> like scores, what puzzles are open, etc.
13:02 <neale> it's all text files
13:02 <neale> that's what's mounted under /var/lib/ctf
13:03 <slackish> /dev/sda2 on /var/lib/ctf type ext2 (rw,relatime,errors=continue)
13:03 <neale> ext2 huh
13:03 <neale> I must not have given it the -j
13:03 <neale> well, whatevs
13:04 <slackish> so how do the teams work? i see the teams dir in /var/lib/ctf
13:04 <neale> yes
13:04 <slackish> names and colors
13:04 <neale> okay so the mcp package is the master server
13:04 /opt/mcp/bin should be in your path
13:04 *** 421 opt/mcp/bin Unknown command
13:04 <neale> /opt/mcp/bin should be in your path
13:04 <slackish> it is
13:04 <neale> that contains the "addteam" script
13:04 <slackish> ahh
13:05 <neale> which creates a hash for that team, puts their team name in "teams/names/$hash" and assigns them a color
13:05 <neale> I think I gave you a copy of the contest after I was done running it at NMT, so there should be stuff in there.
13:05 <neale> the team hash is really a password
13:05 <neale> but the passwords are unique
13:06 <neale> so teams only ever use the hash anywhere, and nothing needs to be able to handle unicode or escape weird characters
13:06 <neale> except the scoreboard.
13:07 <neale> okay so what else is in there
13:07 <slackish> in /opt/mcp/bin, might be helpful to look at all utilities in my $PATH
13:08 <slackish> /opt/mcp/bin # ls
13:08 <slackish> addteam in.tokend puzzles.cgi scoreboard tokencli
13:08 <slackish> arc4 pointscli run-ctf teams.sh
13:08 <slackish> /opt/mcp/bin # ls
13:08 <slackish> addteam in.tokend puzzles.cgi scoreboard tokencli
13:08 <slackish> arc4 pointscli run-ctf teams.sh
13:08 <slackish> sry
13:08 <neale> right I'll explain all that
13:08 <neale> in.tokend is the thing that hands out tokens
13:09 <neale> tokens look like category:xylep-nanob-fudex
13:09 <slackish> i saw the one for the posters
13:09 <neale> just like at defcon
13:09 <neale> aha clever boy
13:09 <neale> did you figure that out or did you steal it from the image?
13:09 <neale> (the hard drive image)
13:10 <slackish> figured it out. trying to think of what i would do with 3 keys while taking a shower
13:10 <neale> anyway in.tokend runs on tcp port 1 and most of the communication is encrypted with a shared rc4 secret
13:10 <neale> good man.
13:10 <neale> I was hoping you'd get that one.
13:11 <neale> puzzles.cgi lists the current open puzzles
13:11 <neale> I don't think it runs as a CGI, it generates a static page whenever a puzzle is solved.
13:11 <neale> i think.
13:11 <slackish> yeah
13:11 <neale> yes, that's correct.
13:12 <neale> scoreboard generates the scoreboard
13:12 <neale> it's in awk and it's ugly because it has to correlate a bunch of stuff
13:12 <neale> tokencli is a command-line interface to tokend
13:12 <neale> you can use it to generate tokens if you want
13:13 <neale> although the easier way would be to kill the tokend then edit /var/lib/ctf/tokens.db
13:13 <slackish> does service==category ?
13:13 <neale> not kill, sv down
13:13 <neale> yes
13:13 <neale> arc4 is just what you'd think it is
13:13 <neale> arc4 is a stream cipher and uses the same algorithm to encrypt as it does to decrypt
13:14 <neale> pointscli allows you to award points without needing to edit any files. You should use it.
13:14 <neale> I accidentally truncated tokens.db at NMT but nobody noticed
13:14 <neale> I was able to rebuild the later part of it.
13:15 <neale> run-ctf updates the points.db and makes the scoreboard
13:15 <neale> teams.sh is not in use.
13:15 <neale> I decided we had to keep team hashes secret.
13:16 <neale> okay, moving on
13:16 <slackish> /var/lib/ctf/teams/names # run-ctf
13:16 <slackish> cat: can't open '/var/lib/ctf/teams/colors/d5e3d52e': No such file or directory
13:16 <neale> okay first of all run-ctf is already running
13:16 <neale> although running it twice shouldn't hurt anything
13:16 <slackish> alright
13:16 <neale> and, yeah, one team decided to merge with another team so I removed their color and renamed them "Phantoms"
13:17 <neale> er, maybe I removed their name too
13:17 <slackish> ok
13:17 <neale> anyway that error message is because of a workaround of a busybox bug that I submitted and has now been fixed
13:18 <neale> okay what else.
13:18 <neale> web pages are /var/www
13:18 <neale> puzzles get symlinked into there
13:18 <neale> like steg and sequence
13:19 <neale> the puzzles themselves live under /opt/steg/
13:19 <neale> or whatnot
13:19 <neale> and there you will find anwsers.txt and summary.txt
13:19 <neale> which should assist you with assisting folks
13:20 <slackish> so under http://10.0.0.2/puzzles.html, it lists 4 puzzles... but there are far more on scoreboard
13:20 <slackish> i know tanks is not under open puzzles
13:20 <slackish> are there supposed to be more categories that will open up over time?
13:20 <neale> right okay
13:20 <neale> what I call "puzzles" are the static HTML web page things.
13:21 <neale> you look at the web page, maybe download some stuff, and later come back with the "answer"
13:21 <neale> which is sent to puzzler.cgi
13:21 <neale> which checks it against answers.txt
13:21 <neale> and then awards points if you got it right
13:21 <neale> also appends to /var/lib/ctf/puzzles.db so you can't get the same points twice
13:22 <slackish> alright
13:22 <neale> everything else up there was a token claim
13:22 <neale> so like, tanks connects to tokend, gets a token, and then claims it for you.
13:22 <neale> the pwnables just give you the token and you have to claim it yourself
13:23 <neale> /var/lib/ctf/claim.db lists what teams have claimed what tokens
13:23 <neale> each token is good for one point per team
13:24 <neale> so if team A redeemed a token, team B can still redeem that same token.
13:24 <neale> oh I should mention, sequence 300 may be unsolveable because of how browsers submit unicode.
13:24 <neale> I should have it fixed by the time you run but it may still break.
13:25 <slackish> ok
13:25 <neale> so sometimes people say they're usre they have the right answer, and sometimes they're just wrong, but other times there's a bug.
13:25 <neale> I *think* I've fixed all the bugs.
13:26 <neale> As long as you acknowledge that there was a bug in a timely fashion, people don't seem to get too bent out of shape about it.
13:26 <neale> um what else do we need to go over
13:26 <slackish> isnt crypto a puzzle that belongs on the open puzzles page?
13:26 <neale> well, it's not mounted
13:27 <neale> I think I mounted that one by hand on day 2.
13:30 <slackish> ok, so which things should be added on day two? just the rest in /mnt/ctf/disabled?
13:30 <neale> you can do that if you want.
13:30 <neale> You'll have to play it by ear and watch how far everybody's getting.
13:30 <neale> There are a lot of live puzzles in disabled.
13:31 <slackish> is octopus the same as blooper?
13:31 <neale> The pwnables package will come up as 10.0.0.10 if it's not running on the mcp box
13:31 <neale> yes it is.
13:31 <neale> I put pwnables and octopus on a second box
13:31 <slackish> ok
13:31 <neale> and logger.
13:32 <neale> those three ran on their own machine.
13:32 <neale> I told people to portscan 10.0.0.0/24
13:32 <neale> you have to tell them that octopus is on UDP 10.0.0.10:8888 because UDP portscans take weeks.
13:33 <neale> oh and printf
13:33 <neale> I ran printf on the pwnables box
13:33 <neale> all the live stuff, other than tanks, I ran there.
13:33 <neale> pwnables gives a passwordless telnet login
13:33 <neale> and you can guess what happens to that machin.
13:34 <neale> it's in a chroot jail so no big damage, but it gets slow.
13:34 <slackish> to bring up the 2nd box, did you just copy the .pkg files around in and restart the packages service?
13:34 <slackish> ok
13:34 <neale> yeah, just clone the thumb drive and select different .pkg files for the top-level
13:34 <neale> and boot that way
13:34 <neale> unfortunately packages aren't hot-swappable, really
13:34 <neale> you'll have to reboot to get new packages
13:34 <neale> or read some shell scripts
13:34 <slackish> ok
13:35 <neale> it's all in /var/service/packages
13:35 <neale> but I don't think I wrote that to be robust enough to deal with things already being mounted.
13:35 <neale> I'll work on it though.
13:35 <neale> it would be a nice thing to have.
13:36 <neale> I think that's about it!
13:37 <neale> I ought to go through the categories
13:37 <neale> basemath: for high school kids, learn about different bases
13:37 <neale> bletchley: just total weirdness in binary form. A lot like steg.
13:38 <neale> codebreaking: for high school kids, mostly monoalphabetic substition ciphers. Would be good for novice teams.
13:38 <neale> compaq: malware RE
13:38 <neale> crypto: cryptanalysis
13:38 <neale> forensics: some of Kevin's stuff. I don't think it even works :<
13:39 <neale> hackme: a dumb thing where you have to brute-force URLs to the puzzle system. Seems to really stump people.
13:39 <neale> logger: logfile parsing, you netcat to it and get a fire hose of made-up log entries
13:39 <neale> mcp: master control program (main server)
13:39 <neale> net-re: network RE, set up initially as a tutorial. My pride and joy.
13:39 <neale> octopus: blooper
13:40 <neale> printf: netcat to it and send it a printf formatting string to examine and manipulate the stack
13:40 <neale> pwnables: has three things:
13:40 <neale> gimmie: run it and it gives you a token. This seems to take people several hours to script, though.
13:40 <neale> killme: prints out a signal number, you have 2 seconds to send it that signal.
13:41 <neale> straceme: use strace (which you must first upload and get working) to figure out what the crap it wants
13:41 <neale> ltraceme: use ltrace (same deal), craft a new library, and LD_PRELOAD it
13:41 <neale> sequence: guess the next number(s) in the sequence
13:42 <neale> skynet: more malware RE
13:42 <neale> steg: steganography. I think this is the most fun one, then bletchley, then net-re
13:42 <neale> tanks: you know what tanks is
13:43 <neale> tokens: a helper package required by pwnables, tanks, octopus, logger, printf, and others. Just always have it.
13:43 <neale> webapp: chash's vulnerable web app. Not sure it works with this framework.
13:44 <neale> that's it
13:44 <neale> I can't think of anything else to type.
13:45 <slackish> i can not think of anything else to type
13:45 <slackish> i should probably to a test run at home
13:45 <slackish> set it up on multiple computers
13:45 <neale> that would be wise.
13:46 <slackish> see if i can get pwnables and octopus on it's own box
13:46 <neale> You'll want to make sure whatever machines you're running this on are able to bring up a network interface
13:46 <slackish> hardware does not have to be anything powerful, so i have a couple laptops at home
13:46 <neale> yeah, pretty much anything should work
13:46 <neale> I compiled in every NIC driver Linux had available.
13:47 <slackish> haha
13:47 <neale> and I presume I don't need to tell you how to set up the network.
13:48 <neale> I do 10.x.0.0/16 for each team with a DHCP server handing out addresses.
13:48 <neale> If you'd like I can provide you with the OpenWRT configuration files to set up a router.
13:48 <neale> then you just hook up a managed switch and you're all set.
13:50 <neale> for testing you could just turn on every package.
13:52 <neale> oh, and it's a good idea to test rebooting it to make sure scores persist
13:52 <neale> that requires a partiton with a certain label
13:52 <neale> CTF-STATE
13:52 <neale> I'll see if I can whip up a shell script to prepare a thumb drive.
>