Installation Guide, Production

Vincent edited this page Jun 25, 2018 · 33 revisions

Overview

The FBCTF platform was designed with flexibility in mind, allowing for different types of installations, depending on the needs of the end user. The FBCTF platform can be installed either in Development Mode or Production Mode. Development is for testing and agility, and production is for better performance and is typically used for live events. Production mode utilizes an HHVM web cache, which speeds up processing.

Production Installation

Production is intended for live events utilizing the FBCTF platform. Installation of the production platform can be performed either manually, or by using Docker.

Please note that regardless of the installation method, your VM must have at least 2GB of memory. This is required for the Composer part of the installation.

Regardless of your installation method, ensure the date and time are correct on your base system. This will prevent certificate validation issues when downloading certain packages. Follow the below instructions to force a time update on Ubuntu 16.04:

sudo apt-get install ntp
sudo service ntp stop
sudo ntpd -gq
sudo service ntp start

Manual (Preferred)

Ubuntu 16.04 x64 (Xenial) should first be installed as the hosting system. This is currently the only supported operating system. Ensure that you only install the base system without extras such as LAMP; such extras will cause issues with the FBCTF installation.

Update repositories on the Ubuntu system, to ensure you are getting the latest packages:

sudo apt-get update

Install the git package which will allow you to clone the FBCTF project to your local system:

sudo apt-get install git

Clone the FBCTF project by running the following command. This will create a folder called fbctf in the current directory:

git clone https://github.com/facebook/fbctf

Navigate to the fbctf directory:

cd fbctf

Run the provision script in order to install the FBCTF platform. To perform a default installation, run the command below. However, check the provision script section for custom installations:

./extra/provision.sh -m prod -s $PWD

The provision script will autogenerate an administrative password at the very end. Ensure you document this password, as it will not be provided anywhere else.

If the admin password needs to be reset, run the following commands in the fbctf directory:

source ./extra/lib.sh
set_password [new_password] ctf ctf fbctf $PWD

After installing the FBCTF platform, access it through your web browser using the configured IP address.

Log in with the username admin and the password generated at the end of the provision script. Access the login screen by clicking the Login link at the top right of the window. You will then be redirected to the administration page. The gameboard can be accessed at the bottom of the navigation bar located on the left side of the window.

Docker (Alternate)

Although Vagrant is the recommended installation method for Development, you can provision a system through Docker if desired.

Similar to Vagrant, Docker is a tool for building complete development environments. The Dockerfile, generated by the FBCTF team, provides automated instructions to Docker which configure the proper environment.

The Docker VM will automatically run the provision script, which installs the FBCTF platform itself.

Update repositories on the Ubuntu system, to ensure you are getting the latest packages:

sudo apt-get update

Install Docker, a virtual container application:

sudo apt-get install docker-ce

After installing Docker, install git:

sudo apt-get install git

Clone the FBCTF project as shown below:

git clone https://github.com/facebook/fbctf

Navigate to the fbctf directory:

cd fbctf

Run the following command to initiate an FBCTF Production installation. Do not forget the dot at the end of the line:

sudo docker build --build-arg MODE=prod -t="fbctf_in_prod" .

To bring up the Docker instance, run the below command:

sudo docker run --name fbctf -p 80:80 -p 443:443 fbctf_in_prod

The platform admin password will be autogenerated at the end of the provision script. Ensure you document this password, as it will not be displayed anywhere else. In order to reset the admin password, run the following command in the container:

set_password new_password ctf ctf fbctf /root

You will also need to mount /etc/letsencrypt as a volume to ensure the certificate files are persistent. Without performing this step, the certs will be continuously regenerated. Reference the following command as a guide:

docker run -v /etc/letsencrypt:/etc/letsencrypt ...

After installing the FBCTF platform, access it through your web browser using the configured IP address.

Log in with the username admin and the password generated at the end of the provision script. Access the login screen by clicking the Login link at the top right of the window. You will then be redirected to the administration page. The gameboard can be accessed at the bottom of the navigation bar located on the left side of the window.

Provision Script Details

Some users may wish to break down the FBCTF platform installation, and perform all steps manually. The instructions can be found below. Note that parameters are left as their default values, but can be changed in many cases. This includes authentication information, certain folder locations, and how SSL certificates are generated.

For any FBCTF installation, it is highly recommended that you utilize the supported operating system, Ubuntu 16.04 x64 (Xenial), and have at least 1GB of memory.

To get started with a manual installation, update your system repositories:

sudo apt-get update

Install git, which will be needed in order to clone the platform:

sudo apt-get install git

Install curl, a tool utilized to download files:

sudo apt-get install curl

Install rsync, a tool utilized to copy files properly:

sudo apt-get install rsync

Clone the platform files onto your local system:

git clone https://github.com/facebook/fbctf

Browse to the code directory:

cd fbctf

Create the web directory, which will contain the FBCTF files:

sudo mkdir -p /var/www/fbctf

Copy the platform files to the web directory:

sudo rsync -a --exclude node_modules --exclude vendor $PWD/ /var/www/fbctf/

Set the Message of the Day (MOTD) to the Facebook CTF banner:

sudo cp /var/www/fbctf/extra/motd-ctf.sh /etc/update-motd.d/10-help-text

Install HHVM, a virtual machine designed to run PHP and Hack code:

sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xB4112585D386EB94
sudo add-apt-repository "deb http://dl.hhvm.com/ubuntu xenial-lts-3.21 main"
sudo apt-get update
sudo apt-get install hhvm

Copy the HHVM configuration over:

cat /var/www/fbctf/extra/hhvm.conf | sed "s|CTFPATH|/var/www/fbctf/|g" | sudo tee /etc/hhvm/server.ini

Enable HHVM as PHP systemwide:

sudo /usr/bin/update-alternatives --install /usr/bin/php php /usr/bin/hhvm 60

Enable HHVM to start by default on the system:

sudo update-rc.d hhvm defaults

Restart HHVM:

sudo service hhvm restart

Install Composer, a dependency manager for PHP:

cd /var/www/fbctf
curl -sS https://getcomposer.org/installer | php
hhvm composer.phar install
sudo mv composer.phar /usr/bin
sudo chmod +x /usr/bin/composer.phar
hhvm /usr/bin/composer.phar install

Enable HHVM Repo Authoritative mode:

sudo sed -i "s|/var/run/hhvm/hhvm.hhbc|/var/cache/hhvm/hhvm.hhbc|g" /etc/hhvm/server.ini
sudo hhvm-repo-mode enable /var/www/fbctf
sudo chown www-data:www-data /var/cache/hhvm/hhvm.hhbc
sudo service hhvm restart

Create the database connection file:

cat "/var/www/fbctf/extra/settings.ini.example" | sed "s/DBHOST/127.0.0.1/g" | sed "s/DATABASE/fbctf/g" | sed "s/MYUSER/ctf/g" | sed "s/MYPWD/ctf/g" | sed "s/MCHOST/127.0.0.1/g" | sudo tee "/var/www/fbctf/settings.ini"

Install node.js, a JavaScript runtime:

curl -sS https://deb.nodesource.com/setup_6.x | sudo -E bash -
sudo apt-get install nodejs

Install required npm node_modules:

sudo npm install --prefix /var/www/fbctf
sudo npm install -g grunt
sudo npm install -g flow-bin

Run Grunt in order to generate JavaScript files:

cd /var/www/fbctf
grunt --force

Choose one of the following certificate options, depending on your installation and certificate type preferred:

Generate Self-Signed Certificate:

sudo mkdir /etc/nginx/certs
sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/nginx/certs/fbctf.key -out /etc/nginx/certs/fbctf.csr -subj "/O=Facebook CTF"
sudo openssl x509 -req -days 365 -in /etc/nginx/certs/fbctf.csr -signkey /etc/nginx/certs/fbctf.key -out /etc/nginx/certs/fbctf.crt

Utilize your own SSL Certificate. Note that you will need to replace [Path to SSL Cert PEM File] and [Path to SSL Key File] below:

sudo mkdir /etc/nginx/certs
sudo cp [Path to SSL Cert PEM File] /etc/nginx/certs/fbctf.crt
sudo cp [Path to SSL Key File] /etc/nginx/certs/fbctf.key

Generate Let’s Encrypt Valid SSL Certificate. Note that you will need to replace [Email] and [Domain] below:

sudo mkdir /etc/nginx/certs
sudo wget -q https://dl.eff.org/certbot-auto -O /usr/bin/certbot-auto
sudo chmod a+x /usr/bin/certbot-auto
/usr/bin/certbot-auto certonly -n --agree-tos --standalone --standalone-supported-challenges tls-sni-01 -m "[Email]" -d "[Domain]"
sudo ln -s "/etc/letsencrypt/live/[Domain]/fullchain.pem" /etc/nginx/certs/fbctf.crt || true
sudo ln -s "/etc/letsencrypt/live/[Domain]/privkey.pem" /etc/nginx/certs/fbctf.key || true

Install NGINX, a high performance web server:

sudo apt-get install nginx

Set NGINX configuration options:

sudo openssl dhparam -out /etc/nginx/certs/dhparam.pem 2048
cat /var/www/fbctf/extra/nginx.conf | sed "s|CTFPATH|/var/www/fbctf/src|g" | sed "s|CER_FILE|/etc/nginx/certs/fbctf.crt|g" | sed "s|KEY_FILE|/etc/nginx/certs/fbctf.key|g" | sed "s|DHPARAM_FILE|/etc/nginx/certs/dhparam.pem|g" | sudo tee /etc/nginx/sites-available/fbctf.conf

Continue setting NGINX configuration options then finish by reloading the configuration and restarting:

sudo rm -f /etc/nginx/sites-enabled/default
sudo ln -sf /etc/nginx/sites-available/fbctf.conf /etc/nginx/sites-enabled/fbctf.conf
sudo nginx -t
sudo service nginx restart

Create the attachments folder, and set ownership to www-data:

sudo mkdir -p "/var/www/fbctf/attachments"
sudo mkdir -p "/var/www/fbctf/attachments/deleted"
sudo chown -R www-data:www-data "/var/www/fbctf/attachments"
sudo chown -R www-data:www-data "/var/www/fbctf/attachments/deleted"

Create the custom logos folder, and set ownership to www-data:

sudo mkdir -p "/var/www/fbctf/src/data/customlogos"
sudo chown -R www-data:www-data "/var/www/fbctf/src/data/customlogos"

Install Memcached, which will be used for web caching:

sudo apt-get install memcached

Install MySQL, for use as the database. By default the root password can be set to root during the interactive install:

sudo apt-get install mysql-server

Create the FBCTF database and import all schemas required:

mysql -u root --password=root -e "CREATE DATABASE IF NOT EXISTS fbctf;"
mysql -u root --password=root fbctf -e "source /var/www/fbctf/database/schema.sql;"
mysql -u root --password=root fbctf -e "source /var/www/fbctf/database/countries.sql;"
mysql -u root --password=root fbctf -e "source /var/www/fbctf/database/logos.sql;"

Create a database user. Note that by default you can use user ctf with password ctf:

mysql -u root --password=root -e "CREATE USER 'ctf'@'localhost' IDENTIFIED BY 'ctf';" || true
mysql -u root --password=root -e "GRANT ALL PRIVILEGES ON fbctf.* TO 'ctf'@'localhost';"
mysql -u root --password=root -e "FLUSH PRIVILEGES;"

Set the admin password for the FBCTF platform. Note that you will need to replace password below:

mysql -u root --password=root fbctf -e "DELETE FROM teams WHERE name='admin' AND admin=1"
mysql -u root --password=root fbctf -e "INSERT INTO teams (id, name, password_hash, admin, protected, logo, created_ts) VALUES (1, 'admin', '`hhvm -f /var/www/fbctf/extra/hash.php "password"`', 1, 1, 'admin', NOW())"

Your installation should be complete! Access the IP address of the platform in your browser, then log in at the upper right hand corner of the window using admin and the password you created.

If you are having any issues, be sure to first examine the following logs for information:

/var/log/nginx/error.log
/var/log/hhvm/error.log
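Beyond the logs, a quick sanity check of what the manual steps above leave on disk catches the common mistakes: a missing certificate or dhparam file, upload directories not owned by www-data, and the two secrets the guide writes (settings.ini with the database credentials, which sudo tee creates world-readable, and the TLS private key) left readable by every local user. The script below is an added example, not part of the FBCTF project; it assumes GNU or busybox stat (as on Ubuntu) and takes the paths from the guide as defaults.

```shell
#!/bin/sh
# Post-install sanity check for a manual FBCTF production install.
# Added example, not part of the FBCTF project. It confirms the files the
# guide creates are present, the upload directories have the owner the guide
# sets (www-data), and the two secrets on disk (settings.ini with the DB
# credentials, and the TLS private key) are not world-readable.
# Assumes GNU/busybox stat (-c), as on Ubuntu.

# Last octal digit of the mode = permission bits for "other"; the read bit is 4.
world_readable() {
    m=$(stat -c '%a' "$1")
    other=${m#"${m%?}"}
    [ $(( $other & 4 )) -ne 0 ]
}

problems=0
fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

# fbctf_check WEBROOT CERTDIR OWNER
# Prints one FAIL line per finding; its exit status is the number of findings.
fbctf_check() {
    webroot=$1; certdir=$2; owner=$3; problems=0

    for f in "$webroot/settings.ini" "$certdir/fbctf.crt" \
             "$certdir/fbctf.key" "$certdir/dhparam.pem"; do
        [ -f "$f" ] || fail "missing file $f"
    done

    for d in "$webroot/attachments" "$webroot/attachments/deleted" \
             "$webroot/src/data/customlogos"; do
        if [ ! -d "$d" ]; then
            fail "missing directory $d"
        elif [ "$(stat -c '%U' "$d")" != "$owner" ]; then
            fail "$d is not owned by $owner"
        fi
    done

    for s in "$webroot/settings.ini" "$certdir/fbctf.key"; do
        if [ -f "$s" ] && world_readable "$s"; then
            fail "$s is world-readable (chmod 640 and give the web server's group read access)"
        fi
    done

    return "$problems"
}

# Run against the guide's default paths:  sh fbctf_check.sh --run
if [ "${1:-}" = "--run" ]; then
    fbctf_check "${2:-/var/www/fbctf}" "${3:-/etc/nginx/certs}" "${4:-www-data}"
fi
```

Run it as root after the last step; an exit status of 0 means every check passed.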