
Added some configuration files

gehaxelt committed Feb 22, 2016
1 parent 33aa689 commit 74753e941936f371ab7e0743692e73f81106a7e5
Showing with 657 additions and 5 deletions.
  1. +38 −5 README.md
  2. +43 −0 configs/etc/cgconfig.conf
  3. +2 −0 configs/etc/cgrules.conf
  4. +33 −0 configs/etc/iptables/proxy.rules
  5. +40 −0 configs/etc/iptables/serv.rules
  6. +24 −0 configs/etc/iptables/web.rules
  7. +4 −0 configs/etc/nginx/http-conf.d/upstreams.conf
  8. +38 −0 configs/etc/nginx/nginx.conf
  9. +23 −0 configs/etc/nginx/sites-available/0ldsk00lblog.ctf.internetwache.org.conf
  10. +15 −0 configs/etc/nginx/sites-available/http.conf
  11. +25 −0 configs/etc/nginx/sites-available/mess-of-hash.ctf.internetwache.org.conf
  12. +24 −0 configs/etc/nginx/sites-available/procrastination.ctf.internetwache.org.conf
  13. +24 −0 configs/etc/nginx/sites-available/replace-with-grace.ctf.internetwache.org.conf
  14. +24 −0 configs/etc/nginx/sites-available/texmaker.ctf.internetwache.org.conf
  15. +23 −0 configs/etc/nginx/sites-available/the-secret-store.ctf.internetwache.org.conf
  16. 0 configs/etc/nginx/sites-enabled/.symlink-here
  17. 0 configs/etc/nginx/ssl/cert1.pem
  18. 0 configs/etc/nginx/ssl/chain1.pem
  19. 0 configs/etc/nginx/ssl/fullchain1.pem
  20. 0 configs/etc/nginx/ssl/privkey1.pem
  21. +4 −0 configs/etc/nginx/tcp-available/code50.conf
  22. +4 −0 configs/etc/nginx/tcp-available/code60.conf
  23. +4 −0 configs/etc/nginx/tcp-available/code70.conf
  24. +4 −0 configs/etc/nginx/tcp-available/code80.conf
  25. +4 −0 configs/etc/nginx/tcp-available/code90.conf
  26. +4 −0 configs/etc/nginx/tcp-available/crypto70.conf
  27. +4 −0 configs/etc/nginx/tcp-available/crypto90.conf
  28. +4 −0 configs/etc/nginx/tcp-available/exp50.conf
  29. +4 −0 configs/etc/nginx/tcp-available/exp60.conf
  30. +4 −0 configs/etc/nginx/tcp-available/exp70.conf
  31. +4 −0 configs/etc/nginx/tcp-available/exp80.conf
  32. +4 −0 configs/etc/nginx/tcp-available/exp90.conf
  33. +49 −0 configs/etc/nginx/tcp-conf.d/upstreams.conf
  34. 0 configs/etc/nginx/tcp-enabled/.symlink-here
  35. +4 −0 configs/etc/service/code50/log/main/.gitignore
  36. +2 −0 configs/etc/service/code50/log/run
  37. +6 −0 configs/etc/service/code50/run
  38. +4 −0 configs/etc/service/code60/log/main/.gitignore
  39. +2 −0 configs/etc/service/code60/log/run
  40. +6 −0 configs/etc/service/code60/run
  41. +4 −0 configs/etc/service/code70/log/main/.gitignore
  42. +2 −0 configs/etc/service/code70/log/run
  43. +6 −0 configs/etc/service/code70/run
  44. +4 −0 configs/etc/service/code80/log/main/.gitignore
  45. +2 −0 configs/etc/service/code80/log/run
  46. +6 −0 configs/etc/service/code80/run
  47. +4 −0 configs/etc/service/code80/template/log/main/.gitignore
  48. +2 −0 configs/etc/service/code80/template/log/run
  49. +6 −0 configs/etc/service/code80/template/run
  50. +4 −0 configs/etc/service/code90/log/main/.gitignore
  51. +2 −0 configs/etc/service/code90/log/run
  52. +6 −0 configs/etc/service/code90/run
  53. +4 −0 configs/etc/service/crypto70/log/main/.gitignore
  54. +2 −0 configs/etc/service/crypto70/log/run
  55. +6 −0 configs/etc/service/crypto70/run
  56. +4 −0 configs/etc/service/crypto90/log/main/.gitignore
  57. +2 −0 configs/etc/service/crypto90/log/run
  58. +6 −0 configs/etc/service/crypto90/run
  59. +4 −0 configs/etc/service/exp50/log/main/.gitignore
  60. +2 −0 configs/etc/service/exp50/log/run
  61. +6 −0 configs/etc/service/exp50/run
  62. +4 −0 configs/etc/service/exp60/log/main/.gitignore
  63. +2 −0 configs/etc/service/exp60/log/run
  64. +6 −0 configs/etc/service/exp60/run
  65. +4 −0 configs/etc/service/exp70/log/main/.gitignore
  66. +2 −0 configs/etc/service/exp70/log/run
  67. +6 −0 configs/etc/service/exp70/run
  68. +4 −0 configs/etc/service/exp80/log/main/.gitignore
  69. +2 −0 configs/etc/service/exp80/log/run
  70. +6 −0 configs/etc/service/exp80/run
  71. +4 −0 configs/etc/service/exp90/log/main/.gitignore
  72. +2 −0 configs/etc/service/exp90/log/run
  73. +6 −0 configs/etc/service/exp90/run
  74. +4 −0 configs/etc/service/pkiller/log/main/.gitignore
  75. +2 −0 configs/etc/service/pkiller/log/run
  76. +6 −0 configs/etc/service/pkiller/run
  77. +4 −0 configs/etc/service/template/log/main/.gitignore
  78. +2 −0 configs/etc/service/template/log/run
  79. +6 −0 configs/etc/service/template/run
@@ -39,14 +39,45 @@ The most interesting directory is ```tasks/```:

# Other files:

- ```checkservice.py```: A small python script/plugin for the collectd monitoring system. Checks the availability of the services.
- ```createzips.sh```: Bundles every ```tasks/<challenge>/task/``` directory into a ```static/files/<challenge>.zip```
- ```pkiller.py```: Dirty workaround script to kill long-living apache-mpm-itk subprocesses (spawned by RCE challenges)
- ```tasks.md```: An overview over all challenges' name, flag, url, ip, port.
- ```tasks/checkservice.py```

A small python script/plugin for the collectd monitoring system. Checks the availability of the services.

- ```tasks/createzips.sh```

Bundles every ```tasks/<challenge>/task/``` directory into a ```static/files/<challenge>.zip```

- ```tasks/pkiller.py```

Dirty workaround script to kill long-living apache-mpm-itk subprocesses (spawned by RCE challenges)

- ```tasks/tasks.md```

An overview over all challenges' name, flag, url, ip, port.

- ```configs/etc/cgconfig.conf```

Configuration file for Cgroups. The group ```ctf``` had limited I/O, memory and CPU shares.

- ```configs/etc/cgrules.conf```

Configuration file for Cgroups. Assigns the rule groups to system groups.

- ```configs/etc/iptables/```

Iptables rules for the VMs.

- ```configs/etc/nginx/```

Nginx config for load balancing HTTP and TCP services.

- ```configs/etc/service/```

Daemontools services for all challenges/tools.

# Hosting details:

- 4 VMs from Digitalocean.com in AMS3 datacenter
- 4 VMs from Digitalocean.com in AMS3 datacenter, based on Debian 8 x64, private networking enabled
- 1x 1 Core, 512 mb, 20GB, 0.007$/h Box as monitor
- 1x 4 Core, 8 gb, 80gb, 0.119$/h Box as proxy (load balancer)
- nginx load balancer: HTTP to web1 / TCP to serv1
@@ -62,6 +93,8 @@ The most interesting directory is ```tasks/```:
- Pro: Easy scalable by spawning new VMs
- Pro: Bad attackers easily stoppable on the proxy
- Contra: Single point of failure (Proxy)
- All challenges ran as a separate user
- All users were in the ```ctf``` group
- Used [Daemontools](http://cr.yp.to/daemontools.html) to easily control services
- Used [TCPServer](http://cr.yp.to/ucspi-tcp/tcpserver.html) to provide tcp connection for executable and scripts.
- Used [CGroups](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html) to limit service-users resources
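--- a/configs/etc/cgconfig.conf
+++ b/configs/etc/cgconfig.conf
@@ -0,0 +1,43 @@
+group ctf {
+perm {
+admin {
+gid = root;
+}
+task {
+gid = root;
+}
+}
+cpu {
+cpu.shares="512";
+}
+cpuacct {
+cpuacct.usage="0";
+}
+memory {
+memory.limit_in_bytes="2G";
+memory.oom_control="0";
+}
+blkio {
+blkio.throttle.read_bps_device="254:0 209715200";
+blkio.throttle.write_bps_device="254:0 10485760";
+blkio.throttle.read_iops_device="254:0 20000";
+blkio.throttle.write_iops_device="254:0 10000";
+blkio.weight="500";
+}
+}
+group root {
+perm {
+admin {
+gid = root;
+}
+task {
+gid = root;
+}
+}
+cpu {
+cpu.shares="1024";
+}
+cpuacct {
+cpuacct.usage="0";
+}
+}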
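Review bot: The memory cap on the ctf group is RAM-only: `memory.limit_in_bytes="2G"` limits anonymous memory and page cache, but under cgroup v1 a group that hits it can keep growing into swap unless `memory.memsw.limit_in_bytes` is set as well (where swap accounting is enabled), so a runaway challenge can still push a host into swap. If the VMs run without swap this is moot, but either a matching `memory.memsw.limit_in_bytes="2G";` or a comment stating that swap is absent would make the intent explicit. The four blkio throttle lines are keyed to device `254:0` with nothing saying which disk that is; a comment such as `# 254:0 = <root block device>, verify with lsblk` saves the next operator a lookup when the VM image changes.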
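--- a/configs/etc/cgrules.conf
+++ b/configs/etc/cgrules.conf
@@ -0,0 +1,2 @@
+@ctf cpu,cpuacct,memory,blkio ctf
+@root cpu,cpuacct root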
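--- a/configs/etc/iptables/proxy.rules
+++ b/configs/etc/iptables/proxy.rules
@@ -0,0 +1,33 @@
+# Generated by iptables-save v1.4.21 on Fri Feb 12 16:15:55 2016
+*filter
+:INPUT DROP [552:40116]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [338:38228]
+# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+-A INPUT -i lo -j ACCEPT
+-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
+# Accepts all established inbound connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Allows all outbound traffic
+-A OUTPUT -j ACCEPT
+# Allows SSH connections
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
+# Allow HTTP(s)
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 443 -j ACCEPT
+# Allow service
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 10009 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 10061 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 11027 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 11059 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 11071 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 11117 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 11491 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 12037 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 12049 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 12157 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 12377 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 12589 -j ACCEPT
+# Allow ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+COMMIT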
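Review bot: Port 22 is accepted from any source on eth0 (`-A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -j ACCEPT`), the same interface that serves the public 80/443 and the challenge ports, so the operators' SSH service is reachable by everyone who can reach the CTF for the whole event; restricting it with `-s <admin-cidr>` or moving it to the private eth1 side, the way serv.rules and web.rules already restrict their service ports to the proxy's address, would shrink that surface. The same unrestricted SSH rule appears in serv.rules and web.rules. Nothing in the commit covers ip6tables; if the droplets have IPv6 enabled, the DROP policies here say nothing about that stack, so either a matching v6 ruleset or a comment stating that IPv6 is disabled on the VMs would close the gap.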
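--- a/configs/etc/iptables/serv.rules
+++ b/configs/etc/iptables/serv.rules
@@ -0,0 +1,40 @@
+# Generated by iptables-save v1.4.21 on Wed Feb 10 14:45:55 2016
+*filter
+:INPUT DROP [2418:3982778]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [1576:200742]
+-A INPUT -i lo -j ACCEPT
+-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Block ctf users
+-A OUTPUT -m state --state NEW -m owner --uid-owner crypto70 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner crypto90 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner code50 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner code60 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner code70 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner code80 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner code90 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner exp50 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner exp60 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner exp70 -j DROP
+-A OUTPUT -m state --state NEW -m owner --uid-owner exp90 -j DROP
+# Allow output
+-A OUTPUT -j ACCEPT
+# Allow SSH
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
+# Allow service from proxy
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 10009 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 10061 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 11027 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 11059 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 11071 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 11117 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 11491 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 12037 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 12049 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 12157 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 12377 -j ACCEPT
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 12589 -j ACCEPT
+# Allow Ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+COMMIT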
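Review bot: The egress block list under `# Block ctf users` skips `exp80`: the `--uid-owner` DROP rules cover exp50, exp60, exp70 and exp90, while this same commit adds a `configs/etc/service/exp80` daemontools service and `tcp-available/exp80.conf`, so that one challenge user keeps unrestricted outbound access on the service host. Add `-A OUTPUT -m state --state NEW -m owner --uid-owner exp80 -j DROP` next to the exp70 line. A one-line comment that this is a per-uid socket-owner check rather than host-level isolation would also help whoever copies the block for the next service user, since the list has to be kept in step with the service directory by hand.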
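--- a/configs/etc/iptables/web.rules
+++ b/configs/etc/iptables/web.rules
@@ -0,0 +1,24 @@
+# Generated by iptables-save v1.4.21 on Wed Feb 10 14:45:55 2016
+*filter
+:INPUT DROP [2418:3982778]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [1576:200742]
+-A INPUT -i lo -j ACCEPT
+-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Block ctf user output
+-A OUTPUT -m owner --uid web50 -j DROP
+-A OUTPUT -m owner --uid web60 -j DROP
+-A OUTPUT -m owner --uid web70 -j DROP
+-A OUTPUT -m owner --uid web80 -j DROP
+-A OUTPUT -m owner --uid web90 -j DROP
+-A OUTPUT -m owner --uid crypto80 -j DROP
+# Allow output
+-A OUTPUT -j ACCEPT
+# Allow SSH
+-A INPUT -i eth0 -p tcp -m state --state NEW --dport 22 -j ACCEPT
+# Allow apache/https from proxy
+-A INPUT -i eth1 -s 10.133.11.41 -p tcp -m state --state NEW --dport 443 -j ACCEPT
+# Allow ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+COMMIT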
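Review bot: The OUTPUT drops are written `-A OUTPUT -m owner --uid web50 -j DROP`, whereas serv.rules uses `-m state --state NEW -m owner --uid-owner <user> -j DROP`; iptables appears to accept `--uid` only as an unambiguous abbreviation of `--uid-owner`, and iptables-save never emits that spelling, so this file has been hand-edited after its `# Generated by iptables-save` header and will not round-trip unchanged through a save/restore. Spelling it `--uid-owner` keeps the two rule files greppable the same way. The missing `--state NEW` also means every packet owned by those uids is dropped, not only new connections; if that is deliberate for the mpm-itk users, say so in the `# Block ctf user output` comment, otherwise align the rule with serv.rules. The header line and chain counters are byte-identical to serv.rules, which suggests this file was derived by copy rather than exported from the web host.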
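--- a/configs/etc/nginx/http-conf.d/upstreams.conf
+++ b/configs/etc/nginx/http-conf.d/upstreams.conf
@@ -0,0 +1,4 @@
+upstream web-backend {
+ip_hash;
+server web1:443 max_fails=5 fail_timeout=30s;
+}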
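--- a/configs/etc/nginx/nginx.conf
+++ b/configs/etc/nginx/nginx.conf
@@ -0,0 +1,38 @@
+
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+worker_connections 1024;
+}
+
+
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+
+access_log /var/log/nginx/access.log main;
+
+sendfile on;
+#tcp_nopush on;
+
+keepalive_timeout 65;
+
+#gzip on;
+
+include /etc/nginx/http-conf.d/*.conf;
+include /etc/nginx/sites-enabled/*.conf;
+}
+
+stream {
+include /etc/nginx/tcp-conf.d/*.conf;
+include /etc/nginx/tcp-enabled/*.conf;
+}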
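Review bot: `worker_processes 1;` pins the load balancer to a single worker although the README hunk in this same commit describes the proxy box as a 4-core VM, so three cores sit idle for both the `http` and `stream` blocks; `worker_processes auto;` uses what the box has. With one worker, `worker_connections 1024;` is also the ceiling for client plus upstream connections combined, which is tight for a reverse proxy under a CTF load spike. There is no `server_tokens off;` in the `http` block, so every response and error page advertises the nginx version; adding it is free.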
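--- a/configs/etc/nginx/sites-available/0ldsk00lblog.ctf.internetwache.org.conf
+++ b/configs/etc/nginx/sites-available/0ldsk00lblog.ctf.internetwache.org.conf
@@ -0,0 +1,23 @@
+server {
+listen 443;
+
+server_name 0ldsk00lblog.ctf.internetwache.org;
+
+ssl_certificate /etc/nginx/ssl/fullchain1.pem;
+ssl_certificate_key /etc/nginx/ssl/privkey1.pem;
+
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+access_log /var/log/nginx/proxy.access.log;
+
+location / {
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass https://web-backend;
+}
+}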
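Review bot: `proxy_pass https://web-backend;` talks TLS to the backend but nothing verifies the backend's certificate — nginx leaves `proxy_ssl_verify` off by default — so the hop to web1 is encrypted but unauthenticated; on the private eth1 network that may be an accepted trade-off, but it should be stated in a comment such as `# backend cert not verified: private network only` or fixed with `proxy_ssl_verify on;` plus `proxy_ssl_trusted_certificate`. The same applies to the mess-of-hash, procrastination, replace-with-grace and texmaker vhosts in this commit, which are near-verbatim copies of this file. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0/1.1, and since http.conf already redirects everything to https, an `add_header Strict-Transport-Security` line would complete that. `ssl_certificate_key` points at `/etc/nginx/ssl/privkey1.pem`, which the diffstat shows as a tracked empty file; ignoring `configs/etc/nginx/ssl/*.pem` would keep a real key from being committed by accident later.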
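--- a/configs/etc/nginx/sites-available/http.conf
+++ b/configs/etc/nginx/sites-available/http.conf
@@ -0,0 +1,15 @@
+server {
+listen 80;
+location /status {
+stub_status on;
+access_log off;
+allow 127.0.0.1;
+deny all;
+}
+}
+
+server {
+listen 80;
+server_name mess-of-hash.ctf.internetwache.org replace-with-grace.ctf.internetwache.org the-secret-store.ctf.internetwache.org 0ldsk00lblog.ctf.internetwache.org texmaker.ctf.internetwache.org procrastination.ctf.internetwache.org;
+return 301 https://$host$request_uri;
+}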
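Review bot: The first `server` block on port 80 has no `server_name` and no `location /`, so it is the implicit default for that port and any request whose Host is not in the second block's list (the bare IP, scanners, typos) is served out of nginx's compiled-in default document root rather than redirected or refused. Adding `location / { return 444; }` to that block, or giving it `server_name _;` and the same `return 301` redirect, makes the catch-all behaviour explicit. The `/status` location's `allow 127.0.0.1; deny all;` is correct as written; a short comment naming which monitor scrapes it (the README mentions collectd) would tell the next operator why it exists.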
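--- a/configs/etc/nginx/sites-available/mess-of-hash.ctf.internetwache.org.conf
+++ b/configs/etc/nginx/sites-available/mess-of-hash.ctf.internetwache.org.conf
@@ -0,0 +1,25 @@
+#include conf/upstreams.conf;
+
+server {
+listen 443;
+
+server_name mess-of-hash.ctf.internetwache.org;
+
+ssl_certificate /etc/nginx/ssl/fullchain1.pem;
+ssl_certificate_key /etc/nginx/ssl/privkey1.pem;
+
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+access_log /var/log/nginx/proxy-mess-of-hash.ctf.internetwache.org.access.log;
+
+location / {
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass https://web-backend;
+}
+}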
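Review bot: The commented-out `#include conf/upstreams.conf;` on the first line refers to a path that does not exist in this tree — the upstream lives in `http-conf.d/upstreams.conf` and is pulled in by nginx.conf's `include /etc/nginx/http-conf.d/*.conf;` — so it is a leftover from an earlier layout and should be dropped rather than left to mislead. This vhost is also the only one writing to its own `proxy-mess-of-hash...access.log` while its siblings share `proxy.access.log`; if the separate log is intentional (for instance to watch this challenge more closely), a one-line comment saying so would stop the next copy-paste from "fixing" it.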
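--- a/configs/etc/nginx/sites-available/procrastination.ctf.internetwache.org.conf
+++ b/configs/etc/nginx/sites-available/procrastination.ctf.internetwache.org.conf
@@ -0,0 +1,24 @@
+server {
+listen 443;
+
+server_name procrastination.ctf.internetwache.org;
+
+ssl_certificate /etc/nginx/ssl/fullchain1.pem;
+ssl_certificate_key /etc/nginx/ssl/privkey1.pem;
+
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+access_log /var/log/nginx/proxy.access.log;
+
+location / {
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass https://web-backend;
+}
+}
+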
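--- a/configs/etc/nginx/sites-available/replace-with-grace.ctf.internetwache.org.conf
+++ b/configs/etc/nginx/sites-available/replace-with-grace.ctf.internetwache.org.conf
@@ -0,0 +1,24 @@
+server {
+listen 443;
+
+server_name replace-with-grace.ctf.internetwache.org;
+
+ssl_certificate /etc/nginx/ssl/fullchain1.pem;
+ssl_certificate_key /etc/nginx/ssl/privkey1.pem;
+
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+access_log /var/log/nginx/proxy.access.log;
+
+location / {
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass https://web-backend;
+}
+}
+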
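--- a/configs/etc/nginx/sites-available/texmaker.ctf.internetwache.org.conf
+++ b/configs/etc/nginx/sites-available/texmaker.ctf.internetwache.org.conf
@@ -0,0 +1,24 @@
+server {
+listen 443;
+
+server_name texmaker.ctf.internetwache.org;
+
+ssl_certificate /etc/nginx/ssl/fullchain1.pem;
+ssl_certificate_key /etc/nginx/ssl/privkey1.pem;
+
+ssl on;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+access_log /var/log/nginx/proxy.access.log;
+
+location / {
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_pass https://web-backend;
+}
+}
+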
