This page describes how to get the CTF network and Vulnbox running in a basic setup. There is a multitude of things which could be done differently (and even be improved). So if you already know how to connect to the VPN and host the Vulnbox, feel free to do it differently. In any case, also have a look at the general Setup docs.
We assume that you're playing with a local team (i.e. all people sitting in one room). For a distributed team, large parts will be applicable, but some things will have to be done differently.
In our setup, one physical machine will host the Vulnbox and act as your personal VPN gateway. All team members will connect their personal computers to the team network, for which the machine also acts as gateway. Therefore, the team members can reach your Vulnbox, the other teams and the internet.
Requirements
You are going to need:
- A PC with an x86-64 CPU and two network interface – one for connecting to the internet and one for your team. No too fancy specs are required, a multi-core CPU (VT-x support is highly recommended) and 4 GB of RAM should suffice.
- Physical access, monitor and keyboard/mouse attached to the PC
- A network switch for your team network
In the rest of this guide, we're going to assume a standard Debian 8 ("Jessie") Desktop install on the PC. Other Debian versions or Ubuntu should work similarly and the general setup should also be applicable to other distributions.
Installation
We are going to install the required packages (as root):
apt install openvpn dnsmasq virtualbox-qt socat wireshark
Networking
We assume that you already have internet connectivity on one interface (the "internet" interface) and will now configure the other one, the team interface. It should be connected to your switch.
Using the NetworkManager GUI (or whatever your system uses for network configuration), assign manually assign an IP address to that interface. We are going to use 192.168.0.1 with a netmask of 255.255.255.0 for the team network. However, any RFC 1918 range should do as long as it does not collide with any other network attached to your PC or used in the CTF; the team network is not strictly required for the CTF.
To assign IP addresses inside the team network, we are going to set up Dnsmasq as a DHCP server. To this purpose, edit "/etc/dnsmasq.conf", uncomment the line which starts with interface= and set the name of your team network interface (like "eth1") as value. Additionally, uncomment this line:
#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
If you used the proposed team network (192.168.0.1/24) when configuring the interface above, the default range should be fine. Otherwise, you must set the value of dhcp-range to match your network.
Then, restart Dnsmasq using systemctl restart dnsmasq.
Firewalling
As the PC acts as a gateway, we need to allow IP forwarding in it. To this purpose, edit "/etc/sysctl.conf" and uncomment this line:
#net.ipv4.ip_forward=1
Afterwards, reload the config using sysctl -p.
Now, we set the following iptables rules:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i game -j REJECT
iptables -A INPUT -i vboxnet0 -j REJECT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i game -o vboxnet0 -j ACCEPT
iptables -A FORWARD -i vboxnet0 -o game -j ACCEPT
iptables -A FORWARD -i <team_interface> -j ACCEPT
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s <team_network> -j MASQUERADE
(Replace <team_interface> with the name of your team interface and <team_network> with your team network in CIDR notation, e.g. 192.168.0.1/24.)
To make the firewall rules persistent across reboots, install the "iptables-persistent" package and answer "Yes" when it asks you whether to save the current IPv4 rules.
This will:
- Disallow all traffic from the VPN or Vulnbox to your host machine
- Allow responses to already established and allowed connections
- Allow communication between the VPN and the Vulnbox
- Allow connections from your team network to everywhere with NAT
- Disallow all other routing between the different networks, e.g. traffic from the Vulnbox to your team network
With this firewalling setup, the Vulnbox will not be able to reach the internet. That for example means you won't be able to download software on the Vulnbox. You may choose to enable internet access for the Vulnbox, but keep in mind that it runs insecure software. This will be entirely at your own risk!
Similarly, traffic from the other teams to your team network is completely blocked, so things like back-connects won't work.
VPN
To connect to the VPN, move your personal VPN config ("faustctf.conf", which you have received from us via email) to "/etc/openvpn". Then, start the VPN using:
systemctl start openvpn@faustctf
systemctl enable openvpn@faustctf
Everything should be working alright if you can now ping our gatway at 10.65.<team_ID>.1 from your host PC and the team network.
Vulnbox
Finally, we are going to launch the Vulnbox (or the test image): Download it from us in OVA format and decrypt it using gpg -o <filename> -d <filename>.gpg.
Next, launch VirtualBox and go to "File" – "Preferences" – "Network" – "Host-only Networks". Edit "vboxnet0" and set its IPv4 address to 10.66.<team_ID>.1. It also can't hurt to disable the Host-only Network's DHCP Server, although that is not strictly necessary.
Afterwards, click "File" – "Import Appliance". Select the decrypted OVA image and finish the wizard without any changes. Open the settings for the imported VM. In the "Network" section, select "Attached to: Host-only Adapter".
Now comes a bit of a tricky part: The Vulnbox will already work if you start it now and you'll also be able to log in through the VirtualBox GUI. However, it would be kind of hard to get an SSH key onto it, since copy/paste doesn't work. To work around that, we'll attach a Serial Console before starting the Vulnbox: Select "Serial Ports" in the VM's settings, enable Port 1, set "Port Mode: Host Pipe" and "Port/File Path" for example to "/tmp/vulnbox.serial".
You may now start the Vulnbox VM and connect to the serial port as described in the illumos docs:
socat unix-connect:/tmp/vulnbox.serial stdio,raw,echo=0,icanon=0,escape=0x11
This attaches you to a serial console, where you can log into the Vulnbox as root without password (if you don't see anything, just Press Enter to log in). You should be greeted by our initial accountsetup tool, which will also let you paste SSH keys. The Vulnbox will reboot and you should be able to log in via SSH at 10.66.<team_ID>.1.
pcap Dumps
To see what's going on and how your Vulnbox is being attacked, you probably want to record pcaps of your Vulnbox traffic. You can dump the traffic of the vulnbox like this:
dumpcap -i vboxnet0 -b 'duration:180' -w ~/pcaps/faustctf -p
The pcap files will end up in a directory called "pcaps" in the Home on your host PC. You can analyze them for example using Wireshark.
Now you should be good to go. Good luck in the CTF!