ENOWARS 3

VMs

You are on your own...

The organizers will provide several VMs that each team needs to host on its own. You will receive the VMs as ".ova" files that are import-ready for VirtualBox. We suggest using VirtualBox, but you are obviously free to choose any other hypervisor without any support from the organizers.

The VMs in general

Teamrouter

The teamrouter is a debian-based VM that will act as the router for your team. It will connect to our gameserver using a IPv4-OpenVPN tunnel and provide a IPv6 network on your end for your team. It is your team's entry point to the game network. It has the IP address fd00:1337:X::1 where X is your team ID (see enowars.com/teams). You can download the VM before the CTF starts to test your setup.

Teamtestvm

This VM can be used before the CTF starts to install and test your setup. In the CTF it will be replaced by the vulnbox VM. The VM is therefore structured similarly to the actual vulnbox and also Debian based. It has the IP address fd00:1337:X::3 where X is your team ID. To test your setup the "echod" service can be used. It listens on fd00:1337:X:ecc0::1, port 1337 and needs to be reachable by the game engine. You need to reach the game engine on fd00:1337::1337, port 4242. You can use the following netcat command to test this:

nc -6 -vv fd00:1337::1337 4242

Disclaimer: If your DNS does not seem to work and you see `130.149.X.X` IPs in your /etc/resolv.conf, please replace those IPs with DNS servers of your choice (e.g. 8.8.8.8 or 1.1.1.1).

In order to enable your team members to access the gamenetwork and the teamtestvm/vulnbox from their respective PCs there are two network interfaces used. One configured as NAT to the host and one (bridged) to the gamenetwork. Internet connectivity (v4) for the VM should be provided over the first interface through the host. It can also be configured to use port forwarding to give you access to the VM. The latter interface connects the teamrouter + other VMs and yourself with the game network. How to do that is explained below under "Bridging the network". Remember to setup the two interfaces if you decide to use the VM as qemu, qcow, .... This applies to the vulnbox as well.

Vulnbox

This is the most important VM on which your part of the game will take place. You'll get a bunch of services that you need to defend and find security vulnerabilities to attack other teams. It has the IP address fd00:1337:X::2 where X is your team ID. You can download the encrypted VM before the CTF starts. The decryption key will be released the minute the CTF starts, so that all teams have the same chances to start analyzing the services.

We recommend a host PC with at least 4 CPU cores and 8 GB of RAM.

Vulnbox - Service Installation

All services are shipped as debian package and managed through APT. They can be installed and updated through our APT repository. We will open the firewall to the APT repository once the game starts. With an established connection to the network use the following commands to install all services:

apt-get update apt-get install -y servicename

Vulnbox - Service Interaction

The services run in their own docker container and are started via docker-compose. We have also included a systemd file for docker that lets you monitor and control the services. You can use systemctl to start/stop/restart/inspect a given service respectively:

systemctl {start|stop|restart|status} dc@servicename

In order to inspect logs you can use journalctl like this:

journalctl -u servicename

Hosting your VMs

First of all, you need to download the images:

wget http://enowars.com/files/teamrouter.ova wget http://enowars.com/files/teamtestvm.ova wget http://enowars.com/files/vulnbox.ova.gpg

Once that is done, ensure that VirtualBox is installed and that you can run "VBoxManage"! If so, you can proceed with importing the VMs. But first have a look at the settings using "--dry-run":

VBoxManage import --dry-run teamrouter.ova VBoxManage import --dry-run teamtestvm.ova

There are ways to change all those values (e.g. RAM, CPU) using VBoxManage, but that is left as an exercise to the motivated reader.

VBoxManage import teamrouter.ova VBoxManage import teamtestvm.ova [...] 0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100% Successfully imported the appliance.

In order to ssh into the vulnbox we configure port forwarding from the host's port "2222"/"2233" to the VM's port "22".

VBoxManage modifyvm "teamrouter" --natpf1 "guestssh,tcp,,2222,,22" VBoxManage modifyvm "teamtestvm" --natpf1 "guestssh,tcp,,2233,,22"

To start the VM, run:

VBoxManage startvm "teamrouter" --type headless VBoxManage startvm "teamtestvm" --type headless

You should be able to login into the VMs now (user: root, password: root). For the teamrouter use port 2222 and for the teamtestvm use 2233:

ssh -p2222 root@localhost [...] root@teamrouter:~#

Before you run anything, you need to upload the content of your VPN configuration file (teamX.conf) to the teamrouter and move it to "/etc/openvpn/client/game.conf". Example:

scp -P 2222 teamX.conf teamrouter:/etc/openvpn/game.conf

Attention: Don’t change the name of the game.conf file! The final step is to configure the networks on both VMs. Run the same command on both VMs! The script takes two arguments. The teamid and the 2nd-interface, which is the connection between both VMs and the gamenetwork.

root@teamrouter:~# network-setup X enp0s8 Configuring network for team X root@teamtestvm:~# network-setup X enp0s8 ######### # Configuring network for team X [...]

To test your network connection, contact the game server on port 4242

root@teamrouter:~# nc -vv fd00:1337::1337 4242 Connection to fd00:1337::1337 4242 port [tcp/*] succeeded! enowars!

To test your local connection, curl your echod service: (replace X with your team ID)

root@teamrouter:~# curl http://[fd00:1337:X:ecc0::1]:1337 works!

Now you are ready to take part in the CTF!

Bridging the network

If you want to provide internet access to other systems than the testvm and vulnbox, then you most likely want to bridge it to another real interface. This is not required to play the CTF, but might make things easier for you. WE DO NOT SUPPORT THIS, so please fix bugs and errors yourself.
NOTE: You most likely need a 2nd interface on the host system for that. First, shutdown the VMs:

VBoxManage shutdown teamrouter VBoxManage shutdown teamtestvm

Then configure a bridged adapter and restart the VMs and rerun the configuration (replace eth0 with your host ethernet)

VBoxManage modifyvm "teamrouter" --nic2 bridged --nictype2 virtio --bridgeadapter2 eth0 VBoxManage modifyvm "teamtestvm" --nic2 bridged --nictype2 virtio --bridgeadapter2 eth0 VBoxManage startvm "teamrouter" --type headless VBoxManage startvm "teamtestvm" --type headless root@teamrouter:~# network-setup 20 enp0s8 eth0 root@teamtestvm:~# network-setup 20 enp0s8 eth0

Now you should be able to connect other systems to the 2nd ethernet device (eth0).
On your other systems give an IP6 address and configure the route.

sudo ip a a fd00:1337:1::IP/48 dev eth0 sudo ip -6 r a fd00:1337::/32 via fd00:1337:1::1 dev eth0