
Create a multi juicer type of setup

Open commjoen opened this issue 2 years ago • 5 comments

We need to improve our CTF version from a single instance to a multi-user instance with something like https://github.com/iteratec/multi-juicer . This should result in 1 wrongsecrets desktop and 1 wrongsecrets running container per user. If possible it should have a namespace per user where people can kubectl into for k8s/cloud challenges.

  • [x] Fork multi juicer
  • [x] make sure it spins up wrongsecrets
  • [x] make sure it spins up a webdesktop
  • [x] fix all the tests on this port!
  • [x] create a list of namespaces and let every team have its own namespace (tracked by the balancer)
  • [ ] have NSPs that: disallow internet connections for Desktop, disallow http://169.254.169.254/ for desktop, and isolate the namespaces. We only need to get kubectl enabled.
  • [ ] have an accept list of team names to reduce the number of teams
  • [x] make a port of https://github.com/commjoen/wrongsecrets/blob/master/aws/k8s-aws-alb-script.sh for the CTF because LB adding does not work like this.
  • [x] enable securitycontexts to reduce ease of getting out of the cluster onto the node (wrongsecret hardened, balancer hardened, checked desktop on minikube)
  • [x] make the cleaner go over various Namespaces and both deployments
  • [x] UPDATE WRONGSECRETS:
    • [x] Fix bug that vault is enabled in k8s ctf mode without checking an override of the vault password. (add test)
    • [x] make cloud challenges disableable in CTF mode (e.g. disable IAM challenge)
    • [x] make challenge 8 respond not only with a flag, but also with a locked value if present when correct (E.g. fill in this value at the CTF instance)
  • [x] configure wrongsecrets in js to support K8s
  • [x] configure wrongsecrets in js as option to support AWS exercises
  • [x] add missing tests!
  • [x] Provide kubectl instructions per user with access to his own namespace (SECRETS: read&list, CONFIGMAPS: read&list, LOGS: watch&read, POD: list&describe&read, DEPLOYMENT: list&describe&read)
  • [x] Overhaul UI:
    • [x] have url of CTFD/facebook CTF configurable as part of the entry page
    • [x] have url for submitting scores for actual CTF points configurable and explained
    • [x] have wrongsecrets logo and configurable next logo
    • [x] make sure that both the webdesktop and the wrongsecrets have 2 buttons that will be clickable to get there per team
    • [ ] Document all the things (FOR NOW MINIKUBE AND AWS ONLY!! THE OTHERS WILL BE OUT OF SCOPE - so mark documentation as not happened yet, add shellscripts and TF for AWS)
  • [x] have persistence of progress in place (THIS IS NOT POSSIBLE: WILL EVENTUALLY REMOVE PROGRESS AND CALLBACKS AS PEOPLE HAVE K8S ACCESS!)
  • [x] Check if we can have better resource cap
    • [x] on webtop (cpu/mem/storage)
    • [x] on wrongsecrets (storage)
  • [x] Check if we can use 3 wrongsecrets-balancers and still run webtop (Seems to be working with the new aws script. we do need to test this with a large amount of people)
  • [x] Add better GB storage per node in TF
  • [x] add a get-started button before the form when entering the balancer
  • [x] Make sure the creation of an instance requires an hmac generated in the ui as part of the uri dependent on the teamname
  • [x] delete full namespaces with the cleaner (outside of MVP, is now in https://github.com/commjoen/wrongsecrets-ctf-party/issues/54)

commjoen avatar Sep 03 '22 03:09 commjoen

Fork is at https://github.com/commjoen/wrongsecrets-ctf-party (working title)

commjoen avatar Sep 04 '22 05:09 commjoen

Note for the overhaul, given the Apache 2 license. Requirements: anyone who uses open source software licensed under Apache 2.0 must include the following in their copy of the code, whether they have modified it or not:

  • The original copyright notice
  • A copy of the license itself
  • If applicable, a statement of any significant changes made to the original code
  • A copy of the NOTICE file with attribution notes (if the original library has one)

The third requirement listed above is a major differentiator between the Apache License 2.0 and other permissive licenses. If you make any major modifications to the licensed code, you must disclose those changes in any updated version that you distribute.

However, you do not need to release the modified code under Apache 2.0. Simply including any modification notifications is enough to comply with the license terms.

commjoen avatar Sep 04 '22 05:09 commjoen

Progress on https://github.com/commjoen/wrongsecrets-ctf-party/pull/1 : if you do

  minikube start
  eval $(minikube docker-env)
  ./build-an-deploy.sh

and then again ./build-an-deploy.sh, then you can do the kubectl port-forward service/wrongsecrets-balancer 3000:3000 ; then you can actually open up localhost:3000 and you can (ignore the ui) and start a new deployment!

commjoen avatar Sep 08 '22 12:09 commjoen

NSPs by @madhuakula:

# Default Deny policy
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: wrongsecrets-test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress


# Deny for the Metadata Service endpoint.
# NetworkPolicy has no "action: deny" field and every rule is an allow-list:
# an egress rule whose "to" names 169.254.169.254/32 would ALLOW that endpoint.
# The exclusion has to be an "except" entry on a wider ipBlock. Note that this
# policy therefore allows all other egress for the selected pods; pods that
# should have no outbound access at all get only the default deny plus the
# DNS rule at the bottom (policies on the same pods are combined as a union).
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-metadata-service
  namespace: wrongsecrets-test
spec:
  podSelector:
    matchLabels:
      app: wrongsecrets-no-vault
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 169.254.169.254/32


# Deny traffic from other namespaces (ingress only from pods in this namespace)
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: deny-traffic-from-other-namespaces
  namespace: wrongsecrets-test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}

# Allow DNS and disallow all other egress traffic
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress-except-dns
  namespace: wrongsecrets-test
spec:
  podSelector:
    matchLabels:
      app: wrongsecrets-no-vault
  policyTypes:
  - Egress
  egress:
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
which we can do with

networkingV1Api.createNamespacedNetworkPolicy

commjoen avatar Sep 15 '22 12:09 commjoen
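The per-team policy set above, built and applied from the balancer side, as an added example that is not code from the issue thread or from wrongsecrets-ctf-party. It constructs the policies as plain objects, applies them through any object shaped like the client's NetworkingV1Api (the `api` parameter is injected, so the block runs without the library), and includes a small checker that answers "can the selected pods reach this IP and port?", which makes the difference between a "to: 169.254.169.254/32" rule and an "except" entry visible. Assumptions: the positional createNamespacedNetworkPolicy(namespace, body) signature of the 0.x @kubernetes/client-node (1.x takes a single { namespace, body } object), a label the operator puts on the balancer's namespace, and IPv4 addresses only.

```javascript
// Added example, not code from the issue thread or from wrongsecrets-ctf-party.
// Builds the per-team NetworkPolicy set discussed above, applies it through an
// object shaped like @kubernetes/client-node's NetworkingV1Api, and checks
// what a policy's egress rules can reach. Assumption: the positional
// createNamespacedNetworkPolicy(namespace, body) signature of the 0.x client.

const METADATA_IP = '169.254.169.254';

function policy(namespace, name, spec) {
  return { apiVersion: 'networking.k8s.io/v1', kind: 'NetworkPolicy',
           metadata: { name, namespace }, spec };
}

// Nothing in or out for every pod in the team namespace; the policies below
// add back only what a team needs (NetworkPolicy rules are purely additive).
function defaultDenyAll(namespace) {
  return policy(namespace, 'default-deny-all',
    { podSelector: {}, policyTypes: ['Ingress', 'Egress'] });
}

// Ingress from pods in the same namespace plus the balancer's namespace, which
// the operator is assumed to have labelled (for example { role: 'balancer' }).
function allowIngressFromOwnAndBalancer(namespace, balancerNsLabels) {
  return policy(namespace, 'allow-ingress-same-ns-and-balancer', {
    podSelector: {}, policyTypes: ['Ingress'],
    ingress: [{ from: [{ podSelector: {} },
                       { namespaceSelector: { matchLabels: balancerNsLabels } }] }],
  });
}

// Desktop egress: same-namespace pods and DNS only. No ipBlock is present, so
// the internet and the metadata endpoint are unreachable without extra rules.
function desktopEgress(namespace, appLabel) {
  return policy(namespace, 'desktop-egress-same-ns-and-dns', {
    podSelector: { matchLabels: { app: appLabel } }, policyTypes: ['Egress'],
    egress: [
      { to: [{ podSelector: {} }] },
      { ports: [{ protocol: 'UDP', port: 53 }, { protocol: 'TCP', port: 53 }] },
    ],
  });
}

// For pods that do need outbound access (cloud exercises): everything except
// the metadata IP. A "to" naming 169.254.169.254/32 would allow it, because
// there is no deny action; the exclusion has to be an "except" entry.
function appEgressNoMetadata(namespace, appLabel) {
  return policy(namespace, 'app-egress-except-metadata', {
    podSelector: { matchLabels: { app: appLabel } }, policyTypes: ['Egress'],
    egress: [
      { to: [{ podSelector: {} }] },
      { to: [{ ipBlock: { cidr: '0.0.0.0/0', except: [`${METADATA_IP}/32`] } }] },
    ],
  });
}

function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

function cidrContains(cidr, ip) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ipToInt(base) & mask) >>> 0) === ((ipToInt(ip) & mask) >>> 0);
}

// True if any egress rule of `np` lets the selected pods reach ip:port
// (IPv4 only; protocol ignored). A rule without "to" reaches everywhere,
// pod/namespace selectors never reach an external IP such as the metadata
// service, and ipBlock peers are checked against cidr and except.
function egressReaches(np, ip, port) {
  const spec = np.spec;
  const types = spec.policyTypes || (spec.egress ? ['Egress'] : []);
  if (!types.includes('Egress')) return true; // policy does not restrict egress
  return (spec.egress || []).some((rule) => {
    if (rule.ports && !rule.ports.some((p) => p.port === port)) return false;
    if (!rule.to) return true;
    return rule.to.some((peer) => peer.ipBlock
      && cidrContains(peer.ipBlock.cidr, ip)
      && !(peer.ipBlock.except || []).some((c) => cidrContains(c, ip)));
  });
}

// Creates the four policies in a team namespace; a 409 from the API server
// means the policy already exists, which keeps the call safe to repeat.
async function applyTeamPolicies(api, namespace, { desktopApp, app, balancerNsLabels }) {
  const created = [];
  for (const p of [defaultDenyAll(namespace),
                   allowIngressFromOwnAndBalancer(namespace, balancerNsLabels),
                   desktopEgress(namespace, desktopApp),
                   appEgressNoMetadata(namespace, app)]) {
    try {
      await api.createNamespacedNetworkPolicy(namespace, p);
      created.push(p.metadata.name);
    } catch (err) {
      const status = err.statusCode || (err.response && err.response.statusCode);
      if (status !== 409) throw err;
    }
  }
  return created;
}
```

Because policies selecting the same pods are combined as a union, the desktop pod must not also be selected by the "everything except metadata" policy, or it regains internet access; keep the two app labels distinct.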

For the RBAC on the webtop, by @madhuakula 👍

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webtop-sa
  namespace: t-testing
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1 # v1beta1 was removed in Kubernetes 1.22
metadata:
  namespace: t-testing
  name: wrongsecrets-team-role
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods"] # RBAC resource names are plural; "pod" would never match
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/log"] # kubectl logs (including -f) needs get on this subresource
  verbs: ["get"]
- apiGroups: ["apps"] # deployments live in the apps group, not the core group
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: wrongsecrets-team-rolebinding
  namespace: t-testing
subjects:
  - kind: ServiceAccount
    name: webtop-sa
    namespace: t-testing
roleRef:
  kind: Role
  name: wrongsecrets-team-role
  apiGroup: rbac.authorization.k8s.io
# Now, we can use spec: serviceAccountName: webtop-sa in deployment/pod

commjoen avatar Sep 19 '22 08:09 commjoen
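A least-privilege check for the team Role and RoleBinding above, as an added example that is not code from the issue thread or from wrongsecrets-ctf-party. It audits the objects (as plain JavaScript objects, the shape a YAML parser yields) against the read-only allowance the issue lists for a team's namespace and reports anything wider: write verbs, wildcards, unknown groups or resources, a ClusterRole reference, or a subject from another namespace. The allowance table comes from the issue text; using the pods/log subresource for the "LOGS: watch&read" item is an assumption.

```javascript
// Added example, not code from the issue thread or from wrongsecrets-ctf-party.
// Audits a team Role and RoleBinding against the read-only allowance listed
// in the issue. The allowance table follows the issue text; pods/log for the
// "LOGS" item is an assumption.

const TEAM_ALLOWANCE = {
  '': {
    secrets: ['get', 'list'],
    configmaps: ['get', 'list'],
    pods: ['get', 'list', 'watch'],
    'pods/log': ['get', 'watch'],
  },
  apps: { deployments: ['get', 'list', 'watch'] },
};

// Returns findings as strings; an empty array means the Role stays inside the
// allowance. Unknown groups, resources and verbs (including "*") are findings,
// which also catches singular resource names such as "pod" that RBAC would
// silently never match.
function auditTeamRole(role) {
  const findings = [];
  if (role.kind !== 'Role') {
    findings.push(`kind ${role.kind}: teams get a namespaced Role, never a ClusterRole`);
  }
  if (role.apiVersion !== 'rbac.authorization.k8s.io/v1') {
    findings.push(`apiVersion ${role.apiVersion}: use rbac.authorization.k8s.io/v1 (v1beta1 was removed in Kubernetes 1.22)`);
  }
  (role.rules || []).forEach((rule, i) => {
    for (const group of rule.apiGroups || []) {
      const inGroup = TEAM_ALLOWANCE[group];
      if (!inGroup) {
        findings.push(`rule ${i}: apiGroup "${group}" is outside the team allowance`);
        continue;
      }
      for (const res of rule.resources || []) {
        const verbs = inGroup[res];
        if (!verbs) {
          findings.push(`rule ${i}: resource "${res}" (group "${group}") is outside the team allowance`);
          continue;
        }
        for (const verb of rule.verbs || []) {
          if (!verbs.includes(verb)) {
            findings.push(`rule ${i}: verb "${verb}" on ${res} exceeds read-only access`);
          }
        }
      }
    }
  });
  return findings;
}

// A binding must point at the namespaced Role and bind only service accounts
// from its own namespace, so a team cannot be handed a cross-namespace grant.
function auditTeamBinding(binding, roleName) {
  const findings = [];
  const ns = binding.metadata && binding.metadata.namespace;
  const ref = binding.roleRef || {};
  if (ref.kind !== 'Role' || ref.name !== roleName) {
    findings.push(`roleRef must be Role/${roleName}, got ${ref.kind}/${ref.name}`);
  }
  for (const s of binding.subjects || []) {
    if (s.kind !== 'ServiceAccount') {
      findings.push(`subject ${s.kind}/${s.name}: only ServiceAccount subjects expected`);
    } else if (s.namespace !== ns) {
      findings.push(`subject ${s.name} lives in ${s.namespace}, binding is in ${ns}`);
    }
  }
  return findings;
}
```

Run it over every team namespace's Role and RoleBinding before (or in) the balancer's namespace-creation path; a non-empty result should block the rollout rather than just be logged, since the team gets kubectl access to whatever the Role grants.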

We will soon tag and release 0.1 at https://github.com/commjoen/wrongsecrets-ctf-party

commjoen avatar Sep 26 '22 20:09 commjoen

https://github.com/OWASP/wrongsecrets-ctf-party is now at 0.2 with just a few items left to close this (docs & helm chart)

commjoen avatar Nov 12 '22 07:11 commjoen

Closing this as https://github.com/OWASP/wrongsecrets-ctf-party has its own release cycle now.

commjoen avatar Feb 13 '23 06:02 commjoen