bhackari
diff --git a/‎content/posts/DestructiveFarm_Setup.md‎
Lines changed: 120 additions & 0 deletions b/‎content/posts/DestructiveFarm_Setup.md‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎content/posts/Tulip_Setup.md‎
Lines changed: 239 additions & 0 deletions b/‎content/posts/Tulip_Setup.md‎
Lines changed: 239 additions & 0 deletions
@@ -0,0 +1,120 @@
+---
+date: '2024-04-19T12:01:00Z'
+draft: false
+title: 'DestructiveFarm setup for A/D CTFs'
+summary: "DestructiveFarm is a popular tool used in CTFs and 
+what it does is running exploits every tick to retrieve flags and
+automatically submit them to the checker."
+
+categories: 
+    - docs
+keywords: 
+    - attack-defense
+    - infra
+author: bhackari
+---
+
+# Setup the submitter (server)
+
+The submitter is the tool that collects flags from [farm clients](#setup-an-exploit-farm-client), sends them to the checksystem, monitors the usage of quotas and shows the stats about the accepted and rejected flags. It is being configured and run by the team's admin at the start of the competition. After that, team members can use a web interface to watch the exploits' results and stats.
+
+Clone the repo on a local server or on a dedicated VPS and enter the  server direcrory
+```
+$ git clone https://github.com/DestructiveVoice/DestructiveFarm  
+$ cd DestructiveFarm/server/
+```
+
+---
+
+### Submitter general configuration
+
+Edit `config.py` according to the rules of your specific competition
+- `TEAMS` ip addresses of all the teams (generated using a format string)
+- `FLAG_FORMAT` the regex the server will use to identify the flags in the traffic generated by the exploits 
+- `SUBMIT_FLAG_LIMIT` max number of flag the server will try to send in a `SUBMIT_PERIOD`
+- `FLAG_LIFETIME` flags older than this period, not yet sent, will be discarded
+- `SERVER_PASSWORD` password to access the front-end control page of the submitter
+.
+- `SYSTEM_PROTOCOL` the name of your protocol (see [Protocols](#protocols))
+- `SYSTEM_HOST` IP address of the flag checker (only for TCP protocols)
+- `SYSTEM_URL` URL  of the flag checker (only for HTTP protocols)
+- `SYSTEM_PORT` port number used by the flag checker for incoming traffic
+- `SYSTEM_TOKEN` authentication token (only for HTTP protocols)
+
+---
+
+### Protocols
+
+A protocol defines the interaction standard between the submitter and the flag checker hosted by the competition host. It is specific to the competition and it is usually explicitly outlined in the rules.
+
+The comunication protocols usually are either based on a `HTTP` session or a simple `TCP` connection.
+The folder `protocols/` already contains 4 examples of both cases pulled from real competitions. 
+You need to make one specific for your competition. 
+
+Regardless of the type of the connection, first you need to map all the possible server response to a `FlagStatus`.
+```
+RESPONSES = {
+    FlagStatus.QUEUED: ['timeout', 'game not started', 'try again later','game over', 'is not up', 'no such flag'],
+    FlagStatus.ACCEPTED: ['accepted', 'congrat'],
+    FlagStatus.REJECTED: ['bad', 'wrong', 'expired', 'unknown', 'your own', 'too old', 'not in database', 'already submitted','invalid flag'],
+}
+```
+After that, the `submit_flags(flags, config)` function must be configured to craft a request to the checker for each flag present in the `flags` parameter, listen for a response by the server and update the staus of each flag based on the `RESPONSES` defined before.
+
+Destructive Farm will invoke your function whenever its needed.
+
+**HINT:**
+Most protocols are very similar, copy one of the examples and adapt it to your competition
+
+---
+
+### Running the submitter
+
+Once everything is set up you can run the server by running:
+```
+$ ./start_server.sh
+```
+This script can be edited to change the port used by the service by addding `--port=1234`. 
+By default Flask will use port `5000`
+
+DestructiveFarm maintains persistence in the file `flags.sqlite`. 
+Deleting the file will result in the removal of all flags collected up to this point.
+
+---
+
+# Setup the farm client
+
+A farm client is a tool that periodically runs the exploit to attack other teams and looks after their work. 
+It can be run by each participant on their laptop after they've written an exploit.
+
+Clone the same repo on the client that will run the exploit and enter the **client** folder
+```
+$ git clone https://github.com/DestructiveVoice/DestructiveFarm  
+$ cd DestructiveFarm/client/
+```
+
+---
+
+### The exploit
+
+The exploit is a script that steals **flags** from some service of other teams. It is written by a participant during the competition and should accept the **victim's host** (IP address or domain) as the **first command-line argument**, attack them and print flags to stdout.
+
+The first argument can be retrieved with `sys.argv[1]`
+
+You should find an example called `spl_example.py` from where you can start to build your own. 
+
+---
+
+### The client
+
+The client will be in constant comunication with the server and it will periodically run the exploit providing the address of the victim. The frequency and number of invocations depends on the server configuration shown [here](#submitter-general-configuration).
+
+The only 2 parameters required by the client are the **name of the expoit** and the **address** of the submitter [server](#setup-the-submitter-server) (the same address and port you use to reach the front-end)
+
+```
+./start_sploit.py my_exploit.py -u serverAddress.com:5000
+```
+
+The system will automatically **extract the flags** from your exploit's output based on the `FLAG_FORMAT` you provided [here](#submitter-general-configuration) and send them to the server. 
+
+The server will automatically detect duplicates and it will try to submit the flags in multiple occasions until either the state of the flag becomes `ACCEPTED` or the lifetime of the flag is exceeded.
@@ -0,0 +1,239 @@
+---
+date: '2024-04-19T12:00:00Z'
+draft: false
+title: 'Tulip setup for A/D CTFs'
+summary: "Tulip is a traffic analyzer tool made for A/D CTFs, this post walks you throught all the important steps requied to deploy Tulip painlessly (hopefully)."
+
+categories: 
+    - docs
+keywords: 
+    - attack-defense
+    - infra
+author: bhackari
+---
+
+# Setup tulip on the VM
+
+### Tulip specific configurations
+
+Clone the repo
+```
+$ git clone https://github.com/OpenAttackDefenseTools/tulip.git  
+$ cd tulip  
+```
+
+---
+
+Edit `services/api/configurations.py` with the correct `tick_length`, `start_date`, `vm_ip`, and the `services`  
+
+---
+
+```
+$ cp .env.example .env  
+```
+
+edit `.env` with the correct `FLAG_REGEX`, `TICK_START`, `TICK_LENGTH` and 
+change `TRAFFIC_DIR_HOST` to point to the correct folder containing the pcaps (in our case `/ready_pcaps`)
+
+---
+
+If you want tulip to listen on a different port (e.g. port 4444) edit `docker-compose.yml` 
+and under the `frontend` service change 
+```yml
+ports: 
+    - "3000:3000"
+```
+to
+```yml
+ports: 
+    - "4444:3000"
+```
+
+**WARNING:**
+(if you host tulip on the vulnbox and don't change the web interface port you risk other teams to steal flags throght tulip. Yep, they know tulip default port is 3000)
+
+---
+
+```
+$ docker compose up -d --build
+```
+
+Tulip is now running.
+
+---
+
+### Packet capturing
+
+Save these scripts:  
+
+`/create-pcap.sh`
+```bash
+#!/bin/sh
+# -i game : game is the wireguard network interface, change it as needed
+
+mkdir -p /pcaps
+mkdir -p /ready_pcaps
+chmod 777 /pcaps
+chmod 777 /ready_pcaps
+
+tcpdump -G 120 -w /pcaps/myfile-%Y-%m-%d_%H.%M.%S.pcap -i game -z '/post-rotate.sh' port not 22
+```
+
+`/post-rotate.sh`
+```bash
+#!/bin/sh
+mkdir -p /ready_pcaps/
+mv $1 /ready_pcaps/
+```
+
+Then disable the apparmor profile for tcpdump
+```
+$ apt install apparmor-utils
+$ aa-complain /usr/bin/tcpdump
+```
+
+Now in a tmux or screen:
+```
+$ chmod +x /create-pcap.sh
+$ chmod +x /post-rotate.sh
+$ /create-pcap.sh
+```
+
+While `create-pcap.sh` is running, `ready_pcaps` will be populated with the network pcaps and 
+Tulip will show them on the web interface.s
+
+---
+# Setup Tulip on a dedicated VPS
+
+## On the vps
+
+Clone the repo
+```
+$ git clone https://github.com/OpenAttackDefenseTools/tulip.git  
+$ cd tulip  
+```
+
+---
+
+Edit `services/api/configurations.py` with the correct `tick_length`, `start_date`, `vm_ip`, and the `services`  
+
+---
+
+```
+$ cp .env.example .env  
+```
+
+edit `.env` with the correct `FLAG_REGEX`, `TICK_START` and `TICK_LENGTH`
+
+---
+
+If you want tulip to only listen on `localhost:3000` instead of `0.0.0.0:3000`, then edit `docker-compose.yml` 
+and under the `frontend` service change 
+```yml
+ports: 
+    - "3000:3000"
+```
+to
+```yml
+ports: 
+    - "127.0.0.1:3000:3000"
+```
+
+---
+
+```
+$ docker compose up -d --build
+```
+
+Tulip is now running.
+
+---
+
+## On the vulnbox
+
+Save these scripts:  
+
+`/create-pcap.sh`
+```bash
+#!/bin/sh
+# -i game : game is the wireguard network interface, change it as needed
+
+mkdir -p /pcaps
+mkdir -p /ready_pcaps
+chmod 777 /pcaps
+chmod 777 /ready_pcaps
+
+tcpdump -G 120 -w /pcaps/myfile-%Y-%m-%d_%H.%M.%S.pcap -i game -z '/post-rotate.sh' port not 22
+```
+
+`/post-rotate.sh`
+```bash
+#!/bin/sh
+mkdir -p /ready_pcaps/
+mv $1 /ready_pcaps/
+```
+
+Then disable the apparmor profile for tcpdump
+```
+$ apt install apparmor-utils
+$ aa-complain /usr/bin/tcpdump
+```
+
+Now in a tmux or screen:
+```
+$ chmod +x /create-pcap.sh
+$ chmod +x /post-rotate.sh
+$ /create-pcap.sh
+```
+
+While `create-pcap.sh` is running, `ready_pcaps` will be populated with the network pcaps.
+
+---
+
+## Send pcaps to tulip
+
+The last thing is to send the pcaps to tulip, there are two ways to do it :
+- 1: The vps has ssh access to the vulnbox, and can scp the pcaps
+- 2: The vps is not in the vpn, so no access to the vulnbox. In this case the vulnbox will have ssh access to the vps (this could be hardened)
+
+---
+
+### `Case 1`:  
+First create an ssh key in the vps and add it in the vulbox.  
+Then, on the vps save the script `take-pcap.sh`:
+```bash
+#!/usr/bin/bash
+
+IP_VULNBOX=10.32.55.2
+
+while true
+do
+	rsync -avz --remove-source-files root@$IP_VULNBOX:/ready_pcaps/* CHANGE_ME_TRAFFIC_DIR_HOST
+	sleep 10 # tweak this as you like
+done
+```
+
+Now open a tmux and run this script, tulip will receive the pcaps.
+
+---
+
+### `Case 2`:
+First create an ssh key in the vulnbox and add it in the vps.  
+Then, on the vulnbox save the script `take-pcap.sh`:  
+```bash
+#!/usr/bin/bash
+
+IP_VPS=10.32.55.2 # remember to change this
+
+while true
+do
+	rsync -avz --remove-source-files /ready_pcaps/* root@$IP_VPS:CHANGE_ME_TRAFFIC_DIR_HOST
+	sleep 10 # tweak this as you like
+done
+```
+
+Now open a tmux and run this script, tulip will receive the pcaps.
+
+---
+
+`CHANGE_ME_TRAFFIC_DIR_HOST` is the absolute path to the `TRAFFIC_DIR_HOST` value in the `.env` you wrote when configuring tulip.