Initial Commit

Signed-off-by: Md Isfarul Haque <[email protected]>

1. deployment.yaml

@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: $name
+  labels:
+    app: $name
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: $name
+  template:
+    metadata:
+      labels:
+        app: $name
+    spec:
+      containers:
+        - name: $name
+          image: docker.io/library/$name:latest
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: true
+            privileged: true
+          ports:
+            - containerPort: $cport
+              protocol: TCP
+              name: $name-port
+          resources:
+            requests:
+              cpu: 100m

2. service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: $name-service
+  labels:
+    app: $name
+spec:
+  selector:
+    app: $name
+  type: ClusterIP
+  ports:
+    - port: $xport
+      targetPort: $cport

3. ingress.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-ingress-tcp-microk8s-conf
+  namespace: ingress
+data:
+  $xport: "default/$name-service:$xport"

4. daemonset.yaml

@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nginx-ingress-microk8s-controller
+  namespace: ingress
+spec:
+  template:
+    spec:
+      containers:
+        - name: nginx-ingress-microk8s
+          ports:
+            - name: $name-port # challenge_name-port
+              containerPort: $xport
+              hostPort: $xport
+              protocol: TCP

5. hpa.yaml

@@ -0,0 +1,12 @@
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: $name
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: $name
+  minReplicas: 1
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 30

README.md

@@ -0,0 +1,100 @@
+# Microk8s framework for CTFs
+
+## Installation
+
+Ubuntu installation will be the easiest
+
+```bash
+sudo snap install microk8s --classic --channel=1.31
+```
+
+To check the installation
+
+```bash
+microk8s status --wait-ready
+```
+
+As a followup
+
+```bash
+sudo usermod -a -G microk8s $USER
+
+mkdir -p ~/.kube
+
+chmod 0700 ~/.kube
+```
+
+Now restart. You need to RESTART logging out and then logging in won't work!
+
+Check that `kubectl` is working. Note that microk8s has its own version.
+
+``` bash
+microk8s kubectl get nodes
+
+microk8s kubectl get services
+```
+
+
+## Add other nodes
+
+You need to run the instructions shown on the other computer. They need to be on
+the same network.
+
+``` bash
+microk8s add-node
+```
+
+
+## Enable nginx-ingress
+
+This allows us to forward ports to the pods on just connecting to the host IP.
+
+Enable ingress and check if it works:
+
+``` bash
+microk8s enable ingress
+
+microk8s kubectl get pods -A | grep ingress
+
+microk8s kubectl -n ingress get configmap
+```
+
+
+## Enable dashboard
+
+``` bash
+microk8s enable dashboard
+sudo microk8s kubectl get services -n kube-system
+```
+
+### Using the dashboard
+
+``` bash
+sudo microk8s kubectl describe secret -n kube-system microk8s-dashboard-token | grep ^token 
+# save the token in your clipboard; you'll need it later
+microk8s kubectl port-forward -n kube-system service/kubernetes-dashboard --address 0.0.0.0 10443:443
+```
+
+Now it should be accessible on port 10443. It'll ask for the token that you got
+from the above command.
+
+
+
+## Using the template
+
+Inside the root folder, create another folder for creating the challenges.
+Next, run `./create_template.sh <folder> <chall-name> <xport> <cport>` to create
+the folder for the challenge. `xport` is the port on the host and `cport` is the
+port in the container where the challenge is hosted.
+
+Now cd into the folder and run `./run.sh <chall-name>`. Keep it the same as the
+above for consistency. I have no idea what happens if the name is kept to a 
+different one.
+
+That's it! Now use the dashboard to check the pod status!
+
+
+# TODO
+
+- [ ] Once local docker registry is enabled, reflect the changes to pull from 
+      there instead.

chall_one/Dockerfile

@@ -0,0 +1,9 @@
+FROM pwn.red/jail
+
+COPY --from=ubuntu:20.04 / /srv
+
+RUN mkdir /srv/app
+COPY vuln /srv/app/run
+COPY flag /srv/app
+
+

chall_one/daemonset.yaml

@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: nginx-ingress-microk8s-controller
+  namespace: ingress
+spec:
+  template:
+    spec:
+      containers:
+        - name: nginx-ingress-microk8s
+          ports:
+            - name: shell-port # challenge_name-port
+              containerPort: 5000
+              hostPort: 5000
+              protocol: TCP

chall_one/deployment.yaml

@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: shell
+  labels:
+    app: shell
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: shell
+  template:
+    metadata:
+      labels:
+        app: shell
+    spec:
+      containers:
+        - name: shell
+          image: docker.io/library/shell:latest
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: true
+            privileged: true
+          ports:
+            - containerPort: 5000
+              protocol: TCP
+              name: shell-port
+          resources:
+            requests:
+              cpu: 100m

chall_one/flag

@@ -0,0 +1 @@
+iitmCTF{SHEll_C0D3_<3_so_S3Xy}

chall_one/hpa.yaml

@@ -0,0 +1,12 @@
+apiVersion: autoscaling/v1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: shell
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: shell
+  minReplicas: 1
+  maxReplicas: 10
+  targetCPUUtilizationPercentage: 30

chall_one/ingress.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-ingress-tcp-microk8s-conf
+  namespace: ingress
+data:
+  5000: "default/shell-service:5000"

chall_one/modify.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+tag=1
+name="got2win"
+flag_id=10
+
+echo "sseCTF{U_know_\$om3THinG_jon_\$N0w_$RANDOM}" > flag.txt
+cat flag.txt
+flag=$(cat flag.txt)
+
+docker build -t $name .
+docker save $name > $name.tar
+microk8s ctr image import $name.tar
+
+patch='{"spec":{"template":{"spec":{"containers":[{"name":"'$name'-challenge","image":"'$name':'$tag'"}]}}}}'
+
+microk8s.kubectl patch deployment $name --patch $patch
+
+curl \
+    -X PATCH "http://13.126.197.34/api/v1/flags/$flag_id" \
+    -H "Authorization: Token feb566432a58da3ac62227579b5d90e128efe527e7dc41f7e3add57e61149a50" \
+    -H "Content-Type: application/json" \
+    -d '{"content": "'$flag'", "id": "'$flag_id'"}'
+

chall_one/run.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+if [ "$#" -ne 1 ]; then
+	echo "Usage: $0 <name>" >&2
+	exit 1
+fi
+
+name=$1
+
+docker build -t $name:latest .
+docker image save $name > $name.tar
+microk8s ctr image import $name.tar
+
+microk8s.kubectl apply -f "deployment.yaml"
+microk8s.kubectl apply -f "service.yaml"
+microk8s.kubectl patch configmaps nginx-ingress-tcp-microk8s-conf --namespace ingress --patch-file "ingress.yaml"
+microk8s.kubectl patch daemonsets.apps --namespace=ingress nginx-ingress-microk8s-controller --patch "$(cat "daemonset.yaml")"
+microk8s.kubectl apply -f "hpa.yaml"

chall_one/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: shell-service
+  labels:
+    app: shell
+spec:
+  selector:
+    app: shell
+  type: ClusterIP
+  ports:
+    - port: 5000
+      targetPort: 5000

create_template.sh

@@ -0,0 +1,27 @@
+if [ "$#" -ne 4 ]; then
+	echo "Usage: $0 <folder> <name> <xport> <cport>" >&2
+	exit 1
+fi
+
+folder=$1
+#challenge name
+name=$2
+# external port
+xport=$3
+# container port
+cport=$4
+
+mkdir -p $folder
+
+
+sed "s/\$name/$name/g; s/\$cport/$cport/g; s/\$cport/$cport/g" '1. deployment.yaml' > $folder/deployment.yaml 
+
+sed "s/\$name/$name/g; s/\$cport/$cport/g; s/\$xport/$xport/g" '2. service.yaml' > $folder/service.yaml
+
+sed "s/\$name/$name/g; s/\$cport/$cport/g; s/\$xport/$xport/g" '3. ingress.yaml' > $folder/ingress.yaml
+
+sed "s/\$name/$name/g; s/\$cport/$cport/g; s/\$xport/$xport/g" '4. daemonset.yaml' > $folder/daemonset.yaml
+
+sed "s/\$name/$name/g; s/\$cport/$cport/g; s/\$xport/$xport/g" '5. hpa.yaml' > $folder/hpa.yaml
+
+cp run.sh modify.sh $folder/

modify.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+tag=1
+name="got2win"
+flag_id=10
+
+echo "sseCTF{U_know_\$om3THinG_jon_\$N0w_$RANDOM}" > flag.txt
+cat flag.txt
+flag=$(cat flag.txt)
+
+docker build -t $name .
+docker save $name > $name.tar
+microk8s ctr image import $name.tar
+
+patch='{"spec":{"template":{"spec":{"containers":[{"name":"'$name'-challenge","image":"'$name':'$tag'"}]}}}}'
+
+microk8s.kubectl patch deployment $name --patch $patch
+
+curl \
+    -X PATCH "http://13.126.197.34/api/v1/flags/$flag_id" \
+    -H "Authorization: Token feb566432a58da3ac62227579b5d90e128efe527e7dc41f7e3add57e61149a50" \
+    -H "Content-Type: application/json" \
+    -d '{"content": "'$flag'", "id": "'$flag_id'"}'
+

run.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+if [ "$#" -ne 1 ]; then
+	echo "Usage: $0 <name>" >&2
+	exit 1
+fi
+
+name=$1
+
+docker build -t $name:latest .
+docker image save $name > $name.tar
+microk8s ctr image import $name.tar
+
+microk8s.kubectl apply -f "deployment.yaml"
+microk8s.kubectl apply -f "service.yaml"
+microk8s.kubectl patch configmaps nginx-ingress-tcp-microk8s-conf --namespace ingress --patch-file "ingress.yaml"
+microk8s.kubectl patch daemonsets.apps --namespace=ingress nginx-ingress-microk8s-controller --patch "$(cat "daemonset.yaml")"
+microk8s.kubectl apply -f "hpa.yaml"