Network Setup
This page explains the very basic and simple way to set up the network infrastructure necessary for participating in the iCTF 2005. The closer you follow the instructions provided below, the less likely you are to experience connectivity problems before/during the CTF.
Team Box Setup
The instructions below are based on the following assumptions:
- You have sent the public IP of your teambox to Vika Felmetsger
- You have received a public IP of the mainbox from us
- The non-routable IP address assigned to your teambox is 10.1.1.1
- The public IP address of the mainbox is 128.111.41.37
- Your teambox's external NIC interface is eth0
- Your teambox's internal NIC interface is eth1
If you follow the steps in this section and substitute the IP addresses given as an example with the IP addresses you will use, by the end of this section you should be able to connect to the main box through the GRE tunnel.
- Install Fedora Core 4 (Linux 2.6-series kernel) with iptables v1.3.0 and the ip utility (iproute2).
- Configure your IP address and routing:
  - ifconfig eth0 <your public IP> netmask <your netmask> broadcast <your broadcast address>
  - ifconfig eth1 10.1.1.1 netmask 255.255.255.0 broadcast 10.1.1.255
  - route add default gw <your gateway IP> eth0
  To make these settings permanent, put the above commands into /etc/rc.local.
- Enable IP forwarding: in the file /etc/sysctl.conf set net.ipv4.ip_forward to 1. For this change to take effect right away (without rebooting the computer), execute:
  - sysctl -p /etc/sysctl.conf
- Set up the GRE tunnel:
  - modprobe ipip
  - modprobe ip_gre
  - ip tunnel add vpnet mode gre remote 128.111.41.37 local <your teambox public IP> ttl 255
  - ip link set vpnet up
  - ip addr add 10.1.1.1 dev vpnet
  - ip route add 10.0.0.0/8 dev vpnet
  At this point, if you execute ifconfig, you should see a new interface vpnet listed. To make these settings permanent, put the above commands into /etc/rc.local.
- Enable NAT:
  - iptables --table nat --flush
  - iptables --table nat --delete-chain
  - iptables --table nat -A POSTROUTING -o eth0 -j SNAT --to-source <your public IP>
  To make these settings permanent, put the above commands into /etc/rc.local.
- Firewalling:
  - You have to make sure that the only packets routed through your teambox are those whose source and destination addresses are both in the 10.x.x.x network:
    - iptables --flush FORWARD
    - iptables -P FORWARD DROP
    - iptables -A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
  - It is up to you how to set the INPUT and OUTPUT chain rules, but you have to allow GRE packets to go through:
    - iptables -A INPUT -p gre -s 128.111.41.37 -j ACCEPT
    - iptables -A OUTPUT -p gre -d 128.111.41.37 -j ACCEPT
  To make these settings permanent, put the above commands into /etc/rc.local.
- Send us your public IP address. After that we will be able to connect you to the main box.
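As an added check that is not part of the original instructions, the following Python script parses `iptables-save` output and verifies the Firewalling requirements above: the FORWARD policy is DROP, forwarding is accepted only between 10.0.0.0/8 addresses, and GRE is accepted only to/from the mainbox. The sample dump is constructed for the example; on the teambox you would feed it the real output of `iptables-save`.

```python
MAINBOX = "128.111.41.37"  # mainbox public IP from the instructions

# Constructed sample (not captured from a real host): the filter table as
# `iptables-save` prints it after the Firewalling commands have been run.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 128.111.41.37/32 -p gre -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 128.111.41.37/32 -p gre -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Return ({table: {chain: policy}}, {table: [rule dict]})."""
    policies, rules, table = {}, {}, None
    for line in text.splitlines():
        if line.startswith("*"):                     # table header, e.g. *filter
            table = line[1:]
            policies[table], rules[table] = {}, []
        elif line.startswith(":"):                   # chain policy, e.g. :FORWARD DROP [0:0]
            chain, policy = line[1:].split()[:2]
            policies[table][chain] = policy
        elif line.startswith("-A "):                 # appended rule
            toks = line.split()
            rule = {"chain": toks[1], "raw": line}
            rule.update(zip(toks[2::2], toks[3::2]))  # "-x value" pairs; "!" negation not handled
            rules[table].append(rule)
    return policies, rules

def audit(text, mainbox=MAINBOX):
    """Return a list of findings; an empty list means the dump meets the requirements."""
    policies, rules = parse_dump(text)
    findings, gre_peers = [], {"INPUT": set(), "OUTPUT": set()}
    if policies.get("filter", {}).get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP")
    for r in rules.get("filter", []):
        # Only 10/8 -> 10/8 traffic may be forwarded through the teambox.
        if r["chain"] == "FORWARD" and r.get("-j") == "ACCEPT" and (
                r.get("-s") != "10.0.0.0/8" or r.get("-d") != "10.0.0.0/8"):
            findings.append("FORWARD accepts traffic outside 10.0.0.0/8: " + r["raw"])
        # GRE must be accepted, but only to/from the mainbox.
        if r["chain"] in gre_peers and r.get("-p") == "gre" and r.get("-j") == "ACCEPT":
            peer = r.get("-s" if r["chain"] == "INPUT" else "-d") or "any"
            gre_peers[r["chain"]].add(peer.split("/")[0])
    for chain, peers in gre_peers.items():
        if peers != {mainbox}:
            findings.append("%s GRE peers %s, expected only %s" % (chain, sorted(peers), mainbox))
    return findings
```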
Image Box Setup
The instructions given below are based on the following assumptions:
- You have a VMware Workstation 5.0 license (you can get a free 30-day evaluation license from the www.vmware.com web site)
- The IP address assigned to your imagebox by us is 10.1.1.2
- The IP address assigned to your teambox is 10.1.1.1
- Your imagebox's external NIC interface is eth0
Do the following:
- Install Fedora Core 4 (Linux 2.6-series kernel) with iptables v1.3.0 and ip utility (iproute2).
- Configure your IP address and routing:
  - ifconfig eth0 10.1.1.2 netmask 255.255.255.0 broadcast 10.1.1.255
  - route add default gw 10.1.1.1 eth0
- Install VMware from VMware-workstation-5.0.0-13124.i386.rpm with bridged networking enabled
- To be able to run two VMware images on the same VMware machine with bridged networking enabled, patch VMware with vmware-any-any-update94.tar.gz:
  - Untar and unzip vmware-any-any-update94.tar.gz
  - cd vmware-any-any-update94
  - ./runme.pl
- Start your VMware machine and enter the license number.
- It is up to you how to set up the firewall on your image box. The only requirement is that the images running on your VMware machine must be reachable from the outside (10.0.0.0/8 network).
This host should not be able to connect to any hosts other than the hosts in the 10.0.0.0/8 network. Do not add any nameserver information to the /etc/resolv.conf file.
Vulnerable Box Setup
The instructions given below are based on the following assumptions:
- The IP address assigned to your vulnerable box is 10.1.1.3
- Your vulnerable box's external NIC interface is eth0
- The actual vulnerable VMware image will be distributed only at the time of the CTF. Meanwhile, we are making the image from the previous iCTF available here. This image is provided for your convenience only and you do not have to have it up and running.
Do the following:
- Start your VMware machine.
- Extract the host image from iCTF_basstard.tgz
- Boot the VMware image in single user mode. Note that Debian doesn't allow a password-less single user mode boot. However, if during the boot procedure you modify the line
  kernel /boot/vmlinuz-2.6.8-1-686 root=/dev/sda1 ro
  to
  kernel /boot/vmlinuz-2.6.8-1-686 root=/dev/sda1 rw init=/bin/sh
  you will get a shell without being asked for a password. Then you can edit the rc.local file and reboot.
- Configure your IP address and routing (add the commands below to the /etc/rc.local file):
  - ifconfig eth0 10.1.1.3 netmask 255.255.255.0 broadcast 10.1.1.255
  - route add default gw 10.1.1.1 eth0
- Reboot the image.
Test Box Setup
Do not modify anything (including the root password) on this host and do not attack this host!
Testbox is the host that we will be using to test the network connectivity between the teams. Please have this box running at all times from now until the CTF starts. Notify Vika Felmetsger when your testbox is up and running.
Note: We are not planning to use this box at the time of the CTF, but we might ask you to boot your testboxes during the CTF if there are connectivity problems with one or more teams.
The instructions given below are based on the following assumptions:
- The IP address assigned to your testbox is 10.1.1.4
- Your testbox's external NIC interface is eth0
- We have provided you with the vmware image iCTF3_testbox.tgz
Do the following:
- Extract the host image from iCTF3_testbox.tgz
- Assuming that you have the VMware machine already running with the vulnerable image, boot the testbox image (in single user mode) as the second image on the same VMware machine.
- Configure your IP address and routing (add the commands below to the /etc/rc.local file):
  - ifconfig eth0 10.1.1.4 netmask 255.255.255.0 broadcast 10.1.1.255
  - route add default gw 10.1.1.1 eth0
- Reboot the image.