Network Setup
This page explains a basic way to set up the network infrastructure necessary for participating in the iCTF 2008. The more closely you follow the instructions below, the less likely you are to experience connectivity problems before or during the CTF.
Important: if you are planning to have a very restrictive firewall, make sure that your rules do not block ICMP "Fragmentation Needed" messages.
Team Box Setup
The instructions below are based on the following assumptions:
- You have sent the public IP of your teambox to the person responsible for the CTF network, who is Nick Childers.
- You have received the public IP of the mainbox from us (for the sake of the following discussion, we will assume that the public IP of the mainbox is 128.111.41.37, but it is actually different).
- The non-routable IP address assigned to your teambox is 10.1.1.1.
- Your teambox's external NIC interface is eth0.
- Your teambox's internal NIC interface is eth1.
- Your public, routable network is 131.175.5.0/24, and your teambox has IP address 131.175.5.25, with gateway 131.175.5.1.
If you follow the steps in this section and substitute the IP addresses given as an example with the IP addresses you will use, by the end of this section you should be able to connect to the main box through the GRE tunnel.
- Install Ubuntu 8.10 Desktop (Linux 2.6-series kernel) with iptables v1.4.0 and the ip utility (iproute2). Note that these tools are installed by default.
- Configure your IP address and routing information.
In our example, if your public gateway is 131.175.5.1, you will execute:
    ifconfig eth0 131.175.5.25 netmask 255.255.255.0 broadcast 131.175.5.255
    ifconfig eth1 10.1.1.1 netmask 255.255.255.0 broadcast 10.1.1.255
    route add default gw 131.175.5.1 eth0
To make these settings permanent, put the equivalent configuration into /etc/network/interfaces.
For example:
    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet static
        address 131.175.5.25
        netmask 255.255.255.0
        broadcast 131.175.5.255
        gateway 131.175.5.1
    auto eth1
    iface eth1 inet static
        address 10.1.1.1
        netmask 255.255.255.0
- Enable IP forwarding: in the file /etc/sysctl.conf, set net.ipv4.ip_forward to 1. For this change to take effect right away (without rebooting the computer), execute:
    sysctl -p /etc/sysctl.conf
- Set up the GRE tunnel by executing the following commands:
    modprobe ipip
    modprobe ip_gre
    ip tunnel add vpnet mode gre remote 128.111.41.37 local 131.175.5.25 ttl 255
    ip link set vpnet up
    ip addr add 10.1.1.1 dev vpnet
    ip route add 10.0.0.0/8 dev vpnet
At this point, if you execute ifconfig, you should see a new interface vpnet listed. To make these settings permanent, put the above commands into /etc/rc.local.
- Firewalling:
  - Make sure that the only packets routed through your teambox have both their source and destination addresses in the 10.x.x.x network:
      iptables --flush FORWARD
      iptables -P FORWARD DROP
      iptables -A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
  - It is up to you how to set the INPUT and OUTPUT chain rules, but you have to allow GRE packets to go through:
      iptables -A INPUT -p gre -s 128.111.41.37 -j ACCEPT
      iptables -A OUTPUT -p gre -d 128.111.41.37 -j ACCEPT
To make these settings permanent, put the above commands into /etc/rc.local.
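An added example, not part of the original instructions: a shell function that audits `iptables-save -t filter` output against the teambox firewall requirements above (FORWARD policy DROP, forwarded traffic confined to 10.0.0.0/8, GRE allowed to and from the mainbox). The function name `audit_teambox` and the sample ruleset are constructed for illustration, and the mainbox IP defaults to this page's example 128.111.41.37. As a conservative assumption, when the INPUT or OUTPUT policy is not ACCEPT, only an explicit GRE rule for the mainbox counts.

```shell
# Added example: audit `iptables-save -t filter` text against the teambox rules.
audit_teambox() {
    awk -v mainbox="${1:-128.111.41.37}" '
    # in10(a): 1 if "addr", "addr/len" or "addr/dotted-mask" lies inside 10.0.0.0/8
    function in10(a,    p) {
        split(a, p, "/")
        if (p[1] !~ /^10\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        if (p[2] == "") return 1
        if (p[2] ~ /^[0-9]+$/) return (p[2] + 0 >= 8)
        return (p[2] ~ /^255\./)
    }
    function host(a,    p) { split(a, p, "/"); return p[1] }
    function bad(msg) { print "FINDING: " msg; n++ }
    BEGIN { table = "filter" }
    /^\*/ { table = substr($1, 2); next }
    table != "filter" { next }
    /^:/ { policy[substr($1, 2)] = $2; next }   # e.g. ":FORWARD DROP [0:0]"
    $1 != "-A" { next }
    {
        src = dst = proto = target = ""; neg = 0
        for (i = 3; i < NF; i++) {
            if ($i == "!") neg = 1              # negated match: review by hand
            else if ($i == "-s") src = $(i + 1)
            else if ($i == "-d") dst = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (target != "ACCEPT") next
        gre = (!neg && (proto == "gre" || proto == "47"))
        if ($2 == "FORWARD" && (neg || !in10(src) || !in10(dst)))
            bad("FORWARD accepts traffic not confined to 10.0.0.0/8: " $0)
        if ($2 == "INPUT"  && gre && host(src) == mainbox) gre_in = 1
        if ($2 == "OUTPUT" && gre && host(dst) == mainbox) gre_out = 1
    }
    END {
        if (policy["FORWARD"] != "DROP") bad("FORWARD policy is not DROP")
        if (policy["INPUT"]  != "ACCEPT" && !gre_in)  bad("no GRE ACCEPT from " mainbox " in INPUT")
        if (policy["OUTPUT"] != "ACCEPT" && !gre_out) bad("no GRE ACCEPT to " mainbox " in OUTPUT")
        exit (n > 0)
    }'
}
# Constructed sample ruleset: the FORWARD rule lost its -d match, so it is flagged.
audit_teambox <<'EOF' || true
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.0.0.0/8 -j ACCEPT
EOF
```

On a teambox, pipe the live ruleset in with `iptables-save -t filter | audit_teambox <mainbox-ip>`; a non-zero exit status means at least one finding was printed.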
Image Box Setup
The instructions given below are based on the following assumptions:
- The IP address assigned to your imagebox by us is 10.1.1.2
- The IP address assigned to your teambox is 10.1.1.1
- Your imagebox's external NIC interface is eth0
Do the following:
- Install Ubuntu 8.10 Desktop (Linux 2.6-series kernel) with iptables v1.4.0 and the ip utility (iproute2). Note that these utilities come with the default installation.
- Configure your IP address and routing:
    ifconfig eth0 10.1.1.2 netmask 255.255.255.0 broadcast 10.1.1.255
    route add default gw 10.1.1.1 eth0
To make these settings permanent, put the following configuration into /etc/network/interfaces:
    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet static
        address 10.1.1.2
        netmask 255.255.255.0
        gateway 10.1.1.1
- Install VMware Player.
- It is up to you how to set up the firewall on your image box. The only requirement is that the images running on your VMware machine must be reachable from the outside (10.0.0.0/8 network).
This host should not be able to connect to any hosts other than those in the 10.0.0.0/8 network. Do not add any name server information to the /etc/resolv.conf file.
Vulnerable Box Setup
The instructions given below are based on the following assumptions:
- The IP address assigned to your vulnerable box is 10.1.1.3
- Your vulnerable box's external NIC interface is eth0
- The actual vulnerable VMware image will be distributed only at the time of the CTF. Meanwhile, we are making available an image from a previous competition, called iCTF_VulnBox.tgz.
Do the following:
- Start your VMware machine.
- Extract the host image from iCTF_VulnBox.tgz, load it into VMware, and start it.
- The root password on this image is ucsbctf.
- Configure your IP address and routing by adding the configuration below to /etc/network/interfaces.
For example:
    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet static
        address 10.1.1.3
        netmask 255.255.255.0
        broadcast 10.1.1.255
        gateway 10.1.1.1
- Reboot the image.
At this point, you should have an image that has the same setup as your competition image. You will have to repeat these steps on the day of the competition.
Test Box Setup
Do not modify anything (including the root password) on this host and do not attack this host!
The testbox is the host that we will be using to test the network connectivity between the teams. Please keep this box running at all times from now until the CTF starts. Notify Nick Childers when your testbox is up and running.
Note: We are not planning to use this box at the time of the CTF, but we might ask you to boot your testboxes during the CTF if there are connectivity problems with one or more teams.
The instructions given below are based on the following assumptions:
- The IP address assigned to your testbox is 10.1.1.4
- Your testbox's external NIC interface is eth0
- We have provided you with the VMware image iCTF_TestBox.tgz
Do the following:
- Extract the host image from iCTF_TestBox.tgz
- Assuming that you have the VMware machine already running with the vulnerable image, boot the testbox image (in single-user mode) as the second image on the same VMware application.
- Configure your IP address and routing (add the configuration below to the /etc/network/interfaces file):
    auto lo
    iface lo inet loopback
    auto eth0
    iface eth0 inet static
        address 10.1.1.4
        netmask 255.255.255.0
        broadcast 10.1.1.255
        gateway 10.1.1.1
- Reboot the image.
Please keep this image running and do not attack it. We really need it to test connectivity and diagnose network problems.