Vulnbox images are automatically generated by Packer and based on VirtualBox.
Images are based on Debian 11 (Bullseye).
Subsequent builds can be sped up by installing apt-cacher-ng on the host:
apt-get install -y apt-cacher-ng
- Scripts to build a vulnbox including services that follow the saarCTF service template
- Scripts to build a testbox (similar to vulnbox but with a simple test service only)
- Scripts to build a "router VM"
- Scripts to convert any of these .ova VM images to a .tar.xz cloud bundle (see below)

- Step 0: Download and install Packer, Docker and VirtualBox.
- Step 1: Prepare services. Clone all services into the services directory. They must be structured following these guidelines.
- Step 2: Build the vulnbox
./vulnbuild.py build
In a first step, a plain Debian image is built. In a second step, the services are built. In a third and final step, the vulnbox is built, based on the plain Debian image and the service builds.
- ./vulnbuild.py prepare [--rebuild]: Build all services.
- ./vulnbuild.py prepare <service> [--rebuild]: Build service <service>.
- ./vulnbuild.py prepare-debian [--rebuild]: Build plain debian image.
- ./vulnbuild.py clean [<service>|debian]: Clean cached build from service, all services or plain image.
- ./vulnbuild.py pull [<service>]: Update git repositories containing one or all services.
- ./vulnbuild.py build: Build the final vulnbox.
- ./vulnbuild.py build [testbox|router]: Build other boxes.
- In any case you should create a new SSH key and move it to ssh/saarctf[.pub].
- The greeting frontpage can be edited in /frontpage and /frontpage-testbox.
- The general structure of build steps is in vulnbox.yaml and can be modified.
- Meta information of all VMs is in /*.yaml.
We can convert any of these VMs into a .tar.xz bundle that is suited for cloud hosting.
These bundles are our hacky way to get cloud images, which we came up with due to the COVID-19 outbreak.
Please read the setup instructions on ctf.saarland to get an idea what these bundles are.
To build a bundle from an existing ova VM image, run:
sudo ./cloudbuild.py <ova-file> <output-archive> [<password>]
Conversion requires root; libguestfs-tools must be installed and all VirtualBox VMs must be powered off.
If a password is given, the archive is encrypted using GnuPG.
Building a cloud-image for orga-hosted Hetzner Cloud is easy.
- First build the regular vulnbox and the cloud bundle as described above.
HCLOUD_TOKEN=... packer build vulnbox-cloud.json
If you (optionally) host vulnboxes as an organizer, we provide Hetzner cloud images.
These cloud images come with OpenVPN preinstalled that connects to the game network.
Use cloud-init to provide SSH keys, root password and /etc/openvpn/vulnbox.conf.
Include sed '/^root/s/:0:0:99999:/:1:0:99999:/' -i /etc/shadow in cloud-init's runcmd to get rid of some "password reset" issues.
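The sed expression above rewrites the third field (last password change) of root's /etc/shadow entry from 0 to 1; per shadow(5), a value of 0 there forces a password change at the next login. The following is an added example, not part of the saarCTF scripts, that applies the expression to a constructed shadow file and checks the result; the function names and sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# shadow(5) fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
# lastchange == 0 means "password must be changed at next login".

# Constructed sample data (not from a real system); hashes are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$y$placeholder$hash:0:0:99999:7:::
daemon:*:19000:0:99999:7:::
ctf:$y$placeholder$hash:0:0:99999:7:::
EOF
}

# Print the names of accounts whose lastchange field is 0 (forced change).
forced_change_accounts() {
    awk -F: '$3 == "0" { print $1 }' "$1"
}

# Apply the exact expression from the README to the given file.
# It only matches when min is 0 and max is 99999, and /^root/ also matches
# any other account name that starts with "root", so verify afterwards.
apply_readme_fix() {
    sed '/^root/s/:0:0:99999:/:1:0:99999:/' -i "$1"
}

# Print root's lastchange field.
root_lastchange() {
    awk -F: '$1 == "root" { print $3 }' "$1"
}

demo() {
    tmp=$(mktemp)
    sample_shadow > "$tmp"
    echo "forced change before: $(forced_change_accounts "$tmp" | tr '\n' ' ')"
    apply_readme_fix "$tmp"
    echo "forced change after:  $(forced_change_accounts "$tmp" | tr '\n' ' ')"
    echo "root lastchange:      $(root_lastchange "$tmp")"
    rm -f "$tmp"
}

demo
```

On a booted image, running forced_change_accounts against /etc/shadow (as root) shows whether any account is still flagged for a forced change after cloud-init has finished.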
- First build the regular vulnbox and the cloud bundle as described above.
- Create a new Hetzner Cloud Server (Debian), boot it into rescue mode.
- Upload the cloud bundle archive and the scripts from /cloudhosting-scripts to /dev/shm on that machine.
- Run /dev/shm/install_bundle_for_orgahosted_cloud.sh <uploaded-archive.tar.xz>
- Shut down the server and take a snapshot. This snapshot is your image.