Release 0.1

.gitignore

@@ -1,10 +1,13 @@
 # Generated by Cargo
 # will have compiled files and executables
-/target/
+target/
 
 # Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
 # More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
 Cargo.lock
 
 # These are backup files generated by rustfmt
 **/*.rs.bk
+
+# For vim
+*.swp

Dockerfile

@@ -0,0 +1,113 @@
+FROM ubuntu:focal
+
+# Users will log into this machine, so we need to unminimize it.
+# See https://wiki.ubuntu.com/Minimal
+RUN yes | unminimize
+
+# Install dependencies.
+RUN apt update -y
+RUN apt clean -y
+RUN DEBIAN_FRONTEND="noninteractive" apt install -y tzdata
+RUN apt clean -y
+RUN apt update -y && apt install -y \
+    git-all \
+    vim \
+    nano \
+    whois \
+    openssh-server \
+    curl \
+    apt-utils \
+    iputils-ping \
+    zsh \
+    tmux \
+    man \
+    fzf \ 
+    sudo \
+    jq
+
+# Create the required users. The game master is the `git` account, and the player is the user's account
+RUN useradd --comment "GameMaster account" --create-home --password $(mkpasswd -m sha-512 95+mcguffin+STRONG+ainasdf+15) gamemaster
+RUN useradd --comment "Player account" --create-home --password $(mkpasswd -m sha-512 player) --shell $(which zsh) player
+RUN useradd --comment "Testing account" --create-home --password $(mkpasswd -m sha-512 tester) --shell $(which zsh) tester
+
+# OWASP addition
+RUN useradd --comment "1st Flag account" --create-home --password $(mkpasswd -m sha-512 flagger) --shell $(which bash) flagger
+RUN useradd --comment "2nd Flag account" --create-home --password $(mkpasswd -m sha-512 flagger_the_second) --shell $(which bash) flagger_the_second
+RUN useradd --comment "Build system account" --create-home --password $(mkpasswd -m sha-512 build_system) --shell $(which bash) build_system
+RUN mkdir -p /etc/owasp/flags
+ARG OWASP_FLAG_1
+RUN echo $OWASP_FLAG_1 > /etc/owasp/flags/flag.txt
+ARG OWASP_FLAG_2
+RUN echo $OWASP_FLAG_2 > /flag.txt
+RUN chown --verbose --recursive flagger /etc/owasp
+RUN chmod --verbose --recursive 0700 /etc/owasp
+RUN chown --verbose flagger_the_second /flag.txt
+RUN chmod --verbose 0400 /flag.txt
+# OWASP additions
+RUN echo "gamemaster     ALL=(flagger) NOPASSWD:/usr/bin/whoami, /usr/bin/python3" >> /etc/sudoers
+RUN echo "gamemaster     ALL=(flagger_the_second) NOPASSWD:/usr/bin/whoami, /usr/bin/cp, /usr/bin/chown" >> /etc/sudoers
+RUN echo "gamemaster     ALL=(build_system) NOPASSWD: ALL" >> /etc/sudoers
+RUN echo "gamemaster     ALL=(ALL) NOPASSWD:/usr/bin/chown" >> /etc/sudoers
+
+# Set up the player's SSH keys and copy the public key to /tmp
+COPY build/player_entrypoint.sh /home/player
+COPY build/keys/id_rsa.player /home/player/.ssh/id_rsa
+COPY build/keys/id_rsa.player.pub /home/player/.ssh/id_rsa.pub
+RUN chown player:player /home/player/player_entrypoint.sh
+RUN chmod 770 /home/player/player_entrypoint.sh
+RUN su -c "/home/player/player_entrypoint.sh" - player
+COPY build/player_zshrc.sh /home/player/.zshrc
+RUN chown player:player /home/player/.zshrc
+RUN chmod 770 /home/player/.zshrc
+
+# Do the same for the tester account.
+COPY build/tester_entrypoint.sh /home/tester
+RUN chown tester:tester /home/tester/tester_entrypoint.sh
+RUN chmod 770 /home/tester/tester_entrypoint.sh
+RUN su -c "/home/tester/tester_entrypoint.sh" - tester
+COPY build/tester_zshrc.sh /home/tester/.zshrc
+RUN chown tester:tester /home/tester/.zshrc
+RUN chmod 770 /home/tester/.zshrc
+# Copy the test files to the tester account
+COPY levels/tests /home/tester/tests
+RUN chown --recursive tester:tester /home/tester
+
+# Set up SSH
+RUN mkdir /var/run/sshd
+COPY build/sshd_config /etc/ssh/sshd_config
+COPY build/login_banner.txt /etc/motd
+
+RUN /etc/init.d/ssh start && ssh-keyscan -H localhost >> /home/player/.ssh/known_hosts && ssh-keyscan -H localhost >> /home/tester/.ssh/known_hosts
+
+# Set up the git server so that the player can run git clone gamemaster@localhost:/home/gamemaster/ctf-repo
+RUN git clone --bare https://github.com/TheCoreMan/make-git-better-levels.git /home/gamemaster/ctf-repo
+# Set up the other remote for the remote stages
+RUN git clone --bare https://github.com/sandspider2234/make-git-better-levels.git /home/gamemaster/forked-ctf-repo
+# This file adds the player's ssh public key from before
+COPY build/gamemaster_entrypoint.sh /home/gamemaster
+RUN chown gamemaster:gamemaster /home/gamemaster/gamemaster_entrypoint.sh
+RUN chmod 770 /home/gamemaster/gamemaster_entrypoint.sh
+# Make sure that gamemaster owns all of their files
+RUN chown --recursive gamemaster:gamemaster /home/gamemaster
+# This arg invalidates cache from here on forward. use the current time (no spaces) as a build arg.
+ARG CACHE_DATE
+RUN echo "This CTF server was built at "$CACHE_DATE"." >> /etc/motd
+RUN ls -la "/home/gamemaster"
+RUN su -c "/home/gamemaster/gamemaster_entrypoint.sh" - gamemaster
+# Set up the hooks for the actual gameplay in the repo
+COPY levels/checkers /home/gamemaster/ctf-repo/hooks/checkers
+COPY scripts/output/pre-receive /home/gamemaster/ctf-repo/hooks
+# Make sure that gamemaster owns all of their files
+RUN chown -R gamemaster:gamemaster /home/gamemaster
+
+# Now that we're done with gamemaster's setup we can change their shell to git shell and block their home directory
+RUN chsh gamemaster -s $(which git-shell)
+RUN chmod 700 -R /home/gamemaster
+
+# Cleanup
+RUN rm -rf /tmp/*
+RUN rm -rf /home/player/player_entrypoint.sh
+RUN rm -rf /root/.ssh/
+
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]

README.md

@@ -1,2 +1,200 @@
 # make-git-better-2
-Git CTF 🚩 but good this time 
+
+Git CTF 🚩 but good this time.
+
+* [Dependencies](#dependencies)
+* [Build](#build)
+  * [Ansible](#ansible)
+  * [How to build the challenge Docker manually](#how-to-build-the-challenge-docker-manually)
+    * [Create the hook script](#create-the-hook-script)
+      * [powershell](#powershell)
+      * [sh](#sh)
+    * [Build and run docker image](#build-and-run-docker-image)
+      * [Build docker](#build-docker)
+      * [Run docker](#run-docker)
+      * [Copy ssh key (for outside cloning)](#copy-ssh-key-for-outside-cloning)
+      * [Useful oneliner](#useful-oneliner)
+      * [Connect to the running instance](#connect-to-the-running-instance)
+  * [How to build the web content](#how-to-build-the-web-content)
+    * [Build the level browser](#build-the-level-browser)
+  * [Set up docker-tcp-switchboard](#set-up-docker-tcp-switchboard)
+* [Test](#test)
+  * [Unit tests](#unit-tests)
+  * [Test levels](#test-levels)
+* [Develop](#develop)
+  * [Add a new stage](#add-a-new-stage)
+
+## Dependencies
+
+- Rust
+- Docker
+- Python 3.6 (for docker TCP switchboard)
+- Ansible (optional)
+
+## Build
+
+### Ansible
+
+Using Ansible, you can build and deploy the game server from nothing.
+
+```bash
+cd build/ansible
+sed -i 's/ctf.mrnice.dev/your.server.com/g' hosts
+ansible-playbook -v -i hosts build.yaml
+```
+
+Make sure that you have Ansible configured correctly with your SSH keys.
+[Here's the docs](https://docs.ansible.com/ansible/latest/inventory_guide/connection_details.html).
+
+> Note: Remember to expose 22 to your IP. If you're like me with AWS EC2, you
+> need to add a rule to the security group. Like this:
+>
+> `aws ec2 authorize-security-group-ingress --group-id PUT_HERE --protocol tcp --port 22 --cidr "$(curl -s https://wtfismyip.com/json | jq -r '.YourFuckingIPAddress')/32"`
+
+### How to build the challenge Docker manually
+
+#### Create the hook script
+
+`cd` to the `scripts` directory.
+
+##### powershell
+
+```powershell
+cargo run --bin generate-pre-receive-hook -- --verbose ..\levels\game-config.toml .\src\bin\templates\hook.tmpl
+```
+
+##### sh
+
+```sh
+cargo run --bin generate-pre-receive-hook -- --verbose ../levels/game-config.toml src/bin/templates/hook.tmpl
+```
+
+#### Build and run docker image
+
+##### Build docker
+
+```sh
+docker build --tag mgb:0.1 --build-arg CACHE_DATE=$(date +%Y-%m-%d:%H:%M:%S) --build-arg OWASP_FLAG_1="AppSec-IL{g1t_d035_P3rM1t_T0_c0mm1T}" --build-arg OWASP_FLAG_2="AppSec-IL{1f_y0u_w4n7_17_c0m3_4nd_917_17}" .
+```
+
+##### Run docker
+
+```sh
+docker run --detach --name mgbtest --publish 7777:22 mgb:0.1
+```
+
+##### Copy ssh key (for outside cloning)
+
+```sh
+docker cp mgbtest:/home/player/.ssh/id_rsa ./id_rsa.player
+```
+
+##### Useful oneliner
+
+```sh
+docker rm -f mgbtest; docker build --build-arg CACHE_DATE=$(date +%Y-%m-%d:%H:%M:%S%z) --build-arg OWASP_FLAG_1="AppSec-IL{g1t_d035_P3rM1t_T0_c0mm1T}" --build-arg OWASP_FLAG_2="AppSec-IL{1f_y0u_w4n7_17_c0m3_4nd_917_17}" --tag mgb:0.1 . && docker run --detach --name mgbtest --publish 7777:22 mgb:0.1
+```
+
+##### Connect to the running instance
+
+Password is `player`.
+
+```sh
+ssh player@localhost -p 7777
+```
+
+### How to build the web content
+
+#### Build the level browser
+
+```sh
+cargo run --bin generate-levels-graph -- -v ../levels/game-config.toml src/bin/templates/graph.tmpl
+```
+
+### Set up docker-tcp-switchboard
+
+*Only relevant for the game server, no need to do this for local build*.
+
+```sh
+git clone https://github.com/OverTheWireOrg/docker-tcp-switchboard.git
+# install deps and then
+touch /var/log/docker-tcp-switchboard.log
+chmod a+w /var/log/docker-tcp-switchboard.log
+```
+
+Copy `build/docker-tcp-switchboard.conf` to `/etc/docker-tcp-switchboard.conf`. Finally, run `python3 docker-tcp-switchboard.py`.
+
+## Test
+
+### Unit tests
+
+```sh
+cd scripts
+cargo test
+```
+
+### Test levels
+
+Login as user `tester` to the built Docker and then:
+
+```sh
+cd tests
+./run_all_tests.sh
+```
+
+Should print something like:
+
+```sh
+tester@ad6145e90679:~/tests
+> ./run_all_tests.sh
+TESTLOG: Testing /home/tester/tests/test-basic-1.sh
+TESTLOG: testing level basic-1 branch scorpion-treenware-gestatory
+TESTLOG: Test /home/tester/tests/test-basic-1.sh passed
+TESTLOG: Testing /home/tester/tests/test-basic-2.sh
+TESTLOG: testing level basic-2 branch sidespins-areae-regalio
+TESTLOG: Test /home/tester/tests/test-basic-2.sh passed
+TESTLOG: Testing /home/tester/tests/test-log-1.sh
+TESTLOG: testing level log-1 branch turbulator-feere-reinclined
+TESTLOG: Test /home/tester/tests/test-log-1.sh passed
+TESTLOG: Testing /home/tester/tests/test-log-2.sh
+TESTLOG: testing level log-2 branch insatiably-skyjackers-program
+TESTLOG: Test /home/tester/tests/test-log-2.sh passed
+TESTLOG: Testing /home/tester/tests/test-log-3.sh
+TESTLOG: testing level log-3 branch originates-anagyrine-untolerative
+TESTLOG: Test /home/tester/tests/test-log-3.sh passed
+TESTLOG: Testing /home/tester/tests/test-log-4.sh
+TESTLOG: testing level log-4 branch belialist-interlaying-mize
+TESTLOG: Test /home/tester/tests/test-log-4.sh passed
+TESTLOG: Testing /home/tester/tests/test-merge-1.sh
+TESTLOG: testing level merge-1 branch macrochiropteran-jupon-lutecium
+TESTLOG: Test /home/tester/tests/test-merge-1.sh passed
+TESTLOG: Testing /home/tester/tests/test-merge-2.sh
+TESTLOG: testing level merge-2 branch poseuse-citronwood-manganese
+TESTLOG: Test /home/tester/tests/test-merge-2.sh passed
+TESTLOG: Testing /home/tester/tests/test-merge-3.sh
+TESTLOG: testing level merge-3 branch twee-enfamish-stropharia
+TESTLOG: Test /home/tester/tests/test-merge-3.sh passed
+TESTLOG: Testing /home/tester/tests/test-merge-4.sh
+TESTLOG: testing level merge-4 branch multichord-ethicalism-fenestration
+TESTLOG: Test /home/tester/tests/test-merge-4.sh passed
+TESTLOG: Testing /home/tester/tests/test-merge-5.sh
+TESTLOG: testing level merge-5 branch reappraise-veratroyl-garfishes
+TESTLOG: Test /home/tester/tests/test-merge-5.sh passed
+TESTLOG: Testing /home/tester/tests/test-revert-1.sh
+TESTLOG: testing level revert-1 branch lomentaceous-mididae-hexadecane
+TESTLOG: Test /home/tester/tests/test-revert-1.sh passed
+TESTLOG: Testing /home/tester/tests/test-start-here.sh
+TESTLOG: testing level start-here branch start-here
+TESTLOG: Test /home/tester/tests/test-start-here.sh passed
+TESTLOG: Out of 13 tests, 13 passed and 0 failed.
+```
+
+> Note: Can also run with -v to see all `git` output and random `echo`s as well.
+
+## Develop
+
+### Add a new stage
+
+```powershell powershell
+cargo run --bin generate-new-level -- ..\levels\game-config.toml .\src\bin\templates\level_checker.tmpl .\src\bin\templates\level_test.tmpl .\src\bin\templates\level_page.tmpl .\src\bin\resources\words_alpha.txt ..\levels\ -v
+```

build/.gitignore

@@ -0,0 +1 @@
+id_rsa*

build/ansible/build.yaml

@@ -0,0 +1,55 @@
+- hosts: ctfservers
+  tasks:
+    - name: Pull CTF repo
+      git:
+        repo: "https://github.com/TheCoreMan/make-git-better-2.git"
+        dest: /home/{{ ansible_facts['user_id'] }}/make-git-better-2
+        version: dev
+        accept_hostkey: yes
+
+    - name: Compile rust
+      command: /home/{{ ansible_facts['user_id'] }}/.cargo/bin/cargo run --bin generate-pre-receive-hook -- --verbose /home/{{ ansible_facts['user_id'] }}/make-git-better-2/levels/game-config.toml src/bin/templates/hook.tmpl
+      args:
+        chdir: /home/{{ ansible_facts['user_id'] }}/make-git-better-2/scripts
+
+    - name: Build Docker image
+      shell: docker build --tag mgb:0.1 --build-arg CACHE_DATE=$(date +%Y-%m-%d:%H:%M:%S%z) --build-arg OWASP_FLAG_1="AppSec-IL{g1t_d035_P3rM1t_T0_c0mm1T}" --build-arg OWASP_FLAG_2="AppSec-IL{1f_y0u_w4n7_17_c0m3_4nd_917_17}" .
+      args:
+        chdir: /home/{{ ansible_facts['user_id'] }}/make-git-better-2
+
+    - name: Clone docker-tcp-switchboard
+      git:
+        repo: "https://github.com/OverTheWireOrg/docker-tcp-switchboard.git"
+        dest: /home/{{ ansible_facts['user_id'] }}/docker-tcp-switchboard
+        accept_hostkey: yes
+
+    - name: Install docker-tcp-switchboard requirements
+      pip:
+        requirements: /home/{{ ansible_facts['user_id'] }}/docker-tcp-switchboard/requirements.txt
+        executable: pip3
+
+    - name: Create switchboard log
+      file:
+        path: /var/log/docker-tcp-switchboard.log
+        mode: a+w
+        state: touch
+      become: yes
+
+    - name: Copy our switchboard conf to /etc
+      copy:
+        src: /home/{{ ansible_facts['user_id'] }}/make-git-better-2/build/docker-tcp-switchboard.conf
+        dest: /etc/docker-tcp-switchboard.conf
+        remote_src: yes
+      become: yes
+
+    - name: Kill docker-tcp-switchboard
+      command: pkill -f "python3 .*docker-tcp-switchboard.py"
+      ignore_errors: true
+      become: yes
+
+    - name: Start docker-tcp-switchboard
+      shell: nohup python3 /home/{{ ansible_facts['user_id'] }}/docker-tcp-switchboard/docker-tcp-switchboard.py </dev/null >/dev/null 2>&1 &
+      # This shell line is required because Ansible sends a kill signal to Python
+      # when it finishes running. The nohup is there to prevent it, and the redirections
+      # prevent breaking the process.
+      become: yes

build/ansible/hosts

@@ -0,0 +1,2 @@
+[ctfservers]
+[email protected]