Expected Behaviour

For HTTPS certificates to be acquired and used

Actual Behaviour

Using the .env template's default ([email protected], which is an invalid domain), the certificate acquisiton process fails due to invalid domain

E0410 09:32:12.711413       1 setup.go:271] cert-manager/controller/clusterissuers "msg"="skipping retrying account registration as a BadRequest response was returned from the ACME server" "error"="400 urn:ietf:params:acme:error:invalidContact: Error creating new account :: contact email \"[email protected]\" has invalid domain : Domain name does not end with a valid public suffix (TLD)"

Steps to Reproduce

Describe Problem

Currently, the generate-challenges.sh script does one thing - it generates the CTFd challenges CSV by wrapping the various steps involved in running juice-shop-ctf-cli into a single command.

• This requires that an active instance of juice-shop is created in the multi-juicer cluster (from which the challenges are retrieved), which must be done by creating a team in the multi-juicer balancer. This currently blocks a fully automated setup.

• When deploying the services (with manage-multijuicer.sh), the CTFd instance is deployed in an unconfigured state. This means that manual configuration has to be done, including creating the admin account. Theoretically, this could be hijacked by some other party (although we could wipe it, having control of the infrastructure/kubernetes cluster).

• The admin must also manually import the generated challenges (as well as the guides).

Suggest Solution

Extend the generate-challenges.sh script to:

• Support fully automated CTFd challenges generation:
  • create an instance of juice-shop by creating a team in the multi-juicer balancer
• Support automated configuration (setup) of the CTFd instance
  • Issue an HTTP request to the /setup endpoint of CTFd, similarly to how interaction is done via the browser by an administrator configuring the instance
  • Issue an HTTP request to the /admin/import/csv endpoint, importing the generated challenges CSV
  • Automate the uploading of the custom pages containing guides, etc.
• Allow the user (executing the script) to choose which command to run, i.e.
  • gen: generate challenges (producing a CSV)
  • import: import challenges (importing the specified CSV)
  • cfg: configure the CTFd instance
  • pages: import the custom pages, such as the guides/tips pages (./guides-and-tips)
  • run: All of the above

Additional Details

• Replaces the un-resolvable issue #54

See MultiJuicer docs

Expected Behaviour

Receiving an AuthorizationFailed error should cause the script to abort.

Actual Behaviour

Creating Resource Group 'MultiJuicerTest' in 'norwayeast'
ERROR: (AuthorizationFailed) The client '<REDACTED>' with object id '<REDACTED>' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/<REDACTED>/resourcegroups/MultiJuicerTest' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed

Creating AKS cluster 'juicy-k8s'
ERROR: (AuthorizationFailed) The client '<REDACTED>' with object id '<REDACTED>' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/<REDACTED>/resourcegroups/MultiJuicerTest' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed

[...]

Steps to Reproduce

• Run the script manage-azure-delpoyment.sh as a user without permission to create resources (e.g. as the Service Principal)

Describe Problem

Deploy to test upon merging to main, in order to ensure that deployment succeeds.

Suggest Solution

• Blocked by #63

Additional Details

Tasks

• https://github.com/octo-org/octo-repo/issues/45
• #9

Install MultiJuicer using Helm and configure values specified in their production checklist. Clone the repo.
Read Medium post - MultiJuicer.

Settings:

• use https only
• allow maximum 5 instances for testing (default is 10)
• set balancer replicas 2

https://github.com/equinor/juiceshop-ctfd/blob/main/ctfd.yaml
https://github.com/CTFd/CTFd/blob/master/docker-compose.yml

Subtasks:

• #24
• #25
• #27

July 6th at 16:00 - https://event.bouvet.no/events/view/29409fdf-392b-4124-96ed-47bf60f6c4c6

• Order food through Håkon
• Order the prize through Håkon
• Plan the introduction - what to say and who should say it
• Learn the first challenges to be able to help
• Make sure the summer student know that this is happening
• Invite the people who will start in Bouvet after the summer

Describe Problem

Each time we set up a new instance of the CTFd service (typically every time we deploy), we have to manually intervene by completing the configuration steps in CTFd. This includes creating a new user, configuring the settings, and importing the custom pages defined in guides-and-tips/. Rather than doing this manually, we should consider generating the user JSON and config JSON to reduce the amount of manual work required.

Currently, we generate the challenges file for CTFd with the script generate-challenges.sh, which produces a ZIP file containing challenges.json, among other things. This is manually uploaded to CTFd after configuration has taken place.

By extending this script, we could potentially include all common configurations in the zip file and upload it directly, eliminating the need for manual steps.

Suggest Solution

• Look at the contents of a backed up ZIP file exported from CTFd to identify how to generate such files
• Implement logic in generate-challenges.sh to
  • generate these JSON files, and add them to the ZIP file produced by juice-shop-ctf-cli
  • upload the ZIP file to the CTFd instance

Additional Details

The following GitHub Actions are needed and need to be set up. While the exact MultiJuicer setup script is not yet ready, the setup of the actions can still be made.

• Configure OpenID Connect in Azure #16
• Action for authenticating against AAD (Entra ID)
• Run the AKS creation script (manage-azure-deployment.sh)
• Run the deployment script (manage-multijuicer.sh) (blocked by #5 and #14)
• Run the script for importing the challenges to configuring CTFd (generate-challenges.sh) (manage-ctfd.sh) (blocked by #58) (awaits #60)

The actions should both be triggered manually and after a merge to the master branch.

The github actions also need to be allowed to deploy resources in azure. Look into federated credentials for connecting github actions to azure.

https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure
https://github.com/marketplace/actions/azure-cli-action#workflow-to-execute-an-az-cli-script-of-a-specific-cli-version-via-file-present-in-your-repository

• Create service principal
• Add federated credentials
• Script the setup
• Add documentation

In order to manage the CTFd deployment, we should incorporate it into our preexisting deployment script so that all resources are created/destroyed upon deployment/taking it down.

1. Deploy & Destroy:
   • Spin-up: deploy_ctfd() (see here for an example)
   • Tear-down: destroy_ctfd() (see here for an example)
2. Configure INGRESS & TLS:
   • TLS: Add a host (see here for an example)
   • Ingress: Add a rule (see here for an example)
3. Configure DNS:
   • Add record (see here for an example)
   • Remove record (see here for an example)

Favicon + logo

Guide here

Expected Behaviour

Actual Behaviour

[...]
Waiting for juice-shop instance to be ready...
pod/t-ctfd-config-gen-juiceshop-67b75dd6f5-mtflv condition met
Opening temporary tunnel to a juice-shop pod
    SUCCESS
Writing juice-shop-ctf config to file
    SUCCESS
Importing challenges from JuiceShop

Generate OWASP Juice Shop challenge archive for setting up CTFd, FBCTF or RootTheBox score server

Failed to fetch snippet from API! AggregateError
ERROR: juice-shop-ctf-cli failed to generate the CTFd config file

Steps to Reproduce

Describe Problem

Suggest Solution

Additional Details

We have several ways to choose from when it comes to the deployment of the CTFd instance for our multi-juicer CTF setup. In short, the three alternatives are

1. helm chart (as with multi-juicer itself);
2. our own setup in k8s, i.e. writing a fair amount of YAML; or
3. our own setup without k8s, e.g. Azure Container Instances

We've previously landed on going for the Helm chart, as it aligns well with our current setup, is maintained, and significantly reduces the workload incl. manual labor we'd need for the other two options. Details can be seen in the comments of issue #8.

Tasks

Use the bman46/CTFd-Helm helm chart

1. Override default values (config) defined in values.yml:
   1. Identify values to override (e.g. passwords, etc.)
   2. Create ctfd.yml containing the values to override
   3. Determine secret values to override using --set, such as --set redis.auth.password=$REDIS_PASS

Example

We've made a similar approach with our multi-juicer setup:

Based on the default values defined in the multi-juicer configuration values.yml, we firstly identified the values we wished to override.

Next, we created juicer.yml and proceeded to override the values from values.yml.

Finally, we identified the secret values we wished to override (such as passwords and other information we want to keep secret), and added them to the deployment using the --set flag. The task here is to identify and make a list of the variables. They will be consumed in the deployment script which is part of #25 (see https://github.com/bouvet/nord-juice-shop/blob/feat/monitoring-setup-script/manage-multijuicer.sh#L119-L127 for an example with multi-juicer variables)

JuiceShop uses a secret value, CTF_KEY, which is used as a seed for CTF flags. This should be passed to CTFd in order to ensure that flags submitted on CTFd are successfully validated.

See https://github.com/juice-shop/juice-shop-ctf#configuration-file for more information

Describe Problem

We currently expect the user to have full access to the Azure subscription in question (i.e. Owner), as we have not outlined the required permission set for deployment.

We should identify and document all required permissions, in order to ensure that we use Azure IAM role grants with the permissions that are strictly required.

Suggest Solution

• Identify by trial and error (documentation lacks)
• Produce JSON representing the custom role.
• Create documentation explaining the requirements

Additional Details

Present the CTF stuff on the tech-meeting

Need these things ready by the tech-meeting:

• Create agenda (intro, food, CTF, walkthrough?)
• Get security people from Øst to hold the intro?
• Set a date
• Set a location (office, Jotunheimen)

Describe Problem

Create a workflow for execution of the manage-ctfd.sh script. Should be separated from deploy-ctf.yml (due to differing purpose and the need to wait for TLS cert propagation post-deployment)

Suggest Solution

Additional Details

Create presentation to present to participants during MulitJuicer workshops (before hacking begins).
Depending on skill level of participants, presentation should include a short tutorial on using the JuiceShop and also tips on how to start hacking (SQL injections, XSS, etc)
Must be ready for #6

Link to PowerPoint is found in OneDrive folder, bookmarked in slack-channel

Describe Problem

We should consider setting up release-please to assist in creating versioned releases with automatically generated changelogs.

Suggest Solution

Set up release-please to create releases with automatically generated changelogs.

Additional Details

Describe Problem

Requirements include:

• Service principal
  • with permission to create resources (relates to #57)
  • with federated credential grants for
    • the specific branch(es)
    • the specific environment(s)
• Organization/repository/environment variables and secrets required to run

Suggest Solution

Document the requirements

Additional Details

The MultiJuicer setup automatically creates a NSG for the cluster, ref the medium post. After it is created we need to add rules that block all incoming traffic and then whitelist/allow the specific IP ranges we want. This process needs to be scripted. We also need to figure out how to specify 'Norwegian IPs' or otherwise identify the IPs we want.

Script has to do the following:

• Find the id/name of the newly created NSG in Azure
• Add the IP rules to the NSG