OWASP WrongSecrets: Multi-Tenant CTF Party Setup

Welcome to OWASP WrongSecrets CTF Party, where Capture The Flag tasks meet scalability without any problems. Our platform is made for dynamic, multi-tenant CTF games.

It was made possible by the pioneering work of the OWASP MultiJuicer. Whether you’re a contestant who wants to take on the tasks or an organizer who wants a simple setup, this guide will show you how to create an integrated, user-friendly environment while giving credit to the important people who made this possible.

Want to play OWASP WrongSecrets in a large group in CTF mode, but without the hassle of setting up local copies of OWASP WrongSecrets for everyone? Here is OWASP WrongSecrets CTF Party! It is a fork of OWASP MultiJuicer, adapted into a dynamic multi-tenant setup for doing a CTF together.

Note that:

  • A Webtop is integrated for each player.
  • A WrongSecrets instance is integrated for each player.
  • A working admin interface can restart or delete both (deletion removes the player's full namespace).
  • The progress watchdog is not supported: players would have access to it, so we disabled it.
  • Old and unused namespaces can be cleaned up automatically.

Special thanks

Special thanks to @commjoen, @madhuakula, @bendehaan, @mikewoudenberg, and @osamamagdy for making this port a reality!

Sponsorships

We would like to thank the following parties for helping us out:

GitGuardian for their sponsorship which allows us to pay the bills for our cloud-accounts.

Jetbrains for licensing an instance of Intellij IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!

Docker for granting us their Docker Open Source Sponsored program.

1Password for granting us an open source license to 1Password for the secret detection testbed.

What you need to know

This environment uses a Webtop and an instance of WrongSecrets per user. This means that you need, per user:

  • 1.5 CPU (min = 0.5, limit = 2.5)
  • 2 GB RAM (min = 1 GB, limit = 3.5 GB)
  • 4 GB HD (min = 3 GB, limit = 8 GB)

Running this on minikube

A 4-10 contestant game can be played on a local minikube with increased CPU and memory settings (e.g. 6 virtual CPUs, 9 GB RAM).

Running this on AWS EKS with larger groups

Small Game

We recently played a small CTF with 40 relatively active players using version 1.5.10 of WrongSecrets and the T6 version of virtualdesktop-k8s. This could easily have run on 5 T3A-X2large nodes for a day.

Large Numbers

A 100 contestant game can be played on the AWS setup, which will require around 150 (100-250) CPUs, 200 (150-350) GB RAM, and 400 GB of storage available in the cluster. Note that we have configured everything based on autoscaling in AWS. This means that you can often start with a cluster about 20% of the size of the “limit” numbers and then see how things evolve. You will hardly hit those limits unless all players are very actively fuzzing the WrongSecrets app while running heavy apps on their Webtops. Instead, you will see that you are using just 25% of the numbers given here. So, by using our Terraform (including an autoscaling managed node group), you can reduce the cost of your CTF by a lot!

Status – Experimental release

This is an experimental release. It has already been shown to work at 2 CTFs; we just have not completed the documentation and the cleanup of the Helm chart yet. However, it works in its basis and can support a good crowd. Currently, we only support Minikube and AWS EKS (please follow the README in the AWS folder if you want to use EKS, as the guides section is not updated yet).

How to use it

The different setups are explained in OWASP WrongSecrets CTF-instructions. With the 3-domain approach you generate flags for CTFD automatically, while with the 2-domain setup you need to set it up manually.

Approach 1: 3-domain setup

You need 3 things:

  • This infrastructure
  • The actual place where correct answers are exchanged for CTFD-flags. This can be your fly.dev/heroku/etc. or local container of WrongSecrets running in CTF mode with the additional key setup for challenge 8.
  • A CTFD/Facebook-CTF host which is populated with the challenges based on your secondary hosted WrongSecrets application.

Approach 2: 2-domain setup

You need 2 things:

  • This infrastructure
  • A CTFD/Facebook-CTF host which is populated with the challenges based on your secondary hosted WrongSecrets application (this can be the helm chart included in the EKS installation script)

To use the 2 domain setup with CTFD:

  1. Set up the CTFD and WrongSecrets instances using your preferred method and docs e.g. AWS and the docs here.
  2. Set up a team with spoilers available (On AWS this can be done by changing the deployment of a team you have created and setting ctf-mode=false).
  3. Use these spoilers to manually copy the answers from WrongSecrets to CTFD.
  4. Delete the team used to get these spoilers (On AWS you can delete the entire namespace of the team).

General Helm usage

This setup works best if you have Calico installed as your CNI. If you want to use the Helm chart directly, without the AWS challenges, do:

helm repo add wrongsecrets https://wrongsecrets.github.io/wrongsecrets-ctf-party

helm upgrade --install my-wrongsecrets-ctf-party wrongsecrets/wrongsecrets-ctf-party

Play with Minikube:

NOTE: The steps below require at least minikube version v1.30.1 and yq (https://github.com/mikefarah/yq/) version v4.34.1.

For minikube, run:

minikube start  --cpus=6 --memory=10000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.25.6
eval $(minikube docker-env)
./build-and-deploy-container.sh
kubectl port-forward service/wrongsecrets-balancer 3000:3000

or use build-and-deploy-container-minikube.sh to do all of the above in one script.

Want to know whether your system is holding up? Enable the metrics server with minikube addons enable metrics-server, then check with kubectl top nodes and kubectl top pods.
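A preflight check for the minikube steps above, added here as an example and not part of the project's own scripts: it compares the installed minikube and yq against the minimum versions in the note before anything is started. It assumes the output formats of minikube version --short and yq --version shown in the comments.

```sh
#!/bin/sh
# Preflight for the minikube steps: refuse to start if minikube or yq is
# older than the README's minimum versions. Added example, not project code.
set -eu

MIN_MINIKUBE="v1.30.1"
MIN_YQ="v4.34.1"

# normalize: strip a leading "v" and any pre-release/build suffix ("v1.30.1-beta" -> "1.30.1").
normalize() { printf '%s' "$1" | sed 's/^v//; s/[-+].*//'; }

# version_ge A B: return 0 when dotted version A is >= B, 1 otherwise (compares major.minor.patch).
version_ge() {
  a=$(normalize "$1"); b=$(normalize "$2"); i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}          # a missing field ("2.0") counts as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0                         # all three fields equal
}

# check_tool NAME ACTUAL MIN: print a verdict; return 1 when ACTUAL is too old.
check_tool() {
  if version_ge "$2" "$3"; then
    echo "ok: $1 $2 (>= $3)"
  else
    echo "too old: $1 $2, need >= $3" >&2; return 1
  fi
}

# preflight: read the installed versions and check both tools. Assumed output
# formats: "minikube version --short" prints "v1.30.1";
# "yq --version" prints "yq (https://github.com/mikefarah/yq/) version v4.34.1".
preflight() {
  mk=$(minikube version --short 2>/dev/null | grep -o 'v[0-9][0-9.]*' | head -n1)
  yqv=$(yq --version 2>/dev/null | grep -o 'v[0-9][0-9.]*' | head -n1)
  check_tool minikube "${mk:-v0.0.0}" "$MIN_MINIKUBE"
  check_tool yq "${yqv:-v0.0.0}" "$MIN_YQ"
}

# Run as: sh preflight.sh check && minikube start ... (the checks only run on
# explicit request, so the file can also be sourced for its functions).
if [ "${1:-}" = check ]; then preflight; fi
```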

Develop with Minikube

minikube start  --cpus=6 --memory=10000MB --network-plugin=cni --cni=calico --driver=docker --kubernetes-version=1.25.6
eval $(minikube docker-env)
./build-and-deploy.sh
kubectl port-forward service/wrongsecrets-balancer 3000:3000

or use build-and-deploy-minikube.sh to do all of the above in one script.

Play with AWS EKS:

NOTE: SEE THE SECTIONS ABOVE ABOUT WHAT YOU NEED AND THE COST OF THINGS: This project is not responsible for, and will not pay, any part of your AWS bill.

For AWS EKS follow the instructions in the /aws folder. This setup also includes a helm installation of CTFd.

Then open a browser, go to localhost:3000 and have fun 😀.

Some production notes

See production notes for a checklist of values you’ll likely need to configure before using Wrongsecrets-ctf-party in proper events.

Customizing the Setup

You have some options for how to set up the stack, including customizing the WrongSecrets and virtual desktop instances to your own liking. You can find the default config values in helm/wrongsecrets-ctf-party/values.yaml.

The default CTFd config values are in aws/k8s/ctfd-values.yaml. Note that these values are not used directly; they are only set in the file aws/build-and-deploy-aws.sh.

Download and save the file, then tell Helm to use your config file instead of the default by running:

helm repo add wrongsecrets https://wrongsecrets.github.io/wrongsecrets-ctf-party

helm install -f values.yaml my-wrongsecrets-ctf-party wrongsecrets/wrongsecrets-ctf-party

Deinstallation

helm delete my-wrongsecrets-ctf-party

And if you are running AWS (including CTFd):

helm delete ctfd -n ctfd

Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.
