Spawn2Pwn - RingZer0 Online CTF

The Spawn2Pwn project

Description

The Spawn2Pwn project was originally created to address destructive NorthSec challenges, as many of them require the user to gain elevated privileges or modify an asset on the server. Needless to say, this is problematic in an environment like RingZer0 where every container is shared among all participants. This is where this project comes into play. It allows a user to spawn a track of any available track and start hacking it without any interference from other participants.

Requirements

The participant must install WireGuard.
The participant must have an account on RingZer0 CTF.
The participant must have a Discord account.
The participant must be registered on our Discord server using their API key.

Usage

The following commands must be sent to the bot on Discord. Either in the #r0-bot channel or by communicating directly with the bot (direct messages).

$[spawn2pwn|s2p]

Commands related to the Spawn2Pwn Project.

Commands:
  credits   Obtain credit statuses (spawn/reset/extend).
  destroy   Destroy specified spawned track.
  extend    Extend specified spawned track lifespan.
  reset     Reset specified spawned track.
  spawn     Spawn a track.
  status    Obtain all or specified spawned track statuses.
  tracks    Obtain all or specified available tracks.
  wireguard Commands related to your wireGuard profile for Spawn2Pwn Project.

Credits

To see the amount of credits that you have to extend or spawn a track. The credits are completely free and will recharge overtime. Don't worry about lacking credits, it's very permissive.

$[spawn2pwn|s2p] [credits] delpsk

Examples:
$spawn2pwn credits

Destroy

To destroy a spawned track.

$[spawn2pwn|s2p] [destroy|delete] {availableTrackId|spawnedTrackId}

Examples:
$spawn2pwn destroy 1
$spawn2pwn destroy 4d3d147405a7

Extend

To extend the life span of a spawned track. This does NOT add more time but rather set the spawned date to now, and thus resetting the counter to 0.

$[spawn2pwn|s2p] extend {availableTrackId|spawnedTrackId}

Examples:
$spawn2pwn extend 1
$spawn2pwn extend 4d3d147405a7

Reset

To reset the spawned track to its former glory. Meaning that it will restore every instance of the spawned track to the original snapshot (use only if your track is broken).

$[spawn2pwn|s2p] [reset|restore] {availableTrackId|spawnedTrackId}

Examples:
$spawn2pwn reset 1
$spawn2pwn reset 4d3d147405a7

Spawn

To spawn a track from available tracks.

$[spawn2pwn|s2p] [spawn|deploy] {availableTrackId}

Examples:
$spawn2pwn spawn 1

Status

To display every spawned tracks or a specific track when {availableTrackId|spawnedTrackId} is provided.

$[spawn2pwn|s2p] [status] {availableTrackId|spawnedTrackId}

Examples:
    $spawn2pwn status
    $spawn2pwn status 1
    $spawn2pwn status 4d3d147405a7

Tracks

To display every available tracks to spawn or a specific track when {availableTrackId} is provided.

$[spawn2pwn|s2p] [tracks] {availableTrackId}

Examples:
$spawn2pwn tracks
$spawn2pwn tracks 1

WireGuard

This project uses WireGuard to let the participant connect to their spawned track environment. You can start by downloading and installing WireGuard (https://www.wireguard.com/install/ or search it online if you don't trust this link).

Then, you can either let the bot generate your private/public key pair or generate your own pair.

If you choose to let the bot generate your key pair, you don't have to do anything. The pair will be generated on your first time spawning a track.
If you choose to create your own key pair, use WireGuard as root with the command line
# wg genkey | tee /etc/wireguard/spawn2pwn.priv | wg pubkey > /etc/wireguard/spawn2pwn.pub.
- Once this is done, you can send your public key to the bot using the Set Public Key command.

If you wish to create a preshared key as well, which increase the strength of the encryption, you can either use the bot to generate one for you or create your own.

If you choose to let the bot generate your preshared key, use the Generate Preshared Key command.
If you choose to create your own preshared key, use WireGuard as root with the command line # wg genpsk > /etc/wireguard/spawn2pwn.psk.
- Once this is done, you can send your preshared key to the bot using the Set Preshared Key command.

Everytime you spawn a track, the bot will give you your WireGuard configuration. Once you get that configuration:

Save it to /etc/wireguard/spawn2pwn.conf;
Activate the tunnel as root with the command line # wg-quick up spawn2pwn;
Profit.

$[spawn2pwn|s2p] [wireguard|wg]

Commands related to your wireGuard profile for Spawn2Pwn Project.

Commands:
  delpsk    Delete your WireGuard preshared key.
  genkey    Generate WireGuard private key.
  genpsk    Generate WireGuard preshared key (PSK).
  setpsk    Set your own WireGuard preshared key (PSK).
  setpubkey  Set your own WireGuard public key.
  status    Obtain WireGuard status.

Delete Preshared Key

To delete the preshared key from your configuration.

$[spawn2pwn|s2p] [wireguard|wg] delpsk

Examples:
$spawn2pwn wireguard delpsk

Generate Private/Public keys

This command will let the bot generate a set of private/public keys for you to use. If you prefer using your own generated private key, you can simply send your public key using the Set Public Key command.

$[spawn2pwn|s2p] [wireguard|wg] genkey

Examples:
$spawn2pwn wireguard genkey

Generate Preshared Key

This command will let the bot generate a preshared key for you to use. If you prefer using your own generated preshared key, you can simply send your preshared key using the Set Preshared Key command.

$[spawn2pwn|s2p] [wireguard|wg] genpsk

Examples:
$spawn2pwn wireguard genpsk

Set Preshared Key

To set a preshared key for your configuration. Important note: This command can only be used by directly messaging the bot on Discord.

$[spawn2pwn|s2p] [wireguard|wg] setpsk {presharedKey}

Examples:
$spawn2pwn wireguard setpsk aNvqzLZsy8HqUWY2uWcV67zDyg5HHUxxZSGytq6ZmmM=

Set Public Key

To set a public key for your configuration.

$[spawn2pwn|s2p] [wireguard|wg] setpubkey {publicKey}

Examples:
$spawn2pwn wireguard setpubkey aNvqzLZsy8HqUWY2uWcV67zDyg5HHUxxZSGytq6ZmmM=

Status/Configuration

To view your WireGuard configuration. Can only be used if you have a active spawned track.

$[spawn2pwn|s2p] [wireguard|wg] status

Examples:
$spawn2pwn wireguard status

Glossary

Available Track: In a CTF, we can often see a track that contains multiple flags or challenges. Since this project contains tracks to deploy and deployed tracks, we had to come up for two different names. Available Track stands for a template track ready to be deployed.

CTF: Capture The Flag. In a context of cyber security, it represents a form of competition where a participant has to find a string that proves the completion of a challenge.

Credits: For this project, a participant has two types of credit. Spawn credits are used to spawn or reset a spawned track. Extend credits are used to extend a spawned track.

Delete: Same as Destroy.

Deploy: Same as Spawn.

Discord: Social platform used by RingZer0 CTF community to exchange about cyber security, ask for help or use the Spawn2Pwn project. More information here.

Destroy: To entirely destroy a track that was spawned by the participant. If the participant does not have any more spawned track, their WireGuard access will be deleted as well.

Extend: To extend the life span of a spawned track. This effectively set the spawned date to now and thus reset the life span counter. Meaning that you can't exceed the maximum life span by using the extend command. Using this command will use an extend credit.

Preshared Key: This key should remain private between the participant and the server. They both need to have the same exact key in order for this to work. One can view this as a symmetric encryption/decryption key. This key is used to strengthen the WireGuard encrypted communications.

Private Key: One of two keys necessary in an asymmetric cryptography. This key is the one that should remain obviously private. This key is used to decrypt WireGuard encrypted communications.

Public Key: One of two keys necessary in an asymmetric cryptography. This key is the one that one would want to share for others to encrypt messages that only one could decrypt with their private key. This key is used to encrypt WireGuard communications. The participant must know the server's public key and vice versa for the communications to properly works.

Reset: To reset a spawned track to what it was when spawned. Meaning that when a track is spawned, a snapshot is taken before the firewall rules and when the participant uses this command, it will restore the snapshot for every instance of the spawned track. Using this command will use an spawn credit.

Restore: Same as Reset.

Spawn: To spawn a track from the available tracks. This command copies an available track in addition to creation of the participant WireGuard configuration and every firewall rules necessary to restrict the participant to the newly created spawned track. Plus the restriction for the spawned track to only be able to access the participant's WireGuard dedicated IP address. Using this command will use an spawn credit.

Spawn2Pwn: Name of the project. Spawn a track to pwn it.

Spawned Track: In a CTF, we can often see a track that contains multiple flags or challenges. Since this project contains tracks to deploy and deployed tracks, we had to come up for two different names. Spawned Track stands for a track that was deployed by a participant.

Status: To obtain the status of one or multiple spawned tracks.

Track: A set of one or multiple machines that contains one or multiple challenges.

WireGuard: A free-to-use VPN product that RingZer0 CTF decided to use for this project for it's flexibility, speed and ease to use. More information here.