In part one of this series, we covered the idea and development behind the creation of a portable cyber exercise system. Part two laid the foundation for the architecture required and got our base system set up.
For this part of the series, we will be delving further into the setup and configuration of the majority of the services. After which, we will have a fully-fledged system ready to either deliver a full exercise, or provide a platform that will give an existing cyber security tabletop exercise that extra piece of interactivity and realism.
One more tool that we will need to install on the device is unzip:
sudo apt install unzip
Next, we will configure Nginx and Bind so that we can provide websites and DNS to anyone that connects to the system (NOTE: it’s also at this point that it’s worth configuring the wireless access point connected to the system to hand out the IP address of your server as the DNS server).
sudo mkdir /etc/bind/zones
sudo vi /etc/bind/zones/.local
I’m using .local for DNS here, but feel free to use what works for you
My zone looks like the following (where ctf-ttx is my hostname and 192.168.1.100 is the IP address I have configured for this machine). If you’re using something different, you will need to update the relevant values.
$TTL 3D
$ORIGIN local.
local.  IN SOA ctf-ttx.local. hostmaster.local. (
        202407718   ; serial
        8H          ; refresh
        4H          ; retry
        4W          ; expire
        1D          ; minimum
        )
; @ is the zone apex (local.)
@       IN NS   ctf-ttx.local.
@       IN MX   10 mail.local.
localhost   A   127.0.0.1
ctf-ttx     A   192.168.1.100
mail        A   192.168.1.100
cyberchef   A   192.168.1.100
ctf         A   192.168.1.100
fakebook    A   192.168.1.100
cert        A   192.168.1.100
why         A   192.168.1.100
things      A   192.168.1.100
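The post never shows how Bind is told to load the zone file, and nothing checks the zone before the access point starts sending every client’s DNS queries to it. The script below is an added example, not part of the original post: it appends the zone stanza to named.conf.local, runs the Bind syntax checkers, reloads, and queries every name from the zone against this server only. It assumes a Debian/Ubuntu Bind 9 layout (named.conf.local, the bind9 service), the zone file path used above, dnsutils for dig, and the hostnames and IP from the zone above. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): wire the zone file into BIND,
# validate it, and prove resolution works before pointing the access point at it.
# Assumptions: Debian-style BIND 9 (named.conf.local, service bind9), the zone
# file path from the post, and dnsutils installed for dig.

ZONE_NAME="local"
ZONE_FILE="/etc/bind/zones/.local"
NAMED_LOCAL="/etc/bind/named.conf.local"
SERVER_IP="192.168.1.100"

# Render the zone stanza BIND needs in order to load the file at all; without
# it the zone file is never read and every *.local lookup fails.
zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$1" "$2"
}

# Append the stanza to named.conf.local only if it is not already there.
install_zone_stanza() {
    if ! grep -q "zone \"$ZONE_NAME\"" "$NAMED_LOCAL"; then
        zone_stanza "$ZONE_NAME" "$ZONE_FILE" | sudo tee -a "$NAMED_LOCAL" >/dev/null
    fi
}

# Syntax-check the main config and the zone before reloading, so a typo
# (a missing trailing dot, a bad SOA field) does not take DNS down for the room.
check_dns_config() {
    sudo named-checkconf && sudo named-checkzone "$ZONE_NAME" "$ZONE_FILE"
}

# Reload and resolve every name from the zone file against this server only.
verify_resolution() {
    sudo systemctl reload bind9
    for host in ctf-ttx mail cyberchef ctf fakebook cert why things; do
        answer="$(dig @127.0.0.1 "$host.$ZONE_NAME" A +short)"
        if [ "$answer" != "$SERVER_IP" ]; then
            echo "FAIL: $host.$ZONE_NAME -> '$answer'" >&2
            return 1
        fi
        echo "ok: $host.$ZONE_NAME -> $answer"
    done
}

# Run as: sh bind-zone.sh apply  (only defines functions when run without args)
case "${1:-}" in
    apply) install_zone_stanza && check_dns_config && verify_resolution ;;
esac
```

Running it with `apply` stops at the first failing step, so if named-checkzone rejects the file, Bind keeps serving whatever it loaded last rather than dying on reload.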
The first website we will configure will host a local copy of GCHQ’s excellent CyberChef tool (10.19.4 was the latest version at the time of this post; you can find the latest version at https://gchq.github.io/CyberChef/ by clicking the ‘Download CyberChef’ link at the top of the page).
sudo wget https://gchq.github.io/CyberChef/CyberChef_v10.19.4.zip
Once it’s downloaded, confirm the SHA256 hash
sha256sum CyberChef_v10.19.4.zip
The next step is getting the website into the nginx web root (these directories are owned by root, so the commands need sudo):
cd /var/www/html/
sudo mkdir cyberchef.local
sudo cp ~/CyberChef_v10.19.4.zip ./cyberchef.local/
cd cyberchef.local
sudo unzip CyberChef_v10.19.4.zip
sudo rm CyberChef_v10.19.4.zip
sudo mv CyberChef_v10.19.4.html ./index.html
We’ve already configured the cyberchef.local domain within bind for DNS resolution, but now we need to configure nginx so that we’re able to serve this web page to a user.
cd /etc/nginx/sites-available/
sudo vi cyberchef.local
The configuration file for this site should more or less mirror the default nginx setup. Since CyberChef doesn’t utilise PHP, we don’t require any further configuration here.
server {
    listen 80;
    listen [::]:80;
    root /var/www/html/cyberchef.local;
    index index.html index.htm index.nginx-debian.html;
    server_name cyberchef.local;
    location / {
        try_files $uri $uri/ =404;
    }
}
With the above configuration in place, we will need to enable the site within nginx:
cd ../sites-enabled/
sudo ln -s /etc/nginx/sites-available/cyberchef.local ./cyberchef.local
Finally, we will restart both Nginx and Bind. (NOTE: before restarting, you may want to run sudo nginx -t to test that the configuration is valid.)
sudo systemctl restart nginx bind9
When connected to your new Wi-Fi network, you should now be able to visit http://cyberchef.local in your web browser and the website will load.
With the website now up and running, the next piece we will configure is a docker container for CTFd (NOTE: it’s possible you have moved into a different directory at this point, so head back to your home directory by typing cd ~ before proceeding).
sudo git clone https://github.com/CTFd/CTFd.git
cd CTFd/
head -c 64 /dev/urandom | sudo tee .ctfd_secret_key > /dev/null
Like our environment, CTFd also uses nginx listening on port 80 by default, so we will need to change this to something else.
sudo vi docker-compose.yml
Under the nginx service we will need to update the following port mapping:
ports:
- 80:80
to a host port that our own nginx isn’t already listening on (the container side stays at 80, since that is the port CTFd’s bundled nginx listens on inside the container):
ports:
- 81:80
With that change made, we can now bring the container up (it’s configured by default to start on boot, so there are no other changes to be made here):
docker compose up --detach
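As an added example (not from the original post or from the CTFd project), the CTFd steps above as repeatable functions, with the two checks the post skips: that the secret key actually gets written as root (a plain sudo with a shell redirect does not, because the redirect is performed by your unprivileged shell), and that the host port you pick for the container’s nginx is free before the stack starts. It assumes the clone lives in ~/CTFd, that the compose file’s nginx service publishes "- 80:80" as in the post, that docker compose v2 is installed, and that CTFd’s gunicorn is published on 8000 (the port the ctf.local reverse proxy talks to). Function names are my own; SUDO can be set to an empty string when already root.

```shell
#!/bin/sh
# Added example (not from the original post or the CTFd project): the CTFd
# setup steps as functions, plus the checks the post leaves out.
# Assumptions: clone at ~/CTFd (root-owned after 'sudo git clone'), the compose
# file's nginx service publishes "- 80:80", docker compose v2, and CTFd's own
# nginx inside the container still listening on 80.

CTFD_DIR="$HOME/CTFd"
SUDO="${SUDO:-sudo}"   # set SUDO="" when already running as root

# 'sudo head ... > file' fails on a root-owned directory because the redirect
# is done by the unprivileged shell. Pipe through tee and keep the key private.
write_secret_key() {
    head -c 64 /dev/urandom | $SUDO tee "$1/.ctfd_secret_key" >/dev/null
    $SUDO chmod 600 "$1/.ctfd_secret_key"
}

# Rewrite the nginx port mapping in a compose file: host port $2 -> container
# port 80. The container side must stay at 80, because that is where the
# container's nginx listens; a mapping like "81:81" would point at nothing.
patch_nginx_port() {
    $SUDO sed -i "s/^\([[:space:]]*\)- 80:80\$/\1- $2:80/" "$1"
}

# Refuse to start if something on the host already holds the requested port.
host_port_free() {
    ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
}

# Bring the stack up and confirm the gunicorn side answers locally on 8000,
# which is the upstream the ctf.local reverse proxy will use.
start_ctfd() {
    (cd "$CTFD_DIR" && $SUDO docker compose up --detach) || return 1
    sleep 5
    curl -s -o /dev/null -w '%{http_code}\n' http://127.0.0.1:8000/
}

# Run as: sh ctfd-setup.sh apply  (only defines functions when run without args)
case "${1:-}" in
    apply)
        write_secret_key "$CTFD_DIR"
        host_port_free 81 || { echo "host port 81 is already in use" >&2; exit 1; }
        patch_nginx_port "$CTFD_DIR/docker-compose.yml" 81
        start_ctfd
        ;;
esac
```

The final curl prints the HTTP status CTFd returns directly on 8000; anything other than a 200 or 302 at that point means the reverse proxy configured next has nothing to forward to, so fix the container before touching nginx.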
If everything has gone according to plan, the docker container will start running without any issues. The final step is to make this available on a more friendly domain. The configuration supplied for bind at the start already included the necessary entry, so it’s just nginx that needs to be told what to do. For this, we will need to set up a reverse proxy for the container.
sudo vi /etc/nginx/sites-available/ctf.local
The configuration for this site will look a little different to the usual websites.
server {
    listen 80;
    listen [::]:80;
    server_name ctf.local;
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}
Once again, we will need to enable the site and then restart nginx and bind.
sudo ln -s /etc/nginx/sites-available/ctf.local /etc/nginx/sites-enabled/ctf.local
sudo systemctl restart nginx bind9
If there are no errors, you should be able to connect to http://ctf.local when connected to the attached Wi-Fi network.
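Every further site the rest of this series adds follows the same two patterns shown above: a static root under /var/www/html or a reverse proxy to a container. The script below is an added example, not from the original post, that turns both into functions and adds the safety the manual steps lack: the config is only reloaded if nginx -t accepts it, and a rejected file is disabled again so the sites already running stay up. The proxy variant also forwards the client’s Host and address to the application, which the bare proxy_pass above does not. It assumes the Debian sites-available/sites-enabled layout and the hostnames and upstream from this post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): render and enable nginx sites the
# way the post does by hand, with the checks it skips.
# Assumptions: Debian-style /etc/nginx/sites-available + sites-enabled layout,
# web roots under /var/www/html/<name>, and upstreams as used in the post.

SITES_AVAILABLE="/etc/nginx/sites-available"
SITES_ENABLED="/etc/nginx/sites-enabled"
SUDO="${SUDO:-sudo}"   # set SUDO="" when already running as root

# Static site: $1 = server_name, $2 = document root.
static_site_conf() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    root $2;
    index index.html index.htm;
    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Reverse proxy: $1 = server_name, $2 = upstream URL (e.g. http://127.0.0.1:8000).
# The forwarded headers let the application see the real Host and client IP,
# so the links it generates and the requests it logs are correct.
proxy_site_conf() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1;
    location / {
        proxy_pass $2;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Read a rendered config from stdin, install and enable it, and reload nginx
# only if 'nginx -t' passes; otherwise disable it again and report.
enable_site() {
    $SUDO tee "$SITES_AVAILABLE/$1" >/dev/null
    $SUDO ln -sf "$SITES_AVAILABLE/$1" "$SITES_ENABLED/$1"
    if $SUDO nginx -t; then
        $SUDO systemctl reload nginx
    else
        $SUDO rm -f "$SITES_ENABLED/$1"
        echo "config for $1 rejected by nginx -t, site left disabled" >&2
        return 1
    fi
}

# Run as: sh nginx-sites.sh apply  (only defines functions when run without args)
case "${1:-}" in
    apply)
        static_site_conf cyberchef.local /var/www/html/cyberchef.local | enable_site cyberchef.local
        proxy_site_conf ctf.local http://127.0.0.1:8000 | enable_site ctf.local
        ;;
esac
```

Using reload rather than restart keeps existing client connections alive while the new site is picked up, which matters when an exercise is already in progress on the same box.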
At this stage, the system can be used as a portable platform for creating and hosting local capture the flag events that don’t require internet connectivity. This is particularly handy when delivering to audiences in remote locations where reliable internet access may not be possible.
In the final part, we will set up some further websites that can be used to help simulate cyber incidents, or provide a new level of interactivity to your existing exercises.