Merge pull request #132 from OWASP/quick_fixes

commjoen · web-flow · commit 700cd13d0448 · 2022-12-14T14:27:19.000+01:00
Quick fixes for future usage
diff --git a/aws/README.md b/aws/README.md
@@ -32,6 +32,7 @@ terraform apply
 ```
 
 The bucket name should be in the output. Please use that to configure the Terraform backend in `main.tf`.
+The bucket ARN will be printed, make a note of this as it will be used in the next steps.
 
 ## Installation
 
@@ -44,11 +45,12 @@ The terraform code is loosely based on [this EKS managed Node Group TF example](
 1. export your AWS credentials (`export AWS_PROFILE=awsuser`)
 2. check whether you have the right profile by doing `aws sts get-caller-identity` and make sure you have enough rights with the caller its identity and that the actual accountnumber displayed is the account designated for you to apply this TF to.
 3. Do `terraform init` (if required, use tfenv to select TF 0.13.1 or higher )
-4. Do `terraform plan`
-5. Do `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the AWS backplane.
-6. When creation is done, do `aws eks update-kubeconfig --region eu-west-1 --name wrongsecrets-exercise-cluster --kubeconfig ~/.kube/wrongsecrets`
-7. Do `export KUBECONFIG=~/.kube/wrongsecrets`
-8. Run `./build-an-deploy-aws.sh` to install all the required materials (helm for calico, secrets management, autoscaling, etc.)
+4. The bucket ARN will be asked for in the next 2 steps. Take the one provided to you and add `arn:aws:s3:::` to the start. e.g. ``arn:aws:s3:::terraform-20221208123456789100000001`
+5. Do `terraform plan`
+6. Do `terraform apply`. Note: the apply will take 10 to 20 minutes depending on the speed of the AWS backplane.
+7. When creation is done, do `aws eks update-kubeconfig --region eu-west-1 --name wrongsecrets-exercise-cluster --kubeconfig ~/.kube/wrongsecrets`
+8. Do `export KUBECONFIG=~/.kube/wrongsecrets`
+9. Run `./build-an-deploy-aws.sh` to install all the required materials (helm for calico, secrets management, autoscaling, etc.)
 
 Your EKS cluster should be visible in [EU-West-1](https://eu-west-1.console.aws.amazon.com/eks/home?region=eu-west-1#/clusters) by default. Want a different region? You can modify `terraform.tfvars` or input it directly using the `region` variable in plan/apply.
 
@@ -81,17 +83,17 @@ Now visit the CTFd instance and setup your CTF. If you haven't set up a load bal
 _!!NOTE:_ **The following can be dangerous if you use CTFd `>= 3.5.0` with wrongsecrets `< 1.5.11`. Check the `challenges.json` and make sure it's 1-indexed - a 0-indexed file will break CTFd!** _/NOTE!!_
 
 Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command.
-After that you will still need to override the flags with their actual values if you do use the 2-domain configuration.
+After that you will still need to override the flags with their actual values if you do use the 2-domain configuration. For a guide on how to do this see the 2-domain setup steps in the general [README](../readme.md)
 Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.
 
-Want to make the CTFD instance look pretty? Include the fragment logated at [./k8s/ctfd_resources/index_fragment.html](/k8s/ctfd_resources/index_fragment.html) in your index.html via the admin panel.
+Want to make the CTFD instance look pretty? Include the fragment located at [./k8s/ctfd_resources/index_fragment.html](/k8s/ctfd_resources/index_fragment.html) in your index.html via the admin panel.
 
 ### Clean it up
 
 When you're done:
 
 1. Kill the port forward.
-2. Run the cleanup script: `cleanup-aws-autoscaling-and-helm.sh`
+2. Run the cleanup script: `./cleanup-aws-autoscaling-and-helm.sh`
 3. Run `terraform destroy` to clean up the infrastructure.
    1. If you've deployed the `shared-state` s3 bucket, also `cd shared-state` and `terraform destroy` there.
 4. Run `unset KUBECONFIG` to unset the KUBECONFIG env var.
@@ -112,8 +114,8 @@ We added additional scripts for adding an ALB and ingress so that you can use yo
 Do the following:
 
 1. Follow the installation section first.
-2. Run `k8s-aws-alb-script.sh` and the script will return the url at which you can reach the application.
-3. When you are done, before you do cleanup, first run `k8s-aws-alb-script-cleanup.sh`.
+2. Run `./k8s-aws-alb-script.sh` and the script will return the url at which you can reach the application. (Be aware this opens the url's to the internet in general, if you'd like to limit the access please do this using the security groups in AWS)
+3. When you are done, before you do cleanup, first run `./k8s-aws-alb-script-cleanup.sh`.
 
 Note that you might have to do some manual cleanups after that.
 
diff --git a/aws/build-an-deploy-aws.sh b/aws/build-an-deploy-aws.sh
@@ -28,6 +28,20 @@ else
   echo "CLUSTERNAME is not set or empty, defaulting to ${CLUSTERNAME}"
 fi
 
+echo "Checking for compatible shell"
+case "$SHELL" in
+*bash*)
+    echo "BASH detected"
+    ;;
+*zsh*)
+    echo "ZSH detected"
+    ;;
+*)
+    echo "🛑🛑 Unknown shell $SHELL, this script has only been tested on BASH and ZSH. Please be aware there may be some issues 🛑🛑"
+    sleep 2
+    ;;
+esac
+
 ACCOUNT_ID=$(aws sts get-caller-identity | jq '.Account' -r)
 echo "ACCOUNT_ID=${ACCOUNT_ID}"
 
@@ -128,8 +142,8 @@ helm upgrade --install mj ../helm/wrongsecrets-ctf-party \
 export HELM_EXPERIMENTAL_OCI=1
 kubectl create namespace ctfd
 helm -n ctfd install ctfd oci://ghcr.io/bman46/ctfd/ctfd \
-  --set="redis.auth.password=${$(openssl rand -base64 24)}" \
-  --set="mariadb.auth.rootPassword=${$(openssl rand -base64 24)}" \
-  --set="mariadb.auth.password=${$(openssl rand -base64 24)}" \
-  --set="mariadb.auth.replicationPassword=${$(openssl rand -base64 24)}" \
+  --set="redis.auth.password=$(openssl rand -base64 24)" \
+  --set="mariadb.auth.rootPassword=$(openssl rand -base64 24)" \
+  --set="mariadb.auth.password=$(openssl rand -base64 24)" \
+  --set="mariadb.auth.replicationPassword=$(openssl rand -base64 24)" \
   --set="env.open.SECRET_KEY=test" # this key isn't actually necessary in a setup with CTFd
diff --git a/aws/k8s-aws-alb-script.sh b/aws/k8s-aws-alb-script.sh
@@ -4,7 +4,7 @@
 # set -o nounset
 
 source ../scripts/check-available-commands.sh
-checkCommandsAvailable helm jq vault sed grep docker grep cat aws curl eksctl kubectl
+checkCommandsAvailable helm jq sed grep docker grep cat aws curl eksctl kubectl
 
 if test -n "${AWS_REGION-}"; then
   echo "AWS_REGION is set to <$AWS_REGION>"
diff --git a/aws/k8s/secret-challenge-vault-deployment.yml b/aws/k8s/secret-challenge-vault-deployment.yml
@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.5.3-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.5.12-no-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
diff --git a/build-an-deploy-container.sh b/build-an-deploy-container.sh
@@ -31,4 +31,4 @@ docker pull $WRONGSECRETS_BALANCER_IMAGE:$WRONGSECRETS_BALANCER_TAG &
 docker pull $WRONGSECRETS_CLEANER_IMAGE:$WRONGSECRETS_CLEANER_TAG
 wait
 
-helm upgrade --install mj ./helm/wrongsecrets-ctf-party --set="imagePullPolicy=Never"
+helm upgrade --install mj ./helm/wrongsecrets-ctf-party --set="imagePullPolicy=IfNotPresent"
diff --git a/helm/wrongsecrets-ctf-party/values.yaml b/helm/wrongsecrets-ctf-party/values.yaml
@@ -184,7 +184,7 @@ virtualdesktop:
   maxInstances: 500
   # -- Juice Shop Image to use
   image: jeroenwillemsen/wrongsecrets-desktop-k8s
-  tag: 1.5.12
+  tag: ctf-party1
   repository: commjoenie/wrongSecrets
   resources:
     request:
diff --git a/readme.md b/readme.md
@@ -85,6 +85,13 @@ You need 2 things:
 - This infrastructure
 - A CTFD/Facebook-CTF host which is populated with the challenges based on your secondary hosted WrongSecrets application (this can be the helm chart included in the EKS installation script)
 
+To use the 2 domain setup with CTFD:
+
+1. Set up the CTFD and WrongSecrets instances using your preferred method and docs e.g. AWS and the docs [here](aws/README.md).
+2. Set up a team with spoilers available (On AWS this can be done by changing the deployment of a team you have created and setting ctf-mode=false).
+3. Use these spoilers to manually copy the answers from WrongSecrets to CTFD.]
+4. Delete the team used to get these spoilers (On AWS you can delete the entire namespace of the team)
+
 ### General Helm usage
 
 This setup works best if you have Calico installed as your CNI, if you want to use the helm directly, without the AWS Challenges, do:
