docker-tcp-switchboard is pretty good, but it has two problems for me:

  • Doesn't support non-ssh connections
  • Containers, not virtual machines

I am setting up a simple CTF for my college's cybersecurity club, and I want each competitor to be isolated to their own virtual machine. Normally I'd use containers, but they don't really work for this, because it's a container escape ctf...

My idea is to deploy linuxserver/webtop, as the entry point for the CTF, (with the insecure option enabled, if you know what I mean), but but it only supports one user at a time, if multiple users attempt to connect, they all see the same X session.

I don't have too much time, so I don't want to write a custom solution. If worst comes to worst, then I will just put a virtual machine on each of the desktops in the shared lab.

Any ideas?

  • pezhore@lemmy.ml
    ·
    1 year ago

    I throw CTFs for a living (among other things), and I'm happy to help out a fellow Infosec person.

    What kind of infrastructure can you deploy? Is this going to be in the cloud, on-prem (via a hypervisor like Proxmox/vSphere, or hosted on a single laptop/server?

    • moonpiedumplings@programming.dev
      hexagon
      ·
      1 year ago

      Nothing in the cloud.

      We have a proxmox cluster, which is where this would probably go, but I would prefer a non-integrated solution, rather a single thing I can either put within a proxmox vm (nested virtualization) or on an on premise piece of physical hardware.

      • pezhore@lemmy.ml
        ·
        1 year ago

        So first, let me be clear - I don't know if an alternative to that software you first brought up. But some of our earlier CTFs had a similar issue with isolation.

        We ended up spinning up new VLANs per contestant, each having a single Kali Linux VM with xrdp, along with each contestants target systems. Our router/fw blocked all access in/out of those VLANs, save for RDP/SSH traffic from our Apache Guacamole server on the DMZ.

        So contestants would hit our portal (Guacamole), then from there connect into their own dedicated Kali instance and environment.

        Later, we had to make additional fw exemptions for our scoreboard/docs, etc.