Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.
Created by Cider Security.
Description
The CI/CD Goat project allows engineers and security practitioners to learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full-blown CI/CD environment. The scenarios are of varying difficulty levels, with each scenario focusing on one primary attack vector.
The challenges cover the Top 10 CI/CD Security Risks, including Insufficient Flow Control Mechanisms, PPE (Poisoned Pipeline Execution), Dependency Chain Abuse, PBAC (Pipeline-Based Access Controls), and more.
The different challenges are inspired by Alice in Wonderland; each one is themed as a different character.
The project's environment is based on Docker images and can be run locally. These images are:
- Gitea (minimal git server)
- Jenkins
- Jenkins agent
- LocalStack (cloud service emulator that runs in a single container)
- Lighttpd
- CTFd (Capture The Flag framework).
The images are configured to interconnect in a way that creates fully functional pipelines.
Download & Run
There is no need to clone the repository.
Linux & Mac
curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
cd cicd-goat && docker-compose up -d
Windows (PowerShell)
mkdir cicd-goat; cd cicd-goat
curl -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
# Switch the compose network driver from "bridge" to "nat" and write the file back
# (reading the whole file first, in parentheses, lets Set-Content overwrite it safely).
(Get-Content docker-compose.yaml) | ForEach-Object { $_ -replace "bridge","nat" } | Set-Content docker-compose.yaml
docker-compose up -d
Usage
Instructions
- Spoiler alert! Avoid browsing the repository files, as they contain spoilers.
- To configure your git client for accessing private repositories, we suggest cloning using the http URL.
- In each challenge, find the flag, in the format flag# (e.g. flag2), or another format if specifically mentioned.
- Each challenge stands on its own. Don't use access gained in one challenge to solve another challenge.
- If needed, use the hints on CTFd.
- There is no need to exploit CVEs.
- There is no need to hijack the admin accounts of Gitea or Jenkins (named "admin" or "red-queen").
Take the challenge
- After starting the containers, it might take up to 5 minutes until the container configuration process is complete.
- Log in to CTFd at http://localhost:8000 to view the challenges:
  - Username: alice
  - Password: alice
- Hack:
  - Username:
- Insert the flags on CTFd and find out if you got them right.
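Because the stack keeps configuring itself for up to 5 minutes after `docker-compose up -d`, the first login attempt often fails for no interesting reason. The following is an added example, not part of the cicd-goat project: it polls the CTFd URL from this README (http://localhost:8000) until it answers, and gives up after the 5-minute budget. The probe function, the 5-second interval and the injectable clock/sleep parameters are this example's own choices.

```python
"""Wait for the CI/CD Goat containers to finish configuring.

Added example (not part of the cicd-goat project). It polls the CTFd
login page until it answers HTTP, giving up after the README's
5-minute startup budget.
"""
import time
import urllib.error
import urllib.request
from typing import Callable

CTFD_URL = "http://localhost:8000"   # from the README
STARTUP_BUDGET_S = 5 * 60            # README: up to 5 minutes


def http_ready(url: str, timeout_s: float = 3.0) -> bool:
    """Return True when the service answers HTTP.

    Connection errors mean "not yet". A 4xx still proves the web server
    is up; a 5xx while CTFd is still initialising counts as not ready.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout_s) as resp:
            return 200 <= resp.status < 400
    except urllib.error.HTTPError as exc:
        return exc.code < 500
    except (urllib.error.URLError, OSError):
        return False


def wait_until_ready(probe: Callable[[], bool],
                     budget_s: float = STARTUP_BUDGET_S,
                     interval_s: float = 5.0,
                     clock: Callable[[], float] = time.monotonic,
                     sleep: Callable[[float], None] = time.sleep) -> int:
    """Call probe() every interval_s until it returns True.

    Returns the number of attempts it took, or 0 when the budget runs
    out before the service answers. clock and sleep are injectable
    (an assumption of this example) so the logic can be exercised
    without a running stack.
    """
    deadline = clock() + budget_s
    attempts = 0
    while True:
        attempts += 1
        if probe():
            return attempts
        if clock() >= deadline:
            return 0
        sleep(interval_s)


if __name__ == "__main__":
    n = wait_until_ready(lambda: http_ready(CTFD_URL))
    if n:
        print(f"CTFd is up after {n} probe(s); log in at {CTFD_URL}")
    else:
        raise SystemExit("CTFd did not come up within 5 minutes; "
                         "check docker-compose logs")
```

Run it right after `docker-compose up -d`; it exits non-zero if CTFd never answers, which is the moment to look at the container logs rather than at the challenges.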
Troubleshooting
- If Gitea shows a blank page, refresh the page.
- When forking a repository, don't change the name of the forked repository.
Solutions
Warning: Spoilers!
See Solutions.
Contributing
Development
- Clone the repository.
- Rename the .git folders to make them usable:
- Install the testing dependencies:
  pip3 install pipenv==2022.8.30
  pipenv install --deploy
- Run the development environment to experiment with new changes:
  rm -rf tmp tmp-ctfd/
  cp -R ctfd/data/ tmp-ctfd/
  docker-compose -f docker-compose-dev.yaml up -d
- Make the desired changes:
  - All services except CTFd are completely configured as code, so changes should be made to the files in the appropriate folders.
  - To make changes in CTFd, use the admin credentials.
- Shut down the environment, move the changes made in CTFd and rebuild it:
  docker-compose -f docker-compose-dev.yaml down
  ./apply.sh # save CTFd changes
  docker-compose -f docker-compose-dev.yaml up -d --build
- Run the tests:
- Rename the .git folders to allow pushing:
- Commit and push!
Checklist
Follow the checklist below to add a challenge:
- CTFd:
  - Write the challenge description.
  - Choose a category according to the difficulty level.
  - Make sure the challenge is visible and has a value matching its difficulty.
  - Write hints in order of usage.
  - Add a flag. Make sure to select whether it is case-insensitive.
- Gitea:
  - Configure a new repository in gitea.yaml.
  - Create the repository under gitea/repositories. Use an open-source repository that uses the MIT license as a template for the challenge repository.
- Jenkins:
  - Configure Jenkins and add new jobdsl files in the casc.yaml file.
  - Make sure jobs don't run periodically. Jobs should be triggered by events / polling.
- Validate that the new challenge doesn't interfere with other challenges.
- Make sure the flag isn't accessible when solving other challenges.
- Write tests.
- Write the solution.
- Update README.md if needed.
- In order to run the CI, make sure you have a CircleCI account and that you've clicked "Set Up Project" on your fork of the project.
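The Jenkins item "jobs must not run periodically; trigger them by events or polling" is easy to get wrong in a Job DSL script and easy to check mechanically. The following is an added example, not part of the cicd-goat project or its tests: a small linter over Job DSL text (the scripts that casc.yaml embeds) that flags `cron(...)` triggers and reports any trigger it does not recognise for manual review. The sample DSL and its job names are constructed for this example, and the set of trigger names treated as event/polling triggers (`scm`, `githubPush`, `upstream`) is this example's assumption, not a project rule.

```python
"""Lint Job DSL scripts for the checklist rule "jobs must not run
periodically; trigger them by events or SCM polling".

Added example, not part of the cicd-goat project. Operates on the
Job DSL text embedded in casc.yaml; the sample below is constructed.
"""
import re

# Trigger calls that start builds on a schedule (what the checklist forbids).
PERIODIC_TRIGGERS = {"cron"}
# Trigger calls that react to an event or poll the SCM (assumed allowed set).
EVENT_TRIGGERS = {"scm", "githubPush", "upstream"}

# job('name') { ... } and its pipeline/freestyle/multibranch variants.
JOB_RE = re.compile(
    r"""\b(job|freeStyleJob|pipelineJob|multibranchPipelineJob)\(\s*['"]([^'"]+)['"]\s*\)\s*\{"""
)
TRIGGERS_RE = re.compile(r"\btriggers\s*\{")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def _balanced(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in Job DSL text")


def trigger_calls(job_body: str) -> list:
    """Names of every call made inside the job's triggers { ... } blocks."""
    calls = []
    for m in TRIGGERS_RE.finditer(job_body):
        inner = _balanced(job_body, m.end() - 1)
        calls.extend(CALL_RE.findall(inner))
    return calls


def lint(dsl_text: str) -> dict:
    """Map job name -> list of problems for every job that breaks the rule.

    Jobs with no triggers at all are fine (manual builds); jobs whose
    triggers are all in EVENT_TRIGGERS are fine; cron is a finding and
    anything else is reported for a human to look at.
    """
    findings = {}
    for m in JOB_RE.finditer(dsl_text):
        name = m.group(2)
        body = _balanced(dsl_text, m.end() - 1)
        problems = []
        for call in trigger_calls(body):
            if call in PERIODIC_TRIGGERS:
                problems.append(f"periodic trigger '{call}'")
            elif call not in EVENT_TRIGGERS:
                problems.append(f"unrecognised trigger '{call}', review manually")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: one polling job, one cron job, one event-driven job.
SAMPLE_DSL = """
pipelineJob('wonderland-polling') {
  triggers { scm('H/2 * * * *') }
}
pipelineJob('wonderland-cron') {
  triggers { cron('H/5 * * * *') }
}
job('wonderland-events') {
  triggers {
    githubPush()
    upstream('other-job', 'SUCCESS')
  }
}
"""

if __name__ == "__main__":
    for job, problems in lint(SAMPLE_DSL).items():
        for p in problems:
            print(f"{job}: {p}")
```

Point `lint()` at the DSL text pulled out of casc.yaml in a test and fail the suite when it returns anything; a cron-triggered job in a challenge environment builds on its own schedule, which both muddies the solve path and can leak a flag into build logs nobody is watching.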