Tuesday, November 1, 2022

CI/CD Goat – A Deliberately Vulnerable CI/CD Environment




Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.

Created by Cider Security.

Description

The CI/CD Goat project allows engineers and security practitioners to learn and practice CI/CD security through a set of 10 challenges, enacted against a real, full-blown CI/CD environment. The scenarios are of varying difficulty levels, with each scenario focusing on one primary attack vector.

The challenges cover the Top 10 CI/CD Security Risks, including Insufficient Flow Control Mechanisms, PPE (Poisoned Pipeline Execution), Dependency Chain Abuse, PBAC (Pipeline-Based Access Controls), and more.
The different challenges are inspired by Alice in Wonderland; each one is themed as a different character.

The project's environment is based on Docker images and can be run locally. These images are:

  1. Gitea (minimal git server)
  2. Jenkins
  3. Jenkins agent
  4. LocalStack (cloud service emulator that runs in a single container)
  5. Lighttpd
  6. CTFd (Capture The Flag framework).

The images are configured to interconnect in a way that creates fully functional pipelines.

Download & Run

There's no need to clone the repository.

Linux & Mac

curl -o cicd-goat/docker-compose.yaml --create-dirs https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
cd cicd-goat && docker-compose up -d

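Windows (PowerShell)

mkdir cicd-goat; cd cicd-goat
# curl.exe avoids the Windows PowerShell alias that maps curl to Invoke-WebRequest
curl.exe -o docker-compose.yaml https://raw.githubusercontent.com/cider-security-research/cicd-goat/main/docker-compose.yaml
# Replace the "bridge" network driver with "nat" and write the result back to the file
(Get-Content docker-compose.yaml) -replace "bridge","nat" | Set-Content docker-compose.yaml
docker-compose up -d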
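
Since the environment is deliberately vulnerable and meant to be run locally, it is worth checking which ports the downloaded docker-compose.yaml publishes before starting it. The following is an added example, not code from the CI/CD Goat project: it lists short-syntax `ports:` entries that are not bound to a loopback address. The sample compose text, its image names and all function names are constructed for illustration, and long-syntax port entries are not handled.

```python
# Constructed sample in the shape of a compose file; NOT the project's real file.
SAMPLE_COMPOSE = """\
services:
  ctfd:
    image: example/ctfd
    ports:
      - "8000:8000"
  jenkins:
    ports:
      - "127.0.0.1:8080:8080"
      - 50000
  gitea:
    ports:
      - "[::1]:3000:3000"
      - "0.0.0.0:2222:22/tcp"
"""
LOOPBACK = {"127.0.0.1", "::1"}

def published_ports(compose_text):
    """Yield (service, mapping) for short-syntax items under each `ports:` key."""
    keys, service, in_ports = {}, None, False
    for raw in compose_text.splitlines():
        stripped = raw.split(" #")[0].strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if in_ports and stripped.startswith("- "):
            yield service, stripped[2:].strip().strip("\"'")
            continue
        in_ports = stripped == "ports:"
        if in_ports:  # owning service = latest key at the nearest smaller indent
            parent = max((i for i in keys if i < indent), default=None)
            service = keys.get(parent)
        elif stripped.endswith(":"):
            keys[indent] = stripped[:-1]

def host_ip(mapping):
    """Host IP of a short-syntax mapping, or None when it binds every interface."""
    parts = mapping.split("/")[0].rsplit(":", 2)  # drop /tcp|/udp, split from the right
    return parts[0].strip("[]") if len(parts) == 3 else None

def exposed_mappings(compose_text):
    """Mappings whose published port is reachable from other hosts."""
    return [(s, m) for s, m in published_ports(compose_text)
            if host_ip(m) not in LOOPBACK]

if __name__ == "__main__":
    for svc, mapping in exposed_mappings(SAMPLE_COMPOSE):
        print(f"{svc}: {mapping} is not bound to loopback")
```

To check the downloaded file, pass its text instead of the sample: `exposed_mappings(open("docker-compose.yaml").read())`.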

Usage

Instructions

  • Spoiler alert! Avoid browsing the repository files as they contain spoilers.
  • To configure your git client for accessing private repositories we suggest cloning using the http url.
  • In each challenge, find the flag – in the format of flag# (e.g. flag2), or another format if mentioned specifically.
  • Each challenge stands on its own. Do not use access gained in one challenge to solve another challenge.
  • If needed, use the hints on CTFd.
  • There is no need to exploit CVEs.
  • No need to hijack admin accounts of Gitea or Jenkins (named “admin” or “red-queen”).

Take the challenge

  1. After starting the containers, it might take up to 5 minutes until the containers' configuration process is complete.

  2. Log in to CTFd at http://localhost:8000 to view the challenges:

    • Username: alice
    • Password: alice
  3. Hack:

  4. Insert the flags on CTFd and find out if you got it right.

Troubleshooting

  • If Gitea shows a blank page, refresh the page.
  • When forking a repository, don't change the name of the forked repository.

Solutions

Warning: Spoilers!

See Solutions.

Contributing

Development

  1. Clone the repository.

  2. Rename .git folders to make them usable:

  3. Install testing dependencies:

    pip3 install pipenv==2022.8.30
    pipenv install --deploy
  4. Run the development environment to experiment with new changes:

    rm -rf tmp tmp-ctfd/
    cp -R ctfd/data/ tmp-ctfd/
    docker-compose -f docker-compose-dev.yaml up -d
  5. Make the desired changes:

    • All services except CTFd are completely configured as code, so desired changes should be made to the files in the appropriate folders.
    • To make changes in CTFd, use the admin credentials.
  6. Shut down the environment, move changes made in CTFd and rebuild it:

    docker-compose -f docker-compose-dev.yaml down
    ./apply.sh # save CTFd changes
    docker-compose -f docker-compose-dev.yaml up -d --build
  7. Run tests:

  8. Rename .git folders to permit push:

  9. Commit and push!

Checklist

Follow the checklist below to add a challenge:

  1. CTFd:
    1. Write challenge description.
    2. Choose category according to difficulty level.
    3. Make sure the challenge is visible and has value according to difficulty.
    4. Write hints in order of usage.
    5. Add a flag. Make sure to select if it's case-insensitive.
  2. Gitea:
    1. Configure a new repository in gitea.yaml.
    2. Create the repository under gitea/repositories. Use an open-source repository that uses the MIT license as a template for the challenge repository.
  3. Jenkins:
    1. Configure Jenkins and add new jobdsl files in the casc.yaml file.
    2. Make sure jobs don't run periodically. Jobs should be triggered by events / polling.
    3. Validate that the new challenge doesn't interfere with other challenges.
  4. Make sure the flag is not accessible when solving other challenges.
  5. Write tests.
  6. Write the solution.
  7. Update README.md if needed.
  8. In order to run the CI, make sure you have a CircleCI account and that you've clicked “Set Up Project” in your fork of the project.


