This is the setup used in our BambiCTF and ENOWARS competitions.
It uses ansible and packer to prepare images for Hetzner Cloud and terraform to create the infrastructure.
This setup combines a lot of other services/repositories.
Due to implementation details, currently you have to be aware of the following limits:
- Create API tokens in your project (Hetzner's website): `HCLOUD_TOKEN` (type=admin) and `HETZNERDNS_TOKEN`
- `./ansible/config_bambi.yml`:

  ```yaml
  vulnerable_services:
    WASP: git@github.com:enowars/service-wasp.git
    djbooth: git@github.com:enowars/service-DJ_Booth.git
    switzerland: git@github.com:enowars/service-switzerland.git
    teapot: git@github.com:enowars/service-teapot.git
  github_ssh_keys:
    - Trolldemorted
    - domenukk
    - ldruschk
    - MMunier
  ```
- Copy the SSH key and enter the container:

  ```sh
  cp ~/.ssh/id_ed25519 .
  docker compose up -d
  docker compose exec bambictf bash
  chmod 400 ./id_ed25519
  ```
- Generate the team and router configuration:

  ```sh
  cd /bambictf/configgen
  poetry install   # once
  poetry run configgen --teams 4 --routers 2 --dns test.bambi.ovh
  cp -r ./export/portal /services/EnoCTFPortal/data/teamdata   # or wherever it is
  ```

- Build the checker image and list the resulting snapshot:

  ```sh
  cd /bambictf/packer
  packer build bambichecker.json
  curl -H "Authorization: Bearer $HCLOUD_TOKEN" 'https://api.hetzner.cloud/v1/images?type=snapshot'
  ```

- Create `./terraform/terraform.tfvars` (see `./terraform/terraform.tfvars.sample` for reference), then:

  ```sh
  cd /bambictf/terraform
  terraform init
  terraform apply
  ```
- Firewall rules:

  On every gateway:

  ```sh
  iptables -A FORWARD -o router -j ACCEPT
  ```

  On the engine:

  ```sh
  iptables -A INPUT -i internal -p tcp -m tcp --dport 5001 -j ACCEPT
  ```

  On every router:

  ```sh
  iptables -A FORWARD -d 192.168.1.0/32 -i team+ -o internal -p tcp -m tcp --dport 5001 -j ACCEPT
  iptables -A FORWARD -d 192.168.1.0/32 -i router -o internal -p tcp -m tcp --dport 5001 -j ACCEPT
  ```
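As an added example (not part of the bambictf repository or of any ENOWARS service), the POSIX shell script below collects the rules above per host role and applies each one only when `iptables -C` reports it absent, so re-running it after a reboot or a second ansible run does not stack duplicate ACCEPT entries that make a later audit of the chain harder to read. The role names `gateway`, `engine` and `router`, the `DRY_RUN` switch and the function names are this example's own; the interface names (`router`, `internal`, `team+`), the port 5001 and the engine address 192.168.1.0/32 are taken verbatim from the rules above.

```shell
#!/bin/sh
# Added example, not bambictf's own code. Emits the README's iptables rules
# for one host role and applies them idempotently.
# Assumed role labels: gateway, engine, router. Interfaces, port and engine
# address come from the README rules.

# Print the rule specifications (everything after "iptables -A") for a role,
# one per line. Unknown roles fail loudly instead of applying nothing silently.
bambi_rules() {
    case "$1" in
        gateway)
            echo "FORWARD -o router -j ACCEPT"
            ;;
        engine)
            echo "INPUT -i internal -p tcp -m tcp --dport 5001 -j ACCEPT"
            ;;
        router)
            echo "FORWARD -d 192.168.1.0/32 -i team+ -o internal -p tcp -m tcp --dport 5001 -j ACCEPT"
            echo "FORWARD -d 192.168.1.0/32 -i router -o internal -p tcp -m tcp --dport 5001 -j ACCEPT"
            ;;
        *)
            echo "unknown role: $1" >&2
            return 1
            ;;
    esac
}

# Number of rules a role needs; useful as a quick sanity check.
bambi_rule_count() {
    bambi_rules "$1" | wc -l | tr -d ' '
}

# Apply the rules for a role. "iptables -C" exits non-zero when the rule is
# absent, so each rule is appended at most once. With DRY_RUN set, the
# commands are printed instead of executed.
bambi_apply() {
    role=$1
    bambi_rules "$role" | while IFS= read -r rule; do
        # $rule is deliberately unquoted: the spec must be split into arguments.
        if [ -n "$DRY_RUN" ]; then
            echo "iptables -A $rule"
        elif iptables -C $rule 2>/dev/null; then
            echo "present: $rule"
        else
            iptables -A $rule && echo "added: $rule"
        fi
    done
}
```

Usage: `bambi_apply router` on a router host, or `DRY_RUN=1 bambi_apply router` to preview. Note that `-A` appends, so these ACCEPT rules land after whatever the chain already contains; if an earlier DROP or REJECT matches first, they never take effect, which `iptables -L FORWARD -v -n --line-numbers` makes visible.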
- Scoreboard sync:

  ```sh
  while true; do rsync /services/data/*.json benni@bambi.enoflag.de:/services/EnoCTFPortal_bambi7/scoreboard; sleep 5; done
  ```
TODO ask Lucas about loops and stuff