isolet-cli
is a command line tool for isolet to manage challenges on isolet platform.
Use
--help
flag to know more about a particular command.
.
├── Dockerfiles
│ ├── chall-image-1
│ │ ├── Dockerfile
│ │ └── docker-files
│ │ └── file.txt
│ └── image-2
│ └── Dockerfile
├── chall.yaml
├── deployment.yaml (optional) # Refer custom deployment
└── resources
└── chall.zip
Note
The chall ls
command will help you list challenges in a particular directory. The directory can be the challenge directory or the parent directory of the challenge directories.
Caution
When defining Dockerfile
for dynamic challenges make sure to use port 80 for http challenges
, 22 for ssh challenges
and 6969 for nc challenges
.
chall.yaml
file must be of following format
chall_name: "SQL Injection Lab"
type: "dynamic"
category_name: "Web"
prompt: "Find the vulnerability in the login system to retrieve the flag."
points: 200
flag: "CTF{dynamic_sql_injection_flag}"
hints (optional):
- hint: "Start by trying simple ' OR '1'='1' payloads"
visible: false
- hint: "Use tools like sqlmap if stuck"
cost: 300
author: "Bob"
visible (optional): false
tags:
- "Web"
- "Beginner"
links (optional):
- "https://wiki.com/sql_injection"
files (optional):
- "file.txt" # Must match the file name in resources directory
# Only for dynamic challenges
deployment_type: http
deployment_port: 80
cpu (optional): 15
mem (optional): 32
The deploy
command is used to deploy dynamic challenge and expose it using a load-balancer and traefik. The usage is the exact same as load
command.
Similarly one can take down a deployment using undeploy
command
Important
Try to work on a challenge on a single device, since syncing might cause issues, make sure that the cli tool is not used to edit challenges after the event is started, all the challenges must be managed using admin panel (except deploying dynamic challenges) since mismatch of challenge metadata may cause issues
Typically a dynamic challenge must use a single docker container which will be run and specified port will be exposed, but there might be a case where author wants to use multiple containers.
One can use deployment.yaml
to define their deployment and run chall deploy
Following is a template for deployment.yaml
:
# DO NOT CHANGE ANYTHING, JUST ADD CONTAINERS, CHANGE PORTS AND EDIT INGRESS SPECS
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{.Subd}}
namespace: dynamic
spec:
replicas: 1
selector:
matchLabels:
app: {{.Subd}}
template:
metadata:
labels:
app: {{.Subd}}
spec:
imagePullSecrets:
- name: dynamic-registry-secret
containers:
- name: "container-1"
image: <registry/image-1>
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 72m
memory: 128Mi
ports:
- containerPort: 22 # The port of container you want to expose
---
apiVersion: v1
kind: Service
metadata:
name: {{.Subd}}-svc
namespace: dynamic
annotations:
"traefik.ingress.kubernetes.io/router.entrypoints": {{.Subd}}
spec:
selector:
app: {{.Subd}}
ports:
- port: 8008
targetPort: 22 # Change this to containerPort
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: {{.Subd}}-ingress
namespace: dynamic
spec:
entryPoints: # The entrypoints for http challenge will be web and websecure
- {{.Subd}}
tls: # Only for http challenges
certResolver: default
routes:
- match: HostSNI(`*`) # Make this Host(`subdomain.domain`) for http challenges
kind: Rule
middlewares: # Only for http challenges
- name: secure-headers
services:
- name: {{.Subd}}-svc
port: 8008
./configure --prefix=<install dir>
make install
# uninstall isolet
make uninstall