I have a tiny question: we are creating a CTF, but we stumbled upon an idea that we don't know how to solve.

Several websites that create CTFs, such as hack.me, use sandboxes.

Due to the security and the ongoing flow in a CTF we also want to do this; however, we want to use an open source method to do so. But not having enough knowledge about this, we want to ask you guys.

Is it possible to create a sandboxed environment on a dedicated server? (We use the Root the Box platform.)

The reason that we want this is to make sure that others cannot abuse or disrupt others' CTF. Thus creating a sandbox per team/user.

Can someone point me in the right direction?

Thank you very much!

NoFxor

1 Answer

I see absolutely no issue in allowing people from one CTF session to meddle into the CTF of another. Since it is, in principle, a competition and that would be fair game.

Yet, if, for example, you want to make the CTF open to anyone and everyone (as in, to anyone on the internet) then maybe making sandboxes is actually a good idea. Someone may use your system as a phishing ground (by, e.g. scripting an invasion into another user's session and presenting links), which would not be nice.

Fortunately Linux has a built-in sandbox system. You can simply use KVM and libvirt to give each session their own sandbox. There is even a virt-sandbox, which is an effort to make the use of KVM/QEMU easy to use.

Of course, sandboxes/VMs have bugs. And sometimes it is possible to cross over from a VM. As with everything else, there is no guarantee of security (e.g. there may be zero day attacks on KVM out there, but so may be with all other virtualisation software).

grochmal
  • Thank you for your thorough comment and suggestion! I'm going to play with the given tips, thanks again. – NoFxor Mar 29 '17 at 07:10
  • @grochmal As far as I understand, these platforms create temporal sandboxes (isolated environments generated at that moment in a few seconds), these sandboxes are associated with the user id (and other details like IP address, etc.) allowing users to practice pentesting and learn about web security without affecting other users or the platform itself, some of these platforms also generate dynamic CTF flags, so every user gets its own flag avoiding answer sharing between participants. – galoget Jan 03 '18 at 19:52
  • @grochmal I want to know if it is possible to use containers for this project (e.g. docker) and what is the most recommended programming language or technologies that you might know based on your experience in order to build platforms like CTF365 or Hack.me, if you can share some documentation, tutorials or links, it will be very useful. – galoget Jan 03 '18 at 19:53
  • @galoget - I believe that containers would be a pretty bad idea: have a look at the [excellent answer by ThoriumBR](https://security.stackexchange.com/questions/169642/what-makes-docker-more-secure-than-vms-or-bare-metal) about docker containers and VMs. What you really care about is that your players would not get out of the game and act on the system that maintains the game, and that is pretty much honeypot design. If you search for "honeypot design" you will find several rather decent articles on it outlining the thing you need to care about. As of technology even plain Ansible should do. – grochmal Jan 04 '18 at 15:47
  • @grochmal Thanks for your answer, I'll search about it. – galoget Jan 06 '18 at 18:03
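
As an added example (not part of the original thread, and not code from Root the Box or libvirt), this is one way to generate the per-team KVM/libvirt definitions the answer suggests: each team gets its own guest on its own isolated libvirt network, which is a network defined without a `<forward>` element. The `ctf-` naming, the `10.77.x.0/24` subnets, the overlay directory and the resource caps are assumptions chosen for illustration.

```python
import re
import xml.etree.ElementTree as ET

TEAM_RE = re.compile(r"^[a-z0-9]{1,16}$")  # keeps team ids safe in names and paths

def _check(team, idx):
    if not TEAM_RE.match(team):
        raise ValueError("team id must be 1-16 lowercase letters/digits")
    if not 1 <= idx <= 254:
        raise ValueError("team index must be 1..254")

def network_xml(team, idx):
    """Isolated libvirt network: no <forward> element, so no route off the host."""
    _check(team, idx)
    net = ET.Element("network")
    ET.SubElement(net, "name").text = f"ctf-{team}"
    ET.SubElement(net, "bridge", name=f"ctfbr{idx}")
    ip = ET.SubElement(net, "ip", address=f"10.77.{idx}.1", netmask="255.255.255.0")
    dhcp = ET.SubElement(ip, "dhcp")
    ET.SubElement(dhcp, "range", start=f"10.77.{idx}.10", end=f"10.77.{idx}.50")
    return ET.tostring(net, encoding="unicode")

def domain_xml(team, idx, overlay_dir="/var/lib/ctf/overlays"):
    """KVM guest with capped RAM/CPU, booting a per-team qcow2 overlay (assumed path)."""
    _check(team, idx)
    dom = ET.Element("domain", type="kvm")
    ET.SubElement(dom, "name").text = f"ctf-{team}"
    ET.SubElement(dom, "memory", unit="MiB").text = "1024"
    ET.SubElement(dom, "vcpu").text = "1"
    os_el = ET.SubElement(dom, "os")
    ET.SubElement(os_el, "type", arch="x86_64").text = "hvm"
    dev = ET.SubElement(dom, "devices")
    disk = ET.SubElement(dev, "disk", type="file", device="disk")
    ET.SubElement(disk, "driver", name="qemu", type="qcow2")
    ET.SubElement(disk, "source", file=f"{overlay_dir}/{team}.qcow2")
    ET.SubElement(disk, "target", dev="vda", bus="virtio")
    nic = ET.SubElement(dev, "interface", type="network")
    ET.SubElement(nic, "source", network=f"ctf-{team}")  # only NIC: the team's own network
    ET.SubElement(nic, "model", type="virtio")
    return ET.tostring(dom, encoding="unicode")

if __name__ == "__main__":
    print(network_xml("team1", 1))
    print(domain_xml("team1", 1))
```

The output can be saved to files and loaded with `virsh net-define` and `virsh define`. How players reach their guest from outside (for example a per-team VPN or a host-side proxy) is not covered here.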