diff options
author | W. Kosior <koszko@koszko.org> | 2024-05-27 12:19:19 +0200 |
---|---|---|
committer | W. Kosior <koszko@koszko.org> | 2024-05-27 12:29:59 +0200 |
commit | ee8fac8ab8529e2d105c7e55c2c9b28aefd19b46 (patch) | |
tree | 7f7559d0ba91710624eb2c76a9765587595d8153 /presentation/ctf-guix-store.tex | |
parent | 2d05ae83321cdf8aa3abab6acdd69f331ef4b89a (diff) | |
download | AGH-ctf-course-2024-ee8fac8ab8529e2d105c7e55c2c9b28aefd19b46.tar.gz AGH-ctf-course-2024-ee8fac8ab8529e2d105c7e55c2c9b28aefd19b46.zip |
Diffstat (limited to 'presentation/ctf-guix-store.tex')
-rw-r--r-- | presentation/ctf-guix-store.tex | 295 |
1 files changed, 295 insertions, 0 deletions
diff --git a/presentation/ctf-guix-store.tex b/presentation/ctf-guix-store.tex new file mode 100644 index 0000000..65ecebd --- /dev/null +++ b/presentation/ctf-guix-store.tex @@ -0,0 +1,295 @@ +\documentclass[notes]{beamer} +\usetheme{Rochester} +\usecolortheme{seagull} +\usepackage{svg} +\usepackage[export]{adjustbox} + +% \setbeameroption{show notes} + +\title{CTF — GNU Guix storefile mistake} + +\begin{document} + +\frame{ + \titlepage + \begin{figure}[h] + \includesvg[height=0.25\textheight]{Guix_logo_with_flag.svg} + \end{figure} +} + + +\begin{frame}{Functional package management in a pill} + \begin{itemize} + \item Dolstra, Eelco (2006). ``The Purely Functional Software Deployment + Model'' (Ph.D.). Utrecht University + \item pioneered by Nix \includesvg[height=\baselineskip]{Nix_logo.svg} + \item also employed by GNU Guix + \includesvg[height=\baselineskip]{Guix_logo.svg} + \item no Filesystem Hierarchy Standard (no /usr/bin, /usr/share, etc.) + \item packages live in a \textbf{store} directory, e.g. + \begin{itemize} + \item /gnu/store/y0d8ab1mi6lh0a3vpx5lyd4ksq9wbn4x-orc-0.4.32 + \item /gnu/store/9pypr3c3y379shbwm9ilb4pik9mkfd83-mesa-22.2.4 + \item /gnu/store/rv91v4s30kcjh7xq6k4l2njklk79frxk-freeglut-3.4.0 + \item /gnu/store/30zfbjasrsk2wg8nhsd1xgi3q3n9796z-less-608 + \end{itemize} + \item a daemon \includesvg[height=\baselineskip]{Awesome_Demon.svg} builds + packages from definitions and puts them in the store + \end{itemize} +\end{frame} + +\note{ + \begin{itemize} + \item we're using GNU Guix here (no, not the trademarked GUIX…) + \item store filename determine by hash of package inputs + definition + \item multiple versions of a package can coexist + \item per-project development environments + \item easy rollbacks + \item emphasis on reproducible builds + \end{itemize} +} + +\begin{frame}[fragile]{Functional package management in a pill (sample package)} + \small +\begin{verbatim} +$ cd /gnu/store/30zfbjasrsk2wg8nhsd1xgi3q3n9796z-less-608/ +$ find . -type f +./bin/less +./bin/lessecho +./bin/lesskey +./etc/ld.so.cache +./share/doc/less-608/LICENSE +./share/doc/less-608/COPYING +./share/man/man1/lessecho.1.gz +./share/man/man1/lesskey.1.gz +./share/man/man1/less.1.gz +$ ls -lh bin/less +-r-xr-xr-x 2 root root 192K Jan 1 1970 bin/less +\end{verbatim} +\end{frame} + +\note{ + \begin{itemize} + \item store is read-only (only Nix/Guix daemon can write) + \item store files are root-owned and world-readable => secrets must be managed + differently + \item dates set to Epoch (but ls -lch shows real creation time) + \item the same package won't be built twice, even if requested by multiple + users + \item a package will built again (or grafted) when one of its dependencies + gets updated + \item a package not in use can be garbage-collected + \item no support for quotas yet as of 2024 + \end{itemize} +} + +\begin{frame}[fragile]{Functional package management in a pill (declarative OS)} + \begin{itemize} + \item \textbf{packages} are defined declaratively + \pause + \item \textbf{services} are defined declaratively as well + \pause + \item service \textbf{configurations} are defined declaratively \textit{as + well}… {\small +\begin{verbatim} +(service httpd-service-type + (httpd-configuration + (config + (httpd-config-file + (server-name "www.example.com") + (document-root "/var/public_html"))))) +\end{verbatim} + } + \begin{itemize} + \item …and result in store files like + /gnu/store/54ywa5x1b75simbvzhxqkfxsjk040ail-httpd.conf + \end{itemize} + \item Yay, we can replace Ansible! But what about secrets? + \begin{itemize} + \item option 1: keep private keys and passwords outside the store + \item option 2: put them encrypted in the store + \end{itemize} + \end{itemize} +\end{frame} + +\note{ + \begin{itemize} + \item GNU Guix and Nix have their DSLs (the first one is actually Scheme Lisp + + some APIs) + \item on Guix/Nix server packages and configurations are immutable (we can + switch to different ones but not alter the existing ones) — convenient + \item an application may require database credentials, some API token, a + private key for TLS certificate, etc. + \item encrypted secrets in store — one master key kept outside the store + \end{itemize} +} + +\begin{frame}{Sensitive information exposure scenario} + challenge — password hunt in /gnu/store\\~\\ + + \textit{``You're an employee of a secret government agency. Analysis of + wiretap recordings have lead the agency to believe that an individual known + as Abdul Al-Inh-Ohn-Ih has come into possession of highly classified + government documents. If this turn out true and Abdul blows the whistle on + information from those materials, years of intelligence efforts shall be + ruined.\\~\\} + + \textit{Abdul has been using the Matrix protocol for some of his + communication. Your current task is to get access to his Matrix account. + Start your investigation by taking a look at his blog.''} +\end{frame} + +\note{ + A user of certain shared GNU Guix system has put a secret (a password) in + /gnu/store by mistake. The CTF competitioneer has to SSH into another account + on said system and find the password. + + \begin{itemize} + \item we have some lore + \item real-world references might be intended or not… + \item no direct info about the exposures (one needs to figure this out) + \end{itemize} +} + +\begin{frame}{Investigation (Abdul's blog)} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/abdul-blog-index.png} +\end{frame} + +\note{ + \begin{itemize} + \item language — itself a hint Abdul is likely to make mistakes + \item only the few relevant blog entries (no misleading of competitioneers) + \item mechanics of Guix relevant to the challenge are touched in the posts + \item some extra effort required — obtaining a Gemini browser + \end{itemize} +} + +\begin{frame}[fragile]{Investigation (peeking through Gemini)} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/gemini-capsule.png} +\end{frame} + +\note{ + \begin{itemize} + \item most relevant parts of blog only accessible through Gemini (a lightweight + alternative to HTTP) + \item a Gemini browser ``Lagrage'' recommended in HTTP part of Abdul's blog + \end{itemize} +} + +\begin{frame}[fragile]{Investigation (Spotting mistakes)} + configuration which hits a mistake is included in Abdul's blog + \footnotesize +\begin{verbatim} +;;; ... +(list (shepherd-service + (provision '(mattermost)) + (modules '((shepherd support))) ;for '%user-log-dir' + (start #~(make-forkexec-constructor + '(#$(file-append matterbridge "/bin/matterbridge") + "--conf" + #$(local-file "config.toml")) + #:log-file (string-append %user-log-dir + "/matterbridge.log"))) + (stop #~(make-kill-destructor)) + (documentation "Start local matterbridge."))))) +;;; ... +\end{verbatim} +\end{frame} + +\note{ + \begin{itemize} + \item the config suggests Matrix password is in config.toml in /gnu/store + \end{itemize} +} + +\begin{frame}{Investigation (Account creation)} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/account-creation.png} +\end{frame} + +\note{ + \begin{itemize} + \item both Abdul's blog and the server's main website urge one to make an + account and log in to the tilde server with SSH + \item emails entered not actually used + \end{itemize} +} + +\begin{frame}{Hint 1} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/hint1.png} +\end{frame} + +\note{ + \begin{itemize} + \item page with the hint accessible through Gemini only + \end{itemize} +} + +\begin{frame}{Hint 2} + \includegraphics[ + height=\dimexpr\textheight-0.5cm\relax, + center + ]{screenshots/hint2.png} +\end{frame} + +\note{ + \begin{itemize} + \item link to GNU Guix HTML documentation + \item suggestion that it has sth to do with the local-file macro (used in + Abdul's code) + \end{itemize} +} + +\begin{frame}[fragile]{Finding the flag} +\begin{verbatim} +~$ (cd /gnu/store && ls -cht *config.toml*) +qmdh299prllp4fygw893w00lv9ypi5z2-config.toml +~$ +\end{verbatim} + +rather expected contents of qmdh299prllp4fygw893w00lv9ypi5z2-config.toml + +\small +\begin{verbatim} +# ... +[matrix.noevil-pl] +Server="https://matrix.noevil.pl" +Login="abdul" +Password="fla\u0067{full_source-bootstrap}" +RemoteNickFormat="[{PROTOCOL}] <{NICK}> " +NoHomeServerSuffix=false +# ... +\end{verbatim} +\end{frame} + +\note{ + \begin{itemize} + \item ``g'' in flag replaced with unicode escape to make bypassing with + recursive grepping harder + \end{itemize} +} + +\begin{frame}{Credits} + \begin{itemize} + \item GNU Guix logo — \copy 2015 Luis Felipe López Acevedo (CC BY-SA 4.0 + International) + \item red flag — by Wikipedia user Wereon, uploaded 2007 (released into + public domain) + \item Nix logo — \copy 2016 Tim Cuthbertson (CC BY-SA 4.0 International) + \item Awesome Demon — by Openclipart user qubodup, uploaded 2014 (released + into public domain with CC Zero v1.0) + \end{itemize} +\end{frame} + +\end{document} |