\documentclass[notes]{beamer} \usetheme{Rochester} \usecolortheme{seagull} \usepackage{svg} \usepackage[export]{adjustbox} % \setbeameroption{show notes} \title{CTF — GNU Guix storefile mistake} \begin{document} \frame{ \titlepage \begin{figure}[h] \includesvg[height=0.25\textheight]{Guix_logo_with_flag.svg} \end{figure} } \begin{frame}{Functional package management in a pill} \begin{itemize} \item Dolstra, Eelco (2006). ``The Purely Functional Software Deployment Model'' (Ph.D.). Utrecht University \item pioneered by Nix \includesvg[height=\baselineskip]{Nix_logo.svg} \item also employed by GNU Guix \includesvg[height=\baselineskip]{Guix_logo.svg} \item no Filesystem Hierarchy Standard (no /usr/bin, /usr/share, etc.) \item packages live in a \textbf{store} directory, e.g. \begin{itemize} \item /gnu/store/y0d8ab1mi6lh0a3vpx5lyd4ksq9wbn4x-orc-0.4.32 \item /gnu/store/9pypr3c3y379shbwm9ilb4pik9mkfd83-mesa-22.2.4 \item /gnu/store/rv91v4s30kcjh7xq6k4l2njklk79frxk-freeglut-3.4.0 \item /gnu/store/30zfbjasrsk2wg8nhsd1xgi3q3n9796z-less-608 \end{itemize} \item a daemon \includesvg[height=\baselineskip]{Awesome_Demon.svg} builds packages from definitions and puts them in the store \end{itemize} \end{frame} \note{ \begin{itemize} \item we're using GNU Guix here (no, not the trademarked GUIX…) \item store filename determine by hash of package inputs + definition \item multiple versions of a package can coexist \item per-project development environments \item easy rollbacks \item emphasis on reproducible builds \end{itemize} } \begin{frame}[fragile]{Functional package management in a pill (sample package)} \small \begin{verbatim} $ cd /gnu/store/30zfbjasrsk2wg8nhsd1xgi3q3n9796z-less-608/ $ find . -type f ./bin/less ./bin/lessecho ./bin/lesskey ./etc/ld.so.cache ./share/doc/less-608/LICENSE ./share/doc/less-608/COPYING ./share/man/man1/lessecho.1.gz ./share/man/man1/lesskey.1.gz ./share/man/man1/less.1.gz $ ls -lh bin/less -r-xr-xr-x 2 root root 192K Jan 1 1970 bin/less \end{verbatim} \end{frame} \note{ \begin{itemize} \item store is read-only (only Nix/Guix daemon can write) \item store files are root-owned and world-readable => secrets must be managed differently \item dates set to Epoch (but ls -lch shows real creation time) \item the same package won't be built twice, even if requested by multiple users \item a package will built again (or grafted) when one of its dependencies gets updated \item a package not in use can be garbage-collected \item no support for quotas yet as of 2024 \end{itemize} } \begin{frame}[fragile]{Functional package management in a pill (declarative OS)} \begin{itemize} \item \textbf{packages} are defined declaratively \pause \item \textbf{services} are defined declaratively as well \pause \item service \textbf{configurations} are defined declaratively \textit{as well}… {\small \begin{verbatim} (service httpd-service-type (httpd-configuration (config (httpd-config-file (server-name "www.example.com") (document-root "/var/public_html"))))) \end{verbatim} } \begin{itemize} \item …and result in store files like /gnu/store/54ywa5x1b75simbvzhxqkfxsjk040ail-httpd.conf \end{itemize} \item Yay, we can replace Ansible! But what about secrets? \begin{itemize} \item option 1: keep private keys and passwords outside the store \item option 2: put them encrypted in the store \end{itemize} \end{itemize} \end{frame} \note{ \begin{itemize} \item GNU Guix and Nix have their DSLs (the first one is actually Scheme Lisp + some APIs) \item on Guix/Nix server packages and configurations are immutable (we can switch to different ones but not alter the existing ones) — convenient \item an application may require database credentials, some API token, a private key for TLS certificate, etc. \item encrypted secrets in store — one master key kept outside the store \end{itemize} } \begin{frame}{Sensitive information exposure scenario} challenge — password hunt in /gnu/store\\~\\ \textit{``You're an employee of a secret government agency. Analysis of wiretap recordings have lead the agency to believe that an individual known as Abdul Al-Inh-Ohn-Ih has come into possession of highly classified government documents. If this turn out true and Abdul blows the whistle on information from those materials, years of intelligence efforts shall be ruined.\\~\\} \textit{Abdul has been using the Matrix protocol for some of his communication. Your current task is to get access to his Matrix account. Start your investigation by taking a look at his blog.''} \end{frame} \note{ A user of certain shared GNU Guix system has put a secret (a password) in /gnu/store by mistake. The CTF competitioneer has to SSH into another account on said system and find the password. \begin{itemize} \item we have some lore \item real-world references might be intended or not… \item no direct info about the exposures (one needs to figure this out) \end{itemize} } \begin{frame}{Investigation (Abdul's blog)} \includegraphics[ height=\dimexpr\textheight-0.5cm\relax, center ]{screenshots/abdul-blog-index.png} \end{frame} \note{ \begin{itemize} \item language — itself a hint Abdul is likely to make mistakes \item only the few relevant blog entries (no misleading of competitioneers) \item mechanics of Guix relevant to the challenge are touched in the posts \item some extra effort required — obtaining a Gemini browser \end{itemize} } \begin{frame}[fragile]{Investigation (peeking through Gemini)} \includegraphics[ height=\dimexpr\textheight-0.5cm\relax, center ]{screenshots/gemini-capsule.png} \end{frame} \note{ \begin{itemize} \item most relevant parts of blog only accessible through Gemini (a lightweight alternative to HTTP) \item a Gemini browser ``Lagrage'' recommended in HTTP part of Abdul's blog \end{itemize} } \begin{frame}[fragile]{Investigation (Spotting mistakes)} configuration which hits a mistake is included in Abdul's blog \footnotesize \begin{verbatim} ;;; ... (list (shepherd-service (provision '(mattermost)) (modules '((shepherd support))) ;for '%user-log-dir' (start #~(make-forkexec-constructor '(#$(file-append matterbridge "/bin/matterbridge") "--conf" #$(local-file "config.toml")) #:log-file (string-append %user-log-dir "/matterbridge.log"))) (stop #~(make-kill-destructor)) (documentation "Start local matterbridge."))))) ;;; ... \end{verbatim} \end{frame} \note{ \begin{itemize} \item the config suggests Matrix password is in config.toml in /gnu/store \end{itemize} } \begin{frame}{Investigation (Account creation)} \includegraphics[ height=\dimexpr\textheight-0.5cm\relax, center ]{screenshots/account-creation.png} \end{frame} \note{ \begin{itemize} \item both Abdul's blog and the server's main website urge one to make an account and log in to the tilde server with SSH \item emails entered not actually used \end{itemize} } \begin{frame}{Hint 1} \includegraphics[ height=\dimexpr\textheight-0.5cm\relax, center ]{screenshots/hint1.png} \end{frame} \note{ \begin{itemize} \item page with the hint accessible through Gemini only \end{itemize} } \begin{frame}{Hint 2} \includegraphics[ height=\dimexpr\textheight-0.5cm\relax, center ]{screenshots/hint2.png} \end{frame} \note{ \begin{itemize} \item link to GNU Guix HTML documentation \item suggestion that it has sth to do with the local-file macro (used in Abdul's code) \end{itemize} } \begin{frame}[fragile]{Finding the flag} \begin{verbatim} ~$ (cd /gnu/store && ls -cht *config.toml*) qmdh299prllp4fygw893w00lv9ypi5z2-config.toml ~$ \end{verbatim} rather expected contents of qmdh299prllp4fygw893w00lv9ypi5z2-config.toml \small \begin{verbatim} # ... [matrix.noevil-pl] Server="https://matrix.noevil.pl" Login="abdul" Password="fla\u0067{full_source-bootstrap}" RemoteNickFormat="[{PROTOCOL}] <{NICK}> " NoHomeServerSuffix=false # ... \end{verbatim} \end{frame} \note{ \begin{itemize} \item ``g'' in flag replaced with unicode escape to make bypassing with recursive grepping harder \end{itemize} } \begin{frame}{Credits} \begin{itemize} \item GNU Guix logo — \copy 2015 Luis Felipe López Acevedo (CC BY-SA 4.0 International) \item red flag — by Wikipedia user Wereon, uploaded 2007 (released into public domain) \item Nix logo — \copy 2016 Tim Cuthbertson (CC BY-SA 4.0 International) \item Awesome Demon — by Openclipart user qubodup, uploaded 2014 (released into public domain with CC Zero v1.0) \end{itemize} \end{frame} \end{document}