Have a working example of mounting gcsfuse for web tasks (#273)

* Update README.md

* refactor web task

* add mounts

* update readme

Author: sirdarckcat

dist/challenge-templates/web/README.md

@@ -10,6 +10,16 @@ The basic steps when preparing a challenge are:
 * To access the challenge, create a port forward with `kctf chal debug port-forward` and connect to it via `nc localhost PORT` using the printed port.
 * Check out `kctf chal <tab>` for more commands.
 
+## Sandboxing
+
+In order to make it possible to have RCE-style web challenges, kCTF provides two ways to sandbox a web server:
+ 1. **CGI-sandbox**: You can configure PHP (or any other CGI) to be sandboxed.
+ 2. **Proxy sandbox**: You can configure an HTTP server that sandboxes every HTTP request.
+
+A Proxy sandbox is a bit expensive, it starts an HTTP server on every TCP connection, hence it is a bit slow. A CGI sandbox is cheaper, and it just calls the normal CGI endpoint but with nsjail.
+
+The template challenge has an example of both (NodeJS running as a proxy, and PHP running as CGI). It is recommended that static resources are served with only Apache, as to save CPU and RAM.
+
 ## Directory layout
 
 The following files/directories are available:
@@ -24,6 +34,7 @@ For documentation on the available fields, you can run `kubectl explain challeng
 
 If you would like to have a shared directory (for sessions, or uploads), you can mount it using:
 
+
 ```yaml
 spec:
   persistentVolumeClaims:
@@ -35,16 +46,18 @@ spec:
       volumeMounts:
       - name: gcsfuse
         subPath: sessions # this this a folder inside volume
-        mountPath: /where-to-mount/sessions
+        mountPath: /mnt/disks/sessions
       - name: gcsfuse
         subPath: uploads
-        mountPath: /where-to-mount/uploads
+        mountPath: /mnt/disks/uploads
     volumes:
     - name: gcsfuse
       persistentVolumeClaim:
         claimName: $PUT_THE_NAME_OF_THE_CHALLENGE_HERE
 ```
 
+This will mount a file across all challenges in that directory. You can test this setup on a remote cluster using the PHP/CGI sandbox.
+
 ### /challenge
 
 The `challenge` directory contains a Dockerfile that describes the challenge and

dist/challenge-templates/web/challenge/Dockerfile

@@ -17,7 +17,7 @@ RUN /usr/sbin/useradd -u 1000 user
 
 RUN apt-get update \
     && apt-get install -yq --no-install-recommends \
-       curl ca-certificates socat gnupg lsb-release software-properties-common \
+       curl ca-certificates socat gnupg lsb-release software-properties-common php-cgi \
     && rm -rf /var/lib/apt/lists/*
 
 RUN curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
@@ -29,35 +29,44 @@ RUN curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add
     && apt-get install -yq --no-install-recommends nodejs socat \
     && rm -rf /var/lib/apt/lists/*
 
-RUN mkdir -p /home/user/chroot
+VOLUME /mnt/disks/sessions
+VOLUME /mnt/disks/uploads
 
-FROM gcr.io/kctf-docker/challenge@sha256:e550af5df266cb89a26ace1ba5dcc685981f01d1cb61e45a898cce0c9753de7a
-
-COPY --from=chroot / /chroot
+COPY web-apps /web-apps
+COPY web-servers /web-servers
 
-RUN touch /chroot/dev/null
+COPY flag /
 
-COPY flag /chroot/
+FROM gcr.io/kctf-docker/challenge@sha256:e550af5df266cb89a26ace1ba5dcc685981f01d1cb61e45a898cce0c9753de7a
 
 RUN apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends tzdata \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends tzdata apache2 \
     && ln -fs /usr/share/zoneinfo/Europe/Berlin /etc/localtime \
     && dpkg-reconfigure --frontend noninteractive tzdata \
     && rm -rf /var/lib/apt/lists/*
 
-RUN apt-get update && apt-get install -yq --no-install-recommends apache2 && rm -rf /var/lib/apt/lists/*
-
 RUN service apache2 start
 
+COPY --from=chroot / /chroot
+
+# For Proxy
 RUN ln -s /etc/apache2/mods-available/proxy.load /etc/apache2/mods-enabled/
 RUN ln -s /etc/apache2/mods-available/proxy_http.load /etc/apache2/mods-enabled/
-COPY apache2-nsjail-others.conf /etc/apache2/conf-enabled/
 
-COPY chroot /home/user/chroot
-COPY node /home/user/node
-COPY nsjail.cfg /home/user/nsjail.cfg
+# For CGI sandboxing
+RUN ln -s /etc/apache2/mods-available/cgi.load /etc/apache2/mods-enabled/cgi.load
+RUN ln -s /etc/apache2/mods-available/actions.load /etc/apache2/mods-enabled/actions.load
+RUN ln -s /chroot/web-apps /web-apps
+COPY cgi-bin /usr/lib/cgi-bin
+
+COPY apache2-kctf-nsjail.conf /etc/apache2/conf-enabled/
+
+COPY web-servers.nsjail.cfg /home/user/web-servers.nsjail.cfg
+COPY cgi-bin.nsjail.cfg /home/user/cgi-bin.nsjail.cfg
+
+VOLUME /var/log/apache2
+VOLUME /var/run/apache2
 
 CMD kctf_setup \
-    && /home/user/node/start.sh \
-    && mount -t tmpfs none /var/run/apache2 \
+    && (kctf_drop_privs nsjail --config /home/user/web-servers.nsjail.cfg --port 8081 -- /web-servers/nodejs.sh &) \
     && bash -c 'source /etc/apache2/envvars && APACHE_RUN_USER=user APACHE_RUN_GROUP=user /usr/sbin/apache2 -D FOREGROUND'

dist/challenge-templates/web/challenge/apache2-kctf-nsjail.conf

@@ -0,0 +1,20 @@
+ServerName kctf-nsjail
+Listen 1337
+User user
+
+# This is only necessary for CGI sandboxing
+<Directory "/web-apps/php">
+ Options +ExecCGI
+ Options +FollowSymLinks
+ Action application/x-nsjail-httpd-php /cgi-bin/nsjail-php-cgi
+ AddHandler application/x-nsjail-httpd-php php
+ Require all granted
+</Directory>
+
+<VirtualHost *:1337>
+ # For proxy sandboxing use the two lines below
+ ProxyPreserveHost On
+ ProxyPass "/nodejs" "http://localhost:8081/"
+ # For CGI sandboxing use the line below
+ DocumentRoot "/web-apps/php"
+</VirtualHost>

dist/challenge-templates/web/challenge/apache2-nsjail-others.conf

@@ -0,0 +1,68 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# See options available at https://github.com/google/nsjail/blob/master/config.proto
+
+name: "apache2-proxy-nsjail"
+description: "Example nsjail configuration for containing a web server."
+
+mode: ONCE
+uidmap {inside_id: "1000"}
+gidmap {inside_id: "1000"}
+mount_proc: true
+keep_env: true
+rlimit_as_type: HARD
+rlimit_cpu_type: HARD
+rlimit_nofile_type: HARD
+rlimit_nproc_type: HARD
+
+mount: [
+  {
+    src: "/chroot"
+    dst: "/"
+    is_bind: true
+  },
+  {
+    src: "/dev"
+    dst: "/dev"
+    is_bind: true
+  },
+  {
+    src: "/dev/null"
+    dst: "/dev/null"
+    is_bind: true
+  },
+  {
+    src: "/etc/resolv.conf"
+    dst: "/etc/resolv.conf"
+    is_bind: true
+  },
+  {
+    src: "/mnt/disks/sessions"
+    dst: "/mnt/disks/sessions"
+    is_bind: true
+    rw: true
+  },
+  {
+    src: "/mnt/disks/uploads"
+    dst: "/mnt/disks/uploads"
+    is_bind: true
+    rw: true
+  },
+  {
+    dst: "/tmp"
+    fstype: "tmpfs"
+    rw: true
+  }
+]

dist/challenge-templates/web/challenge/cgi-bin.nsjail.cfg

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/bin/nsjail --config /home/user/cgi-bin.nsjail.cfg -- /usr/lib/cgi-bin/php $@

dist/challenge-templates/web/challenge/cgi-bin/nsjail-php-cgi

@@ -10,6 +10,5 @@ const server = http.createServer((req, res) => {
 });
 
 server.listen(port, hostname, () => {
-  // Send something to STDOUT to signal we are ready to accept connections
   console.log(`Server running at http://${hostname}:${port}/`);
 });

dist/challenge-templates/web/challenge/chroot/node/run.sh

@@ -0,0 +1,27 @@
+<?php
+session_start();
+
+if (isset($_REQUEST['session_data'])) {
+   $_SESSION['session_data'] = $_REQUEST['session_data'];
+}
+?>
+<pre>
+<?php
+if (isset($_FILES['file'])) {
+   print_r($_FILES['file']);
+   $filename = uniqid('file_', true);
+   echo $filename;
+   move_uploaded_file($_FILES['file']['tmp_name'], '/mnt/disks/uploads/'. $filename);
+}
+?>
+</pre>
+<hr/>
+<form method=post enctype=multipart/form-data>
+<input name=session_data value="<?=$_SESSION['session_data'];?>">
+<input name=file type=file>
+<input type=submit>
+</form>
+<hr/>
+<?php
+  phpinfo();
+?>

dist/challenge-templates/web/challenge/node/start.sh

@@ -32,21 +32,22 @@ mount: [
     dst: "/"
     is_bind: true
   },
+  {
+    src: "/dev"
+    dst: "/dev"
+    is_bind: true
+  },
   {
     src: "/dev/null"
     dst: "/dev/null"
     is_bind: true
+    rw: true
   },
   {
     src: "/etc/resolv.conf"
     dst: "/etc/resolv.conf"
     is_bind: true
   },
-  {
-    src: "/home/user/chroot"
-    dst: "/home/user/chroot"
-    is_bind: true
-  },
   {
     dst: "/tmp"
     fstype: "tmpfs"

dist/challenge-templates/web/challenge/chroot/node/app.js renamed to dist/challenge-templates/web/challenge/web-apps/nodejs/app.js

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Start node web server
+(&>/dev/null node /web-apps/nodejs/app.js)&
+
+# Proxy stdin/stdout to web server
+socat - TCP:127.0.0.1:8080,forever