Setting Up a Server

Attention

If you haven’t participated in a CDC before, read the Getting Started document first. It will explain why some of this setup is needed. The Remote Setup Guide document will show you how to access your servers to set them up as well as how to test them out.

Introduction and Overview

At this point, you’ve read the Getting Started document, logged in to IScorE and vCenter and powered on your VMs. But wait, IScorE is showing all red for your services! Don’t Panic! There is usually just a little bit of setup needed so that IScorE knows where to find your services.

This guide is not intended to show the best way to set up your servers, only the quickest and easiest. If you want to do anything fancy like firewalling, NAT, or reverse proxying, you will probably have to disregard most of this document (Protip: Google those terms for some cool ideas on setting up complex networks). Some scenario VMs will need additional configuration; this may be mentioned in the scenario, or it may be up to you to discover it on your own.

The basic network configuration in this guide puts all of the servers directly on the Competition Network and does not use the Internal Network at all. The steps will go as follows:

  1. Power on and connect to Competition Network
  2. Set up the static network configuration (OS specific)
  3. Set up the proxy so you can download packages from the Real Internet (OS specific)
  4. Set up DNS records in IScorE

Connect to Competition Network

Follow the instructions in the Remote Setup Guide document to log in to vCenter. Make sure the VM has its network interface (NIC) connected to the Competition Network. You can access the Network Adapter settings of a VM by right-clicking the virtual machine and choosing “Edit Settings”.

Static IP Configuration

Anything connected to the Competition Network must have a static IP assigned and have the default gateway and DNS statically configured. See OS-Specific Instructions for Static IP.

  • Find your team’s IP range in IScorE
  • You are free to choose any IP address in your range except x.x.x.250-254. Make sure there are no conflicts between two or more of your servers. Record these IP addresses, since they are very important for further configuration and documentation.
  • Your default route (gateway) is the IP sitting at .254 of your range (check IScorE). For example, Team 1’s gateway is 64.39.3.254
  • The netmask is 255.255.255.0 (a /24 subnet)
  • The DNS server is located at 199.100.16.100
  • If your network is set up correctly, you should always be able to ping the DNS server and get a response. Note that due to the way the ISEAGE network is structured you will not be able to ping the real-world (e.g. google.com).

Proxy Server

Once on the competition range, you will not have access to the internet. Instead, you must use our proxy server, located at 199.100.16.100 port 3128.

Note

Due to the way the proxy works, you will not be able to access your systems by IP address from a web browser that is configured to use the proxy; the server’s FQDN must be used. To circumvent this, modify your web browser’s settings to not use the proxy for your team’s IP address range (in Firefox, this setting is called “No proxy for” and appears on the “Connection Settings” page).

Note

The proxy server provides an NTP server for the competition environment. To use it, configure your NTP client to point to 199.100.16.100.

Setting the proxy in a Linux/Unix system

Run the following commands to set the appropriate environment variables:

export http_proxy="http://199.100.16.100:3128"
export https_proxy=$http_proxy
export ftp_proxy=$http_proxy

This will configure the proxy for just about any command (sudo being an exception, see the next section). Note that these environment variables will not persist across reboots or even shell sessions. You can place these lines at the end of the file /etc/profile which will automatically set the variables for you when a user logs in.

Sudo

By default, environment variables are ignored when running commands with sudo for security reasons. This makes it difficult to run commands like apt-get without being the root user. To configure sudo to keep the proxy settings, edit the sudoers file using visudo and add the following line:

Defaults env_keep += "http_proxy https_proxy ftp_proxy"
Apt (optional)

ISEAGE has an apt-cache server that allows packages to be downloaded and upgraded quicker than usual.

On Debian and Ubuntu-based systems, you can optionally add the following to /etc/apt/apt.conf.d/cache:

Acquire::http { Proxy "http://apt-cache.isucdc.net:3142"; };
Setting the proxy in Windows

Windows is easy: Just set the proxy in “Internet Options” for everything.

Attention

You will still not be able to ping google.com! You will NEVER be able to ping google.com or any real world website!

IScorE DNS Records

Setting up the DNS Records is very easy. For each server, find out what its domain name should be from the scenario, for example www.teamN.isucdc.com (replace N with your team number). Then, under DNS Records in IScorE, add a record for www with the IP address you statically assigned to the server.

Once DNS records are assigned, your service should begin to turn green for the service scanner within 5 minutes. Document your network setup for the White Team documentation.

Troubleshooting

Server Isn’t Working

From the server (Server doesn’t work right):

  • Ping 199.100.16.100 (The proxy)
  • Ping x.x.x.254 (Your default gateway)
  • Install/update a package
Ping Gateway Ping Proxy Update Package Probable Issue
Doesn’t work N/A N/A Static IP address not set up or wrong.
Works Doesn’t Work N/A Default gateway not set or wrong, check routing table
Works Works Doesn’t work Proxy not set up right.

Server Is Red

From the RDP Hop:

  • Wait 5 minutes
  • Ping the server’s domain name (www.teamN.isucdc.com)
  • Ping the server’s IP address
  • Try protocol-specific tools (Web browser for HTTP, SSH for SSH, etc.)
Ping IP Address Ping Domain Name Unable to Connect Probable Issue
Doesn’t Work N/A N/A IP address or default gateway of server wrong or not set; tried to ping wrong IP address
Works Doesn’t Work N/A Wrong or missing IP address or domain in IScorE - did ping resolve the host to the right IP address?
Works Works Doesn’t Work Service not running or domain name given to wrong server; server has a firewall
Works Works Works Wait for service scanner to run ( 5 minutes); read service scanner error message.

OS-Specific Instructions for Static IP

OpenSUSE

OpenSUSE

Debian/Ubuntu

Debian/Ubuntu

Fedora

Fedora

Windows

Windows

Setup Resources

ISEAGE maintains some services to aid you in setting up a server in our environment. These are offered to you at our discretion, and are considered to be safe and out of scope for Red Team.

  • paste.iseage.org is a pastebin style application to allow you to easily move configuration files and flags in and out of our environment. Note that there is a rather conservative file size limit.
  • There is an apt cache server provided to you. Using this allows your services to update more quickly, and reduces load on our uplink. See Apt for more info.