10: Red v Blue: Another Linux Web Server

What You Need for This Project

SCOREBOARD

Scenario

CCSF has a new improved Web server, faster than before!

The BLUE TEAM needs to get the server running and keep it working. The server image is here:

p10_140RB_1.ova
Size: 897,992,704 bytes
SHA-256: ef27683b4061d393a340288aa8eb81a3cf4130ee28d838215195318002de2e40

Blue Team

Get your server up. In SCIE 37, install VirtualBox. Click File, "Import Appliance" and import the OVA file.

Start the virtual machine. The console shows the IP address and login information, as shown below.

Tell your instructor your TEAM NAME and IP ADDRESS to get onto the scoreboard.

The BLUE TEAM needs to get the box up, find the problems, and patch them before the evil RED TEAM does bad things, like defacing the web page.

Your CCDC playbook should be helpful.

Injects

For additional points, complete these tasks:
  1. Configure SSH certificate-based authentication. Demonstrate a login using this method. (1000 pts)
  2. Upgrade the Web server to use HTTPS as well as HTTP. (1000 pts)
  3. Configure mod_security to protect the Web server. Demonstrate its function. (1000 pts)
  4. List all the users who have authenticated today and when they did. (1000 pts)
  5. Configure Apache forensic logging. Demonstrate it recording a complete requested URL. (1000 pts)
  6. Provide a list of all user accounts, specifying which accounts are able to run commands as root. (1000 pts)
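
For inject 6, one way to build the account list, as an added example that is not part of the original project page: it reads passwd, group and sudoers text and flags UID 0 accounts and accounts covered by a sudoers rule. The function names and sample data are constructed for illustration, and any sudoers rule is flagged for review, even one limited to specific commands.

```python
# Added example, not from the project page. Sudoers aliases and include files are not followed.

def rows(text, nfields):
    """Colon-separated records with at least nfields fields, minus blanks and comments."""
    recs = (l.split(":") for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return [r for r in recs if len(r) >= nfields]

def sudoers_principals(text):
    """Users and %groups named on the left-hand side of sudoers rule lines."""
    users, groups = set(), set()
    for line in (l.strip() for l in text.splitlines()):
        head = line.split()[0] if line else "#"
        if head[0] == "#" or "=" not in line or head.startswith("Defaults") or head.endswith("_Alias"):
            continue
        spec = line.split("=", 1)[0].split()   # e.g. ['%sudo', 'ALL']
        for who in filter(None, "".join(spec[:-1]).split(",")):   # all but the host list
            (groups if who.startswith("%") else users).add(who.lstrip("%"))
    return users, groups

def root_capable(passwd, group, sudoers):
    """Map each account to the reasons it can act as root (empty list if none)."""
    grp = rows(group, 4)
    gid_name = {g[2]: g[0] for g in grp}
    members = {g[0]: set(g[3].strip().split(",")) for g in grp}
    users, groups = sudoers_principals(sudoers)
    report = {}
    for name, _pw, uid, gid, *_rest in rows(passwd, 4):
        why = ["uid 0"] if uid == "0" else []
        why += ["sudoers user rule"] if name in users or "ALL" in users else []
        why += ["sudoers group %" + g for g in sorted(groups)
                if name in members.get(g, ()) or gid_name.get(gid) == g]
        report[name] = why
    return report

# Constructed sample data standing in for /etc/passwd, /etc/group and /etc/sudoers.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/sh
www-data:x:33:33::/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:27::/home/carol:/bin/bash"""
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice\nwww-data:x:33:"
SAMPLE_SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
bob ALL=(root) NOPASSWD: /usr/bin/systemctl"""

if __name__ == "__main__":
    for user, why in root_capable(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SUDOERS).items():
        print(f"{user:10} {', '.join(why) or '-'}")
```

On the live server, pass the contents of the real files instead of the samples (reading /etc/sudoers requires root), and check any files under /etc/sudoers.d by hand.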

Red Team

You get points by accomplishing these tasks:
  1. Adding up to three PWNED files to the server, in the Web root, with the names listed below. Each such file is worth +20 points every 10 seconds. Each file must contain the text HINT: followed by a clue telling the Blue Team how you got in, and each file must be produced by getting in a different way.
  2. Locking the Blue Team out so badly that they need to wipe the machine and load a clean image is worth 1000 points
  3. Totally destroying the server so it must be reloaded is worth 100 pts
  4. Other epic feats of pwnage (variable points)

Post-Mortem

After an hour or two of combat, there will be a discussion of what worked, what didn't work, and how to write better documentation to preserve what has been learned for CCDC in the future.


Posted 12-5-18