A short post to keep track of my work talking about Django App Development, MailGun, CGSCHacks.com, and my CANSec Talk.
- mjkranch.com email with MailGun
- updated cgschacks.com content
- CANSec 2018 Talk
- ShmooCon Proposal
Missed Weekly Updates
Long story short - I already missed my goal of posting every two weeks. The past month has been extremely busy. CGSC has become somewhat more demanding (lots of papers); however, the majority of my time has been devoted to the way too time-consuming task of creating a CGSC hacking club, including a Django CTF, the cgschacks.com website, the cgsc meetup, the promotion (flyers, emails, etc.) of the club, and hosting the club’s first meeting. Other major events include transitioning my domain email, migrating my dad’s website to GitLab (we are both now 100% free!), my paper/talk for CANSec 2018, and my proposal w/ madeye for ShmooCon. I learned a lot, particularly from the Django app despite the fact that it entirely did not work, but I did a terrible job of documenting everything. I will [try to] do better in the future.
Domain Email with MailGun and Gmail
I added email support to my domain with MailGun. The good thing about MailGun is that it’s domain registrar or nameserver independent. NameCheap previously managed my domain with Let’s Encrypt providing the cert. When I moved to GitLab, I decided to use Cloudflare to manage both the domain and cert, which required setting Cloudflare as my nameserver instead of NameCheap, breaking my email forwarding. This breakage would also happen if I ever switched domain registrar (i.e., if I found it cheaper to go somewhere else). With MailGun as my email provider, I simply need to add a domain MX record and email works regardless of the registrar or nameserver.
Setting up MailGun was easy. I simply followed instructions to add the appropriate MX and CNAME DNS records. I then added a catchall MailGun route (this explains the various route filters) to forward to my Gmail address. Next, I created a custom SMTP credential for each account (not required, but you will need at least one to authenticate with Gmail). That link also provides your SMTP settings. Finally, I added the appropriate accounts in Gmail account settings.
So I used reveal to create slides for my first club meeting. I already had a slide deck so converting to reveal was an unnecessary use of 2 hours of my time, but it was fun! I think the reveal slides are significantly more useful than a pdf as a resource so that is the only real saving grace. These slides are about 30% of the content I had as an intro to CTFing from madeye so I will be updating it here in the next month to also include web, binary exploitation, and reverse engineering.
To get reveal to work on an existing CTF theme, I simply built the site completely and then copied the published HTML (index.html) to the static folder along with the main reveal CSS/JS. What I should do is create a specific reveal layout that can be part of any other existing theme - task for future work.
Django CTF platform
Where I spent the most time the past month was building a Django CTF platform. I found miniCTF and decided to use it as the basis for my platform. I then did a bunch of research into various Django platforms (below in django extra) and decided to do it all in Google instead of Heroku. I got everything working relatively quickly with Google, but there were some security / design issues with miniCTF. So I completely re-wrote the Team class to extend the User class to have proper account management, used Foreign Keys to represent the various relationships between tables, added captcha to the user account creation, and implemented email validation and password reset. All worked great until I pushed it to Google. I still have not figured out where the issue is, but it all works perfectly locally (and I’m using the gcloud proxy, so to the same database), but the app will not connect to the database for registration only (it will connect in all other cases, like to display challenges). I feel it somehow has to do with the model being pushed to the database with runserver migrate. I also could not get my “uploads” to work (i.e., when I added a challenge, the file that contains the challenge data). I tried troubleshooting for a while and just became burnt out. I will fix it in the future, but I used an insecure old functioning version for the first meeting (no one seemed to notice) and have it down now until I fix it. I really did not do a good job of documenting, so maybe I will start from scratch and document better to assist in the troubleshooting process.
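As an added illustration of the email validation and password reset piece mentioned above (this is not the code from the post or from miniCTF): a standard-library sketch of a signed, expiring link token that is bound to account state, so a link stops working once it has been used. The secret, the one-hour lifetime, and the sample account are assumptions made for the example.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the app's secret
MAX_AGE = 3600                        # assumption: links expire after one hour


def _sign(user, ts):
    # Bind the token to state that changes once the reset completes
    # (password hash, last login), so a used link cannot be replayed.
    msg = "|".join([str(user["id"]), user["password_hash"],
                    str(user["last_login"]), user["email"], str(ts)])
    return hmac.new(SECRET_KEY, msg.encode(), hashlib.sha256).hexdigest()


def make_token(user, now=None):
    ts = int(time.time() if now is None else now)
    return f"{ts}-{_sign(user, ts)}"


def check_token(user, token, now=None):
    try:
        ts_text, sig = token.split("-", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False                    # malformed token
    expected = _sign(user, ts)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                    # forged, or account state changed
    now = int(time.time() if now is None else now)
    return 0 <= now - ts <= MAX_AGE     # reject expired or future-dated


# Constructed sample account, not data from the post.
team = {"id": 7, "email": "team@example.org",
        "password_hash": "pbkdf2$constructed-old", "last_login": 0}

if __name__ == "__main__":
    t = make_token(team, now=1_000)
    print(check_token(team, t, now=1_500))                # within the hour
    print(check_token(team, t, now=1_000 + MAX_AGE + 1))  # past the lifetime
    changed = dict(team, password_hash="pbkdf2$constructed-new")
    print(check_token(changed, t, now=1_500))             # password already changed
```

Django's built-in password reset tokens rest on the same idea of hashing account state into the token, so in a real Django app the framework's own generator is the thing to use.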
CANSec 2018 / ShmooCon
Finally, I submitted a paper to CANSec2018 that was accepted and already presented at the conference. Here are the slides and proposal. The reaction was very positive, so I am now planning on creating a more in-depth version for USENIX Security. The deadline is only 2 weeks. I also wrote a proposal for a talk at ShmooCon - will be interesting to see if that gets accepted.
Very unlikely to be useful notes:
Django and GitLab CI
I set it all up, but all I was doing is python manage.py test. I changed my CI to python manage.py runserver and it worked, but I could not interact with the page. Long story short, GitLab is for static sites and not dynamic sites. If I wanted to set up Django, I was going to have to use something else.
I found this interesting blog on Django via GitLab with Kubernetes. I have always been interested in learning more about using Kubernetes, so I figured this was the time. I also looked at the recommended methods of hosting Django within Google Compute. The pros and cons of Kubernetes aligned pretty well with my goals. Finally, I just signed up for Google Compute, so I have 1 year free. A lot of the other recommended click-to-install Django projects have a cost, so doing this for free was enticing. Time to blow through the 300 dollar credit. I ended up following this blog.
The other very popular method is Heroku. I was interested in Heroku, but the non-persistent storage piece really got me. I would need to set up a bucket somewhere anyways so why not try to build it entirely that way.