diff --git a/.github/secret_scanning.yml b/.github/secret_scanning.yml
new file mode 100644
index 00000000..b01bc285
--- /dev/null
+++ b/.github/secret_scanning.yml
@@ -0,0 +1,2 @@
+paths-ignore:
+ - "range/**"
diff --git a/Cargo.lock b/Cargo.lock
index ed251347..dc41d2cc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1439,7 +1439,7 @@ dependencies = [
 "idna",
 "ipnet",
 "once_cell",
- "rand 0.9.2",
+ "rand 0.9.4",
 "ring",
 "thiserror 2.0.18",
 "tinyvec",
@@ -1460,7 +1460,7 @@ dependencies = [
 "moka",
 "once_cell",
 "parking_lot",
- "rand 0.9.2",
+ "rand 0.9.4",
 "smallvec",
 "thiserror 2.0.18",
 "tokio",
@@ -2453,7 +2453,7 @@ dependencies = [
 "bytes",
 "getrandom 0.3.4",
 "lru-slab",
- "rand 0.9.2",
+ "rand 0.9.4",
 "ring",
 "rustc-hash",
 "rustls",
@@ -2502,9 +2502,9 @@ checksum = "f8dcc9c7d52a811697d2151c701e0d08956f92b0e24136cf4cf27b57a6a0d9bf"
 
 [[package]]
 name = "rand"
-version = "0.8.5"
+version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a"
 dependencies = [
 "libc",
 "rand_chacha 0.3.1",
@@ -2513,9 +2513,9 @@ dependencies = [
 
 [[package]]
 name = "rand"
-version = "0.9.2"
+version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
+checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
 dependencies = [
 "rand_chacha 0.9.0",
 "rand_core 0.9.5",
@@ -2774,9 +2774,9 @@ dependencies = [
 
 [[package]]
 name = "rustls-webpki"
-version = "0.103.9"
+version = "0.103.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7df23109aa6c1567d1c575b9952556388da57401e4ace1d15f79eedad0d8f53"
+checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e"
 dependencies = [
 "aws-lc-rs",
 "ring",
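Review bot: `paths-ignore: range/**` suppresses secret-scanning alerts for the entire directory, while `range/CTF-NOTICE.md` only vouches for specific fixture locations, so a genuine credential committed anywhere under `range/` later (a CI token pasted into a layer script, a real key dropped into a loot directory) would go unreported. Narrowing the ignore to the paths the notice names keeps the suppression tied to known fakes, e.g. `- "range/layers/*/layer.yml"` and `- "range/layers/ftp-loot/ftp/backup/id_ed25519"`, with separate entries for the `intranet/` and `app-api/` loot files the notice also lists. A comment in the file such as `# Fixture credentials for the cyber range; see range/CTF-NOTICE.md` would tell the next reader why these paths are excluded without them having to find the notice. It is also worth confirming whether this exclusion is honored by push protection as well as by alerting; if it is, the wide glob also removes the pre-push check for that whole tree.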
@@ -3441,7 +3441,7 @@ dependencies = [
 "indexmap 1.9.3",
 "pin-project",
 "pin-project-lite",
- "rand 0.8.5",
+ "rand 0.8.6",
 "slab",
 "tokio",
 "tokio-util",
@@ -3589,7 +3589,7 @@ dependencies = [
 "http",
 "httparse",
 "log",
- "rand 0.9.2",
+ "rand 0.9.4",
 "sha1",
 "thiserror 2.0.18",
 "utf-8",
@@ -3792,7 +3792,7 @@ dependencies = [
 "argh",
 "nu-ansi-term",
 "prost",
- "rand 0.9.2",
+ "rand 0.9.4",
 "reedline",
 "serde",
 "serde_json",
@@ -3821,7 +3821,7 @@ dependencies = [
 "parking_lot",
 "prost",
 "quinn",
- "rand 0.9.2",
+ "rand 0.9.4",
 "rcgen",
 "ring",
 "rustls",
@@ -4460,7 +4460,7 @@ dependencies = [
 "nohash-hasher",
 "parking_lot",
 "pin-project",
- "rand 0.9.2",
+ "rand 0.9.4",
 "static_assertions",
 "web-time",
 ]
diff --git a/range/CTF-NOTICE.md b/range/CTF-NOTICE.md
new file mode 100644
index 00000000..6e8807aa
--- /dev/null
+++ b/range/CTF-NOTICE.md
@@ -0,0 +1,18 @@
+# Cyber Range — Fictional Content Notice
+
+Everything under `range/` is content for a self-contained cyber range used to
+test wallhack. The VMs run only inside an isolated, ephemeral pontoon network.
+None of these credentials, keys, or hostnames are real and none of them grant
+access to anything outside the range.
+
+This includes, but is not limited to:
+
+- Plaintext passwords in `range/layers/*/layer.yml` and discoverable "loot"
+ files (e.g. `intranet/.../creds.txt`, `app-api/.../ssh.conf`).
+- The ed25519 private key at `range/layers/ftp-loot/ftp/backup/id_ed25519`,
+ generated specifically for the `ssh-leaked-key` challenge.
+- Internal IPs in the `10.99.0.0/16` private range.
+
+If your secret scanner pointed you here: this directory is excluded via
+`.github/secret_scanning.yml`. The credentials are part of the test fixture,
+not a leak.
diff --git a/range/layers/backup-ssh/layer.yml b/range/layers/backup-ssh/layer.yml
index 25713ef3..2e917c7b 100644
--- a/range/layers/backup-ssh/layer.yml
+++ b/range/layers/backup-ssh/layer.yml
@@ -2,6 +2,7 @@ packages:
 - openssh
 - rsync
 start: |
+ # Fictional CTF range credentials. Not real passwords, not a leak.
 adduser -D backup 2>/dev/null || true
 echo "root:hacker" | chpasswd 2>/dev/null || true
 echo "backup:backup123" | chpasswd 2>/dev/null || true
diff --git a/range/layers/ssh-bastion/layer.yml b/range/layers/ssh-bastion/layer.yml
index 628e26d1..3c6ebd4f 100644
--- a/range/layers/ssh-bastion/layer.yml
+++ b/range/layers/ssh-bastion/layer.yml
@@ -1,6 +1,7 @@
 packages:
 - openssh
 start: |
+ # Fictional CTF range credentials. Not a real password, not a leak.
 echo "pontoon:Tr0mb0n3!2024" | chpasswd
 ssh-keygen -A
 /usr/sbin/sshd -D &
diff --git a/range/layers/ssh-leaked-key/layer.yml b/range/layers/ssh-leaked-key/layer.yml
index 133ef0b4..9aa402bf 100644
--- a/range/layers/ssh-leaked-key/layer.yml
+++ b/range/layers/ssh-leaked-key/layer.yml
@@ -3,6 +3,8 @@ packages:
 configs:
 - home/deploy/.ssh/authorized_keys
 start: |
+ # Fictional CTF range key. The matching private key under ftp-loot/
+ # is generated for this challenge and grants no real access.
 adduser -D deploy 2>/dev/null || true
 passwd -u deploy 2>/dev/null || true
 chown -R deploy:deploy /home/deploy/.ssh
diff --git a/standards b/standards
index 0c5d4544..39e0764f 160000
--- a/standards
+++ b/standards
@@ -1 +1 @@
-Subproject commit 0c5d45442a94aafa240ee7bd6cca746991c45761
+Subproject commit 39e0764f1327e417eb5cd8312f44482cdc767523
diff --git a/website/pnpm-lock.yaml b/website/pnpm-lock.yaml
index 3972f6bc..401eaafb 100644
--- a/website/pnpm-lock.yaml
+++ b/website/pnpm-lock.yaml
@@ -1645,8 +1645,8 @@ packages:
 confbox@0.2.4:
 resolution: {integrity: sha512-ysOGlgTFbN2/Y6Cg3Iye8YKulHw+R2fNXHrgSmXISQdMnomY6eNDprVdW9R5xBguEqI954+S6709UyiO7B+6OQ==}
 
-cookie-es@1.2.2:
-resolution: {integrity: sha512-+W7VmiVINB+ywl1HGXJXmrqkOhpKrIiVZV6tQuV54ZyQC7MMuBt81Vc336GMLoHBq5hV/F9eXgt5Mnx0Rha5Fg==}
+cookie-es@1.2.3:
+resolution: {integrity: sha512-lXVyvUvrNXblMqzIRrxHb57UUVmqsSWlxqt3XIjCkUP0wDAf6uicO6KMbEgYrMNtEvWgWHwe42CKxPu9MYAnWw==}
 
 cookie@1.1.1:
 resolution: {integrity: sha512-ei8Aos7ja0weRpFzJnEA9UHJ/7XQmqglbRwnf2ATjcB9Wq874VKH9kfjjirM6UhU2/E5fFYadylyhFldcqSidQ==}
@@ -1707,8 +1707,8 @@ packages:
 decode-named-character-reference@1.3.0:
 resolution: {integrity: sha512-GtpQYB283KrPp6nRw50q3U9/VfOutZOe103qlN7BPP6Ad27xYnOIWv4lPzo8HCAL+mMZofJ9KEy30fq6MfaK6Q==}
 
-defu@6.1.4:
-resolution: {integrity: sha512-mEQCMmwJu317oSz8CwdIOdwf3xMif1ttiM8LTufzc3g6kR+9Pe236twL8j3IYT1F7GfRgGcW6MWxzZjLIkuHIg==}
+defu@6.1.7:
+resolution: {integrity: sha512-7z22QmUWiQ/2d0KkdYmANbRUVABpZ9SNYyH5vx6PZ+nE5bcC0l7uFvEfHlyld/HcGBFTL536ClDt3DEcSlEJAQ==}
 
 dequal@2.0.3:
 resolution: {integrity: sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==}
@@ -1862,8 +1862,8 @@ packages:
 graceful-fs@4.2.11:
 resolution: {integrity: sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==}
 
-h3@1.15.8:
-resolution: {integrity: sha512-iOH6Vl8mGd9nNfu9C0IZ+GuOAfJHcyf3VriQxWaSWIB76Fg4BnFuk4cxBxjmQSSxJS664+pgjP6e7VBnUzFfcg==}
+h3@1.15.11:
+resolution: {integrity: sha512-L3THSe2MPeBwgIZVSH5zLdBBU90TOxarvhK9d04IDY2AmVS8j2Jz2LIWtwsGOU3lu2I5jCN7FNvVfY2+XyF+mg==}
 
 hast-util-from-html@2.0.3:
 resolution: {integrity: sha512-CUSRHXyKjzHov8yKsQjGOElXy/3EKpyX56ELnkHH34vDVw1N1XSQ1ZcAvTyAPtGqLTuKP/uxM+aLkSPqF/EtMw==}
@@ -4037,7 +4037,7 @@ snapshots:
 
 confbox@0.2.4: {}
 
-cookie-es@1.2.2: {}
+cookie-es@1.2.3: {}
 
 cookie@1.1.1: {}
 
@@ -4096,7 +4096,7 @@ snapshots:
 dependencies:
 character-entities: 2.0.2
 
-defu@6.1.4: {}
+defu@6.1.7: {}
 
 dequal@2.0.3: {}
 
@@ -4273,11 +4273,11 @@ snapshots:
 
 graceful-fs@4.2.11: {}
 
-h3@1.15.8:
+h3@1.15.11:
 dependencies:
-cookie-es: 1.2.2
+cookie-es: 1.2.3
 crossws: 0.3.5
-defu: 6.1.4
+defu: 6.1.7
 destr: 2.0.5
 iron-webcrypto: 1.2.1
 node-mock-http: 1.0.4
@@ -5418,7 +5418,7 @@ snapshots:
 anymatch: 3.1.3
 chokidar: 5.0.0
 destr: 2.0.5
-h3: 1.15.8
+h3: 1.15.11
 lru-cache: 11.2.7
 node-fetch-native: 1.6.7
 ofetch: 1.5.1