Notes on deploying GZCTF with k3s + Docker
Preparation
Three servers:
k3s-master 192.168.80.20
k3s-slave 192.168.80.27 (26)
gzctfweb 192.168.80.28 (63)
Don't use DHCP; use a bridged adapter with a static IP from the high end of the range.
Set the hostnames
```bash
hostnamectl set-hostname gzctfweb     # run on the gzctfweb server
hostnamectl set-hostname k3s-master   # run on k3s-master
hostnamectl set-hostname k3s-slave    # run on k3s-slave
```
Disable the firewall (run on all three machines)
Disable the firewall on Ubuntu:
```bash
sudo ufw disable
```
Flush the iptables rules:
```bash
iptables -F
```
Configure hosts resolution
Run on both k3s-master and k3s-slave:
```bash
cat >>/etc/hosts<<EOF
192.168.80.20 k3s-master
192.168.80.27 k3s-slave
EOF
```
Install Docker [on k3s-master]
```bash
curl https://releases.rancher.com/install-docker/20.10.sh | sh
systemctl enable --now docker   # start Docker now and at boot
```
Deploying GZCTF on k3s
1. Install the k3s cluster
Download k3s as described in the GZCTF docs:
```bash
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -
```
Do not pass any extra configuration parameters here; adding other flags makes the install fail.
2. Install the slave node
On k3s-master, read the join token:
```bash
cat /var/lib/rancher/k3s/server/node-token
K1049517f32c21a31aac5b53e5423386b6b0ae9b0e706b06cc1baebfe3e474929a3::server:ab280ce6ccffbd6d5c97a9036f973072
```
Put the token and the master's IP into the slave's install command:
```bash
curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn INSTALL_K3S_EXEC="--docker" K3S_URL=https://192.168.80.20:6443 K3S_TOKEN=K1049517f32c21a31aac5b53e5423386b6b0ae9b0e706b06cc1baebfe3e474929a3::server:ab280ce6ccffbd6d5c97a9036f973072 sh -
# start the agent now and at boot
systemctl enable --now k3s-agent.service
```
3. Change the NodePort port range [run on master]
vim /etc/systemd/system/k3s.service
Append the following at the end of the ExecStart=/usr/local/bin/k3s command line:
```
--kube-apiserver-arg service-node-port-range=20000-50000
```
4. Change the k3s pod-count limit [run on master and slave]
vim /etc/rancher/k3s/kubelet.config
```yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
maxPods: 500   # pod-count limit
```
vim /etc/systemd/system/k3s.service
Append the following at the end of the ExecStart=/usr/local/bin/k3s command line:
```
--kubelet-arg=config=/etc/rancher/k3s/kubelet.config
```
5. Add a Docker registry mirror [run on master]
```yaml
mirrors:
  "docker.io":
    endpoint:
      - "https://hub.docker.com"
```
6. After the configuration is done, restart the k3s cluster
```bash
systemctl daemon-reload && systemctl restart k3s         # master node
systemctl daemon-reload && systemctl restart k3s-agent   # slave node
```
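Steps 3 and 4 both append a flag to the ExecStart line of a k3s unit (k3s.service on the master; on the slave the unit step 6 restarts is k3s-agent.service). The helper below is an added example written for these notes, not k3s or GZCTF code: it makes that edit idempotently, keeping the installer's backslash-continued ExecStart block intact and placing the flag after the `server` subcommand, where k3s expects its flags. The sample unit text is constructed after the installer's format; the flag strings and paths are the ones from the steps above.

```python
"""Idempotently add a k3s flag to ExecStart in a k3s systemd unit (steps 3/4).
The installer writes ExecStart as a backslash-continued block ending with the
subcommand line ("server \\" on the master); flags must follow the subcommand,
so the flag goes in as the block's last continued line, never twice.
Hypothetical helper written for these notes, not part of k3s or GZCTF."""
import re

NODEPORT_ARG = "--kube-apiserver-arg service-node-port-range=20000-50000"
KUBELET_ARG = "--kubelet-arg=config=/etc/rancher/k3s/kubelet.config"

def _exec_block(lines: list[str]) -> tuple[int, int]:
    """Indexes of the ExecStart= line and of the block's last non-blank line."""
    i = next(n for n, line in enumerate(lines) if line.startswith("ExecStart="))
    j = i
    while lines[j].rstrip().endswith("\\") and j + 1 < len(lines) and lines[j + 1].strip():
        j += 1
    return i, j

def add_exec_arg(unit_text: str, arg: str) -> str:
    """Return unit_text with arg in ExecStart (unchanged if already there)."""
    if arg in unit_text:
        return unit_text                      # already configured: no change
    lines = unit_text.splitlines()
    _, j = _exec_block(lines)
    if lines[j].rstrip().endswith("\\"):      # installer style: keep trailing "\"
        lines.insert(j + 1, f"    {arg} \\")
    else:                                     # block already closed: reopen it
        lines[j] = lines[j].rstrip() + " \\"
        lines.insert(j + 1, f"    {arg}")
    return "\n".join(lines) + "\n"

def exec_args(unit_text: str) -> list[str]:
    """Tokens of the ExecStart command line with continuation lines joined."""
    lines = unit_text.splitlines()
    i, j = _exec_block(lines)
    joined = " ".join(re.sub(r"\\\s*$", "", line) for line in lines[i:j + 1])
    return joined[len("ExecStart="):].split()

# Constructed sample in the installer's format; the real file is
# /etc/systemd/system/k3s.service (k3s-agent.service on the slave).
SAMPLE_UNIT = """[Service]
Type=notify
ExecStart=/usr/local/bin/k3s \\
    server \\
"""

def configure_master(unit_text: str = SAMPLE_UNIT) -> str:
    """Apply steps 3 and 4 to a master unit; safe to run repeatedly."""
    for arg in (NODEPORT_ARG, KUBELET_ARG):
        unit_text = add_exec_arg(unit_text, arg)
    return unit_text
```

Running `configure_master` on the output of a previous run returns it unchanged, and `exec_args` shows the flags landing after `server`, which is the check to make before `systemctl daemon-reload`.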
7. gzctfweb configuration
- docker-compose.yml
```yaml
version: '3.0'
services:
  gzctf:
    image: gztime/gzctf:latest
    restart: always
    environment:
      - "GZCTF_ADMIN_PASSWORD=Admin123" # initial GZCTF admin password
    ports:
      - "80:8080"
    networks:
      default:
    volumes:
      - "./data/files:/app/files"
      - "./appsettings.json:/app/appsettings.json:ro"
      - "./logs:/app/log"
      # - "./data/keys:/root/.aspnet/DataProtection-Keys"
      - "./kube-config.yaml:/app/kube-config.yaml:ro"
      # - "/var/run/docker.sock:/var/run/docker.sock"
    depends_on:
      - db
  db:
    image: postgres:alpine
    restart: always
    environment:
      - "POSTGRES_PASSWORD=admin123" # database password
    networks:
      default:
    volumes:
      - "./data/db:/var/lib/postgresql/data"
networks:
  default:
    driver: bridge
    ipam:
      config:
        - subnet: 192.168.12.0/24
```
- appsettings.json
```json
{
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "Database": "Host=db:5432;Database=gzctf;Username=postgres;Password=admin123" // database connection info
    // redis is optional
    //"RedisCache": "cache:6379,password=<Redis Password>"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "EmailConfig": {
    "SendMailAddress": "a@a.com",
    "UserName": "",
    "Password": "",
    "Smtp": {
      "Host": "localhost",
      "Port": 587
    }
  },
  "XorKey": "z", // XOR encryption key
  "ContainerProvider": {
    "Type": "Kubernetes", // or "Kubernetes"
    "PublicEntry": "192.168.80.20", // the k3s-master IP
    "DockerConfig": { // optional
      "SwarmMode": false,
      "Uri": "unix:///var/run/docker.sock"
    }
  },
  "RequestLogging": false,
  "DisableRateLimit": false,
  "RegistryConfig": {
    "UserName": "",
    "Password": "",
    "ServerAddress": ""
  },
  "GoogleRecaptcha": {
    "VerifyAPIAddress": "https://www.recaptcha.net/recaptcha/api/siteverify",
    "Sitekey": "",
    "Secretkey": "",
    "RecaptchaThreshold": "0.5"
  }
}
```
- kube-config.yaml
On the master run cat /etc/rancher/k3s/k3s.yaml and save the output on the web server as kube-config.yaml:
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <certificate-authority-data omitted>
    server: https://192.168.80.20:6443   # the k3s-master ip:port; the original file has https://127.0.0.1:6443
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: <client-certificate-data omitted>
    client-key-data: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUVOQUJ1bktoZk5BNzVoUlVrMmF2Y0lHb2xJcXM3Ymp1ckk1aEhRdWNhTEJvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFY2RnZVhmLzhEYWUvQ00vam5YRzdnTWNLWXBtcnJ5SzJNL0Vna1ptRTB0Z3l0eGxabTl4NQpwanRCYkVPaC84bXBGUE1ZVnkwNUM3QlpJejJqQklqQkh3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
```
Once configured, start GZCTF:
```bash
docker-compose -f docker-compose.yml up     # run in the foreground (add -d to run in the background)
docker-compose -f docker-compose.yml stop   # stop
docker-compose -f docker-compose.yml rm     # remove
```
Log in with Admin/Admin123.
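Before running docker-compose up, it is worth checking that the three files above agree with each other: the database password appears in both appsettings.json and docker-compose.yml, a Kubernetes provider needs kube-config.yaml mounted into the container (a Docker provider needs docker.sock instead), and PublicEntry should be the host that kube-config.yaml's server URL points at. The checker below is an added example for these notes, not GZCTF's code; it strips the // comments that appsettings.json carries before parsing it and reads the two YAML files by line matching, so it needs no extra packages. Its sample inputs are constructed, trimmed copies of the files shown in step 7.

```python
"""Pre-flight check that docker-compose.yml, appsettings.json and kube-config.yaml
(step 7) agree. Hypothetical checker for these notes, not GZCTF code; samples are constructed."""
import json, re
from urllib.parse import urlsplit

def strip_json_comments(text: str) -> str:
    """Drop // comments (legal in .NET appsettings.json) outside string literals."""
    out, in_str, i = [], False, 0
    while i < len(text):
        if in_str and text[i] == "\\":            # copy an escape pair verbatim
            out.append(text[i:i + 2]); i += 2; continue
        if not in_str and text.startswith("//", i):
            nl = text.find("\n", i); i = nl if nl >= 0 else len(text); continue
        in_str ^= text[i] == '"'                   # toggle on an unescaped quote
        out.append(text[i]); i += 1
    return "".join(out)

def check_config(appsettings: str, compose: str, kubeconfig: str) -> list[str]:
    """Return the problems found; an empty list means the three files agree."""
    cfg = json.loads(strip_json_comments(appsettings))
    prov, problems = cfg["ContainerProvider"], []
    conn = dict(kv.split("=", 1) for kv in cfg["ConnectionStrings"]["Database"].split(";") if "=" in kv)
    pw = re.search(r"POSTGRES_PASSWORD=([^\"'\s]+)", compose)
    if not pw or pw.group(1) != conn.get("Password"):
        problems.append("Database password in appsettings.json != POSTGRES_PASSWORD in docker-compose.yml")
    # container-side paths of the volume lines that are not commented out
    mounts = re.findall(r"^\s*-\s*[\"']?[^#\n]*:(/[^\"':\s]+)", compose, re.M)
    if prov["Type"] == "Kubernetes" and "/app/kube-config.yaml" not in mounts:
        problems.append("Kubernetes provider but kube-config.yaml is not mounted")
    if prov["Type"] == "Docker" and "/var/run/docker.sock" not in mounts:
        problems.append("Docker provider but docker.sock is not mounted")
    srv = re.search(r"^\s*server:\s*(\S+)", kubeconfig, re.M)
    host = urlsplit(srv.group(1)).hostname if srv else None
    if host != prov["PublicEntry"]:
        problems.append(f"PublicEntry {prov['PublicEntry']} != kube-config server host {host}")
    return problems

# Constructed, trimmed-down versions of the three files shown in step 7.
APPSETTINGS = """{ "ConnectionStrings": { "Database": "Host=db:5432;Database=gzctf;Username=postgres;Password=admin123" }, // db
  "ContainerProvider": { "Type": "Kubernetes", "PublicEntry": "192.168.80.20",
    "DockerConfig": { "Uri": "unix:///var/run/docker.sock" } } }"""
COMPOSE = """services:
  gzctf:
    volumes:
      - "./kube-config.yaml:/app/kube-config.yaml:ro"
      # - "/var/run/docker.sock:/var/run/docker.sock"
  db:
    environment: ["POSTGRES_PASSWORD=admin123"]
"""
KUBECONFIG = "clusters:\n- cluster:\n    server: https://192.168.80.20:6443\n  name: default\n"
```

To use it on the real files, read each one with open(...).read() and pass the three strings to check_config; an empty list means the deployment is consistent.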
Challenge configuration
Deploying web and pwn challenges
https://blog.csdn.net/qq_52820087/article/details/127851116
Building a local CTF range: creating dynamic-flag challenges with Alibaba Cloud ACR
https://developer.aliyun.com/article/1526499
How to elegantly build a dynamic-flag CTF challenge with Docker (GZCTF)
https://sj1t.cn/2024/01/04/%E5%8A%A8%E6%80%81Flag%E5%AE%9E%E7%8E%B0/
Build the challenge image on k3s-master, then upload it to Docker.
For the details see https://blog.csdn.net/qq_52820087/article/details/127851116
Current issue: the configured address is the k3s master's IP, so the generated challenge address uses the master's IP, but the container is actually started on the slave machine.
Further reading
Notes on hiding the GZCTF scoreboard: https://www.zhaoj.in/read-8947.html
Connecting GZCTF to a QQ bot: https://www.cnblogs.com/Joooook/p/18152428
https://github.com/CTF-Archives/GZCTFBOT
Enabling traffic capture
Capturing the teams' solving traffic requires enabling the platform proxy.
Platform proxy configuration: https://docs.ctf.gzti.me/zh/guide/platform-proxy
In appsettings.json, find the ContainerProvider node and configure it as follows:
```json
{
  "ContainerProvider": {
    "PortMappingType": "PlatformProxy",
    "EnableTrafficCapture": false
  }
}
```
Then connect using WebSocket.