Overview

A Challenge Pod is a multi-container Kubernetes pod that provides an isolated environment where users can interact with and solve cybersecurity challenges. These pods are dynamically created and managed by the Instance Manager based on Challenge Definition Format (CDF) specifications and Challenge Type Definitions (CTDs).

Pod Structure

Modern challenge pods consist primarily of three containers:

1. Challenge OS Container: The actual challenge environment where users solve problems.

• Can be a Linux OS, web server, database, or any specialized environment
• Defined by the container component in the CDF
• May include specific flags, tools, and configurations for the challenge

2. WebOS Container: A Next.js web application that provides a simulated desktop interface.

• Includes apps like Terminal, Challenge Prompt, Editor, Browser, and more
• Loads configuration defined by webosApp components in the CDF
• Provides a consistent user experience across different challenge types

3. Remote-Terminal Container: Provides secure terminal access to the Challenge OS container.

• Uses Kubernetes API for secure command execution
• Exposes a WebSocket interface for real-time interaction
• Requires specific service account permissions
• Connected to WebOS via environment variables

Challenge Type Specialization

The specific structure and content of a Challenge Pod varies significantly depending on the challenge type defined in the CTD. Each challenge type has specialized containers, applications, and integrations:

Note: The EDURange Cloud platform is actively expanding its challenge type ecosystem. The types listed above represent the current implementation status, with many more specialized challenge types coming soon. Challenge types in Alpha or Beta stages are available for testing but may have limited features or stability.

Challenge Type Examples

1. FullOS Challenge Type:

   • Primary focus: Linux command-line challenges
   • Main container: Ubuntu/Debian with SSH server
   • Required application: Remote-Terminal for command execution
   • User interaction: Primarily via Terminal app in WebOS
   • Example challenges: File system exploration, user permissions, service configuration

2. Web Challenge Type:

   • Primary focus: Web application vulnerabilities
   • Main container: Web server (Apache/Nginx) with application code
   • Optional database container: MySQL/PostgreSQL for data storage
   • Required application: Browser app in WebOS
   • User interaction: Through Browser app accessing the web server
   • Example challenges: XSS, CSRF, SQL injection, improper authentication

3. PacketAnalysis Challenge Type: (Alpha Stage)

   • Primary focus: Network traffic analysis
   • Main container: WebShark (browser-based Wireshark)
   • Data: Pre-captured PCAP files
   • Required application: WebShark app in WebOS
   • User interaction: Through WebShark interface for packet inspection
   • Example challenges: Network protocol analysis, traffic inspection, intrusion detection
   • Note: This challenge type is currently in alpha and under active development

4. Metasploit Challenge Type: (Beta Stage)

   • Primary focus: Exploitation techniques
   • Main containers: Attack container + Target container
   • Required applications: Terminal with Metasploit Framework
   • User interaction: Terminal-based command line for exploits
   • Example challenges: Vulnerability scanning, exploitation, post-exploitation

Future Challenge Types

The EDURange platform roadmap includes several additional challenge types currently in development:

• Cryptography: Specialized environment for cryptographic challenges with tools for encryption/decryption
• Digital Forensics: File system analysis, memory forensics, and artifact extraction
• Mobile Security: Android/iOS security challenges with emulated mobile environments
• IoT Security: Simulated IoT devices and protocols for security analysis
• Cloud Security: AWS/Azure/GCP security configuration challenges

These upcoming challenge types will follow the same architecture pattern with specialized containers and WebOS applications tailored to their specific requirements.

Deployment Architecture

Challenge pods are deployed through a multi-step process:

1. The dashboard sends a CDF to the Instance Manager
2. The Instance Manager identifies the challenge type and loads the appropriate CTD
3. The CTD provides the base pod structure and Kubernetes resource templates
4. CDF components are processed to customize the pod for the specific challenge
5. Kubernetes resources (Pod, Service, Ingress, ConfigMap, Secret) are created
6. URLs are generated and returned to the dashboard for user access

Challenge Components

The Challenge Definition Format (CDF) includes several component types that define different aspects of the challenge pod:

1. Container Components

Container components define the environments within the challenge pod:

{
  "type": "container",
  "id": "challenge-container",
  "config": {
    "image": "registry.edurange.cloud/challenges/ubuntu-flags:latest",
    "env": [
      {
        "name": "DIFFICULTY",
        "value": "easy"
      }
    ],
    "resources": {
      "limits": {
        "cpu": "0.5",
        "memory": "512Mi"
      }
    },
    "ports": [
      {
        "containerPort": 22,
        "name": "ssh"
      }
    ],
    "securityContext": {
      "runAsUser": 0,
      "privileged": false
    }
  }
}

Container Configuration Options

• image: Docker image for the container
• env: Environment variables
• resources: CPU, memory, and other resource constraints
• ports: Container port definitions
• securityContext: Security settings like privileged mode and user ID
• volumes: Volume mounts (emptyDir, configMap, secret)
• initScripts: Scripts to run during container initialization

2. WebOS App Components

WebOS app components define applications in the WebOS interface:

{
  "type": "webosApp",
  "id": "terminal",
  "config": {
    "title": "Terminal",
    "icon": "./icons/terminal.svg",
    "width": 800,
    "height": 600,
    "screen": "terminal",
    "favourite": true,
    "desktop_shortcut": true,
    "launch_on_startup": true
  }
}

WebOS App Configuration Options

• title: App title displayed in the window header
• icon: Path to the app icon
• width/height: Default window dimensions
• screen: Component name to render (e.g., “terminal”, “displayChrome”, “displayChallengePrompt”)
• favourite: Whether to include in favorites dock
• desktop_shortcut: Whether to display on desktop
• launch_on_startup: Whether to launch automatically when WebOS starts

3. Question Components

Question components define assessment questions for the challenge:

{
  "type": "question",
  "id": "file-flag",
  "config": {
    "type": "flag",
    "prompt": "Find the flag hidden in the home directory.",
    "points": 10
  }
}

Question Configuration Options

• type: Question type (“flag”, “text”, “multiple_choice”)
• prompt: Question text displayed to the user
• points: Point value for correct answers
• answer: For non-flag questions, the correct answer
• options: For multiple choice questions, the available options

4. ConfigMap Components

ConfigMap components create Kubernetes ConfigMaps for configuration data:

{
  "type": "configmap",
  "id": "challenge-config",
  "config": {
    "data": {
      "hints.txt": "Check hidden files in the system",
      "instructions.md": "# Challenge Instructions\n\nFind all the flags..."
    }
  }
}

5. Secret Components

Secret components create Kubernetes Secrets for sensitive data:

{
  "type": "secret",
  "id": "challenge-secret",
  "config": {
    "data": {
      "username": "admin",
      "password": "base64:cGFzc3dvcmQxMjM="
    }
  }
}

Challenge Type-Specific Containers

Each challenge type requires specialized containers to create the appropriate learning environment. Below are details for different challenge types:

FullOS Challenges

FullOS challenges provide a complete operating system environment for command-line based challenges.

Key characteristics:

• Linux-based container with shell access
• SSH server for Remote-Terminal connectivity
• User accounts and permissions
• Task-specific file structure and permissions
• Network services and configurations
• Custom flags hidden throughout the system

Example FullOS Dockerfile

FROM ubuntu:22.04
 
# Install necessary packages
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    openssh-server \
    vim \
    nano \
    curl \
    wget \
    sudo \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 
# Create users
RUN useradd -m -s /bin/bash student && \
    echo "student:student" | chpasswd && \
    useradd -m -s /bin/bash admin && \
    echo "admin:adminpassword" | chpasswd
 
# Set up challenge files
COPY ./challenge-files/ /opt/challenge/
RUN chmod 755 /opt/challenge/setup.sh && \
    /opt/challenge/setup.sh
 
# Configure SSH
RUN mkdir -p /var/run/sshd
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config
 
# Start SSH server
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]

Web Challenges

Web challenges provide a web server environment for exploring web application vulnerabilities.

Key characteristics:

• Web server (Apache, Nginx) container
• Application code (PHP, Node.js, etc.)
• Optional database container
• Web application vulnerabilities
• Exposed HTTP/HTTPS ports
• Flag storage within web application components

Example Web Challenge Dockerfile

FROM php:7.4-apache
 
# Install dependencies
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    libpng-dev \
    libjpeg-dev \
    libfreetype6-dev \
    && docker-php-ext-configure gd --with-freetype --with-jpeg \
    && docker-php-ext-install -j$(nproc) gd mysqli pdo pdo_mysql \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 
# Copy web application files
COPY ./web-app/ /var/www/html/
RUN chown -R www-data:www-data /var/www/html/
 
# Configure Apache
COPY ./apache-config/000-default.conf /etc/apache2/sites-available/000-default.conf
RUN a2enmod rewrite
 
# Expose web port
EXPOSE 80
CMD ["apache2-foreground"]

PacketAnalysis Challenges

PacketAnalysis challenges provide a browser-based Wireshark-like interface (WebShark) for analyzing network traffic.

Key characteristics:

• WebShark container (browser-based packet analyzer)
• Pre-captured PCAP files with network traffic
• No Remote-Terminal necessary
• Flags embedded within packet data
• Focus on network protocol analysis

Example PacketAnalysis Dockerfile

FROM nikolaik/python-nodejs:python3.9-nodejs16-slim
 
# Install dependencies
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    tshark \
    tcpdump \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 
# Copy WebShark application
COPY ./webshark/ /app/
WORKDIR /app
 
# Install Node.js dependencies
RUN npm install
 
# Copy PCAP files
COPY ./pcap-files/ /pcap/
RUN chmod 644 /pcap/*.pcap
 
# Expose application port
EXPOSE 3000
CMD ["npm", "start"]

Metasploit Challenges

Metasploit challenges provide an attack/defend environment with intentionally vulnerable targets.

Key characteristics:

• Attack container with Metasploit Framework
• Target container with vulnerabilities
• Network connectivity between containers
• Flag generation upon successful exploitation
• Segmented network for safety

Example Metasploit Attack Container

FROM kalilinux/kali-rolling:latest
 
# Install necessary packages
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    metasploit-framework \
    nmap \
    curl \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 
# Set up workspace
WORKDIR /root
RUN mkdir -p /root/workspace
 
# Start Metasploit console
CMD ["/bin/bash"]

WebOS Container

The WebOS container provides a browser-based desktop environment for interacting with challenges. It loads application configurations from the CDF and presents a consistent user interface regardless of the underlying challenge type.

Key features:

• Window management system
• Application framework
• Terminal integration
• Challenge prompt with questions and assessment
• File browser and editor
• Other utility applications

The WebOS container is configured via environment variables that define:

• Available applications
• Default window sizes and positions
• Application startup behavior
• URLs for accessing other parts of the challenge pod

Challenge Type-Specific WebOS Applications

Different challenge types require different WebOS applications:

1. FullOS Challenges

   • Terminal (required)
   • File Browser (optional)
   • Challenge Prompt (required)
   • Text Editor (optional)

2. Web Challenges

   • Browser (required)
   • Challenge Prompt (required)
   • Terminal (optional)
   • Developer Tools (optional)

3. PacketAnalysis Challenges

   • WebShark (required)
   • Challenge Prompt (required)
   • Text Editor (optional)
   • Network Diagram (optional)

4. Metasploit Challenges

   • Terminal (required)
   • Challenge Prompt (required)
   • Browser (optional)
   • Network Scanner (optional)

Remote-Terminal Container

The Remote-Terminal container provides secure access to the Challenge OS container through the Kubernetes API. It uses a WebSocket interface to provide real-time terminal interaction from the browser.

Key features:

• Authentication via Kubernetes service account
• Secure command execution in the target container
• WebSocket communication for real-time interaction
• Support for terminal features (copy/paste, resize, etc.)
• No direct access to the host system

Security Considerations

Challenge pods implement several security measures:

1. Container Isolation: Each challenge runs in its own isolated pod
2. Network Policies: Restrict communication between pods
3. RBAC: Service accounts with limited permissions
4. Seccomp Profiles: Restrict system calls
5. Resource Limits: Prevent resource exhaustion
6. Pod Security Context: Control user permissions and capabilities
7. Ingress Controls: Restrict external access to specific paths

For more information on the Instance Manager that creates and manages these challenge pods, see the Instance Manager documentation.