Thunder CTF allows players to practice attacking vulnerable cloud projects on Google Cloud Platform (GCP). In each level, players are tasked with exploiting a cloud deployment to find a "secret" integer stored within it. Key to the CTF is a progressive set of hints that can be used by players when they are stuck so that levels can be solved by players of all levels from novices to experts.
Thunder CTF deploys level infrastructure on demand to a player's Google Cloud Platform project. Players new to Google Cloud can get a free $300 credit here. Thunder CTF is very cheap to run, with its resource consumption fitting almost entirely into GCP's free tier. To save cloud credits, we recommend deploying levels only while you are playing and destroying them as soon as levels are completed.
Thunder CTF was built to be extensible, and we encourage players to make their own levels. For more information on how to create a level, visit the Level Development Guide and the Thunder CTF framework documentation.
For more information about Thunder CTF, visit its website.
Least Privilege CTF (slides) is an extension of Thunder CTF. Least Privilege levels have been desgined to help understand Google Cloud Platform's IAM roles and permissions. Related GCP documentaion can be found here. Least Privilege levels do not have "secret". Instead, at each level you should get a "Congratulations" message
First, create a new google cloud project and enable billing for it. The deployment should ideally be done on a new to ensure that playing the levels won't affect your existing or future work on GCP. Players new to Google Cloud can get a free $300 credit here.
# Optional: Can skip if cloud shell is started from the project you want to use gcloud config set project [PROJECT-ID]
virtualenv -v env-tctf source env-tctf/bin/activate git clone https://github.com/NicholasSpringer/thunder-ctf.git cd thunder-ctf pip3 install -r requirements.txt gcloud services enable cloudresourcemanager.googleapis.com python3 thunder.py activate_project $GOOGLE_CLOUD_PROJECT
A full list of commands can be found by running:
python3 thunder.py help
You are now ready to play. Create each level individually.
# PrimitiveRole-Project python3 thunder.py create leastprivilege/pr # PredefinedRole-Storage python3 thunder.py create leastprivilege/pd1 # PredefinedRole-Compute python3 thunder.py create leastprivilege/pd2 # PredefinedRole-Logging python3 thunder.py create leastprivilege/pd3 # PredefinedRole-Datastore python3 thunder.py create leastprivilege/pd4 # PredefinedRole-Vision python3 thunder.py create leastprivilege/pd5 # CustomRole-Project python3 thunder.py create leastprivilege/ct1 # CustomRole-Storage python3 thunder.py create leastprivilege/ct2 # CustomRole-Compute python3 thunder.py create leastprivilege/ct3 # CustomRole-Logging python3 thunder.py create leastprivilege/ct4
Or, create all levels with command below.
python3 thunder.py create leastprivilege/roles
Once the deployment is successful, the Cloud Shell will display either a single function entrypoint or a list of function entrypoints. You can also locate this information in either start/LEVEL_ABBR.txt (e.g. pr.txt) or start/roles.txt. To access further guidance on each level, simply click on its respective link. It is important to note that if the level requires the creation of a custom role, you must create the role using the precise ID specified in the level instruction.
Don't forget to destroy levels after you are done using the command below:
python3 thunder.py destroy
We will be really apprecialte if you could rate our Least Privilege CTF here.
Your feedback is very important to us, since it will help developers optimize user experiences and extend level designs.