NorthSec 2021 - remote edition

Supported platforms

We have currently tested and confirmed these instructions on:

Overview of infrastructure

VPN

Every team has a dedicated VPN port on a shared VPN endpoint at ctf.remote.nsec.io.
The VPN is OpenVPN and requires a minimum version of 2.4 to function.

The record at ctf.remote.nsec.io can change at any time as we may need to rotate addresses during the event.
Always use the DNS name or you'll have problems.

The TLDs ".nsec" and ".ctf" are resolved by our DNS infrastructure over the VPN.
If, for some reason, you're not using our DNS servers, you will be unable to access any of the CTF websites and challenges.

The VPN does not provide global routing. Only the 2001:470:b2b5::/48 and 9000::/16 subnets can be accessed through the VPN.

If connecting using something other than our recommended setup, you may need to configure your DNS with:

WARNING: Chrome and Chromium based web browsers refuse to connect to IPv6-only servers when you don't have a default IPv6 gateway.
Because of that, you may need to use alternative web browsers or artificially configure your system to have a bogus IPv6 default gateway.

CA

We operate our own Certificate Authority (CA) which can be used to validate all our internal websites.
It is very strongly recommended that you trust that CA in your browser if not system-wide.

This certificate authority is managed by the NorthSec infrastructure team and will only ever be used for internal domains.

The root certificate can be found here: ca.crt

If this isn't an option, here are the current fingerprints of the various TLS-enabled services this year:

https://askgod.nsec
SHA-256: EF:8F:02:40:1F:E5:1D:CF:01:77:39:66:CE:70:FF:9E:B9:8F:3C:AB:47:7B:96:D6:A1:8E:3F:83:FA:7E:4F:50
SHA-1:   77:E8:A4:D5:81:67:AB:23:B5:C7:1C:95:03:DC:E8:ED:DC:FB:BE:58

https://dl.nsec and https://www.nsec
SHA-256: 4E:E6:E1:84:42:DD:27:D3:70:2B:43:22:C6:E1:8C:8C:EB:63:C5:C9:74:3C:AE:3B:26:2D:BF:A7:C0:9E:4E:0B
SHA-1:   67:2B:14:33:86:6E:5F:D2:F5:93:21:6A:3E:58:FF:83:40:2E:81:A2

https://blackcattavern.nsec
SHA-256: C4:F4:F2:9B:DA:76:13:F4:DF:D3:91:08:A3:C5:B1:5E:35:75:D3:6B:F4:3A:BC:34:E0:D1:00:18:32:87:2F:A6
SHA-1:   5F:C7:49:8D:EB:E7:B8:75:7F:C7:57:9A:15:6A:0E:82:F0:15:13:EA
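
For clients that cannot trust the CA, the fingerprint comparison can be scripted. The following is an added example, not part of the original NorthSec instructions; it assumes the published values are SHA-256 hashes of each service's DER-encoded server certificate (what browsers display), and the function names are this example's own.

```python
import hashlib
import socket
import ssl

# SHA-256 fingerprints copied from the list above (NorthSec 2021 services).
PINNED_SHA256 = {
    "askgod.nsec": "EF:8F:02:40:1F:E5:1D:CF:01:77:39:66:CE:70:FF:9E:"
                   "B9:8F:3C:AB:47:7B:96:D6:A1:8E:3F:83:FA:7E:4F:50",
    "dl.nsec": "4E:E6:E1:84:42:DD:27:D3:70:2B:43:22:C6:E1:8C:8C:"
               "EB:63:C5:C9:74:3C:AE:3B:26:2D:BF:A7:C0:9E:4E:0B",
    "blackcattavern.nsec": "C4:F4:F2:9B:DA:76:13:F4:DF:D3:91:08:A3:C5:B1:5E:"
                           "35:75:D3:6B:F4:3A:BC:34:E0:D1:00:18:32:87:2F:A6",
}
PINNED_SHA256["www.nsec"] = PINNED_SHA256["dl.nsec"]  # listed together above


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER certificate, formatted like the list above."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so different renderings compare equal."""
    return "".join(c for c in fp if c not in ": \t").upper()


def matches_pin(host: str, der_cert: bytes, pins=PINNED_SHA256) -> bool:
    """True only if the host is pinned and its certificate hash matches (fails closed)."""
    pinned = pins.get(host.lower().rstrip("."))
    return pinned is not None and normalize(pinned) == normalize(fingerprint(der_cert))


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the server certificate without CA validation; the pin check replaces it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":  # needs the VPN and its DNS to be up
    for name in sorted(PINNED_SHA256):
        try:
            print(name, "OK" if matches_pin(name, fetch_leaf_der(name)) else "MISMATCH")
        except OSError as exc:
            print(name, "unreachable:", exc)
```

A MISMATCH means the certificate presented is not the one published above, so the connection should not be used until the cause is understood.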

Support

If you find yourself unable to connect to the infrastructure, reach out to us.
We can be found in the #support channel on the NorthSec Discord.

Keep in mind that there are 3 people on the NorthSec infrastructure team for almost 1000 participants, so we'd kindly ask that you re-read the instructions and maybe check with one of your teammates before contacting us for support.

Once you're connected to the infrastructure, go to https://www.nsec.
After reading the rules, you'll find a link to the forum used during the CTF.
You'll log in with your Discord account and will be granted access to your team shortly afterwards.

VPN instructions

Windows 10

  1. Download OpenVPN from https://openvpn.net/community-downloads/ (we tested 2.5.2)
  2. Install using the default set of components:
    OpenVPN components

  3. Right-click on the tray icon and select "Import file...", then pick the .ovpn file you'll have received by e-mail
    Import OpenVPN file
    OpenVPN file imported

  4. Right-click on the tray icon again and select "Connect"
    Connect OpenVPN
    OpenVPN connecting
    OpenVPN connected

NOTE: You may see some "netsh" failures during the connection. This is fine, it's a result of having a single cross-platform config.

macOS Catalina

  1. Unless you have native IPv6 connectivity, you need to trick macOS into thinking it has some.
    To do this, edit your network connection, switch "Configure IPv6" to "Manually" and set "ff03::1" as your router, "ff03::2" as your address and "48" as prefix.
    Network settings

  2. Download and open Tunnelblick from https://tunnelblick.net/downloads.html (we tested 3.8.2)
    Tunnelblick installer

  3. Once installed, click "I have configuration files" and then "Ok"
    Tunnelblick config
    Tunnelblick config continued

  4. Open the "team-XXX.ovpn" file you'll have received by e-mail, select "Only Me" and authenticate
    Tunnelblick add
    Tunnelblick auth

  5. The VPN has now been added, click on the "Settings" tab
    OpenVPN added

  6. And untick "Disable IPv6 unless the VPN server is accessed using IPv6" and "Check if the apparent public IP address changed after connecting"
    OpenVPN settings

  7. Then switch back to the "Log" tab and hit "Connect"
    OpenVPN connected

Ubuntu 18.04

  1. Start by installing the network-manager-gnome package

  2. Then open the system menu and click "Settings"
    OpenVPN system settings

  3. Select the "Network" panel and click the "+" sign next to "VPN"
    OpenVPN network settings

  4. Select "Import from file..." then pick the .ovpn file you'll have received by e-mail
    OpenVPN import
    OpenVPN select file

  5. The imported VPN configuration will open, allowing you to make some changes.
    OpenVPN settings

  6. Go to the "IPv4" tab and tick "Use this connection only for resources on its network"
    OpenVPN IPv4

  7. Go to the "IPv6" tab and tick "Use this connection only for resources on its network"
    OpenVPN IPv6

  8. Hit "Add" and you'll see your VPN listed in your network settings. Toggle it on and you'll be connected.
    OpenVPN created
    OpenVPN connected

Ubuntu 20.04

  1. Open the system menu and click "Settings"
    OpenVPN system settings

  2. Select the "Network" panel and click the "+" sign next to "VPN"
    OpenVPN network settings

  3. Select "Import from file..." then pick the .ovpn file you'll have received by e-mail
    OpenVPN import
    OpenVPN select file

  4. The imported VPN configuration will open, allowing you to make some changes.
    OpenVPN settings

  5. Go to the "IPv4" tab and tick "Use this connection only for resources on its network"
    OpenVPN IPv4

  6. Go to the "IPv6" tab and tick "Use this connection only for resources on its network"
    OpenVPN IPv6

  7. Hit "Add" and you'll see your VPN listed in your network settings. Toggle it on and you'll be connected.
    OpenVPN created
    OpenVPN connected

Generic Linux (NetworkManager CLI)

  1. Start by installing the network-manager-openvpn-gnome package

  2. Save the .ovpn file you'll have received by e-mail

  3. Import the configuration with:
    sudo nmcli connection import type openvpn file /path/to/team-XXX.ovpn

  4. Configure split-tunneling with:
    sudo nmcli connection modify team-XXX ipv4.never-default true ipv6.never-default true

Generic Linux (systemd)

  1. Start by installing the openvpn-systemd-resolved and openvpn packages

  2. Save the .ovpn file you'll have received by e-mail

  3. Adapt the configuration (the sed expression removes the leading "#" from each line between the "## --- 8<" and "## --- >8" markers) and put it into place with:
    sed '/^## --- 8</,/^## --- >8/ s/^#//' /path/to/team-XXX.ovpn | sudo tee /etc/openvpn/client/team-XXX.conf

  4. Connect to the VPN with:
    sudo systemctl start openvpn-client@team-XXX

CA instructions

Windows 10

These instructions cover the system-wide installation of the certificate.
Some web browsers also have their own separate trust store that could be used instead of this.

  1. Download the root certificate from ca.crt and open it
    CA file open

  2. Click "Install Certificate"
    CA install

  3. Select "Place all certificates in the following store"
    CA store

  4. And pick "Trusted Root Certification Authorities"
    CA store list

  5. Continuing will prompt to confirm the installation
    CA trust

  6. Then complete the process
    CA confirm
    CA imported

  7. You can then hit https://www.nsec over the VPN to validate
    CA test

macOS Catalina

These instructions cover the system-wide installation of the certificate.
Some web browsers also have their own separate trust store that could be used instead of this.

  1. Download the root certificate from ca.crt and open it, keep the default "login" keychain and click "Add"
    CA file open

  2. Select the certificate in the "login" keychain, double click on it to open
    CA keychain

  3. Expand the "Trust" section and set it to "Always Trust" then close the window
    CA store

  4. Authenticate when prompted
    CA auth

  5. You can then hit https://www.nsec over the VPN to validate
    CA test

Ubuntu 18.04 and Ubuntu 20.04

These instructions assume the default web browser (Firefox).
They will differ for other web browsers.

  1. Download the root certificate from ca.crt

  2. Open the browser menu and click "Preferences"
    CA menu

  3. Select "Privacy & Security" from the list on the left
    CA settings

  4. Scroll down the page to the "Certificates" section and click "View Certificates..."
    CA security settings

  5. Click the "Import..." button
    CA store

  6. Select the "ca.crt" file you downloaded earlier
    CA file open

  7. Tick "Trust this CA to identify websites." and click "Ok"
    CA trust

  8. You can then hit https://www.nsec over the VPN to validate
    CA test