fix: CTF challenge lifecycle status

.devcontainer/stm32/Dockerfile

@@ -36,6 +36,9 @@ RUN apt-get update && apt-get install -y \
     openssh-client \
     && rm -rf /var/lib/apt/lists/*
 
+# Allow root to use west extension commands in this workspace.
+RUN git config --system --add safe.directory '*'
+
 # Create user
 RUN addgroup --gid 1000 docker \
     && adduser --uid 1000 --ingroup docker --home /home/docker --disabled-password --gecos "" docker \

.devcontainer/stm32/docker-compose.yml

@@ -12,4 +12,5 @@ services:
       # Mount stm32 source into pre-baked Zephyr workspace
       - $CYBICS_ROOT/software/stm32:/home/docker/zephyrproject/app
       - ~/.ssh:/home/docker/.ssh/
-    user: ${HOST_UID:-1000}:${HOST_UID:-1000}
+    # Run as root to avoid bind-mount write failures on hosts with user namespace remapping.
+    user: root

.devcontainer/virtual/docker-compose.yml

@@ -5,7 +5,7 @@ services:
       context: ../../software/attack-machine
       dockerfile: Dockerfile
     hostname: attack-machine
-    restart: always
+    restart: "no"
     stdin_open: true
     tty: true
     cap_add:
@@ -33,7 +33,7 @@ services:
     build:
       context: ../../software/OpenPLC
       dockerfile: Dockerfile
-    restart: always
+    restart: "no"
     privileged: true
     ports:
       - 8080:8080
@@ -48,7 +48,7 @@ services:
     build:
       context: ../../software/opcua
       dockerfile: Dockerfile
-    restart: always
+    restart: "no"
     ports:
       - 4840:4840
     depends_on:
@@ -62,7 +62,7 @@ services:
     build:
       context: ../../software/s7com
       dockerfile: Dockerfile
-    restart: always
+    restart: "no"
     ports:
       - 1102:1102
     depends_on:
@@ -76,7 +76,7 @@ services:
     build:
       context: ../../software/FUXA
       dockerfile: Dockerfile
-    restart: always
+    restart: "no"
     ports:
       - 1881:1881
     depends_on:
@@ -90,7 +90,7 @@ services:
     build:
       context: ../../software/hwio-virtual
       dockerfile: Dockerfile
-    restart: always
+    restart: "no"
     ports:
       - 8090:8090
     depends_on:
@@ -105,6 +105,8 @@ services:
       context: ../..
       dockerfile: software/landing/Dockerfile
     restart: always
+    ports:
+      - 80:80
     network_mode: host
     cap_add:
       - NET_ADMIN
@@ -119,7 +121,7 @@ services:
     build:
       context: ../../software
       dockerfile: engineeringWS/Dockerfile
-    restart: always
+    restart: "no"
     ports:
       - 6080:6080
       - 5901:5901
@@ -137,9 +139,9 @@ services:
     build:
       context: ../../software/cybicsagent
       dockerfile: Dockerfile
-    restart: always
+    restart: "no"
     ports:
-      - 5000:5000
+      - 5001:5000
       - 11434:11434
     environment:
       # Recommended models: tinyllama (fast), phi3:mini (balanced), llama3.2:3b (quality)
@@ -166,13 +168,77 @@ services:
     build:
       context: ../../software/ids
       dockerfile: Dockerfile
-    restart: always
+    restart: "no"
     cap_add:
       - NET_ADMIN
       - NET_RAW
     network_mode: host
     depends_on:
       - openplc
+    profiles:
+      - ids
+      - full
+
+  firmware-updater:
+    image: mniedermaier1337/cybics-firmware-updater:${CYBICS_VERSION:-latest}
+    build:
+      context: ../../software/firmware-updater
+      dockerfile: Dockerfile
+    restart: "no"
+    depends_on:
+      - stm32
+    volumes:
+      - firmware_data:/opt/cybics/firmware
+      - firmware_keys:/opt/cybics/keys
+    environment:
+      - UPDATE_SERVER_URL=${UPDATE_SERVER_URL:-http://update.cybics:8080}
+      - OPENOCD_HOST=stm32
+      - OPENOCD_TELNET_PORT=4444
+    networks:
+      virt-cybics:
+        ipv4_address: 172.18.0.8
+    profiles:
+      - firmware-server
+      - hardware
+
+  update-server:
+    image: mniedermaier1337/cybics-update-server:${CYBICS_VERSION:-latest}
+    build:
+      context: ../../software/update-server
+      dockerfile: Dockerfile
+    restart: always
+    environment:
+      - FIRMWARE_VERSION=${FIRMWARE_VERSION:-1.2.1}
+      - FIRMWARE_MAC=${FIRMWARE_MAC:-extended-mac}
+      - FIRMWARE_PATH=/opt/cybics/update-server/firmware/firmware.bin
+    volumes:
+      - firmware_data:/opt/cybics/update-server/firmware
+    profiles:
+      - firmware-server
+    ports:
+      - 6689:6689
+    networks:
+      virt-cybics:
+        ipv4_address: 172.18.0.9
+
+  stm32:
+    image: mniedermaier1337/cybics-stm32:${CYBICS_VERSION:-latest}
+    build:
+      context: ../../software/stm32
+      dockerfile: Dockerfile
+    restart: "no"
+    ports:
+      - 3333:3333
+      - 4444:4444
+    volumes:
+      - firmware_data:/opt/cybics/firmware
+    environment:
+      - OPENOCD_MODE=${OPENOCD_MODE:-virtual}
+    networks:
+      virt-cybics:
+        ipv4_address: 172.18.0.7
+    profiles:
+      - hardware
 
 networks:
   virt-cybics:
@@ -183,3 +249,6 @@ networks:
         - subnet: 172.18.0.0/24
           gateway: 172.18.0.1
 
+volumes:
+  firmware_data:
+  firmware_keys:

.gitmodules

@@ -1,3 +1,3 @@
 [submodule "software/OpenPLC/OpenPLC_v3"]
 	path = software/OpenPLC/OpenPLC_v3
-	url = ../OpenPLC_v3
+	url = https://github.com/mniedermaier/openplc_v3

README.md

@@ -19,7 +19,7 @@
 
 ---
 
-## What is CybICS?
+## What is CybICS? ZERRRRRVUS
 
 CybICS (Cybersecurity for Industrial Control Systems) is an open-source training platform designed to help cybersecurity professionals, students, and researchers understand the unique challenges of securing industrial control systems (ICS) and SCADA environments.
 

software/build.sh

@@ -20,7 +20,8 @@ docker buildx build --platform linux/arm64 -t 172.17.0.1:5050/cybics-opcua:lates
 docker buildx build --platform linux/arm64 -t 172.17.0.1:5050/cybics-s7com:latest --push ./s7com
 docker buildx build --platform linux/arm64 -t 172.17.0.1:5050/cybics-fuxa:latest --push ./FUXA
 docker buildx build --platform linux/arm64 -t 172.17.0.1:5050/cybics-stm32:latest --push ./stm32
+docker buildx build --platform linux/arm64 -t 172.17.0.1:5050/cybics-update-server:latest --push ./update-server
 # Build landing service from root context
 docker buildx build --platform linux/arm64 -t 172.17.0.1:5050/cybics-landing:latest --push -f ./landing/Dockerfile ..
 
-# Note: Builder automatically switches back to default on EXIT via trap
+# Note: Builder automatically switches back to default on EXIT via trap

software/docker-compose.yaml

@@ -88,10 +88,29 @@ services:
     mem_limit: 32m
     ports:
       - 3333:3333
+    volumes:
+      - firmware_data:/opt/cybics/firmware
     networks:
       br-cybics:
         ipv4_address: 172.18.0.7
 
+  firmware-updater:
+    image: localhost:5000/cybics-firmware-updater:latest
+    restart: always
+    mem_limit: 64m
+    depends_on:
+      - stm32
+    volumes:
+      - firmware_data:/opt/cybics/firmware
+      - firmware_keys:/opt/cybics/keys
+    environment:
+      - UPDATE_SERVER_URL=${UPDATE_SERVER_URL:-http://update.cybics:8080}
+      - OPENOCD_HOST=stm32
+      - OPENOCD_TELNET_PORT=4444
+    networks:
+      br-cybics:
+        ipv4_address: 172.18.0.8
+
 networks:
   br-cybics:
     name: br-cybics
@@ -106,3 +125,5 @@ networks:
 
 volumes:
   fuxa_data:
+  firmware_data:
+  firmware_keys:

software/firmware-updater/Dockerfile

@@ -0,0 +1,21 @@
+FROM python:3.11-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    openocd \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt/cybics/update-service
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY update_daemon.py .
+COPY config.yaml .
+COPY generate_mac.py .
+COPY entrypoint.sh .
+RUN chmod +x entrypoint.sh
+
+# Persistent directories (override via volume mounts)
+RUN mkdir -p /opt/cybics/firmware /opt/cybics/keys /opt/cybics/logs
+
+ENTRYPOINT ["/opt/cybics/update-service/entrypoint.sh"]

software/firmware-updater/config.yaml

@@ -0,0 +1,36 @@
+# CybICS Firmware Update Service configuration
+#
+# Environment variable overrides (highest priority):
+#   UPDATE_SERVER_URL   – base URL of the update server
+#   OPENOCD_HOST        – hostname/IP of the OpenOCD server
+#   OPENOCD_TELNET_PORT – OpenOCD telnet port (default: 4444)
+#   CONFIG_PATH         – path to this config file
+
+update_server:
+  # Base URL of the firmware update endpoint.
+  # Under normal CTF operation this server does not exist (returns 404).
+  # Attackers redirect this hostname to their rogue server.
+  url: "http://update.cybics:8080"
+  endpoint: "/api/v1/firmware/latest"
+  # Polling interval in seconds
+  poll_interval: 30
+
+firmware:
+  # Path to the currently running firmware binary
+  current: "/opt/cybics/firmware/current.bin"
+  # Path where a downloaded firmware is staged before flashing
+  pending: "/opt/cybics/firmware/pending.bin"
+
+openocd:
+  # Hostname of the container running OpenOCD (stm32 service)
+  host: "stm32"
+  # OpenOCD telnet interface port
+  telnet_port: 4444
+
+security:
+  # Path to the 16-byte MAC secret key (generated by entrypoint.sh)
+  key_path: "/opt/cybics/keys/update.key"
+  # Hash algorithm used for MAC: MD5(secret || firmware)
+  algorithm: "md5"
+  # Secret key length in bytes (provided as CTF hint)
+  secret_length: 16

software/firmware-updater/entrypoint.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# CybICS Firmware Update Service – container entrypoint
+#
+# 1. Generates a random 16-byte MAC secret key on first run.
+# 2. Starts the Python update daemon.
+
+set -e
+
+KEY_FILE="/opt/cybics/keys/update.key"
+KEY_DIR="$(dirname "$KEY_FILE")"
+
+if [ ! -f "$KEY_FILE" ]; then
+    echo "[entrypoint] Generating 16-byte MAC secret key..."
+    mkdir -p "$KEY_DIR"
+    dd if=/dev/urandom bs=16 count=1 of="$KEY_FILE" 2>/dev/null
+    chmod 600 "$KEY_FILE"
+    echo "[entrypoint] MAC key written to $KEY_FILE"
+fi
+
+mkdir -p /opt/cybics/firmware /opt/cybics/logs
+
+exec python3 /opt/cybics/update-service/update_daemon.py

software/firmware-updater/generate_mac.py

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+"""
+CTF setup helper – generate the initial MAC for a firmware binary.
+
+Usage:
+    python3 generate_mac.py <firmware.bin> <key_file>
+
+The resulting hex string is the MAC that update clients will verify.
+Participants receive the firmware binary and this MAC as their starting
+artefacts and must perform a Length Extension Attack to forge a valid
+MAC for a modified firmware.
+"""
+
+import hashlib
+import sys
+
+
+def generate_mac(firmware_path: str, key_path: str) -> str:
+    """Return MD5(secret || firmware) as a hex string."""
+    with open(firmware_path, "rb") as f:
+        firmware = f.read()
+    with open(key_path, "rb") as f:
+        secret = f.read()
+    return hashlib.md5(secret + firmware).hexdigest()
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 3:
+        print(f"Usage: {sys.argv[0]} <firmware.bin> <key_file>", file=sys.stderr)
+        sys.exit(1)
+    print(generate_mac(sys.argv[1], sys.argv[2]))

software/firmware-updater/requirements.txt

@@ -0,0 +1,2 @@
+requests>=2.31.0
+pyyaml>=6.0