From f4b89117bd33f4be581afb7494410919466d09b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ga=C5=A1per=20Spagnolo?= Date: Fri, 2 Feb 2024 12:18:11 +0100 Subject: [PATCH] Add ansible playbooks --- ansible/creds.txt | 19 ------ ansible/files/nginx_secure_config.j2 | 35 ++++++++++ ansible/notes.txt | 37 ----------- ansible/playbooks/01-secure-nginx-server.yml | 33 ++++++++++ ansible/playbooks/02-delete-podman-shell.yml | 7 ++ ansible/playbooks/03-unset-and-kill.yml | 13 ++++ ansible/playbooks/04-update-sshd-config.yml | 42 ++++++++++++ .../playbooks/05-remove-cron-rev-shell.yml | 15 +++++ .../playbooks/06-fix-mysqldb-permissions.yml | 19 ++++++ report/Report.md | 64 +++++++++++++++++++ 10 files changed, 228 insertions(+), 56 deletions(-) delete mode 100644 ansible/creds.txt create mode 100644 ansible/files/nginx_secure_config.j2 delete mode 100644 ansible/notes.txt create mode 100644 ansible/playbooks/01-secure-nginx-server.yml create mode 100644 ansible/playbooks/02-delete-podman-shell.yml create mode 100644 ansible/playbooks/03-unset-and-kill.yml create mode 100644 ansible/playbooks/04-update-sshd-config.yml create mode 100644 ansible/playbooks/05-remove-cron-rev-shell.yml create mode 100644 ansible/playbooks/06-fix-mysqldb-permissions.yml diff --git a/ansible/creds.txt b/ansible/creds.txt deleted file mode 100644 index 8d96bc6..0000000 --- a/ansible/creds.txt +++ /dev/null 
@@ -1,19 +0,0 @@ -Welcome to Locked Shields 2024 Linux challenge. Here are the credentials to your -VM with all the tasks described after first login. - -VM details: -- IP: 64.227.120.192 -- Username: root -- Password: Admin1Admin1 -- ssh access key: ------BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW -QyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQAAALAQAixuEAIs -bgAAAAtzc2gtZWQyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQ -AAAEB7zUu4b0VNeTX7zTwE5DQNXABZ26tw1EhOMZ0B/yCmgu/DLidFTt BEa8YbFKE1Dwy -jbhdxhgZJGZYDOsbFGVhAAAAJm5lamNASmVybmVqLVBvcmVudGFzLU1hY0Jvb2stUHJvLm -xvY2FsAQIDBAUGBw== ------END OPENSSH PRIVATE KEY----- - - -This message can be viewed only once, so don't forget to store the credentials. diff --git a/ansible/files/nginx_secure_config.j2 b/ansible/files/nginx_secure_config.j2 new file mode 100644 index 0000000..86e2d53 --- /dev/null +++ b/ansible/files/nginx_secure_config.j2 @@ -0,0 +1,35 @@ +iserver { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + + include snippets/snakeoil.conf; + + root /var/www/html; + index index.html index.htm index.php; + + listen 80 default_server; + server_name _; + + location /2048/ { + proxy_pass http://localhost:8018/; + proxy_set_header Host $host; + + # Add security headers + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + add_header X-XSS-Protection "1; mode=block"; + } + + location / { + try_files $uri $uri/ =404; + } + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass unix:/run/php/php-fpm.sock; + } + + location ~ /\. { + deny all; + } +} diff --git a/ansible/notes.txt b/ansible/notes.txt deleted file mode 100644 index 803d710..0000000 --- a/ansible/notes.txt +++ /dev/null 
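Review bot: The template's first line is `iserver {` instead of `server {`, so `nginx -t` rejects the rendered file as an unknown directive and the `Reload Nginx` handler in `01-secure-nginx-server.yml` (`state: restarted`) would take the web server down instead of hardening it; the fix is the one-character change to `server {`. The three `add_header` lines sit only inside `location /2048/`, so `X-Frame-Options` and `X-Content-Type-Options` are not sent for `/` or for the PHP location; declaring them at `server` level applies them to every response, bearing in mind that nginx discards inherited `add_header` values in any location that declares its own. `X-XSS-Protection` is ignored or disabled by current browsers, so a `Content-Security-Policy` header is what actually mitigates reflected XSS here. `include snippets/snakeoil.conf;` serves the self-signed placeholder certificate; that is acceptable for the exercise but deserves a comment saying it is a stand-in for a real certificate.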
@@ -1,37 +0,0 @@ -Last login: Thu Feb 1 14:51:05 2024 from 89.212.81.147 - _ _ _ _____ _ _ _ _ ___ _ _ -| | | | | |/ ____| | (_) | | | | |__ \| || | -| | ___ ___| | _____ __| | (___ | |__ _ ___| | __| |___ ) | || |_ -| | / _ \ / __| |/ / _ \/ _` |\___ \| '_ \| |/ _ \ |/ _` / __| / /|__ _| -| |___| (_) | (__| < __/ (_| |____) | | | | | __/ | (_| \__ \/ /_ | | -|______\___/ \___|_|\_\___|\__,_|_____/|_| |_|_|\___|_|\__,_|___/____| |_| - -Welcome to the very vulnerable VM, somewhat similar what we can expect at Locked -Shields. - -There are few tasks for you: -- protect the VM preserving the following services in running (and secure) - state: - - web server - - ssh server: all users (including root) should be allowed to login - - dns server -- identify as many vulnerabilities in the VM as possible -- all passwords are set to `Admin1Admin1`. You are encouraged to change them. -- write down the vulnerabilities with short explanation what this vulnerability - can cause -- write ansible playbook (preferred) or a bash script, which will mitigate the - vulnerabilities and will still serve the web, ssh and dns services -- share the "documentation" with description of identified vulnerabilities and - code to lockedshields@ssrd.io. Github links preferred. - -Some notes: -- the VM will be forcefully shutdown so make changes permanent -- root user should be allowed to login from 138.68.128.150 with the following ssh - keys: - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC55vv1HAHwUOxZ+Zn4IcswclUkLEP2eA0tJG3BwE0pO - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKOliO5L0TA84lclwmsdu+Wcm/r3LDQH9G2jICZ3ECC -- defense (and documentation, either through code or description) is more - important than finding vulnerabilities -- you do not need to go into details explaining vulnerabilities -- we will share the planted vulnerabilities afterwards - diff --git a/ansible/playbooks/01-secure-nginx-server.yml b/ansible/playbooks/01-secure-nginx-server.yml new file mode 100644 index 0000000..8b7d3b3 
--- /dev/null
+++ b/ansible/playbooks/01-secure-nginx-server.yml
@@ -0,0 +1,33 @@
+---
+- name: Secure Nginx Web Server
+ hosts: your_web_server
+ become: yes
+ tasks:
+ - name: Copy nginx configuration file with XSS protection and dot file access denial
+ template:
+ src: nginx_secure_config.j2
+ dest: /etc/nginx/sites-available/default
+ notify:
+ - Reload Nginx
+
+ - name: Ensure nginx snakeoil.conf is included
+ lineinfile:
+ path: /etc/nginx/sites-available/default
+ regexp: '^include snippets/snakeoil.conf;'
+ line: 'include snippets/snakeoil.conf;'
+ notify:
+ - Reload Nginx
+
+ - name: Ensure nginx PHP location is configured correctly
+ lineinfile:
+ path: /etc/nginx/sites-available/default
+ regexp: '^location ~ \.php\$ {'
+ line: 'location ~ \.php$ {'
+ notify:
+ - Reload Nginx
+
+ handlers:
+ - name: Reload Nginx
+ systemd:
+ name: nginx
+ state: restarted
diff --git a/ansible/playbooks/02-delete-podman-shell.yml b/ansible/playbooks/02-delete-podman-shell.yml
new file mode 100644
index 0000000..36c34e0
--- /dev/null
+++ b/ansible/playbooks/02-delete-podman-shell.yml
@@ -0,0 +1,7 @@
+---
+- name: Delete shell.php in Podman container
+ hosts: localhost
+ gather_facts: no
+ tasks:
+ - name: Run Podman command to delete shell.php
+ command: "podman exec -it 4d05d4a1a404 rm -f /var/www/html/shell.php"
diff --git a/ansible/playbooks/03-unset-and-kill.yml b/ansible/playbooks/03-unset-and-kill.yml
new file mode 100644
index 0000000..48c05e3
--- /dev/null
+++ b/ansible/playbooks/03-unset-and-kill.yml
@@ -0,0 +1,13 @@
+---
+- name: Unset functions and kill processes
+ hosts: your_target_host
+ become: yes
+ tasks:
+ - name: Unset functions netstat, ps, pstree, and ss
+ shell: unset -f netstat ps pstree ss
+ ignore_errors: yes
+
+ - name: Find and kill processes using port 2227
+ shell: |
+ ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*pid=//;s/,.*//' | xargs kill -9
+ ignore_errors: yes
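Review bot: The two `lineinfile` tasks after the template are redundant and harmful: the template already contains both directives indented inside the `server` block, so the anchored regexps `'^include snippets/snakeoil.conf;'` and `'^location ~ \.php\$ {'` never match and each task appends its `line` at the end of the file, where a bare `location ~ \.php$ {` leaves an unclosed brace that makes nginx refuse the configuration. Drop both tasks and let the template own the file. The `Reload Nginx` handler uses `state: restarted` with no syntax check, so one bad render takes the site offline; use `state: reloaded` and define a `command: nginx -t` handler ahead of it that also carries `listen: Reload Nginx`, so the check runs first and a failure stops the reload. `hosts: your_web_server` is a placeholder that does not match the `your_target_host` group used by the other playbooks; a single inventory group keeps the set runnable as one `ansible-playbook` invocation.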
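Review bot: `podman exec -it` requests a TTY, which Ansible's `command` module does not provide, so the task fails on a non-interactive run; drop the flags and use `command: podman exec 4d05d4a1a404 rm -f /var/www/html/shell.php`. The play targets `hosts: localhost`, so it executes on the controller rather than on the compromised VM; it should use the same `your_target_host` group and `become: yes` as the other playbooks. The container id `4d05d4a1a404` is a hard-coded value that changes whenever the container is recreated, so resolve it by container name or a `podman ps --filter` lookup stored in a variable. Removing the web shell from a running container's writable layer is also not durable if the file comes from the image or a mounted volume, so the playbook should state where `shell.php` originated and remove it there too.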
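Review bot: `shell: unset -f netstat ps pstree ss` has no effect on the host: Ansible runs it in a fresh non-interactive shell, so it only unsets functions in that throwaway process, while the hijacked definitions (the Report.md hunk context shows an `ss ()` function body) remain in whatever rc or profile file declares them. The durable fix is to delete the function definitions from that file with `blockinfile`/`lineinfile` `state: absent`, and to verify the `ss`, `ps`, `netstat` and `pstree` binaries against the package database (`dpkg -V`) in case they were replaced as well. The kill pipeline depends on parsing `ss` output; `pkill -f 'socat TCP6-LISTEN:2227'` is simpler and matches the exact command line the report records for the listener. `ignore_errors: yes` on both tasks makes a missing listener and a broken pipeline indistinguishable from success, so keep it only on the kill task (`failed_when: false`) and check `rc` on the rest.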
diff --git a/ansible/playbooks/04-update-sshd-config.yml b/ansible/playbooks/04-update-sshd-config.yml
new file mode 100644
index 0000000..dfd305e
--- /dev/null
+++ b/ansible/playbooks/04-update-sshd-config.yml
@@ -0,0 +1,42 @@
+---
+- name: Update SSH server configuration
+ hosts: your_target_host
+ become: yes
+ tasks:
+ - name: Disable empty password login
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^PermitEmptyPasswords'
+ line: 'PermitEmptyPasswords no'
+ notify:
+ - Restart SSH
+
+ - name: Disable password authentication
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^PasswordAuthentication'
+ line: 'PasswordAuthentication no'
+ notify:
+ - Restart SSH
+
+ - name: Update AuthorizedKeysFile
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: '^AuthorizedKeysFile'
+ line: 'AuthorizedKeysFile .ssh/authorized_keys'
+ notify:
+ - Restart SSH
+
+ - name: Remove other AuthorizedKeysFile settings
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: '^AuthorizedKeysFile.*'
+ replace: ''
+ notify:
+ - Restart SSH
+
+ handlers:
+ - name: Restart SSH
+ service:
+ name: sshd
+ state: restarted
diff --git a/ansible/playbooks/05-remove-cron-rev-shell.yml b/ansible/playbooks/05-remove-cron-rev-shell.yml
new file mode 100644
index 0000000..cd363d3
--- /dev/null
+++ b/ansible/playbooks/05-remove-cron-rev-shell.yml
@@ -0,0 +1,15 @@
+---
+- name: Remove and restart cron job
+ hosts: your_target_host
+ become: yes
+ tasks:
+ - name: Remove the specified cron job
+ lineinfile:
+ path: /etc/cron.d/e2scrub_all # Specify the path to your cron job file
+ regexp: '^(.*/sbin/xfsscrub_all.*)$' # Match the line containing /sbin/xfsscrub_all
+ state: absent # Remove the line if found
+
+ - name: Restart the cron service
+ service:
+ name: cron
+ state: restarted
diff --git a/ansible/playbooks/06-fix-mysqldb-permissions.yml b/ansible/playbooks/06-fix-mysqldb-permissions.yml
new file mode 100644
index 0000000..23c234f
--- /dev/null
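Review bot: The last two tasks cancel each other: `Update AuthorizedKeysFile` writes `AuthorizedKeysFile .ssh/authorized_keys`, then `Remove other AuthorizedKeysFile settings` blanks every line matching `'^AuthorizedKeysFile.*'`, including the one just written, so sshd ends up with its built-in default (which also honours `authorized_keys2`). Run the `replace` task before the `lineinfile` task, or drop the `replace` task entirely, since the `lineinfile` regexp `'^AuthorizedKeysFile'` already rewrites the first matching line. Every `lineinfile` here appends at end of file when the regexp does not match a commented default such as `#PasswordAuthentication yes`, which lands the directive inside any trailing `Match` block; add `insertbefore: '^Match'` and `validate: '/usr/sbin/sshd -t -f %s'` so a bad edit never reaches the restart handler. If this is an Ubuntu release whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, those drop-ins take precedence over the lines edited here and need the same treatment, and `PermitRootLogin` is never set although the deleted notes say root must keep key-based access (`PermitRootLogin prohibit-password`). The handler names the service `sshd`; on Ubuntu the unit is `ssh`, and `sshd` only resolves where an alias unit exists, so it is worth confirming on the target.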
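Review bot: Removing the `/sbin/xfsscrub_all` line from `/etc/cron.d/e2scrub_all` stops the scheduler, but the binary it launched stays on disk and nothing here removes or quarantines it; add `file: path: /sbin/xfsscrub_all state: absent` (or move it aside for analysis) so another trigger cannot relaunch it. The report notes the port-2227 `socat` listener came back after being killed, so if the playbooks are applied in numeric order this one should run before `03-unset-and-kill.yml`, not after it. The trailing `# Specify the path to your cron job file` and `# Match the line ...` comments read as scaffold text; a single comment explaining why this file was chosen (presumably a planted `xfsscrub_all` entry next to the legitimate `e2scrub_all` job) would tell the next responder what to look for. Restarting `cron` is harmless but unnecessary, as cron re-reads `/etc/cron.d` on its own.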
+++ b/ansible/playbooks/06-fix-mysqldb-permissions.yml
@@ -0,0 +1,19 @@
+---
+- name: Fix MySQL systemd service and restart MySQL
+ hosts: your_target_host
+ become: yes
+ tasks:
+ - name: Remove --skip-grant-tables from mysql.service file
+ lineinfile:
+ path: /lib/systemd/system/mysql.service
+ regexp: '^ExecStart=/usr/sbin/mysqld --skip-grant-tables'
+ line: 'ExecStart=/usr/sbin/mysqld'
+ notify:
+ - Reload and Restart MySQL
+
+ - name: Reload and Restart MySQL
+ systemd:
+ name: mysql
+ state: restarted
+ ignore_errors: yes
+
diff --git a/report/Report.md b/report/Report.md
index b4b9f94..3ededc0 100644
--- a/report/Report.md
+++ b/report/Report.md
@@ -392,6 +392,8 @@ ss () } ``` + + Tried: ```bash
@@ -417,6 +419,15 @@ root@ls-2024-9:/etc/ssh# ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*p 1673 ``` +After some time reverse shell is back. + +```bash +root 1672 0.0 0.1 4172 1952 ? Ss 08:01 0:00 SCREEN -d -m /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr +root 1673 0.0 0.0 10292 900 pts/1 Ss+ 08:01 0:00 \_ /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr +``` + +Killed it and I hope it does not come back. + ### e bit in pexec ```bash
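Review bot: `notify: - Reload and Restart MySQL` refers to a handler, but `Reload and Restart MySQL` is defined as an ordinary task under `tasks:`, so Ansible aborts the play with a missing-handler error before the unit file is touched; move it under `handlers:` (or drop the `notify`). The edit changes `/lib/systemd/system/mysql.service`, so systemd must reload unit files before the restart or the old `--skip-grant-tables` command line keeps running; the `systemd` module offers `daemon_reload: yes` for exactly this. Editing the packaged unit is also undone by the next package upgrade, whereas a drop-in under `/etc/systemd/system/mysql.service.d/` that clears and re-sets `ExecStart=` survives it. `ignore_errors: yes` on the restart reports a MySQL that fails to come back as success, and removing the flag does not undo what was changed while grants were skipped (root password, extra accounts, `FILE` privilege), so those accounts need a separate review task.
```yaml
      notify:
        - Reload and Restart MySQL

  handlers:
    - name: Reload and Restart MySQL
      systemd:
        name: mysql
        state: restarted
        daemon_reload: yes
# … unchanged: play header and the lineinfile task …
```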
@@ -747,3 +758,56 @@ grep -R "meta l4proto tcp ip saddr 10.88.0.0/16 tcp dport 8018 counter packets" Returns empty match. But iguess this is just for the container to communicate. Nothing to worry about iguess. + + +### SMTP + + +```bash +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on +# fresh installs. +compatibility_level = 3.6 + + + +# TLS parameters +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_security_level=may + +smtp_tls_CApath=/etc/ssl/certs +smtp_tls_security_level=may +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + + +smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +myhostname = ls-2024-9 +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +mydestination = $myhostname, ls-2024-9, localhost.localdomain, , localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all +```