Add ansible playbooks
parent
9dca42d692
commit
f4b89117bd
@ -1,19 +0,0 @@
|
||||||
Welcome to Locked Shields 2024 Linux challenge. Here are the credentials to your
|
|
||||||
VM with all the tasks described after first login.
|
|
||||||
|
|
||||||
VM details:
|
|
||||||
- IP: 64.227.120.192
|
|
||||||
- Username: root
|
|
||||||
- Password: Admin1Admin1
|
|
||||||
- ssh access key:
|
|
||||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
||||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
|
||||||
QyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQAAALAQAixuEAIs
|
|
||||||
bgAAAAtzc2gtZWQyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQ
|
|
||||||
AAAEB7zUu4b0VNeTX7zTwE5DQNXABZ26tw1EhOMZ0B/yCmgu/DLidFTt BEa8YbFKE1Dwy
|
|
||||||
jbhdxhgZJGZYDOsbFGVhAAAAJm5lamNASmVybmVqLVBvcmVudGFzLU1hY0Jvb2stUHJvLm
|
|
||||||
xvY2FsAQIDBAUGBw==
|
|
||||||
-----END OPENSSH PRIVATE KEY-----
|
|
||||||
|
|
||||||
|
|
||||||
This message can be viewed only once, so don't forget to store the credentials.
|
|
|
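--- /dev/null
+++ b/PATH-NOT-SHOWN-nginx-site-config
@@ -0,0 +1,35 @@
+iserver {
+listen 443 ssl default_server;
+listen [::]:443 ssl default_server;
+
+include snippets/snakeoil.conf;
+
+root /var/www/html;
+index index.html index.htm index.php;
+
+listen 80 default_server;
+server_name _;
+
+location /2048/ {
+proxy_pass http://localhost:8018/;
+proxy_set_header Host $host;
+
+# Add security headers
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options "nosniff";
+add_header X-XSS-Protection "1; mode=block";
+}
+
+location / {
+try_files $uri $uri/ =404;
+}
+
+location ~ \.php$ {
+include snippets/fastcgi-php.conf;
+fastcgi_pass unix:/run/php/php-fpm.sock;
+}
+
+location ~ /\. {
+deny all;
+}
+}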
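Review bot: The three `add_header` directives under `# Add security headers` are placed inside `location /2048/`, and nginx only inherits `add_header` downward from a level that defines none of its own, so responses from `location /` and from the PHP location carry no security headers at all; move `add_header X-Frame-Options "SAMEORIGIN";`, `add_header X-Content-Type-Options "nosniff";` and `add_header X-XSS-Protection "1; mode=block";` up to the `server` level (and consider replacing the deprecated `X-XSS-Protection` with a Content-Security-Policy). The same server block also has `listen 80 default_server;`, so the PHP site is served over plain HTTP with no redirect; a separate port-80 server that returns a 301 to https is the usual shape. `snippets/snakeoil.conf` is the self-signed placeholder certificate, acceptable for the exercise but worth stating in the write-up. The first line renders as `iserver {`, presumably a rendering artifact of `server {`.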
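--- a/PATH-NOT-SHOWN-motd
+++ /dev/null
@@ -1,37 +0,0 @@
-Last login: Thu Feb 1 14:51:05 2024 from 89.212.81.147
-_ _ _ _____ _ _ _ _ ___ _ _
-| | | | | |/ ____| | (_) | | | | |__ \| || |
-| | ___ ___| | _____ __| | (___ | |__ _ ___| | __| |___ ) | || |_
-| | / _ \ / __| |/ / _ \/ _` |\___ \| '_ \| |/ _ \ |/ _` / __| / /|__ _|
-| |___| (_) | (__| < __/ (_| |____) | | | | | __/ | (_| \__ \/ /_ | |
-|______\___/ \___|_|\_\___|\__,_|_____/|_| |_|_|\___|_|\__,_|___/____| |_|
-
-Welcome to the very vulnerable VM, somewhat similar what we can expect at Locked
-Shields.
-
-There are few tasks for you:
-- protect the VM preserving the following services in running (and secure)
-state:
-- web server
-- ssh server: all users (including root) should be allowed to login
-- dns server
-- identify as many vulnerabilities in the VM as possible
-- all passwords are set to `Admin1Admin1`. You are encouraged to change them.
-- write down the vulnerabilities with short explanation what this vulnerability
-can cause
-- write ansible playbook (preferred) or a bash script, which will mitigate the
-vulnerabilities and will still serve the web, ssh and dns services
-- share the "documentation" with description of identified vulnerabilities and
-code to lockedshields@ssrd.io. Github links preferred.
-
-Some notes:
-- the VM will be forcefully shutdown so make changes permanent
-- root user should be allowed to login from 138.68.128.150 with the following ssh
-keys:
-- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC55vv1HAHwUOxZ+Zn4IcswclUkLEP2eA0tJG3BwE0pO
-- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKOliO5L0TA84lclwmsdu+Wcm/r3LDQH9G2jICZ3ECC
-- defense (and documentation, either through code or description) is more
-important than finding vulnerabilities
-- you do not need to go into details explaining vulnerabilities
-- we will share the planted vulnerabilities afterwards
-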
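--- /dev/null
+++ b/PATH-NOT-SHOWN-nginx-playbook
@@ -0,0 +1,33 @@
+---
+- name: Secure Nginx Web Server
+hosts: your_web_server
+become: yes
+tasks:
+- name: Copy nginx configuration file with XSS protection and dot file access denial
+template:
+src: nginx_secure_config.j2
+dest: /etc/nginx/sites-available/default
+notify:
+- Reload Nginx
+
+- name: Ensure nginx snakeoil.conf is included
+lineinfile:
+path: /etc/nginx/sites-available/default
+regexp: '^include snippets/snakeoil.conf;'
+line: 'include snippets/snakeoil.conf;'
+notify:
+- Reload Nginx
+
+- name: Ensure nginx PHP location is configured correctly
+lineinfile:
+path: /etc/nginx/sites-available/default
+regexp: '^location ~ \.php\$ {'
+line: 'location ~ \.php$ {'
+notify:
+- Reload Nginx
+
+handlers:
+- name: Reload Nginx
+systemd:
+name: nginx
+state: restarted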
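Review bot: The two `lineinfile` tasks ('Ensure nginx snakeoil.conf is included' and 'Ensure nginx PHP location is configured correctly') edit the file the `template` task has just rendered, and their `^`-anchored regexps will not match if the directives are indented inside `server { }` in the template; `lineinfile` then appends `line` at the end of the file, leaving an unclosed `location ~ \.php$ {` after the final `}`, and the notified restart takes nginx down. Both tasks duplicate what the template already provides and should be removed so the configuration has a single source. The handler is named 'Reload Nginx' but runs `state: restarted`; `state: reloaded` keeps existing connections and matches the name. Because `template` cannot validate a single site file with `nginx -t`, add a `command: nginx -t` task between the template and the handler so a broken config fails the play rather than the service.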
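--- /dev/null
+++ b/PATH-NOT-SHOWN-podman-playbook
@@ -0,0 +1,7 @@
+---
+- name: Delete shell.php in Podman container
+hosts: localhost
+gather_facts: no
+tasks:
+- name: Run Podman command to delete shell.php
+command: "podman exec -it 4d05d4a1a404 rm -f /var/www/html/shell.php"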
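Review bot: `podman exec -it 4d05d4a1a404 …` in 'Run Podman command to delete shell.php' requests a TTY, which Ansible's `command` module does not provide, so the exec will most likely fail before `rm` runs; drop the flags: `command: podman exec 4d05d4a1a404 rm -f /var/www/html/shell.php`. The hard-coded id `4d05d4a1a404` belongs to one container instance and will not survive the container being recreated; resolve it by name (`podman ps --filter name=… --format '{{.ID}}'`) or act on the volume or image the web root comes from. Deleting the file also leaves open how it got there: if the web root is a bind mount or the file is baked into the image, it returns on the next container start, so the source needs fixing as well. `hosts: localhost` differs from the `your_target_host` used by the other playbooks, so as written this play runs on the control node rather than the VM.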
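--- /dev/null
+++ b/PATH-NOT-SHOWN-unset-kill-playbook
@@ -0,0 +1,13 @@
+---
+- name: Unset functions and kill processes
+hosts: your_target_host
+become: yes
+tasks:
+- name: Unset functions netstat, ps, pstree, and ss
+shell: unset -f netstat ps pstree ss
+ignore_errors: yes
+
+- name: Find and kill processes using port 2227
+shell: |
+ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*pid=//;s/,.*//' | xargs kill -9
+ignore_errors: yes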
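Review bot: `shell: unset -f netstat ps pstree ss` in 'Unset functions netstat, ps, pstree, and ss' runs in a throw-away non-interactive shell that Ansible spawns and discards, so it changes nothing on the host; the shadowing functions presumably live in a shell startup file (the README hunk headed `ss ()` points at one), and the durable fix is to delete those definitions from that file with `lineinfile`/`blockinfile` and `state: absent`, which is also idempotent. The kill task only removes the current `socat` listener on 2227; the README itself notes the shell "is back" after some time, so whatever respawns it has to be removed too or this task is cosmetic. `xargs kill -9` with no pids invokes `kill -9` with no arguments and errors, which `ignore_errors: yes` then hides; use `xargs -r kill` so an already-clean host reports ok, and drop `ignore_errors` so real failures surface.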
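--- /dev/null
+++ b/PATH-NOT-SHOWN-sshd-playbook
@@ -0,0 +1,42 @@
+---
+- name: Update SSH server configuration
+hosts: your_target_host
+become: yes
+tasks:
+- name: Disable empty password login
+lineinfile:
+path: /etc/ssh/sshd_config
+regexp: '^PermitEmptyPasswords'
+line: 'PermitEmptyPasswords no'
+notify:
+- Restart SSH
+
+- name: Disable password authentication
+lineinfile:
+path: /etc/ssh/sshd_config
+regexp: '^PasswordAuthentication'
+line: 'PasswordAuthentication no'
+notify:
+- Restart SSH
+
+- name: Update AuthorizedKeysFile
+lineinfile:
+path: /etc/ssh/sshd_config
+regexp: '^AuthorizedKeysFile'
+line: 'AuthorizedKeysFile .ssh/authorized_keys'
+notify:
+- Restart SSH
+
+- name: Remove other AuthorizedKeysFile settings
+replace:
+path: /etc/ssh/sshd_config
+regexp: '^AuthorizedKeysFile.*'
+replace: ''
+notify:
+- Restart SSH
+
+handlers:
+- name: Restart SSH
+service:
+name: sshd
+state: restarted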
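Review bot: The `replace` task 'Remove other AuthorizedKeysFile settings' runs after 'Update AuthorizedKeysFile', and its regexp `^AuthorizedKeysFile.*` matches the very line the previous task just wrote, so the play ends with no `AuthorizedKeysFile` directive at all (and an empty line in its place); run the `replace` before the `lineinfile`, or drop it and let a single `replace` with the wanted value handle duplicates. None of the `lineinfile` tasks validates the result; add `validate: /usr/sbin/sshd -t -f %s` to each so a syntax error fails the task instead of leaving sshd unable to come back after the handler restarts it. `PasswordAuthentication no` locks out every account that has no key, which the challenge text "all users (including root) should be allowed to login" may not permit, and nothing here sets `PermitRootLogin prohibit-password` or a `Match Address 138.68.128.150` block for the key-only root access the brief asks for. The handler uses `name: sshd`; on Ubuntu the unit is `ssh` (sshd is only an alias on newer releases), so confirm which name the host accepts.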
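--- /dev/null
+++ b/PATH-NOT-SHOWN-cron-playbook
@@ -0,0 +1,15 @@
+---
+- name: Remove and restart cron job
+hosts: your_target_host
+become: yes
+tasks:
+- name: Remove the specified cron job
+lineinfile:
+path: /etc/cron.d/e2scrub_all # Specify the path to your cron job file
+regexp: '^(.*/sbin/xfsscrub_all.*)$' # Match the line containing /sbin/xfsscrub_all
+state: absent # Remove the line if found
+
+- name: Restart the cron service
+service:
+name: cron
+state: restarted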
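Review bot: 'Restart the cron service' runs unconditionally on every play, so the play never reports an idempotent run, and the restart is unnecessary anyway because cron re-reads `/etc/cron.d` by itself when a file changes; drop the task or make it a handler triggered by `notify` from the `lineinfile` task. Removing the line leaves the program it invoked, `/sbin/xfsscrub_all`, on the host; the name mimics the legitimate `e2scrub_all`/`xfs_scrub_all`, so check `dpkg -S /sbin/xfsscrub_all`, and if no package owns it, record its hash for the write-up and remove it with `file: path: /sbin/xfsscrub_all state: absent`. The capture group in `^(.*/sbin/xfsscrub_all.*)$` is unused with `state: absent`; the simpler `/sbin/xfsscrub_all` matches the same lines.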
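--- /dev/null
+++ b/PATH-NOT-SHOWN-mysql-playbook
@@ -0,0 +1,19 @@
+---
+- name: Fix MySQL systemd service and restart MySQL
+hosts: your_target_host
+become: yes
+tasks:
+- name: Remove --skip-grant-tables from mysql.service file
+lineinfile:
+path: /lib/systemd/system/mysql.service
+regexp: '^ExecStart=/usr/sbin/mysqld --skip-grant-tables'
+line: 'ExecStart=/usr/sbin/mysqld'
+notify:
+- Reload and Restart MySQL
+
+- name: Reload and Restart MySQL
+systemd:
+name: mysql
+state: restarted
+ignore_errors: yes
+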
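Review bot: The `lineinfile` task notifies `Reload and Restart MySQL`, but that name is defined as an ordinary task rather than under a `handlers:` section, so Ansible aborts the play with a missing-handler error instead of restarting anything; move the task under `handlers:` and drop `ignore_errors: yes`, which would otherwise hide the one failure this play exists to catch. The `systemd` call also lacks `daemon_reload: yes`, so even a successful restart keeps running the cached unit with `--skip-grant-tables`; add `daemon_reload: yes` next to `state: restarted`. Editing `/lib/systemd/system/mysql.service` in place is undone by the next package upgrade; a drop-in under `/etc/systemd/system/mysql.service.d/` that clears `ExecStart=` and then sets `ExecStart=/usr/sbin/mysqld` is the durable form. The regexp only matches when the flag directly follows the binary, so verify the result with `systemctl show -p ExecStart mysql` after the restart, and since the server ran without grant checks, treat its credentials as exposed and rotate them once grants are enforced again.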
@ -392,6 +392,8 @@ ss ()
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Tried:
|
Tried:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -417,6 +419,15 @@ root@ls-2024-9:/etc/ssh# ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*p
|
||||||
1673
|
1673
|
||||||
```
|
```
|
||||||
|
|
||||||
|
After some time reverse shell is back.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root 1672 0.0 0.1 4172 1952 ? Ss 08:01 0:00 SCREEN -d -m /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr
|
||||||
|
root 1673 0.0 0.0 10292 900 pts/1 Ss+ 08:01 0:00 \_ /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr
|
||||||
|
```
|
||||||
|
|
||||||
|
Killed it and I hope it does not come back.
|
||||||
|
|
||||||
### e bit in pexec
|
### e bit in pexec
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -747,3 +758,56 @@ grep -R "meta l4proto tcp ip saddr 10.88.0.0/16 tcp dport 8018 counter packets"
|
||||||
Returns empty match.
|
Returns empty match.
|
||||||
|
|
||||||
But iguess this is just for the container to communicate. Nothing to worry about iguess.
|
But iguess this is just for the container to communicate. Nothing to worry about iguess.
|
||||||
|
|
||||||
|
|
||||||
|
### SMTP
|
||||||
|
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||||||
|
|
||||||
|
|
||||||
|
# Debian specific: Specifying a file name will cause the first
|
||||||
|
# line of that file to be used as the name. The Debian default
|
||||||
|
# is /etc/mailname.
|
||||||
|
#myorigin = /etc/mailname
|
||||||
|
|
||||||
|
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
|
||||||
|
biff = no
|
||||||
|
|
||||||
|
# appending .domain is the MUA's job.
|
||||||
|
append_dot_mydomain = no
|
||||||
|
|
||||||
|
# Uncomment the next line to generate "delayed mail" warnings
|
||||||
|
#delay_warning_time = 4h
|
||||||
|
|
||||||
|
readme_directory = no
|
||||||
|
|
||||||
|
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
|
||||||
|
# fresh installs.
|
||||||
|
compatibility_level = 3.6
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# TLS parameters
|
||||||
|
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
smtpd_tls_security_level=may
|
||||||
|
|
||||||
|
smtp_tls_CApath=/etc/ssl/certs
|
||||||
|
smtp_tls_security_level=may
|
||||||
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
|
||||||
|
|
||||||
|
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||||
|
myhostname = ls-2024-9
|
||||||
|
alias_maps = hash:/etc/aliases
|
||||||
|
alias_database = hash:/etc/aliases
|
||||||
|
mydestination = $myhostname, ls-2024-9, localhost.localdomain, , localhost
|
||||||
|
relayhost =
|
||||||
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||||
|
mailbox_size_limit = 0
|
||||||
|
recipient_delimiter = +
|
||||||
|
inet_interfaces = all
|
||||||
|
inet_protocols = all
|
||||||
|
```
|
||||||
|
|