Add ansible playbooks
parent
9dca42d692
commit
f4b89117bd
|
@ -1,19 +0,0 @@
|
|||
Welcome to Locked Shields 2024 Linux challenge. Here are the credentials to your
|
||||
VM with all the tasks described after first login.
|
||||
|
||||
VM details:
|
||||
- IP: 64.227.120.192
|
||||
- Username: root
|
||||
- Password: Admin1Admin1
|
||||
- ssh access key:
|
||||
-----BEGIN OPENSSH PRIVATE KEY-----
|
||||
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
|
||||
QyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQAAALAQAixuEAIs
|
||||
bgAAAAtzc2gtZWQyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQ
|
||||
AAAEB7zUu4b0VNeTX7zTwE5DQNXABZ26tw1EhOMZ0B/yCmgu/DLidFTt BEa8YbFKE1Dwy
|
||||
jbhdxhgZJGZYDOsbFGVhAAAAJm5lamNASmVybmVqLVBvcmVudGFzLU1hY0Jvb2stUHJvLm
|
||||
xvY2FsAQIDBAUGBw==
|
||||
-----END OPENSSH PRIVATE KEY-----
|
||||
|
||||
|
||||
This message can be viewed only once, so don't forget to store the credentials.
|
|
@ -0,0 +1,35 @@
|
|||
iserver {
|
||||
listen 443 ssl default_server;
|
||||
listen [::]:443 ssl default_server;
|
||||
|
||||
include snippets/snakeoil.conf;
|
||||
|
||||
root /var/www/html;
|
||||
index index.html index.htm index.php;
|
||||
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
|
||||
location /2048/ {
|
||||
proxy_pass http://localhost:8018/;
|
||||
proxy_set_header Host $host;
|
||||
|
||||
# Add security headers
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
}
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location ~ \.php$ {
|
||||
include snippets/fastcgi-php.conf;
|
||||
fastcgi_pass unix:/run/php/php-fpm.sock;
|
||||
}
|
||||
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
}
|
||||
}
|
|
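Review bot: The `location ~ /\. { deny all; }` block at the end of the hunk is declared after `location ~ \.php$ {`, and nginx takes the first matching regex location, so a request such as `/.hidden/x.php` is handed to PHP-FPM instead of being denied; move the dot-file block above the PHP block. The three `add_header` lines are set inside `location /2048/` only, so `location /` and the PHP location send none of them — hoist them to `server` level (and `X-XSS-Protection` is ignored by current browsers, so `X-Frame-Options` and `X-Content-Type-Options` are the ones that matter). `listen 80 default_server;` serves the same document root over plaintext next to the TLS listener; if that is not required, a `return 301 https://$host$request_uri;` server on port 80 is the safer shape. The first line renders as `iserver {`; if that leading `i` is really in the file rather than a rendering artifact, nginx will refuse the config, so run `nginx -t` before the playbook's reload.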
@ -1,37 +0,0 @@
|
|||
Last login: Thu Feb 1 14:51:05 2024 from 89.212.81.147
|
||||
_ _ _ _____ _ _ _ _ ___ _ _
|
||||
| | | | | |/ ____| | (_) | | | | |__ \| || |
|
||||
| | ___ ___| | _____ __| | (___ | |__ _ ___| | __| |___ ) | || |_
|
||||
| | / _ \ / __| |/ / _ \/ _` |\___ \| '_ \| |/ _ \ |/ _` / __| / /|__ _|
|
||||
| |___| (_) | (__| < __/ (_| |____) | | | | | __/ | (_| \__ \/ /_ | |
|
||||
|______\___/ \___|_|\_\___|\__,_|_____/|_| |_|_|\___|_|\__,_|___/____| |_|
|
||||
|
||||
Welcome to the very vulnerable VM, somewhat similar what we can expect at Locked
|
||||
Shields.
|
||||
|
||||
There are few tasks for you:
|
||||
- protect the VM preserving the following services in running (and secure)
|
||||
state:
|
||||
- web server
|
||||
- ssh server: all users (including root) should be allowed to login
|
||||
- dns server
|
||||
- identify as many vulnerabilities in the VM as possible
|
||||
- all passwords are set to `Admin1Admin1`. You are encouraged to change them.
|
||||
- write down the vulnerabilities with short explanation what this vulnerability
|
||||
can cause
|
||||
- write ansible playbook (preferred) or a bash script, which will mitigate the
|
||||
vulnerabilities and will still serve the web, ssh and dns services
|
||||
- share the "documentation" with description of identified vulnerabilities and
|
||||
code to lockedshields@ssrd.io. Github links preferred.
|
||||
|
||||
Some notes:
|
||||
- the VM will be forcefully shutdown so make changes permanent
|
||||
- root user should be allowed to login from 138.68.128.150 with the following ssh
|
||||
keys:
|
||||
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC55vv1HAHwUOxZ+Zn4IcswclUkLEP2eA0tJG3BwE0pO
|
||||
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKOliO5L0TA84lclwmsdu+Wcm/r3LDQH9G2jICZ3ECC
|
||||
- defense (and documentation, either through code or description) is more
|
||||
important than finding vulnerabilities
|
||||
- you do not need to go into details explaining vulnerabilities
|
||||
- we will share the planted vulnerabilities afterwards
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
---
|
||||
- name: Secure Nginx Web Server
|
||||
hosts: your_web_server
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Copy nginx configuration file with XSS protection and dot file access denial
|
||||
template:
|
||||
src: nginx_secure_config.j2
|
||||
dest: /etc/nginx/sites-available/default
|
||||
notify:
|
||||
- Reload Nginx
|
||||
|
||||
- name: Ensure nginx snakeoil.conf is included
|
||||
lineinfile:
|
||||
path: /etc/nginx/sites-available/default
|
||||
regexp: '^include snippets/snakeoil.conf;'
|
||||
line: 'include snippets/snakeoil.conf;'
|
||||
notify:
|
||||
- Reload Nginx
|
||||
|
||||
- name: Ensure nginx PHP location is configured correctly
|
||||
lineinfile:
|
||||
path: /etc/nginx/sites-available/default
|
||||
regexp: '^location ~ \.php\$ {'
|
||||
line: 'location ~ \.php$ {'
|
||||
notify:
|
||||
- Reload Nginx
|
||||
|
||||
handlers:
|
||||
- name: Reload Nginx
|
||||
systemd:
|
||||
name: nginx
|
||||
state: restarted
|
|
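Review bot: The two `lineinfile` tasks after the `template` task are redundant with it (the template already writes the whole file) and their regexps will not match what the template produces: `'^location ~ \.php\$ {'` matches a literal `location ~ .php$ {`, while the config in this commit contains `location ~ \.php$ {` with a backslash, and both `^`-anchored patterns also miss directives that are indented inside the `server` block (the rendering here drops indentation, so this is inferred). When a `lineinfile` regexp never matches, the module appends `line` at end of file, i.e. after the closing `}`, which breaks the site config on the next reload; drop both tasks, or at least anchor with `^\s*` and escape the backslash. The `Reload Nginx` handler actually does `state: restarted`; `state: reloaded` matches its name and keeps connections, and a `command: nginx -t` step before it protects against a bad template taking the site down. `become: yes` should be `become: true`, and `hosts: your_web_server` differs from the `your_target_host` placeholder the other playbooks use.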
@ -0,0 +1,7 @@
|
|||
---
|
||||
- name: Delete shell.php in Podman container
|
||||
hosts: localhost
|
||||
gather_facts: no
|
||||
tasks:
|
||||
- name: Run Podman command to delete shell.php
|
||||
command: "podman exec -it 4d05d4a1a404 rm -f /var/www/html/shell.php"
|
|
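Review bot: `podman exec -it` in the `command` task asks for an interactive TTY, which Ansible does not provide, so the exec will fail or warn before `rm` runs; use `command: podman exec 4d05d4a1a404 rm -f /var/www/html/shell.php`. The short container id `4d05d4a1a404` changes whenever the container is recreated, so the task silently stops applying after a redeploy; address the container by name instead. If `shell.php` comes from the image layer or a mounted volume (not visible on this page), deleting it inside the running container is undone on the next recreate — check the image and `podman inspect` mounts and remove it at the source. `hosts: localhost` with no `become` is inconsistent with the other playbooks, which target `your_target_host` with `become`, and `gather_facts: no` should be spelled `false`.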
@ -0,0 +1,13 @@
|
|||
---
|
||||
- name: Unset functions and kill processes
|
||||
hosts: your_target_host
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Unset functions netstat, ps, pstree, and ss
|
||||
shell: unset -f netstat ps pstree ss
|
||||
ignore_errors: yes
|
||||
|
||||
- name: Find and kill processes using port 2227
|
||||
shell: |
|
||||
ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*pid=//;s/,.*//' | xargs kill -9
|
||||
ignore_errors: yes
|
|
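Review bot: `shell: unset -f netstat ps pstree ss` has no effect on the host: it runs in a throw-away non-interactive shell, so only that shell's functions are unset, while the shadowing definitions (the `ss ()` function quoted in the notes in this commit) stay in whichever rc file defines them. Remove the definitions from that file instead, e.g. `blockinfile`/`lineinfile` with `state: absent` against `<RC-FILE-DEFINING-THE-FUNCTIONS>` (placeholder; the path is not on this page). The second task only kills the current listener, and the notes record that it comes back, so the launcher — the `SCREEN -d -m /usr/bin/socat TCP6-LISTEN:2227,...` parent shown in the notes and whatever starts it at boot — must be removed too; `pkill -9 -f 'socat TCP6-LISTEN:2227'` is also simpler than the `ss | grep | awk | sed` pipeline. In that pipeline `xargs kill -9` errors on empty input, which `ignore_errors: yes` then hides; use `xargs -r kill -9`, spell the booleans `true`, and prefer `failed_when` on a specific condition over blanket `ignore_errors`.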
@ -0,0 +1,42 @@
|
|||
---
|
||||
- name: Update SSH server configuration
|
||||
hosts: your_target_host
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Disable empty password login
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^PermitEmptyPasswords'
|
||||
line: 'PermitEmptyPasswords no'
|
||||
notify:
|
||||
- Restart SSH
|
||||
|
||||
- name: Disable password authentication
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^PasswordAuthentication'
|
||||
line: 'PasswordAuthentication no'
|
||||
notify:
|
||||
- Restart SSH
|
||||
|
||||
- name: Update AuthorizedKeysFile
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^AuthorizedKeysFile'
|
||||
line: 'AuthorizedKeysFile .ssh/authorized_keys'
|
||||
notify:
|
||||
- Restart SSH
|
||||
|
||||
- name: Remove other AuthorizedKeysFile settings
|
||||
replace:
|
||||
path: /etc/ssh/sshd_config
|
||||
regexp: '^AuthorizedKeysFile.*'
|
||||
replace: ''
|
||||
notify:
|
||||
- Restart SSH
|
||||
|
||||
handlers:
|
||||
- name: Restart SSH
|
||||
service:
|
||||
name: sshd
|
||||
state: restarted
|
|
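Review bot: The `Update AuthorizedKeysFile` and `Remove other AuthorizedKeysFile settings` tasks cancel each other: the `replace` regexp `^AuthorizedKeysFile.*` also matches the line the preceding `lineinfile` just wrote, so after the play no `AuthorizedKeysFile` directive remains (only an empty line); run the `replace` task first, then the `lineinfile`. `PasswordAuthentication no` is set, but nothing installs the two root keys from the brief or sets `PermitRootLogin`, so on a host where root has no authorized key this locks root out even though the brief requires root login from 138.68.128.150 — add an `authorized_key` task for those keys ahead of this change. Each `lineinfile` here should carry `validate: '/usr/sbin/sshd -t -f %s'` so a typo is not restarted into a service you depend on for access, and on Debian/Ubuntu (the notes show an Ubuntu host) the unit is `ssh`; `sshd` only works where it is an alias. Recent Ubuntu `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it sees, so a drop-in there silently overrides these lines — check that directory as well. `become: yes` should be `become: true`.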
@ -0,0 +1,15 @@
|
|||
---
|
||||
- name: Remove and restart cron job
|
||||
hosts: your_target_host
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Remove the specified cron job
|
||||
lineinfile:
|
||||
path: /etc/cron.d/e2scrub_all # Specify the path to your cron job file
|
||||
regexp: '^(.*/sbin/xfsscrub_all.*)$' # Match the line containing /sbin/xfsscrub_all
|
||||
state: absent # Remove the line if found
|
||||
|
||||
- name: Restart the cron service
|
||||
service:
|
||||
name: cron
|
||||
state: restarted
|
|
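Review bot: Removing the `/sbin/xfsscrub_all` line from `/etc/cron.d/e2scrub_all` leaves the executable itself on disk; the stock e2scrub job runs `/sbin/e2scrub_all`, so `xfsscrub_all` looks like a look-alike, but the page does not show the file, so confirm before adding `file: {path: /sbin/xfsscrub_all, state: absent}` and checking root's crontab, `/etc/crontab` and systemd timers for the same command. The unconditional `Restart the cron service` task is unnecessary — cron re-reads `/etc/cron.d` on its own — and makes every run report changed; if you keep it, make it a handler notified by the `lineinfile` task. `become: yes` should be `become: true`.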
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Fix MySQL systemd service and restart MySQL
|
||||
hosts: your_target_host
|
||||
become: yes
|
||||
tasks:
|
||||
- name: Remove --skip-grant-tables from mysql.service file
|
||||
lineinfile:
|
||||
path: /lib/systemd/system/mysql.service
|
||||
regexp: '^ExecStart=/usr/sbin/mysqld --skip-grant-tables'
|
||||
line: 'ExecStart=/usr/sbin/mysqld'
|
||||
notify:
|
||||
- Reload and Restart MySQL
|
||||
|
||||
- name: Reload and Restart MySQL
|
||||
systemd:
|
||||
name: mysql
|
||||
state: restarted
|
||||
ignore_errors: yes
|
||||
|
|
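Review bot: `notify: Reload and Restart MySQL` names a handler that does not exist — the task of that name sits under `tasks:`, not `handlers:` — so as soon as the `lineinfile` task reports a change Ansible aborts with a "requested handler was not found" error and the restart never runs. Move it under `handlers:` and add `daemon_reload: true`, because systemd does not see an edited unit file until `daemon-reload` runs; editing `/lib/systemd/system/mysql.service` in place is also undone by the next package upgrade, so a drop-in in `/etc/systemd/system/mysql.service.d/` setting `ExecStart=` and then the clean command line is the durable form. The regexp is a prefix match, so an `ExecStart` line carrying further flags after `--skip-grant-tables` loses them too, and if it matches nothing `lineinfile` appends `ExecStart=/usr/sbin/mysqld` after `[Install]`, which systemd rejects. `ignore_errors: yes` on the restart hides exactly the failure you need to see; drop it and spell booleans `true`/`false`. Once grant tables are enforced again, rotate the MySQL account passwords, since the notes state they are all the known default.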
@ -392,6 +392,8 @@ ss ()
|
|||
}
|
||||
```
|
||||
|
||||
|
||||
|
||||
Tried:
|
||||
|
||||
```bash
|
||||
|
@ -417,6 +419,15 @@ root@ls-2024-9:/etc/ssh# ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*p
|
|||
1673
|
||||
```
|
||||
|
||||
After some time reverse shell is back.
|
||||
|
||||
```bash
|
||||
root 1672 0.0 0.1 4172 1952 ? Ss 08:01 0:00 SCREEN -d -m /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr
|
||||
root 1673 0.0 0.0 10292 900 pts/1 Ss+ 08:01 0:00 \_ /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr
|
||||
```
|
||||
|
||||
Killed it and I hope it does not come back.
|
||||
|
||||
### e bit in pexec
|
||||
|
||||
```bash
|
||||
|
@ -747,3 +758,56 @@ grep -R "meta l4proto tcp ip saddr 10.88.0.0/16 tcp dport 8018 counter packets"
|
|||
Returns empty match.
|
||||
|
||||
But iguess this is just for the container to communicate. Nothing to worry about iguess.
|
||||
|
||||
|
||||
### SMTP
|
||||
|
||||
|
||||
```bash
|
||||
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
|
||||
|
||||
|
||||
# Debian specific: Specifying a file name will cause the first
|
||||
# line of that file to be used as the name. The Debian default
|
||||
# is /etc/mailname.
|
||||
#myorigin = /etc/mailname
|
||||
|
||||
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
|
||||
biff = no
|
||||
|
||||
# appending .domain is the MUA's job.
|
||||
append_dot_mydomain = no
|
||||
|
||||
# Uncomment the next line to generate "delayed mail" warnings
|
||||
#delay_warning_time = 4h
|
||||
|
||||
readme_directory = no
|
||||
|
||||
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
|
||||
# fresh installs.
|
||||
compatibility_level = 3.6
|
||||
|
||||
|
||||
|
||||
# TLS parameters
|
||||
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
|
||||
smtpd_tls_security_level=may
|
||||
|
||||
smtp_tls_CApath=/etc/ssl/certs
|
||||
smtp_tls_security_level=may
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
|
||||
|
||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||
myhostname = ls-2024-9
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
mydestination = $myhostname, ls-2024-9, localhost.localdomain, , localhost
|
||||
relayhost =
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||
mailbox_size_limit = 0
|
||||
recipient_delimiter = +
|
||||
inet_interfaces = all
|
||||
inet_protocols = all
|
||||
```
|
||||
|
|