Add ansible playbooks

master
Gašper Spagnolo 2024-02-02 12:18:11 +01:00
parent 9dca42d692
commit f4b89117bd
10 changed files with 228 additions and 56 deletions


@ -1,19 +0,0 @@
Welcome to Locked Shields 2024 Linux challenge. Here are the credentials to your
VM with all the tasks described after first login.
VM details:
- IP: 64.227.120.192
- Username: root
- Password: Admin1Admin1
- ssh access key:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQAAALAQAixuEAIs
bgAAAAtzc2gtZWQyNTUxOQAAACDvwy4nRU7fgRGvGGxShNQ8Mo24XcYYGSRmWAzrGxRlYQ
AAAEB7zUu4b0VNeTX7zTwE5DQNXABZ26tw1EhOMZ0B/yCmgu/DLidFTt BEa8YbFKE1Dwy
jbhdxhgZJGZYDOsbFGVhAAAAJm5lamNASmVybmVqLVBvcmVudGFzLU1hY0Jvb2stUHJvLm
xvY2FsAQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----
This message can be viewed only once, so don't forget to store the credentials.


@ -0,0 +1,35 @@
iserver {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
include snippets/snakeoil.conf;
root /var/www/html;
index index.html index.htm index.php;
listen 80 default_server;
server_name _;
location /2048/ {
proxy_pass http://localhost:8018/;
proxy_set_header Host $host;
# Add security headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
}
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php-fpm.sock;
}
location ~ /\. {
deny all;
}
}
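Review bot: The first line of the new config reads `iserver {` rather than `server {`; Nginx rejects `iserver` as an unknown directive, so this file fails `nginx -t` and a restart triggered by the accompanying playbook would take the web server down instead of hardening it. The fix is `server {`. Separately, `listen 80 default_server;` lives in the same block as the two `ssl` listeners, so everything is also served in clear text on port 80; if that is not intended, a separate port-80 server block with `return 301 https://$host$request_uri;` is the usual shape. `X-XSS-Protection` is ignored by current browsers and harmless here; a `Content-Security-Policy` header is what actually constrains script injection if one is added later.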


@ -1,37 +0,0 @@
Last login: Thu Feb 1 14:51:05 2024 from 89.212.81.147
_ _ _ _____ _ _ _ _ ___ _ _
| | | | | |/ ____| | (_) | | | | |__ \| || |
| | ___ ___| | _____ __| | (___ | |__ _ ___| | __| |___ ) | || |_
| | / _ \ / __| |/ / _ \/ _` |\___ \| '_ \| |/ _ \ |/ _` / __| / /|__ _|
| |___| (_) | (__| < __/ (_| |____) | | | | | __/ | (_| \__ \/ /_ | |
|______\___/ \___|_|\_\___|\__,_|_____/|_| |_|_|\___|_|\__,_|___/____| |_|
Welcome to the very vulnerable VM, somewhat similar what we can expect at Locked
Shields.
There are few tasks for you:
- protect the VM preserving the following services in running (and secure)
state:
- web server
- ssh server: all users (including root) should be allowed to login
- dns server
- identify as many vulnerabilities in the VM as possible
- all passwords are set to `Admin1Admin1`. You are encouraged to change them.
- write down the vulnerabilities with short explanation what this vulnerability
can cause
- write ansible playbook (preferred) or a bash script, which will mitigate the
vulnerabilities and will still serve the web, ssh and dns services
- share the "documentation" with description of identified vulnerabilities and
code to lockedshields@ssrd.io. Github links preferred.
Some notes:
- the VM will be forcefully shutdown so make changes permanent
- root user should be allowed to login from 138.68.128.150 with the following ssh
keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC55vv1HAHwUOxZ+Zn4IcswclUkLEP2eA0tJG3BwE0pO
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINKOliO5L0TA84lclwmsdu+Wcm/r3LDQH9G2jICZ3ECC
- defense (and documentation, either through code or description) is more
important than finding vulnerabilities
- you do not need to go into details explaining vulnerabilities
- we will share the planted vulnerabilities afterwards


@ -0,0 +1,33 @@
---
- name: Secure Nginx Web Server
hosts: your_web_server
become: yes
tasks:
- name: Copy nginx configuration file with XSS protection and dot file access denial
template:
src: nginx_secure_config.j2
dest: /etc/nginx/sites-available/default
notify:
- Reload Nginx
- name: Ensure nginx snakeoil.conf is included
lineinfile:
path: /etc/nginx/sites-available/default
regexp: '^include snippets/snakeoil.conf;'
line: 'include snippets/snakeoil.conf;'
notify:
- Reload Nginx
- name: Ensure nginx PHP location is configured correctly
lineinfile:
path: /etc/nginx/sites-available/default
regexp: '^location ~ \.php\$ {'
line: 'location ~ \.php$ {'
notify:
- Reload Nginx
handlers:
- name: Reload Nginx
systemd:
name: nginx
state: restarted
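Review bot: The two `lineinfile` tasks after the `template` task (L111–L124) are redundant at best and harmful at worst: the template already writes both directives, and if the template's lines are indented (the rendering here drops indentation) the `^`-anchored regexps never match, so lineinfile appends a bare `location ~ \.php$ {` at the end of the file and the unbalanced brace makes Nginx refuse the configuration. Drop both tasks and let the template own the file. The handler is named `Reload Nginx` but performs `state: restarted`; `state: reloaded` matches the name and keeps open connections, and in either case a `command: nginx -t` task (`changed_when: false`) before the notify guards against installing a config that leaves the web server down. `become: yes` should be `become: true` (yamllint truthy), and `hosts: your_web_server` is a placeholder that differs from the `your_target_host` used by the sibling playbooks.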


@ -0,0 +1,7 @@
---
- name: Delete shell.php in Podman container
hosts: localhost
gather_facts: no
tasks:
- name: Run Podman command to delete shell.php
command: "podman exec -it 4d05d4a1a404 rm -f /var/www/html/shell.php"
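Review bot: `podman exec -it` on L140 requests a pseudo-TTY, but Ansible's `command` module runs without a terminal, so Podman is likely to refuse the `-t` flag before `rm` ever runs; drop the flags: `command: podman exec 4d05d4a1a404 rm -f /var/www/html/shell.php`. The container ID `4d05d4a1a404` identifies one container instance and changes when the container is recreated, so on a rebuilt host the task silently targets nothing; the container's name (not shown here) is the durable reference. The play targets `hosts: localhost` while the other playbooks in this commit target `your_target_host`, and `gather_facts: no` should be `gather_facts: false`. Removing the web shell is the right containment step, but `rm -f` reports success whether or not the file existed, so a `register`/`changed_when` on a preceding `test -e` would make it visible in the run output whether the shell was actually present.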


@ -0,0 +1,13 @@
---
- name: Unset functions and kill processes
hosts: your_target_host
become: yes
tasks:
- name: Unset functions netstat, ps, pstree, and ss
shell: unset -f netstat ps pstree ss
ignore_errors: yes
- name: Find and kill processes using port 2227
shell: |
ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*pid=//;s/,.*//' | xargs kill -9
ignore_errors: yes
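Review bot: The `shell: unset -f netstat ps pstree ss` task on L151 has no lasting effect: `unset -f` only removes the functions from the one non-interactive shell Ansible spawns for that task, which then exits, while the definitions stay in whatever rc file declares them (the `ss ()` function quoted in the notes file later in this commit points at such a file) and are reloaded by every new login shell. The durable fix is to delete those function definitions from that file with `replace` or `blockinfile` against its path, which is not shown here. The second task kills the socat listener on port 2227 but nothing removes what respawns it (the notes in this commit say the shell came back), and when the pipeline is empty `xargs kill -9` errors, which `ignore_errors: yes` hides; `xargs -r kill -9` avoids that and lets a genuine failure surface. `become: yes` and `ignore_errors: yes` should be written `true`.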


@ -0,0 +1,42 @@
---
- name: Update SSH server configuration
hosts: your_target_host
become: yes
tasks:
- name: Disable empty password login
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PermitEmptyPasswords'
line: 'PermitEmptyPasswords no'
notify:
- Restart SSH
- name: Disable password authentication
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^PasswordAuthentication'
line: 'PasswordAuthentication no'
notify:
- Restart SSH
- name: Update AuthorizedKeysFile
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^AuthorizedKeysFile'
line: 'AuthorizedKeysFile .ssh/authorized_keys'
notify:
- Restart SSH
- name: Remove other AuthorizedKeysFile settings
replace:
path: /etc/ssh/sshd_config
regexp: '^AuthorizedKeysFile.*'
replace: ''
notify:
- Restart SSH
handlers:
- name: Restart SSH
service:
name: sshd
state: restarted
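Review bot: Task order defeats the AuthorizedKeysFile change: the `lineinfile` on L180–L184 writes `AuthorizedKeysFile .ssh/authorized_keys`, and the `replace` on L187–L191 then deletes every line matching `^AuthorizedKeysFile.*`, including the one just written, so sshd falls back to its compiled-in default. Run the `replace` first and the `lineinfile` after it, so that duplicate directives are cleared and exactly one remains. Because the challenge requires root and all users to keep SSH access, each `lineinfile` should carry `validate: '/usr/sbin/sshd -t -f %s'` so a malformed file is never installed ahead of the restart, and the handler's unit name `sshd` should be checked against the distribution (Ubuntu installs `ssh.service`). With `PasswordAuthentication no` the play also needs to ensure the required public keys are present in root's authorized_keys before the handler runs; nothing here installs them, and an `Include /etc/ssh/sshd_config.d/*.conf` drop-in, if present, would take precedence over lines appended at the end of `sshd_config`.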


@ -0,0 +1,15 @@
---
- name: Remove and restart cron job
hosts: your_target_host
become: yes
tasks:
- name: Remove the specified cron job
lineinfile:
path: /etc/cron.d/e2scrub_all # Specify the path to your cron job file
regexp: '^(.*/sbin/xfsscrub_all.*)$' # Match the line containing /sbin/xfsscrub_all
state: absent # Remove the line if found
- name: Restart the cron service
service:
name: cron
state: restarted
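Review bot: The `Restart the cron service` task on L213–L216 runs unconditionally, so every run reports a change even when no line was removed; make it a handler and add `notify: Restart cron` to the `lineinfile` task (cron also re-reads `/etc/cron.d` on its own, so the restart is a belt-and-braces step). Removing the line only stops the schedule: the program it references, `/sbin/xfsscrub_all`, stays on disk and can be re-scheduled, so if it turns out to be what respawns the listener mentioned in the notes, copy it aside for analysis and then remove it with a `file: state: absent` task. The inline `# ...` comments on L210–L212 are better placed on their own line above the key at the same indentation, and `become: yes` should be `become: true`.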


@ -0,0 +1,19 @@
---
- name: Fix MySQL systemd service and restart MySQL
hosts: your_target_host
become: yes
tasks:
- name: Remove --skip-grant-tables from mysql.service file
lineinfile:
path: /lib/systemd/system/mysql.service
regexp: '^ExecStart=/usr/sbin/mysqld --skip-grant-tables'
line: 'ExecStart=/usr/sbin/mysqld'
notify:
- Reload and Restart MySQL
- name: Reload and Restart MySQL
systemd:
name: mysql
state: restarted
ignore_errors: yes
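Review bot: Editing `/lib/systemd/system/mysql.service` takes effect only after systemd re-reads unit files, and the restart on L233–L237 has no `daemon_reload: true`, so MySQL comes back with the old `ExecStart` and `--skip-grant-tables` still in force; add `daemon_reload: true` under `systemd:`. `ignore_errors: yes` then hides exactly the failure that matters here (MySQL not restarting with the corrected unit), so drop it. A package upgrade overwrites files under `/lib/systemd/system`, so a drop-in `/etc/systemd/system/mysql.service.d/override.conf` containing an empty `ExecStart=` followed by `ExecStart=/usr/sbin/mysqld` would survive upgrades where the in-place edit does not. No `handlers:` key is visible between the first task and the second `- name:` entry, so the `notify` on L231 appears to reference a task rather than a handler; if a `handlers:` line exists in the file but was dropped in rendering, disregard that last point.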


@ -392,6 +392,8 @@ ss ()
}
```
Tried:
```bash
@ -417,6 +419,15 @@ root@ls-2024-9:/etc/ssh# ss -ltnp | grep ':2227' | awk '{print $6}' | sed 's/.*p
1673
```
After some time reverse shell is back.
```bash
root 1672 0.0 0.1 4172 1952 ? Ss 08:01 0:00 SCREEN -d -m /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr
root 1673 0.0 0.0 10292 900 pts/1 Ss+ 08:01 0:00 \_ /usr/bin/socat TCP6-LISTEN:2227,reuseaddr,fork EXEC:/usr/bin/bash,stderr
```
Killed it and I hope it does not come back.
### e bit in pexec
```bash
@ -747,3 +758,56 @@ grep -R "meta l4proto tcp ip saddr 10.88.0.0/16 tcp dport 8018 counter packets"
Returns empty match.
But iguess this is just for the container to communicate. Nothing to worry about iguess.
### SMTP
```bash
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ls-2024-9
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, ls-2024-9, localhost.localdomain, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
```