Add five_of_diamonds flag

This flag is hidden within a binary that runs a webservice on a given port.
The port is blocked until the correct port knocking sequence is initiated.
The default port sequence is all of the users' salary numbers.

The commit also moves a lot of values that were previously in recipes into
attributes files for easier maintenance going forward.
James Barnett 2017-06-30 14:47:30 -05:00
parent dfcdafe410
commit 5bbed5387e
11 changed files with 286 additions and 6 deletions

9
Vagrantfile vendored

@ -160,12 +160,6 @@ Vagrant.configure("2") do |config|
}
}
chef.add_recipe "metasploitable::mysql"
chef.add_recipe "metasploitable::apache_continuum"
chef.add_recipe "metasploitable::apache"
chef.add_recipe "metasploitable::php_545"
chef.add_recipe "metasploitable::phpmyadmin"
chef.add_recipe "metasploitable::proftpd"
chef.add_recipe "metasploitable::users"
chef.add_recipe "metasploitable::sinatra"
chef.add_recipe "metasploitable::docker"
@ -176,6 +170,9 @@ Vagrant.configure("2") do |config|
chef.add_recipe "metasploitable::readme_app"
chef.add_recipe "metasploitable::payroll_app"
chef.add_recipe "metasploitable::drupal"
chef.add_recipe "metasploitable::knockd"
chef.add_recipe "metasploitable::iptables"
chef.add_recipe "metasploitable::flags"
end
end
end
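Review bot: Adding `metasploitable::iptables` to the run list has a wider effect than the flag needs: as written in this commit, that recipe ends with `iptables -A INPUT -j DROP` and accepts only established connections and TCP port 80. Every other service provisioned by this run list would therefore stop accepting new inbound connections once the recipe has run. If that is not intended, the recipe should drop only the flag port, or the run list should carry a comment saying the box is default-deny from this point on. The `Vagrant.configure` block starts outside this hunk.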


@ -0,0 +1,7 @@
#
# Cookbook:: metasploitable
# Attributes:: flags
#
default[:flags][:flag1][:vuln_service] = 'apache'
default[:flags][:flag1][:vuln_port] = '8989'
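Review bot: `default[:flags][:flag1][:vuln_port]` is read only by the knockd template; the five_of_diamonds_srv init script (`/opt/knock_knock/five_of_diamonds -p 8989 &`) and the iptables recipe (`--dport 8989`) hard-code the same port. Overriding the attribute would make knockd open a port the service is not listening on. Either render those two from the attribute, or add a comment here such as `# NOTE: 8989 is also hard-coded in the five_of_diamonds_srv init script and the iptables recipe`. `vuln_service = 'apache'` is not referenced anywhere in this commit and does not obviously describe the five_of_diamonds binary, so a one-line comment saying what consumes it would help.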


@ -0,0 +1,109 @@
#
# Cookbook:: metasploitable
# Attributes:: users
#
default[:users][:leia_organa] = { username: 'leia_organa',
password: 'obiwan',
password_hash: '$1$2ny4/xaH$tAFV5fbEqHx2OkOPIQhpx0',
first_name: 'Leia',
last_name: 'Organa',
salary: '9560'}
default[:users][:luke_skywalker] = { username: 'luke_skywalker',
password: 'password',
password_hash: '$1$n8tgrGRs$8xaS40CFS1J5iIAEmbnx50',
first_name: 'Luke',
last_name: 'Skywalker',
salary: '1080'}
default[:users][:han_solo] = { username: 'han_solo',
password: 'sh00t-first',
password_hash: '$1$L/2/AWAh$ZMUulbFhP2IesZ6xwBmaV0',
first_name: 'Han',
last_name: 'Solo',
salary: '1200'}
default[:users][:artoo_detoo] = { username: 'artoo_detoo',
password: 'beep_b00p',
password_hash: '$1$DlEuqBUm$u71bKO9I603kDCqEphmon1',
first_name: 'Artoo',
last_name: 'Detoo',
salary: '22222'}
default[:users][:c_three_pio] = { username: 'c_three_pio',
password: 'pr0t0c0l',
password_hash: '$1$4JMoAFqs$b5MwsiCfOASdUKktx6wQ7/',
first_name: 'C',
last_name: 'Threepio',
salary: '3200'}
default[:users][:ben_kenobi] = { username: 'ben_kenobi',
password: 'thats_no_moon',
password_hash: '$1$vmHrrI9b$OyLulJjgi18GxgREG5V5c1',
first_name: 'Ben',
last_name: 'Kenobi',
salary: '10000'}
default[:users][:darth_vader] = { username: 'darth_vader',
password: 'd@rk_sid3',
password_hash: '$1$c7AfQJ86$zvcdz7pPate7GdCQ.yfTf0',
first_name: 'Darth',
last_name: 'Vader',
salary: '6666'}
default[:users][:anakin_skywalker] = { username: 'anakin_skywalker',
password: 'yipp33!!',
password_hash: '$1$AvIldIHu$o1s2OCU4n/qSCGQMKMgkH/',
first_name: 'Anakin',
last_name: 'Skywalker',
salary: '1025'}
default[:users][:jarjar_binks] = { username: 'jarjar_binks',
password: 'mesah_p@ssw0rd',
password_hash: '$1$SNokFi0c$F.SvjZQjYRSuoBuobRWMh1',
first_name: 'Jar-Jar',
last_name: 'Binks',
salary: '2048'}
default[:users][:lando_calrissian] = { username: 'lando_calrissian',
password: 'b@ckstab',
password_hash: '$1$8aWC7zHq$bz6K2rZVD7XlMNqBIIMGX.',
first_name: 'Lando',
last_name: 'Calrissian',
salary: '40000'}
default[:users][:boba_fett] = { username: 'boba_fett',
password: 'mandalorian1',
password_hash: '$1$TjxlmV4j$k/rG1vb4.pj.z0yFWJ.ZD0',
first_name: 'Boba',
last_name: 'Fett',
salary: '20000'}
default[:users][:jabba_hutt] = { username: 'jabba_hutt',
password: 'not-a-slug12',
password_hash: '$1$1q5jRHYC$LIp/8O/g9qg3NaeGOxGSl/',
first_name: 'Jaba',
last_name: 'Hutt',
salary: '65000'}
default[:users][:greedo] = { username: 'greedo',
password: 'hanShotFirst!',
password_hash: '$1$1lmZ0rOJ$GITT5.sX0tvOQeC2/wWQF1',
first_name: 'Greedo',
last_name: 'Rodian',
salary: '50000'}
default[:users][:chewbacca] = { username: 'chewbacca',
password: 'rwaaaaawr5',
password_hash: '$1$AjU5ZLh9$WjO.j9fYh3yms3HSDBKya1',
first_name: 'Chewbacca',
last_name: '',
salary: '4500'}
default[:users][:kylo_ren] = { username: 'kylo_ren',
password: 'daddy_issues1',
password_hash: '$1$Zcw3AKDA$1Mjgzmr/HpmFXuxUjj2Vv1',
first_name: 'Kylo',
last_name: 'Ren',
salary: '6667'}
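Review bot: Nothing in this file says that `salary` doubles as the port-knocking sequence. The knockd template joins every user's salary in attribute order, so each value has to be a valid TCP port (1–65535), and adding, removing or reordering a user silently changes the sequence. A header comment such as `# salary values are also rendered into knockd.conf as the knock sequence; keep them in 1..65535 and keep the order stable` would make that dependency visible. Each entry also stores `password` next to a precomputed `password_hash` and nothing visible here checks that the two agree, so a comment naming which consumer reads which field would help avoid drift.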

Binary file not shown.

File diff suppressed because one or more lines are too long


@ -0,0 +1,39 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: five_of_diamonds
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# X-Interactive: false
# Short-Description: Init script for five_of_diamonds
# Description: Start/stop five_of_diamonds
### END INIT INFO
DESC="five_of_diamonds"
NAME=five_of_diamonds
#DAEMON=
do_start()
{
echo "Starting five_of_diamonds.";
/opt/knock_knock/five_of_diamonds -p 8989 &
}
do_stop()
{
echo "Stopping five_of_diamonds."
killall five_of_diamonds
}
case "$1" in
start)
do_start
;;
stop)
do_stop
;;
esac
exit 0
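Review bot: The `case "$1"` block handles only `start` and `stop` and then always reaches `exit 0`, so `restart`, `status` or a mistyped action reports success without doing anything; a service manager or Chef's `service` resource that probes with `status` would be misled. Adding a default branch, `*) echo "Usage: $0 {start|stop}" >&2; exit 1 ;;`, makes unsupported actions fail visibly. `do_stop` uses `killall five_of_diamonds` with no pidfile, and `do_start` does not check whether an instance is already running, so a second `start` launches a second process competing for the same port. A short comment above `do_start` noting that the binary runs as root in the background would document the intent.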


@ -0,0 +1,15 @@
################################################
#
# knockd's default file, for generic sys config
#
################################################
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
#
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=1
# command line options
#KNOCKD_OPTS="-i eth1"
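Review bot: With `KNOCKD_OPTS` left commented out, knockd listens only on its built-in default interface. On a Vagrant box with more than one adapter, knocks arriving on another interface would presumably never be seen and the flag port would stay closed. If the lab network is expected on a specific NIC, set it explicitly with `KNOCKD_OPTS="-i <interface>"`, or add a comment stating which interface the default is assumed to be. The stock notice `PLEASE EDIT /etc/knockd.conf BEFORE ENABLING` is now stale, since the cookbook generates that file; a comment saying it is Chef-managed would be more accurate.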


@ -0,0 +1,23 @@
#
# Cookbook:: metasploitable
# Recipe:: flags
#
# Copyright:: 2017, Rapid7, All Rights Reserved.
directory '/opt/knock_knock' do
mode 0700
end
cookbook_file '/opt/knock_knock/five_of_diamonds' do
source 'flags/five_of_diamonds'
mode 0700
end
cookbook_file '/etc/init.d/five_of_diamonds_srv' do
source 'flags/five_of_diamonds_srv'
mode '760'
end
service 'five_of_diamonds_srv' do
action [:enable, :start]
end
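Review bot: `mode '760'` on `/etc/init.d/five_of_diamonds_srv` leaves a script that init runs as root writable by its group, and the resource sets no `owner` or `group`, so the result depends on resource defaults. Unless that is a deliberate part of the exercise, `owner 'root'`, `group 'root'` and `mode '0755'` are the conventional settings for an init script. The two `mode 0700` lines use an integer literal while this one uses a string; a quoted octal string, `mode '0700'`, would be consistent. If the loose permission is intentional, a comment saying so would stop a later cleanup from removing it.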


@ -0,0 +1,27 @@
#
# Cookbook:: metasploitable
# Recipe:: iptables
#
# Copyright:: 2017, Rapid7, All Rights Reserved.
execute "apt-get update" do
command "apt-get update"
end
bash 'setup for knockd, used for flag' do
code <<-EOH
iptables -A FORWARD 1 -p tcp -m tcp --dport 8989 -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP
EOH
end
package 'iptables-persistent' do
action :install
end
service 'iptables-persistent' do
action [:enable, :start]
end


@ -0,0 +1,23 @@
#
# Cookbook:: metasploitable
# Recipe:: knockd
#
# Copyright:: 2017, Rapid7, All Rights Reserved.
package 'knockd' do
action :install
end
template '/etc/knockd.conf' do
source 'knockd/knockd.conf.erb'
mode '0600'
end
cookbook_file '/etc/default/knockd' do
source 'knockd/knockd'
mode '0600'
end
service 'knockd' do
action :restart
end
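Review bot: `service 'knockd'` uses `action :restart`, so the daemon is restarted on every Chef run whether or not its configuration changed, and the recipe itself never enables it at boot (the package may do that, but nothing here guarantees it). The usual shape is `action [:enable, :start]` on the service, plus `notifies :restart, 'service[knockd]'` on both the `template '/etc/knockd.conf'` and the `cookbook_file '/etc/default/knockd'` resources. A comment that the template reads `node[:users]` and `node[:flags]` would also document that this recipe depends on both attribute files.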


@ -0,0 +1,14 @@
[options]
UseSyslog
[openFlag]
sequence = <%= node[:users].collect { |u, att| node[:users][u][:salary] }.join(',') %>
seq_timeout = 15
command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport <%= node[:flags][:flag1][:vuln_port] %> -j ACCEPT
tcpflags = syn
[closeFlag]
sequence = <%= node[:users].collect { |u, att| node[:users][u][:salary] }.reverse.join(',') %>
seq_timeout = 15
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport <%= node[:flags][:flag1][:vuln_port] %> -j ACCEPT
tcpflags = syn
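Review bot: Both `sequence` lines use `node[:users].collect { |u, att| node[:users][u][:salary] }`, which ignores the yielded `att` and indexes back into `node[:users]`; `node[:users].map { |_name, attrs| attrs[:salary] }.join(',')` says the same thing more directly. The template renders whatever the attributes contain without checking that each salary is a usable port number, so an override with a non-numeric or out-of-range value would produce a knockd.conf that knockd may reject at start-up. In `[openFlag]`, every successful knock inserts another `-I INPUT 1 ... -j ACCEPT` rule while `[closeFlag]` deletes only one with `-D`, so repeated opens from the same address leave rules behind; a comment noting this, or a `-C` check before the insert, would help whoever maintains the lab.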