# ---
# jupyter:
# jupytext:
# formats: py:percent
# text_representation:
# extension: .py
# format_name: percent
# format_version: '1.3'
# jupytext_version: 1.16.4
# kernelspec:
# display_name: cybersim
# language: python
# name: cybersim
# ---
# %% [markdown]
# pyright: reportUnusedExpression=false
# %% [markdown]
# Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License.
#
# # Capture The Flag Toy Example - Solved manually
# %% [markdown]
# This notebook demonstrates how to model a toy `Capture The Flag` security game as a CyberBattle environment.
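# %%
import logging
import sys

import plotly.offline as plo

import cyberbattle.samples.toyctf.toy_ctf as ctf
import cyberbattle.simulation.commandcontrol as commandcontrol
import cyberbattle.simulation.model as model

# Send the simulator's INFO-level log lines to stdout so they appear inline
# under each notebook cell.
logging.basicConfig(stream=sys.stdout, level=logging.INFO, format="%(levelname)s: %(message)s")
plo.init_notebook_mode(connected=True)  # type: ignore
# %matplotlib inline
# %%
# Build the toy CTF environment from the sample's node definitions.
# The shared vulnerability library is left empty (`{}`); the sample
# presumably carries its vulnerabilities on the nodes themselves — confirm in
# cyberbattle.samples.toyctf.toy_ctf.
network = model.create_network(ctf.nodes)
env = model.Environment(network=network, vulnerability_library={}, identifiers=ctf.ENV_IDENTIFIERS)
env.plot_environment_graph()
# %% [markdown]
# ### Solution to the CTF
#
# This is the list of actions taken to capture 7 of the 8 flags from the CTF game.
#
# | Source | Action | Result |
# |------------ | ------ | ------ |
# | WEBSITE | page content has a link to github | Discover Github project |
# | GITHUB | navigate github history | **FLAG** Some secure access token (SAS) leaked in a reverted git commit (`CredScan`) |
# | AZURESTORAGE| access blob using SAS token | |
# | WEBSITE | view source HTML | Find URL to hidden .txt file on the website, extract directory path from it |
# | | navigate to parent URL and find 3 files | **FLAG** Discover browseable web directory |
# | | - readme.txt file | Discover secret data (the flag) |
# | | - getting-started.txt | Discover MYSQL credentials |
# | | - deprecation-checklist.txt | Discover URL to external sharepoint website |
# | SHAREPOINT | Navigate to sharepoint site | **FLAG** Finding AD Service Principal Credentials on Sharepoint |
# | CLIENT-AZURE| `az resource` with creds from sharepoint| Obtain secrets hidden in azure managed resources |
# | | | Get AzureVM info, including public IP address |
# | CLIENT | `ssh IP` | Failed attempt: internet incoming traffic blocked on the VM by NSG |
# | CLIENT | SSH into WEBSITE with mysql creds | **FLAG** Shared credentials with database user |
# | | | **FLAG** Login using insecure SSH user/password |
# | WEBSITE/SSH | `history` | **FLAG** Stealing credentials for the monitoring user |
# | | `sudo -u monitor` | Failed! monitor not sudoable. message about being reported! |
# | CLIENT | SSH into WEBSITE with 'monitor' creds | Failed! password authentication disabled! looking for private key |
# | CLIENT | SSH into WEBSITE as 'web' | |
# | | `su -u monitor` using password | **FLAG** User escalation by stealing credentials from bash history |
# | | `cat ~/azurecreds.txt` | Get user credentials to Azure |
# | CLIENT | `az resource` with monitor's creds | Steal more secrets |
#
# %%
# The command-and-control handle drives the attacker side of the simulation;
# the debugging helper renders the part of the network the attacker has
# discovered so far. Each numbered step below corresponds to a row of the
# table above; every step is followed by a re-plot so the discovered subgraph
# can be watched growing.
c2 = commandcontrol.CommandControl(env)
dbg = commandcontrol.EnvironmentDebugging(c2)
# 1 - Start from client
dbg.plot_discovered_network()
# %%
c2.print_all_attacks()
# %%
# Local attack on the starting node.
outcome = c2.run_attack("client", "SearchEdgeHistory")
dbg.plot_discovered_network()
# %%
c2.print_all_attacks()
# %%
# 2 - WEBSITE row: the page content reveals the GitHub project.
github = c2.run_remote_attack("client", "Website", "ScanPageContent")
dbg.plot_discovered_network()
# %%
# 3 - GITHUB row: credential scan of the commit history; expected to yield the
# leaked SAS token that step 4 uses.
leaked_sas_url = c2.run_remote_attack("client", "GitHubProject", "CredScanGitHistory")
dbg.plot_discovered_network()
# %%
# 4 - AZURESTORAGE row: connect to the storage account with the leaked SAS token.
blob_with_flag = c2.connect_and_infect("client", "AzureStorage", "HTTPS", "SASTOKEN1")
dbg.plot_discovered_network()
# Bare expression on purpose: lets the notebook display the outcome.
blob_with_flag
# %%
# 5 - WEBSITE row: viewing the page source reveals the browseable directory.
browsable_directory = c2.run_remote_attack("client", "Website", "ScanPageSource")
dbg.plot_discovered_network()
# %%
# 6 - Browse the web directory: one action finds the MySQL credentials, the
# other the Sharepoint URL.
outcome_mysqlleak = c2.run_remote_attack("client", "Website.Directory", "NavigateWebDirectoryFurther")
sharepoint_url = c2.run_remote_attack("client", "Website.Directory", "NavigateWebDirectory")
dbg.plot_discovered_network()
# %%
# 7 - SHAREPOINT row: the parent directory exposes the AD service principal credentials.
outcome_azure_ad = c2.run_remote_attack("client", "Sharepoint", "ScanSharepointParentDirectory")
dbg.plot_discovered_network()
# %%
# 8 - CLIENT-AZURE row: authenticate to Azure Resource Manager with the
# service principal credentials, then enumerate resources (incl. the VM info).
azure_vm_info = c2.connect_and_infect("client", "AzureResourceManager", "HTTPS", "ADPrincipalCreds")
dbg.plot_discovered_network()
# %%
c2.run_remote_attack("client", "AzureResourceManager", "ListAzureResources")
dbg.plot_discovered_network()
# %%
# 9 - CLIENT: Attempt to SSH into AzureVM from IP retrieved from Azure Resource Manager.
# Expected to fail: per the table, inbound internet traffic to the VM is blocked by the NSG.
should_fail = c2.connect_and_infect("client", "AzureVM", "SSH", "ReusedMySqlCred-web")
print(f"Success={should_fail}")
dbg.plot_discovered_network()
# %%
# 10 - The MySQL credentials are reused for SSH on the website host (shared-credential flag).
owned = c2.connect_and_infect("client", "Website", "SSH", "ReusedMySqlCred-web")
dbg.plot_discovered_network()
# %%
# 11 - WEBSITE/SSH row: the shell history leaks the monitoring user's credentials.
outcome = c2.run_attack("Website", "CredScanBashHistory")
dbg.plot_discovered_network()
# %%
c2.print_all_attacks()
# %%
# 12 - Expected to fail: the table notes `monitor` is not sudoable and the attempt is reported.
should_fail = c2.connect_and_infect("Website", "Website[user=monitor]", "sudo", "monitorBashCreds")
dbg.plot_discovered_network()
# %%
# 13 - Expected to fail: password authentication over SSH is disabled for monitor.
should_fail = c2.connect_and_infect("client", "Website[user=monitor]", "SSH", "monitorBashCreds")
dbg.plot_discovered_network()
# Bare expression on purpose: lets the notebook display the failed outcome.
should_fail
# %%
# 14 - `su` to monitor from the already-owned website shell succeeds with the
# password from step 11 (user-escalation flag).
flag = c2.connect_and_infect("Website", "Website[user=monitor]", "su", "monitorBashCreds")
dbg.plot_discovered_network()
# %%
# 15 - monitor's home directory holds the Azure user credentials.
outcome = c2.run_attack("Website[user=monitor]", "CredScan-HomeDirectory")
dbg.plot_discovered_network()
# %%
# 16 - Reach Azure Resource Manager as monitor with those credentials.
azure_secrets = c2.connect_and_infect("client", "AzureResourceManager[user=monitor]", "HTTPS", "azuread_user_credentials")
dbg.plot_discovered_network()
# %%
c2.print_all_attacks()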