Kiddie is a CTF-like scenario based on two VulnHub machines:
- DC-9: https://www.vulnhub.com/entry/dc-9,412/
- Wintermute Straylight: https://www.vulnhub.com/entry/wintermute-1,239/
The provision of the infrastructure is done with Terraform and the configuration of the instances is done with Ansible. In addition, to deploy and destroy the scenario in a more comfortable way, Jenkins is used.
The main purpose of this project is to pentest on an AWS infrastructure scenario using ethical hacking techniques (with special mention to pivoting) and technologies like TOR.
There are four repositories in the scope of this project:
- Kiddie: Main repository with Jenkins stuff and documentation.
- Kiddie-terraform: Executes the provision of the infrastructure of the Kiddie scenario in AWS with Terraform.
- DC-9-ansible: Configures a DC-9 instance using an Ansible role.
- Wintermute-Straylight-ansible: Configures a Wintermute-Straylight instance using an Ansible role.
NOTE: At this time, only the Amazon Linux 2 operating system is supported for DC-9-ansible and Wintermute-Straylight-ansible.
Basically, we need the following:
- Docker to run Jenkins.
- An AWS Access Key with Administrator privileges to manage the scenario.
awsclitool to interact with the AWS API- Java to interact with Jenkins via API. For Debian you can execute
sudo apt-get install openjdk-11-jre
First of all, run a Jenkins container:
$ mkdir $HOME/jenkins_home
$ docker run -d \
-v $HOME/jenkins_home:/var/jenkins_home \
-p 127.0.0.1:8080:8080 -p 127.0.0.1:50000:50000 \
--name htc-jenkins \
jenkins/jenkins:lts
Complete the post-installation setup wizard with the suggested plugins and an admin account.
Create a profile named 'kiddie'.
$ aws configure --profile kiddie
AWS Access Key ID [None]: AKIAI**********
AWS Secret Access Key [None]: CTe**********
Default region name [None]: eu-west-1
Default output format [None]:
Check that configuration is OK.
$ aws sts get-caller-identity --profile kiddie
{
"UserId": "15*******",
"Account": "15*******",
"Arn": "arn:aws:iam::15*******:***"
}
$ echo '<user>:<pass>' > $HOME/.jenkins.credentials
4. Run jenkins-kiddie-setup.sh script.
$ wget https://raw.githubusercontent.com/HackThisCompany/Kiddie/master/jenkins-kiddie-setup.sh
$ chmod +x jenkins-kiddie-setup.sh
$ ./jenkins-kiddie-setup.sh
--------------------------------
[*] Checking AWS Credentials
{
"UserId": "15*******",
"Account": "15*******",
"Arn": "arn:aws:iam::15*******:***"
}
[!] File /home/user/.ssh/kiddie.id_rsa was not found.
[*] Press [ENTER] to force /home/user/.ssh/kiddie.id_rsa generation...
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/kiddie.id_rsa.
Your public key has been saved in /home/user/.ssh/kiddie.id_rsa.pub.
The key fingerprint is:
SHA256:Uf+aKlNEKAdfvurT59bAprcyiqctvdRK6dUZ+FpaUto user@debian
The key's randomart image is:
+---[RSA 2048]----+
| .. .o |
| ..o+.. |
| oo.. . |
| ..o . |
| S.o.o . |
| +.*+= |
| .=o=oEo |
| .B*o=B+ . |
| o+B*+Bo. |
+----[SHA256]-----+
[*] Kiddie pubkey was not found in AWS. Uploading...
{
"KeyFingerprint": "fc:e6:27:c6:96:c5:2f:5e:7e:09:31:26:d2:a8:34:af",
"KeyName": "kiddie",
"KeyPairId": "key-02c85c107c0957a57"
}
--------------------------------
[*] Setting up jenkins-cli
[*] Testing authentication against Jenkins
Authenticated as: <user>
Authorities:
authenticated
--------------------------------
[*] Installing Jenkins plugins
Installing job-dsl from update center
Installing blueocean from update center
Installing pipeline-aws from update center
[*] Restarting jenkins
[*] Waiting for Jenkins to start
....
[*] Jenkins is ready
--------------------------------
[*] Creating credential 'AWS-Kiddie'
[*] Creating credential 'kiddie.id_rsa'
--------------------------------
[*] Creating Kiddie seed job: seed.groovy ( https://github.com/HackThisCompany/Kiddie.git )
--------------------------------
================================
NEXT STEPS
================================
1) Disable "script security for Job DSL scripts":
Go to http://localhost:8080/configureSecurity/ and uncheck "Enable script
security for Job DSL scripts"
2) Download ansible and terraform inside Jenkins and add them to the JENKINS PATH.
Go to section 'Global properties > Environment variables > List of variables' in
http://localhost:8080/configure/. Then, add something like this:
| Name : PATH+EXTRA1
| Value: $HOME/.local/bin
3) Run seed job to generate Kiddie jobs: http://localhost:8080/job/Kiddie_seed/
4) Use Kiddie/Deploy and Kiddie/Destroy jobs to manage the scenario in your AWS account:
- http://localhost:8080/job/Kiddie/job/Deploy
- http://localhost:8080/job/Kiddie/job/Destroy
5) Enjoy :)
================================
- Disable "script security for Job DSL scripts" for skipping script approvals.
- Download ansible and Terraform and add them to the PATH:
To add the directory
$ docker exec -uroot -it htc-jenkins bash root@e8bba4e1f82b:/# apt-get update && apt-get install python3 python3-pip -y root@e8bba4e1f82b:/# su - jenkins jenkins@e8bba4e1f82b:~$ pip3 install ansible jenkins@e8bba4e1f82b:~$ wget -O $HOME/.local/bin/terraform.zip https://releases.hashicorp.com/terraform/0.12.29/terraform_0.12.29_linux_amd64.zip jenkins@e8bba4e1f82b:~$ cd $HOME/.local/bin/ && unzip terraform.zip$HOME/.local/bin/to the PATH, you need to add the following environmental variable inManage Jenkins > Configure Systempage insideGlobal properties > Environment variables > List of variablesconfiguration items:Name : PATH+EXTRA1 Value: $HOME/.local/bin - Run 'Kiddie_seed' DSL Job ("Build Now").
- Run Deploy/Destroy jobs inside Kiddie folder on demand to manage the scenario.
- Hack it!
NOTE: The IPs would be shown in the Job log. In Blue Ocean, go to the end of Terraform init and apply stage.