Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
microsoft
GitHub Repository: microsoft/CyberBattleSim
 Path: blob/main/cyberbattle/samples/toyctf/toy_ctf.py
597 views
1
# Copyright (c) Microsoft Corporation.

2
# Licensed under the MIT License.

3


4
"""Model a toy Capture the flag exercise

5


6
See Jupyter notebook toyctf-simulation.ipynb for an example of

7
game played on this simulation.

8
"""

9


10
from cyberbattle.simulation import model as m

11
from cyberbattle.simulation.model import NodeID, NodeInfo, VulnerabilityID, VulnerabilityInfo

12
from typing import Dict, Iterator, cast, Tuple

13


14
default_allow_rules = [

15
    m.FirewallRule("RDP", m.RulePermission.ALLOW),

16
    m.FirewallRule("SSH", m.RulePermission.ALLOW),

17
    m.FirewallRule("HTTPS", m.RulePermission.ALLOW),

18
    m.FirewallRule("HTTP", m.RulePermission.ALLOW),

19
]

20


21
# Network nodes involved in the Capture the flag game

22
nodes = {

23
    "Website": m.NodeInfo(

24
        services=[m.ListeningService("HTTPS"), m.ListeningService("SSH", allowedCredentials=["ReusedMySqlCred-web"])],

25
        firewall=m.FirewallConfiguration(incoming=default_allow_rules, outgoing=default_allow_rules + [m.FirewallRule("su", m.RulePermission.ALLOW), m.FirewallRule("sudo", m.RulePermission.ALLOW)]),

26
        value=100,

27
        # If can SSH into server then gets FLAG "Shared credentials with

28
        # database user"

29
        properties=["MySql", "Ubuntu", "nginx/1.10.3"],

30
        owned_string="FLAG: Login using insecure SSH user/password",

31
        vulnerabilities=dict(

32
            ScanPageContent=m.VulnerabilityInfo(

33
                description="LeakedGitHubProjectUrl: Website page content shows a link to GitHub " "repo",

34
                type=m.VulnerabilityType.REMOTE,

35
                outcome=m.LeakedNodesId(["GitHubProject"]),

36
                reward_string="WEBSITE page content has a link to github -> Github project discovered!",

37
                cost=1.0,

38
            ),

39
            ScanPageSource=m.VulnerabilityInfo(

40
                description="Website page source contains refrence to browseable " "relative web directory",

41
                type=m.VulnerabilityType.REMOTE,

42
                outcome=m.LeakedNodesId(["Website.Directory"]),

43
                reward_string="Viewing the web page source reveals a URL to a .txt file and directory on the website",

44
                cost=1.0,

45
            ),

46
            CredScanBashHistory=m.VulnerabilityInfo(

47
                description="bash history leaking creds - FLAG Stealing " "credentials for the monitoring user",

48
                type=m.VulnerabilityType.LOCAL,

49
                outcome=m.LeakedCredentials(credentials=[m.CachedCredential(node="Website[user=monitor]", port="SSH", credential="monitorBashCreds")]),

50
                reward_string="FLAG: SSH history revealed credentials for the monitoring user (monitor)",

51
                cost=1.0,

52
            ),

53
        ),

54
    ),

55
    "Website.Directory": m.NodeInfo(

56
        services=[m.ListeningService("HTTPS")],

57
        value=50,

58
        properties=["Ubuntu", "nginx/1.10.3", "CTFFLAG:Readme.txt-Discover secret data"],

59
        vulnerabilities=dict(

60
            NavigateWebDirectoryFurther=m.VulnerabilityInfo(

61
                description="Discover MYSQL credentials MySql for user " "'web' in (getting-started.txt)",

62
                type=m.VulnerabilityType.REMOTE,

63
                outcome=m.LeakedCredentials(credentials=[m.CachedCredential(node="Website", port="MySQL", credential="ReusedMySqlCred-web")]),

64
                reward_string="Discover browseable web directory: Navigating to parent URL revealed file `readme.txt`" "with secret data (aflag); and `getting-started.txt` with MYSQL credentials",

65
                cost=1.0,

66
            ),

67
            NavigateWebDirectory=m.VulnerabilityInfo(

68
                description="Discover URL to external sharepoint website " "(in deprecation-checklist.txt)",

69
                type=m.VulnerabilityType.REMOTE,

70
                outcome=m.LeakedNodesId(["Sharepoint"]),

71
                reward_string="Navigating to parent URL revealed file `deprecation-checklist.txt` containing" "a URL to an external sharepoint website",

72
                cost=1.0,

73
            ),

74
        ),

75
    ),

76
    "Website[user=monitor]": m.NodeInfo(

77
        services=[m.ListeningService("SSH", allowedCredentials=[]), m.ListeningService("SSH-key", allowedCredentials=["unkownkey"]), m.ListeningService("su", allowedCredentials=["monitorBashCreds"])],

78
        value=100,

79
        properties=["MySql", "Ubuntu", "nginx/1.10.3"],

80
        owned_string="FLAG User escalation by stealing credentials from bash history",

81
        firewall=m.FirewallConfiguration(

82
            outgoing=default_allow_rules,

83
            incoming=[

84
                m.FirewallRule("SSH", m.RulePermission.BLOCK, reason="password authentication disabled! SSH needs private key to authenticate."),

85
                m.FirewallRule("sudo", m.RulePermission.BLOCK, reason="`sudo -u monitor` failed. User 'monitor' not sudoable." "This warning will be reported!"),

86
                m.FirewallRule("su", m.RulePermission.ALLOW),

87
            ]

88
            + default_allow_rules,

89
        ),

90
        vulnerabilities={

91
            "CredScan-HomeDirectory": m.VulnerabilityInfo(

92
                description="azurecredential.txt file in home directory",

93
                type=m.VulnerabilityType.LOCAL,

94
                outcome=m.LeakedCredentials(credentials=[m.CachedCredential(node="AzureResourceManager[user=monitor]", port="HTTPS", credential="azuread_user_credentials")]),

95
                reward_string="SSH: cat ~/azurecreds.txt (running as monitor) revealed Azure user credential!",

96
                cost=1.0,

97
            ),

98
        },

99
    ),

100
    "GitHubProject": m.NodeInfo(

101
        services=[m.ListeningService("GIT")],

102
        value=10,

103
        properties=["GitHub", "SasUrlInCommit"],

104
        vulnerabilities=dict(

105
            CredScanGitHistory=m.VulnerabilityInfo(

106
                description="Some secure access token (SAS) leaked in a " "reverted git commit",

107
                type=m.VulnerabilityType.REMOTE,

108
                precondition=m.Precondition("SasUrlInCommit&GitHub"),

109
                outcome=m.LeakedCredentials(credentials=[m.CachedCredential(node="AzureStorage", port="HTTPS", credential="SASTOKEN1")]),

110
                rates=m.Rates(probingDetectionRate=0.0, exploitDetectionRate=0.0, successRate=1.0),

111
                reward_string="CredScan success: Some secure access token (SAS) was leaked in a reverted git commit",

112
                cost=1.0,

113
            )

114
        ),

115
    ),

116
    "AzureStorage": m.NodeInfo(

117
        services=[m.ListeningService("HTTPS", allowedCredentials=["SASTOKEN1"])],

118
        value=50,

119
        properties=["CTFFLAG:LeakedCustomerData"],

120
        vulnerabilities=dict(

121
            AccessDataWithSASToken=m.VulnerabilityInfo(

122
                description="Stealing secrets using a publicly shared " "SAS token",

123
                type=m.VulnerabilityType.REMOTE,

124
                outcome=m.CustomerData(),

125
                rates=m.Rates(successRate=1.0),

126
                reward_string="Stole data using a publicly shared SAS token",

127
                cost=1.0,

128
            )

129
        ),

130
    ),

131
    "Sharepoint": m.NodeInfo(

132
        services=[m.ListeningService("HTTPS")],

133
        value=100,

134
        properties=["SharepointLeakingPassword"],

135
        firewall=m.FirewallConfiguration(

136
            incoming=[m.FirewallRule("SSH", m.RulePermission.ALLOW), m.FirewallRule("HTTP", m.RulePermission.ALLOW), m.FirewallRule("HTTPS", m.RulePermission.ALLOW)], outgoing=[]

137
        ),

138
        vulnerabilities=dict(

139
            ScanSharepointParentDirectory=m.VulnerabilityInfo(

140
                description="Navigate to SharePoint site, browse parent " "directory",

141
                type=m.VulnerabilityType.REMOTE,

142
                outcome=m.LeakedCredentials(credentials=[m.CachedCredential(node="AzureResourceManager", port="HTTPS", credential="ADPrincipalCreds")]),

143
                rates=m.Rates(successRate=1.0),

144
                reward_string="Navigating to the Sharepoint site revealed  AD Service Principal Credentials",

145
                cost=1.0,

146
            )

147
        ),

148
    ),

149
    "AzureResourceManager": m.NodeInfo(

150
        services=[m.ListeningService("HTTPS", allowedCredentials=["ADPrincipalCreds", "azuread_user_credentials"])],

151
        owned_string="FLAG: Shared credentials with database user - Obtained secrets hidden in Azure Managed Resources",

152
        value=50,

153
        properties=["CTFFLAG:LeakedCustomerData2"],

154
        vulnerabilities=dict(

155
            ListAzureResources=m.VulnerabilityInfo(

156
                description="AzureVM info, including public IP address",

157
                type=m.VulnerabilityType.REMOTE,

158
                outcome=m.LeakedNodesId(["AzureVM"]),

159
                reward_string="Obtained Azure VM and public IP information",

160
                cost=1.0,

161
            )

162
        ),

163
    ),

164
    "AzureResourceManager[user=monitor]": m.NodeInfo(

165
        services=[m.ListeningService("HTTPS", allowedCredentials=["azuread_user_credentials"])],

166
        owned_string="More secrets stolen when logged as interactive `monitor` user in Azure with `az`",

167
        value=50,

168
        properties=[],

169
    ),

170
    "AzureVM": m.NodeInfo(

171
        services=[m.ListeningService("PING"), m.ListeningService("SSH")],

172
        value=100,

173
        properties=["CTFFLAG:VMPRIVATEINFO"],

174
        firewall=m.FirewallConfiguration(incoming=[m.FirewallRule("SSH", m.RulePermission.BLOCK, reason="internet incoming traffic blocked on the VM by NSG firewall")], outgoing=[]),

175
    ),

176
    "client": m.NodeInfo(

177
        services=[],

178
        value=0,

179
        vulnerabilities=dict(

180
            SearchEdgeHistory=m.VulnerabilityInfo(

181
                description="Search web history for list of accessed websites",

182
                type=m.VulnerabilityType.LOCAL,

183
                outcome=m.LeakedNodesId(["Website"]),

184
                reward_string="Web browser history revealed website URL of interest",

185
                cost=1.0,

186
            )

187
        ),

188
        agent_installed=True,

189
        reimagable=False,

190
    ),

191
}

192


193
global_vulnerability_library: Dict[VulnerabilityID, VulnerabilityInfo] = dict([])

194


195
# Environment constants

196
ENV_IDENTIFIERS = m.infer_constants_from_nodes(cast(Iterator[Tuple[NodeID, NodeInfo]], list(nodes.items())), global_vulnerability_library)

197


198


199
def new_environment() -> m.Environment:

200
    return m.Environment(network=m.create_network(nodes), vulnerability_library=global_vulnerability_library, identifiers=ENV_IDENTIFIERS)

201


202