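# ---
# jupyter:
#   jupytext:
#     formats: py:percent
#     text_representation:
#       extension: .py
#       format_name: percent
#       format_version: '1.3'
#       jupytext_version: 1.16.4
#   kernelspec:
#     display_name: cybersim
#     language: python
#     name: cybersim
# ---

# %% [markdown]
# pyright: reportUnusedExpression=false

# %% [markdown]
# Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License.
#
# # Capture The Flag Toy Example - Solved manually

# %% [markdown]
# This notebook demonstrates how to model a toy `Capture The Flag` security game as a CyberBattle environment.
# Every step below runs against the simulated environment only; the "attacks" are actions of the
# simulation's command-and-control helper, replayed by hand in the order of the solution table.

# %%
import logging
import sys

import cyberbattle.samples.toyctf.toy_ctf as ctf
import cyberbattle.simulation.commandcontrol as commandcontrol
import cyberbattle.simulation.model as model

# Log to stdout so the simulator's INFO messages show up inline in the notebook output.
logging.basicConfig(stream=sys.stdout, level=logging.INFO, format="%(levelname)s: %(message)s")

import plotly.offline as plo

plo.init_notebook_mode(connected=True)  # type: ignore
# %matplotlib inline

# %%
# Build the toy CTF network from the sample's node definitions.
network = model.create_network(ctf.nodes)
# No library-wide vulnerabilities are passed here (an empty dict replaces the
# original `dict([])`); the toy sample is presumably self-describing — confirm in toy_ctf.
env = model.Environment(network=network, vulnerability_library={}, identifiers=ctf.ENV_IDENTIFIERS)
env.plot_environment_graph()

# %% [markdown]
# ### Solution to the CTF
#
# This is the list of actions taken to capture 7 of the 8 flags from the CTF game.
# The numbered cells below follow the rows of this table.
#
# | Source | Action | Result |
# |------------ | ------ | ------ |
# | WEBSITE | page content has a link to github | Discover Github project |
# | GITHUB | navigate github history | **FLAG** Some secure access token (SAS) leaked in a reverted git commit (`CredScan`) |
# | AZURESTORAGE| access blob using SAS token | |
# | WEBSITE | view source HTML | Find URL to hidden .txt file on the website, extract directory path from it |
# | | navigate to parent URL and find 3 files | **FLAG** Discover browseable web directory |
# | | - readme.txt file | Discover secret data (the flag) |
# | | - getting-started.txt | Discover MYSQL credentials |
# | | - deprecation-checklist.txt | Discover URL to external sharepoint website |
# | SHAREPOINT | Navigate to sharepoint site | **FLAG** Finding AD Service Principal Credentials on Sharepoint |
# | CLIENT-AZURE| `az resource` with creds from sharepoint| Obtain secrets hidden in azure managed resources |
# | | | Get AzureVM info, including public IP address |
# | CLIENT | `ssh IP` | Failed attempt: internet incoming traffic blocked on the VM by NSG |
# | CLIENT | SSH into WEBSITE with mysql creds | **FLAG** Shared credentials with database user|
# | | |**FLAG** Login using insecure SSH user/password|
# | WEBSITE/SSH | `history` |**FLAG** Stealing credentials for the monitoring user|
# | | `sudo -u monitor` | Failed! monitor is not sudoable; message about the attempt being reported |
# | CLIENT | SSH into WEBSITE with 'monitor' creds | Failed! password authentication disabled; looking for private key |
# | CLIENT | SSH into WEBSITE as 'web' | |
# | | `su -u monitor` using password |**FLAG** User escalation by stealing credentials from bash history|
# | | `cat ~/azurecreds.txt` | Get user credentials to Azure |
# | CLIENT | `az resource` with monitor's creds | Steal more secrets |
#

# %%
# The command-and-control helper drives the simulated attacker; the debugging
# helper renders what the attacker has discovered so far.
c2 = commandcontrol.CommandControl(env)
dbg = commandcontrol.EnvironmentDebugging(c2)

# 1 - Start from client
dbg.plot_discovered_network()

# %%
c2.print_all_attacks()

# %%
# Local action on the starting node (table row: WEBSITE link found from browsing history).
outcome = c2.run_attack("client", "SearchEdgeHistory")
dbg.plot_discovered_network()

# %%
c2.print_all_attacks()

# %%
# 2 - WEBSITE: page content reveals the GitHub project.
github = c2.run_remote_attack("client", "Website", "ScanPageContent")
dbg.plot_discovered_network()

# %%
# 3 - GITHUB: credential scan of the git history (first FLAG in the table).
leakedSasUrl = c2.run_remote_attack("client", "GitHubProject", "CredScanGitHistory")
dbg.plot_discovered_network()

# %%
# 4 - AZURESTORAGE: connect over HTTPS with the leaked SAS token.
blobwithflag = c2.connect_and_infect("client", "AzureStorage", "HTTPS", "SASTOKEN1")
dbg.plot_discovered_network()
blobwithflag  # bare expression: displays the outcome in the notebook

# %%
# 5 - WEBSITE: view page source to find the hidden directory.
browsableDirectory = c2.run_remote_attack("client", "Website", "ScanPageSource")
dbg.plot_discovered_network()

# %%
# 6 - Browse the web directory: MySQL credentials and the SharePoint URL.
outcome_mysqlleak = c2.run_remote_attack("client", "Website.Directory", "NavigateWebDirectoryFurther")
sharepoint_url = c2.run_remote_attack("client", "Website.Directory", "NavigateWebDirectory")
dbg.plot_discovered_network()

# %%
# 7 - SHAREPOINT: AD service principal credentials.
outcome_azure_ad = c2.run_remote_attack("client", "Sharepoint", "ScanSharepointParentDirectory")
dbg.plot_discovered_network()

# %%
# 8 - Azure Resource Manager with the service principal credentials.
azureVmInfo = c2.connect_and_infect("client", "AzureResourceManager", "HTTPS", "ADPrincipalCreds")
dbg.plot_discovered_network()

# %%
# Enumerate resources to obtain the AzureVM info (table row: public IP address).
c2.run_remote_attack("client", "AzureResourceManager", "ListAzureResources")
dbg.plot_discovered_network()

# %%
# 9 - CLIENT: Attempt to SSH into AzureVM from IP retrieved from Azure Resource Manager
# Per the table this is expected to fail (inbound traffic blocked by the NSG), hence the name.
should_fail = c2.connect_and_infect("client", "AzureVM", "SSH", "ReusedMySqlCred-web")
print(f"Success={should_fail}")
dbg.plot_discovered_network()

# %%
# 10 - CLIENT: SSH into WEBSITE with the reused MySQL credentials (two FLAGs in the table).
owned = c2.connect_and_infect("client", "Website", "SSH", "ReusedMySqlCred-web")
dbg.plot_discovered_network()

# %%
# 11 - WEBSITE: credential scan of the bash history (monitor user's credentials).
outcome = c2.run_attack("Website", "CredScanBashHistory")
dbg.plot_discovered_network()

# %%
c2.print_all_attacks()

# %%
# 12 - `sudo -u monitor` on WEBSITE; expected to fail per the table (not sudoable).
should_fail = c2.connect_and_infect("Website", "Website[user=monitor]", "sudo", "monitorBashCreds")
dbg.plot_discovered_network()

# %%
# 13 - SSH from CLIENT as monitor; expected to fail per the table (password auth disabled).
should_fail = c2.connect_and_infect("client", "Website[user=monitor]", "SSH", "monitorBashCreds")
dbg.plot_discovered_network()
should_fail  # bare expression: displays the outcome in the notebook

# %%
# 14 - `su` to monitor from the WEBSITE shell (user escalation FLAG).
flag = c2.connect_and_infect("Website", "Website[user=monitor]", "su", "monitorBashCreds")
dbg.plot_discovered_network()

# %%
# 15 - Credential scan of monitor's home directory (the Azure user credentials row).
outcome = c2.run_attack("Website[user=monitor]", "CredScan-HomeDirectory")
dbg.plot_discovered_network()

# %%
# 16 - Azure Resource Manager again, now with monitor's credentials.
secrets = c2.connect_and_infect("client", "AzureResourceManager[user=monitor]", "HTTPS", "azuread_user_credentials")
dbg.plot_discovered_network()

# %%
c2.print_all_attacks()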