diff --git a/.github/workflows/cleanup.yaml b/.github/workflows/cleanup.yaml new file mode 100644 index 0000000..4c0f61e --- /dev/null +++ b/.github/workflows/cleanup.yaml @@ -0,0 +1,31 @@ +name: Clean up hcloud resources + +# prevent mutliple concurrent workflow executions to avoid hcloud resources interfering with each other +concurrency: hcloud + +on: + workflow_dispatch: + schedule: + - cron: "0 3 * * *" + # run the workflow after a packer build workflow is finished to clean up all images created by the workflow (and potentially also left-over servers) + workflow_run: + workflows: ["Packer build"] + types: + - completed + +jobs: + cleanup: + runs-on: ubuntu-latest + steps: + - name: setup hcloud + run: | + curl -o hcloud-linux-amd64.tar.gz -L https://github.com/hetznercloud/cli/releases/download/v1.34.0/hcloud-linux-amd64.tar.gz + tar xf hcloud-linux-amd64.tar.gz -C /usr/bin hcloud + chmod +x /usr/bin/hcloud + - name: clean up resources + env: + HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }} + run: | + for i in $(hcloud ssh-key list -o noheader -o columns=id); do hcloud ssh-key delete $i; done + for i in $(hcloud server list -o noheader -o columns=id); do hcloud server delete $i; done + for i in $(hcloud image list -t snapshot -o noheader -o columns=id); do hcloud image delete $i; done \ No newline at end of file diff --git a/.github/workflows/packer.yaml b/.github/workflows/packer.yaml new file mode 100644 index 0000000..581eef3 --- /dev/null +++ b/.github/workflows/packer.yaml 
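Review bot: The `clean up resources` step deletes every ssh key, server and snapshot in the hcloud project rather than only what the Packer build created, so the key labelled `type=admin` that the README requires in the same project is removed by the nightly `schedule` run as well. The builders in this commit label their snapshots (`snapshot_labels` with `type: bambi*`), so the loops can be narrowed with a label selector, e.g. `hcloud image list -t snapshot --selector type=bambichecker -o noheader -o columns=id` (or a shared label added to all five builders), and the ssh-key loop should at least skip keys labelled `type=admin`. The `setup hcloud` step also fetches the CLI tarball with a bare `curl` and no checksum or signature check before extracting it into `/usr/bin`; since this job holds `HCLOUD_TOKEN`, pinning the release digest with `sha256sum -c` before `tar xf` would keep a tampered download from running with the token.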
@@ -0,0 +1,58 @@ +name: Packer build + +# prevent mutliple concurrent workflow executions to avoid hcloud resources interfering with each other +concurrency: hcloud + +on: + push: + branches: + - main + pull_request: + branches: + - main + workflow_dispatch: + +jobs: + docker-build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Build and save Docker image + run: | + docker build -t ghcr.io/enowars/bambictf:latest . + docker save --output /tmp/bambictf.tar ghcr.io/enowars/bambictf:latest + - name: Upload artifact + uses: actions/upload-artifact@v2 + with: + name: bambictf + path: /tmp/bambictf.tar + + packer-build: + strategy: + # fail-fast needs to be disabled, otherwise packer processes may be ungracefully killed and leave stale builder VMs + fail-fast: false + matrix: + image: ["bambichecker", "bambielk", "bambiengine", "bambirouter", "bambivulnbox"] + runs-on: ubuntu-latest + needs: docker-build + steps: + - name: Checkout + uses: actions/checkout@v2 + - name: Download artifact + uses: actions/download-artifact@v2 + with: + name: bambictf + path: /tmp + - name: Load Docker image + run: docker load --input /tmp/bambictf.tar + - name: start docker-compose setup + env: + HCLOUD_TOKEN: ${{ secrets.HCLOUD_TOKEN }} + run: docker-compose up -d + - name: prepare ansible config + run: docker-compose exec -T bambictf sh -c 'cp ansible/config_bambi.yml.sample ansible/config_bambi.yml' + - name: generate config files + run: docker-compose exec -T bambictf sh -c 'cd config; TEAM_COUNT=4 GATEWAY_COUNT=2 CHECKER_COUNT=2 ./gen_config.sh' + - name: build packer image + run: docker-compose exec -T bambictf sh -c 'cd packer; packer build ${{ matrix.image }}.json' \ No newline at end of file diff --git a/.gitignore b/.gitignore index 5d1b6f5..100aac6 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,5 @@ config*.yml .trash/ .env id_ed25519 +.secrets +ctf*json \ No newline at end of file 
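Review bot: With `pull_request` among the triggers and `HCLOUD_TOKEN` set on the `start docker-compose setup` step, any pull request against `main` runs the Dockerfile, compose file and `gen_config.sh` from the PR head with the project token in the environment; for fork PRs GitHub withholds secrets so the job merely fails, but for branches inside this repository the token is reachable by whatever the PR changes. Limiting the hcloud-backed job to pushes and manual runs, e.g. `if: github.event_name != 'pull_request'` on `packer-build`, or placing it behind a protected environment, keeps `docker-build` as the only PR check. Separately, `actions/checkout@v2`, `actions/upload-artifact@v2` and `actions/download-artifact@v2` are pinned to mutable tags; a workflow that carries cloud credentials is usually pinned to full commit SHAs instead.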
diff --git a/Dockerfile b/Dockerfile index e56b98d..1579168 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:20.04 +FROM ubuntu:22.04 # Core deps RUN apt-get update @@ -27,6 +27,9 @@ ENV PATH="/usr/share/easy-rsa:${PATH}" # QOL RUN echo "set -g mouse on" > /root/.tmux.conf +# fix SSH host key checking +RUN mkdir /root/.ssh && echo "Host 127.0.0.1\n HostKeyAlgorithms=+ssh-rsa\n PubkeyAcceptedKeyTypes=+ssh-rsa" > /root/.ssh/config + WORKDIR /bambictf ENTRYPOINT tail -f /dev/null diff --git a/README.md b/README.md index 9189421..febef79 100644 --- a/README.md +++ b/README.md @@ -30,8 +30,6 @@ github_ssh_keys: - domenukk - ldruschk - MMunier -elk_address: ip or url -moloch_internal_ip: ip or url ``` 2. Create `./terraform/terraform.tfvars`: ``` @@ -69,7 +67,7 @@ export HCLOUD_TOKEN="..." ``` ## Docker -- Have at least one ssh key with the label `type=admin` in your project +- Have at least one ssh key with the label `type=admin` in your project **(HETZNER's WEBSITE)** - Set `HCLOUD_TOKEN` and `HETZNERDNS_TOKEN` - Create `./ansible/config_bambi.yml` - Obtain a private ssh ed25519 key that can clone your repositories (`cp ~/.ssh/id_ed25519 .`) @@ -88,7 +86,7 @@ export HCLOUD_TOKEN="..." - Create `./terraform/terraform.tfvars` - set `vpn_floating_ip_only = false` - set `internal_floating_ip_only = false` -- `cd ./terraform` +- `cd /bambictf/terraform` - `terraform init` - `terraform apply` diff --git a/ansible/roles/bambi-wireguard-router/tasks/main.yml b/ansible/roles/bambi-wireguard-router/tasks/main.yml index f466284..1395326 100644 --- a/ansible/roles/bambi-wireguard-router/tasks/main.yml +++ b/ansible/roles/bambi-wireguard-router/tasks/main.yml 
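Review bot: The new `RUN mkdir /root/.ssh && echo "Host 127.0.0.1\n HostKeyAlgorithms=+ssh-rsa\n PubkeyAcceptedKeyTypes=+ssh-rsa" > /root/.ssh/config` depends on the shell's `echo` expanding `\n`; dash (the `/bin/sh` of the ubuntu:22.04 base) does that, bash's builtin does not, so `printf 'Host 127.0.0.1\n  HostKeyAlgorithms=+ssh-rsa\n  PubkeyAcceptedKeyTypes=+ssh-rsa\n' > /root/.ssh/config` is the portable form. The comment `# fix SSH host key checking` understates the line: it re-enables the SHA-1-based `ssh-rsa` signature algorithm that OpenSSH 8.8 (Ubuntu 22.04) disabled by default, for host keys and user keys alike on hosts matched by `Host 127.0.0.1`; a comment naming which key is RSA and why it cannot be replaced would tell a maintainer when the line can go again. Moving that key to ed25519 (the README already refers to an `id_ed25519`) would also remove the need for the `PubkeyAcceptedKeyTypes=+ssh-rsa` user_data added to the packer/*.json builders further down.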
@@ -118,22 +118,15 @@ out_interface: router jump: ACCEPT - - name: allow intra-team traffic part 1 - iptables: - chain: FORWARD - out_interface: router - source: "10.1.{{ item }}.0/24" - destination: "10.1.{{ item }}.0/24" - jump: ACCEPT + # this is a pretty hacky workaround, but the execution of the iptables-module in ansible is just painfully slow + - name: "allow intra-team traffic part 1" + shell: "iptables -A FORWARD -s 10.1.{{ item }}.0/24 -d 10.1.{{ item }}.0/24 -o router -j ACCEPT" + when: '"-A FORWARD -s 10.1."+item+".0/24 -d 10.1."+item+".0/24 -o router -j ACCEPT" not in iptablessave.stdout' with_sequence: start=1 end=255 - - name: allow intra-team traffic part 2 - iptables: - chain: FORWARD - out_interface: team+ - source: "10.1.{{ item }}.0/24" - destination: "10.1.{{ item }}.0/24" - jump: ACCEPT + - name: "allow intra-team traffic part 2" + shell: "iptables -A FORWARD -s 10.1.{{ item }}.0/24 -d 10.1.{{ item }}.0/24 -o team+ -j ACCEPT" + when: '"-A FORWARD -s 10.1."+item+".0/24 -d 10.1."+item+".0/24 -o router -j ACCEPT" not in iptablessave.stdout' with_sequence: start=1 end=255 - name: persist iptables config diff --git a/ansible/roles/bambixploit/tasks/main.yml b/ansible/roles/bambixploit/tasks/main.yml index 8e898e6..9b3bf41 100644 --- a/ansible/roles/bambixploit/tasks/main.yml +++ b/ansible/roles/bambixploit/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install bambixploit get_url: - url: "https://github.com/enowars/bambiXploit-dotnet/releases/download/v0.0.9/bambixploit-linux-x64" + url: "https://github.com/enowars/bambiXploit-dotnet/releases/download/v0.0.10/bambixploit-linux-x64" dest: /usr/local/bin/bambixploit mode: 0755 diff --git a/ansible/roles/dotnetsdk/tasks/main.yml b/ansible/roles/dotnetsdk/tasks/main.yml index 55a59af..70c8082 100644 --- a/ansible/roles/dotnetsdk/tasks/main.yml +++ b/ansible/roles/dotnetsdk/tasks/main.yml 
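Review bot: The `when` of `allow intra-team traffic part 2` still looks for the `-o router` rule (copied from part 1) while the task itself adds a `-o team+` rule, so the idempotency guard tests the wrong rule: once part 1 has been applied, part 2 is skipped on every later run even when its rules are missing. The condition should read `when: '"-A FORWARD -s 10.1."+item+".0/24 -d 10.1."+item+".0/24 -o team+ -j ACCEPT" not in iptablessave.stdout'`. Both tasks use `shell:` for a command with no shell syntax; `command:` avoids spawning a shell for each of the 255 iterations and is what ansible-lint's command-instead-of-shell rule expects. The `iptablessave` register that both conditions read is set by a task outside this hunk, so the guards are only as fresh as that earlier `iptables-save` run.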
@@ -5,23 +5,23 @@ failed_when: dotnet_sdk_deb.rc > 1 changed_when: dotnet_sdk_deb.rc == 1 - - name: Download Microsoft PGP key - get_url: - url: "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb" - dest: "/tmp/packages-microsoft-prod.deb" - when: dotnet_sdk_deb.rc == 1 + # - name: Download Microsoft PGP key + # get_url: + # url: "https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb" + # dest: "/tmp/packages-microsoft-prod.deb" + # when: dotnet_sdk_deb.rc == 1 - - name: Install Microsoft PGP key - apt: - deb: "/tmp/packages-microsoft-prod.deb" - become: yes - when: dotnet_sdk_deb.rc == 1 + # - name: Install Microsoft PGP key + # apt: + # deb: "/tmp/packages-microsoft-prod.deb" + # become: yes + # when: dotnet_sdk_deb.rc == 1 - - name: Install dotnet deps - apt: - name: "apt-transport-https" - state: present - when: dotnet_sdk_deb.rc == 1 + # - name: Install dotnet deps + # apt: + # name: "apt-transport-https" + # state: present + # when: dotnet_sdk_deb.rc == 1 - name: Install dotnet sdk apt: diff --git a/ansible/roles/enomoloch/files/enodump.service b/ansible/roles/enomoloch/files/enodump.service index bad7b5d..991f878 100644 --- a/ansible/roles/enomoloch/files/enodump.service +++ b/ansible/roles/enomoloch/files/enodump.service @@ -8,7 +8,7 @@ Restart=always TimeoutStartSec=300 WorkingDirectory=/pcaps -ExecStart=/usr/sbin/tcpdump -i game -G 30 -w '%%Y_%%m_%%d-%%H_%%M_%%S.pcap' -s 0 +ExecStart=/usr/bin/tcpdump -i game -G 30 -w '%%Y_%%m_%%d-%%H_%%M_%%S.pcap' -s 0 [Install] WantedBy=multi-user.target diff --git a/clean_records.py b/clean_records.py new file mode 100644 index 0000000..9f3a49f --- /dev/null +++ b/clean_records.py 
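Review bot: The tasks `Download Microsoft PGP key`, `Install Microsoft PGP key` and `Install dotnet deps` are commented out rather than removed, and the commented copy was even edited from `20.04` to `22.04`, leaving dead text that will drift from what the live `Install dotnet sdk` task below actually needs. Delete them (history keeps the old version) and put one comment on the remaining task explaining where the package now comes from, e.g. `# Microsoft's apt repository is no longer configured; the SDK package is expected from the repositories already present on the image` — adjusted to whatever the real reason is, since the hunk does not show it. Whether the `dotnet_sdk_deb.rc == 1` gate in the context lines above is still used by anything once these tasks are gone is also not visible here.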
@@ -0,0 +1,65 @@ + +# Install the Python Requests library: +# `pip install requests` +import os +import requests + +AUTH_API_TOKEN = os.environ["HETZNERDNS_TOKEN"] +print(AUTH_API_TOKEN) + +def list_records(ZoneID): + # Get Records + # GET https://dns.hetzner.com/api/v1/records + + try: + response = requests.get( + url="https://dns.hetzner.com/api/v1/records", + params={ + "zone_id": ZoneID, + }, + headers={ + "Auth-API-Token": AUTH_API_TOKEN, + }, + ) + print('Response HTTP Status Code: {status_code}'.format( + status_code=response.status_code)) + print('Response HTTP Response Body: {content}'.format( + content=response.content)) + except requests.exceptions.RequestException: + print('HTTP Request failed') + + return response.json() + +def delete_record(RecordID): + # Delete Record + # DELETE https://dns.hetzner.com/api/v1/records/{RecordID} + + try: + response = requests.delete( + url=f"https://dns.hetzner.com/api/v1/records/{RecordID}", + headers={ + "Auth-API-Token": AUTH_API_TOKEN, + }, + ) + print('Response HTTP Status Code: {status_code}'.format( + status_code=response.status_code)) + print('Response HTTP Response Body: {content}'.format( + content=response.content)) + except requests.exceptions.RequestException: + print('HTTP Request failed') + + +records = list_records("bambi.ovh")["records"] +print(records) + +for record in records: + print("RECORD", record["name"], "->", record["value"]) + #delete_record(record['id']) + + +confirm = input("Enter \"yes\" to delete all records") + +if confirm.strip() == "yes": + for record in records: + print("DETLETING RECORD", record["name"], "->", record["value"]) + delete_record(record['id']) \ No newline at end of file diff --git a/config/gen_config.sh b/config/gen_config.sh index a603f54..c72cf3e 100755 --- a/config/gen_config.sh +++ b/config/gen_config.sh 
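Review bot: `print(AUTH_API_TOKEN)` near the top of the new script writes the Hetzner DNS API token to stdout, where it ends up in terminal scrollback, shell logs and any CI output; the line should be dropped. In `list_records` a `RequestException` is caught and printed but execution falls through to `return response.json()` with `response` never assigned (`UnboundLocalError`), and a non-2xx reply is parsed as if it succeeded; replace `print('HTTP Request failed')` with a re-raise (or `raise SystemExit(1)`) and add `response.raise_for_status()` before the return, with the same treatment in `delete_record`. The function sends its argument as `zone_id` while the call site passes `"bambi.ovh"`, which looks like a zone name rather than an id — worth confirming against the API, because a wrong filter here decides what the bulk delete below operates on. The final message `"DETLETING RECORD"` has a typo (`DELETING`).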
@@ -1,8 +1,8 @@ #!/bin/bash -TEAM_COUNT=256 -GATEWAY_COUNT=1 -CHECKER_COUNT=5 +TEAM_COUNT=$(if [ -z "$TEAM_COUNT" ]; then echo 255; else echo "$TEAM_COUNT"; fi) +GATEWAY_COUNT=$(if [ -z "$GATEWAY_COUNT" ]; then echo 2; else echo "$GATEWAY_COUNT"; fi) +CHECKER_COUNT=$(if [ -z "$CHECKER_COUNT" ]; then echo 4; else echo "$CHECKER_COUNT"; fi) mkdir -p "export" mkdir -p "internal_router" diff --git a/packer/bambichecker.json b/packer/bambichecker.json index 895ac6e..9cb58b1 100644 --- a/packer/bambichecker.json +++ b/packer/bambichecker.json @@ -13,14 +13,15 @@ "builders": [ { "type": "hcloud", - "image": "ubuntu-20.04", + "image": "ubuntu-22.04", "location": "fsn1", "server_type": "cx11", "ssh_username": "root", "snapshot_name": "bambichecker-{{timestamp}}", "snapshot_labels": { "type": "bambichecker" - } + }, + "user_data": "#!/bin/sh\necho PubkeyAcceptedKeyTypes=+ssh-rsa >> /etc/ssh/sshd_config; service ssh reload" } ] } diff --git a/packer/bambielk.json b/packer/bambielk.json index 242cd06..d3d57e7 100644 --- a/packer/bambielk.json +++ b/packer/bambielk.json @@ -13,14 +13,15 @@ "builders": [ { "type": "hcloud", - "image": "ubuntu-20.04", + "image": "ubuntu-22.04", "location": "fsn1", "server_type": "cx11", "ssh_username": "root", "snapshot_name": "bambielk-{{timestamp}}", "snapshot_labels": { "type": "bambielk" - } + }, + "user_data": "#!/bin/sh\necho PubkeyAcceptedKeyTypes=+ssh-rsa >> /etc/ssh/sshd_config; service ssh reload" } ] } \ No newline at end of file diff --git a/packer/bambiengine.json b/packer/bambiengine.json index 862466d..982707b 100644 --- a/packer/bambiengine.json +++ b/packer/bambiengine.json 
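Review bot: The three `$(if [ -z "$TEAM_COUNT" ]; then echo 255; else echo "$TEAM_COUNT"; fi)` assignments spawn a subshell each for what bash's parameter expansion does directly: `TEAM_COUNT="${TEAM_COUNT:-255}"`, `GATEWAY_COUNT="${GATEWAY_COUNT:-2}"`, `CHECKER_COUNT="${CHECKER_COUNT:-4}"`. The defaults also changed silently (256 to 255, 1 to 2, 5 to 4) in the same step that introduced env-var overrides; a one-line comment above the block saying that the CI workflow sets these and why 255 is the ceiling (presumably the `10.1.<n>.0/24` per-team ranges, which the router role enumerates from 1 to 255) would save the next reader a search. Nothing checks that an override is a positive integer, so a typo in the workflow's `TEAM_COUNT=4` surfaces only further down the script.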
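Review bot: The `user_data` script appends `PubkeyAcceptedKeyTypes=+ssh-rsa` to `/etc/ssh/sshd_config` of the build server, and since the snapshot is taken from that server the setting persists into every instance later cloned from it — re-enabling SHA-1 RSA signatures for SSH authentication across the game network rather than only for the Packer session. The same line is added in the bambielk, bambiengine, bambirouter and bambivulnbox hunks. If the only RSA key involved is the one Packer/Ansible connects with, switching that key to ed25519 removes the need for the line entirely; otherwise the provisioner should remove it again as its last step before the snapshot, e.g. `sed -i '/PubkeyAcceptedKeyTypes=+ssh-rsa/d' /etc/ssh/sshd_config && service ssh reload`. `PubkeyAcceptedKeyTypes` is the legacy spelling of `PubkeyAcceptedAlgorithms` in the OpenSSH shipped with 22.04; both are accepted today, but the current name is the one documented.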
@@ -13,14 +13,15 @@ "builders": [ { "type": "hcloud", - "image": "ubuntu-20.04", + "image": "ubuntu-22.04", "location": "fsn1", "server_type": "cx11", "ssh_username": "root", "snapshot_name": "bambiengine-{{timestamp}}", "snapshot_labels": { "type": "bambiengine" - } + }, + "user_data": "#!/bin/sh\necho PubkeyAcceptedKeyTypes=+ssh-rsa >> /etc/ssh/sshd_config; service ssh reload" } ] } diff --git a/packer/bambirouter.json b/packer/bambirouter.json index ea6c11d..1d94647 100644 --- a/packer/bambirouter.json +++ b/packer/bambirouter.json @@ -7,6 +7,9 @@ "extra_arguments": [ "--extra-vars", "ansible_python_interpreter=/usr/bin/python3" + ], + "ansible_env_vars": [ + "ANSIBLE_PIPELINING=True" ] } ], @@ -20,7 +23,8 @@ "snapshot_name": "bambirouter-{{timestamp}}", "snapshot_labels": { "type": "bambirouter" - } + }, + "user_data": "#!/bin/sh\necho PubkeyAcceptedKeyTypes=+ssh-rsa >> /etc/ssh/sshd_config; service ssh reload" } ] } diff --git a/packer/bambivulnbox.json b/packer/bambivulnbox.json index f4a5e37..fffcfda 100644 --- a/packer/bambivulnbox.json +++ b/packer/bambivulnbox.json @@ -13,14 +13,15 @@ "builders": [ { "type": "hcloud", - "image": "ubuntu-20.04", + "image": "ubuntu-22.04", "location": "fsn1", "server_type": "cx11", "ssh_username": "root", "snapshot_name": "bambivulnbox-{{timestamp}}", "snapshot_labels": { "type": "bambivulnbox" - } + }, + "user_data": "#!/bin/sh\necho 'PubkeyAcceptedKeyTypes=+ssh-rsa\nPermitRootLogin yes' >> /etc/ssh/sshd_config; service ssh reload" } ] }
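Review bot: Beyond the `+ssh-rsa` line shared with the other builders, the vulnbox `user_data` also appends `PermitRootLogin yes`, which persists in the snapshot and, unlike Ubuntu's default `prohibit-password`, permits root to authenticate with a password on every vulnbox cloned from it. If team root access is meant to be key-only the line should go; if password root login is intended for teams, the README should say so and `PasswordAuthentication` should be set deliberately in the same script rather than left to whatever `sshd_config.d` drop-ins cloud-init writes. Whether Ansible later sets a root password, and whether teams are expected to rely on it, is not visible in this hunk.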