Merge pull request #20 from teamssix/main

feat: add gcp vm command execution scenario

Dockerfile

@@ -1,5 +1,5 @@
 FROM ubuntu:20.04
-LABEL maintainer="HuoXian Research Team <https://github.com/HuoCorp>"
+LABEL maintainer="HuoCorp research lab <https://github.com/HuoCorp>"
 
 RUN apt-get update -y && \
     apt-get install -qy gnupg2 && \  

README.md

@@ -34,8 +34,9 @@ Currently supported cloud vendors include Alibaba Cloud, Tencent Cloud, Huawei C
 |  20  | Google  Cloud Platform |      Object Storage       | [Object ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
 |  21  | Google  Cloud Platform |      Object Storage       | [Bucket ACL Writable](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
 |  22  | Google  Cloud Platform |      Object Storage       | [Unrestricted File Upload](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
-|  23  |    Microsoft  Azure    |      Object Storage       | [Blob  Public Access](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
-|  24  |  Microsoft  Azure  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
+|  23  |  Google  Cloud Platform  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/elastic_computing_service/vm_command_execution) |
+|  24  |    Microsoft  Azure    |      Object Storage       | [Blob  Public Access](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
+|  25  |  Microsoft  Azure  | Elastic Computing Service | [VM Command Execution](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
 
 ## :dizzy: Install
 

README_CN.md

@@ -33,8 +33,9 @@ Cloud Platform、Microsoft Azure 六个云厂商的云场景漏洞搭建。
 |  20  | Google  Cloud Platform |   对象存储   | [Object ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/object_acl_writable) |
 |  21  | Google  Cloud Platform |   对象存储   | [Bucket ACL 可写](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/bucket_acl_writable) |
 |  22  | Google  Cloud Platform |   对象存储   | [任意文件上传](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/object_storage_service/unrestricted_file_upload) |
-|  23  |    Microsoft  Azure    |   对象存储   | [Blob 公开访问](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
-|  24  |  Microsoft  Azure  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
+|  23  |  Google  Cloud Platform  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/gcp/elastic_computing_service/vm_command_execution) |
+|  24  |    Microsoft  Azure    |   对象存储   | [Blob 公开访问](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/object_storage_service/blob_public_access/) |
+|  25  |  Microsoft  Azure  | 弹性计算服务 | [VM 命令执行漏洞环境](https://github.com/HuoCorp/TerraformGoat/tree/main/azure/elastic_computing_service/vm_command_execution) |
 
 ## :dizzy: 安装
 

aliyun/object_storage_service/bucket_object_traversal/README.md

@@ -8,6 +8,14 @@ This is a script that will help you quickly build a storage bucket object traver
 cd /TerraformGoat/aliyun/object_storage_service/bucket_object_traversal/
 ```
 
+Configure Alibaba Cloud Access Credentials
+
+```shell
+aliyun configure
+```
+
+> You can create and view your AccessKey on the [AccessKey page](https://ram.console.aliyun.com/manage/ak) of the Alibaba Cloud console
+
 ```BASH
 terraform init
 ```

aliyun/object_storage_service/bucket_object_traversal/README_CN.md

@@ -12,6 +12,14 @@
 cd /TerraformGoat/aliyun/object_storage_service/bucket_object_traversal/
 ```
 
+配置阿里云访问凭证
+
+```shell
+aliyun configure
+```
+
+> 在阿里云控制台的 [AccessKey 页面](https://ram.console.aliyun.com/manage/ak) 可以创建和查看您的 AccessKey
+
 ```BASH
 terraform init
 ```

aliyun/object_storage_service/object_acl_writable/README.md

@@ -12,6 +12,14 @@ Although you may not encounter it in a real situation, but have fun!
 cd /TerraformGoat/aliyun/object_storage_service/object_acl_writable/ 
 ```
 
+Configure Alibaba Cloud Access Credentials
+
+```shell
+aliyun configure
+```
+
+> You can create and view your AccessKey on the [AccessKey page](https://ram.console.aliyun.com/manage/ak) of the Alibaba Cloud console
+
 ```bash
 terraform init
 ```

aliyun/object_storage_service/object_acl_writable/README_CN.md

@@ -11,6 +11,14 @@
 cd /TerraformGoat/aliyun/object_storage_service/object_acl_writable/ 
 ```
 
+配置阿里云访问凭证
+
+```shell
+aliyun configure
+```
+
+> 在阿里云控制台的 [AccessKey 页面](https://ram.console.aliyun.com/manage/ak) 可以创建和查看您的 AccessKey
+
 ```bash
 terraform init
 ```

aliyun/object_storage_service/special_bucket_policy/README.md

@@ -16,6 +16,14 @@ cd /TerraformGoat/aliyun/object_storage_service/special_bucket_policy/
 
 ![image-20220425182349048](../../../images/image-20220425182349048.png)
 
+Configure Alibaba Cloud Access Credentials
+
+```shell
+aliyun configure
+```
+
+> You can create and view your AccessKey on the [AccessKey page](https://ram.console.aliyun.com/manage/ak) of the Alibaba Cloud console
+
 ```BASH
 terraform init
 ```

aliyun/object_storage_service/special_bucket_policy/README_CN.md

@@ -13,6 +13,14 @@ cd /TerraformGoat/aliyun/object_storage_service/special_bucket_policy/
 
 ![image-20220425182349048](../../../images/image-20220425182349048.png)
 
+配置阿里云访问凭证
+
+```shell
+aliyun configure
+```
+
+> 在阿里云控制台的 [AccessKey 页面](https://ram.console.aliyun.com/manage/ak) 可以创建和查看您的 AccessKey
+
 ```BASH
 terraform init
 ```

aliyun/object_storage_service/unrestricted_file_upload/README.md

@@ -18,6 +18,14 @@ terraform init
 
 ![image-20220425192835507](../../../images/image-20220425192835507.png)
 
+Configure Alibaba Cloud Access Credentials
+
+```shell
+aliyun configure
+```
+
+> You can create and view your AccessKey on the [AccessKey page](https://ram.console.aliyun.com/manage/ak) of the Alibaba Cloud console
+
 ```bash
 terraform apply
 ```

aliyun/object_storage_service/unrestricted_file_upload/README_CN.md

@@ -12,6 +12,14 @@
 cd /TerraformGoat/aliyun/object_storage_service/unrestricted_file_upload/ 
 ```
 
+配置阿里云访问凭证
+
+```shell
+aliyun configure
+```
+
+> 在阿里云控制台的 [AccessKey 页面](https://ram.console.aliyun.com/manage/ak) 可以创建和查看您的 AccessKey
+
 ```bash
 terraform init
 ```

aws/object_storage_service/bucket_object_traversal/README.md

@@ -12,6 +12,14 @@ cd /TerraformGoat/aws/object_storage_service/bucket_object_traversal/
 
 ![image-20220424181052943](../../../images/UzJuMarkDownImageimage-20220424181052943.png)
 
+Configure AWS Access Credentials
+
+```shell
+aws configure
+```
+
+> You can see the access key in the AWS [Console --> Security Credentials]
+
 ```bash
 terraform init
 ```

aws/object_storage_service/bucket_object_traversal/README_CN.md

@@ -12,6 +12,14 @@ cd /TerraformGoat/aws/object_storage_service/bucket_object_traversal/
 
 ![image-20220424181052943](../../../images/UzJuMarkDownImageimage-20220424181052943.png)
 
+配置 AWS 访问凭证
+
+```shell
+aws configure
+```
+
+> 在 AWS 「控制台——》安全凭证」处可以设置并查看你的 `aws_access_key_id` 和 `aws_secret_access_key`
+
 ```bash
 terraform init
 ```

aws/object_storage_service/object_acl_writable/README.md

@@ -14,6 +14,14 @@ cd /TerraformGoat/aws/object_storage_service/object_acl_writable/
 
 ![image-20220426152245856](../../../images/image-20220426152245856.png)
 
+Configure AWS Access Credentials
+
+```shell
+aws configure
+```
+
+> You can see the access key in the AWS [Console --> Security Credentials]
+
 ```bash
 terraform init
 ```

aws/object_storage_service/object_acl_writable/README_CN.md

@@ -14,6 +14,14 @@ cd /TerraformGoat/aws/object_storage_service/object_acl_writable/
 
 ![image-20220426152245856](../../../images/image-20220426152245856.png)
 
+配置 AWS 访问凭证
+
+```shell
+aws configure
+```
+
+> 在 AWS 「控制台——》安全凭证」处可以设置并查看你的 `aws_access_key_id` 和 `aws_secret_access_key`
+
 ```bash
 terraform init
 ```

aws/object_storage_service/special_bucket_policy/README.md

@@ -12,6 +12,14 @@ cd /TerraformGoat/aws/object_storage_service/special_bucket_policy/
 
 ![image-20220425205833343](../../../images/image-20220425205833343.png)
 
+Configure AWS Access Credentials
+
+```shell
+aws configure
+```
+
+> You can see the access key in the AWS [Console --> Security Credentials]
+
 ```bash
 terraform init
 ```

aws/object_storage_service/special_bucket_policy/README_CN.md

@@ -12,6 +12,14 @@ cd /TerraformGoat/aws/object_storage_service/special_bucket_policy/
 
 ![image-20220425205833343](../../../images/image-20220425205833343.png)
 
+配置 AWS 访问凭证
+
+```shell
+aws configure
+```
+
+> 在 AWS 「控制台——》安全凭证」处可以设置并查看你的 `aws_access_key_id` 和 `aws_secret_access_key`
+
 ```bash
 terraform init
 ```

aws/object_storage_service/unrestricted_file_upload/README.md

@@ -12,6 +12,14 @@ cd /TerraformGoat/aws/object_storage_service/unrestricted_file_upload/
 
 ![image](../../../images/UzJuMarkDownImageimage-20220426122100745.png)
 
+Configure AWS Access Credentials
+
+```shell
+aws configure
+```
+
+> You can see the access key in the AWS [Console --> Security Credentials]
+
 ```bash
 terraform init
 ```

aws/object_storage_service/unrestricted_file_upload/README_CN.md

@@ -12,6 +12,14 @@ cd /TerraformGoat/aws/object_storage_service/unrestricted_file_upload/
 
 ![image](../../../images/UzJuMarkDownImageimage-20220426122100745.png)
 
+配置 AWS 访问凭证
+
+```shell
+aws configure
+```
+
+> 在 AWS 「控制台——》安全凭证」处可以设置并查看你的 `aws_access_key_id` 和 `aws_secret_access_key`
+
 ```bash
 terraform init
 ```

gcp/elastic_computing_service/vm_command_execution/README.md

@@ -0,0 +1,84 @@
+# GCP VM Command Execution Vulnerable Environment
+
+English | [中文](./README_CN.md)
+
+## Description
+
+This is a scenario used to build the GCP VM command execution vulnerability environment.
+
+After building the environment with Terraform, users can obtain metadata and user data and other information on VM through the command execution vulnerabilities.
+
+## Deployment Environment
+
+Perform gcp authentication with the following command, generate a key file at [service account](https://console.cloud.google.com/projectselector2/iam-admin/serviceaccounts?supportedpurview=project), and copy the key to Authentication in the container
+
+```shell
+docker cp key.json terraformgoat:/terraformgoat # run on the host
+docker exec -it terraformgoat /bin/bash  # run on the host
+gcloud auth activate-service-account --key-file key.json # run on the container
+```
+
+Execute the following command in the container
+
+```shell
+cd /TerraformGoat/gcp/elastic_computing_service/vm_command_execution
+```
+
+Edit the `terraform.tfvars` file and fill in the file with your `gcp project id`
+
+```shell
+vim terraform.tfvars
+```
+
+Deploy Vulnerable Environment
+
+```shell
+terraform init
+terraform apply
+```
+
+> When the terminal prompts `Enter a value:`, enter `yes`
+
+![img](../../../images/1652174499.png)
+
+After the environment is set up, You can see the access address of the scenario at Outputs, then access to the browser.
+
+> Because the scenario takes some time to build, if your browser cannot access this site, you can wait a few minutes and access it again.
+
+## Vulnerability Utilization
+
+On VM with command execution vulnerabilities, we can use command execution to get VM metadata, user data and other information.
+
+read metadata
+
+```shell
+curl "http://metadata.google.internal/computeMetadata/v1" -H "Metadata-Flavor: Google"
+```
+
+![img](../../../images/1652174820.png)
+
+read user data
+
+> The premise is that the target has been configured with user data.
+
+```shell
+curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/startup-script" -H "Metadata-Flavor: Google"
+```
+
+![img](../../../images/1652175230.png)
+
+In the user data information, you can see that there is a flag file in the root directory of the scenario, try to use  command execution to read this file.
+
+```shell
+cat /flag69152201.txt
+```
+
+![img](../../../images/1652094243.png)
+
+Successfully read the flag file.
+
+## Destroy the environment
+
+```shell
+terraform destroy
+```