From 031a0ab426bf046aba1f89389645acdc728c0614 Mon Sep 17 00:00:00 2001
From: vakarisz
Date: Mon, 26 Sep 2022 12:19:32 +0300
Subject: [PATCH] BB: Change powershell credential reuse test to a dedicated machine
Island shouldn't be part of the test, so powershell credential reuse was moved to powershell 46(exploited via log4shell) and powershell 44(exploited via credential reuse from powershell 46)
---
 .../blackbox/gcp_test_machine_list.py | 16 +++----
 envs/monkey_zoo/blackbox/test_blackbox.py | 10 -----
 .../blackbox/test_configurations/__init__.py | 1 -
 .../blackbox/test_configurations/depth_2_a.py | 26 ++++++++++-
 .../powershell_credentials_reuse.py | 44 -------------------
 envs/monkey_zoo/docs/fullDocs.md | 40 +++++++++++++++--
 envs/monkey_zoo/terraform/images.tf | 4 ++
 envs/monkey_zoo/terraform/monkey_zoo.tf | 15 +++++++
 8 files changed, 86 insertions(+), 70 deletions(-)
 delete mode 100644 envs/monkey_zoo/blackbox/test_configurations/powershell_credentials_reuse.py
diff --git a/envs/monkey_zoo/blackbox/gcp_test_machine_list.py b/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
index c7b2886c2..908ed30af 100644
--- a/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
+++ b/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
@@ -15,6 +15,7 @@ GCP_TEST_MACHINE_LIST = {
 "zerologon-25",
 ],
 "europe-west1-b": [
+ "powershell-3-44",
 "powershell-3-45",
 "powershell-3-46",
 "powershell-3-47",
@@ -35,7 +36,12 @@ DEPTH_2_A = {
 "europe-west3-a": [
 "sshkeys-11",
 "sshkeys-12",
- ]
+ ],
+ "europe-west1-b": [
+ "powershell-3-46",
+ "powershell-3-44",
+ ],
+
 }
@@ -75,13 +81,6 @@ DEPTH_4_A = {
 ],
 }
-
-POWERSHELL_EXPLOITER_REUSE = {
- "europe-west1-b": [
- "powershell-3-46",
- ]
-}
-
 ZEROLOGON = {
 "europe-west3-a": [
 "zerologon-25",
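Review bot: The added `+` blank line between `+ ],` and ` }` in the `DEPTH_2_A` hunk leaves an empty line inside the dict literal just before the closing brace; drop it so the literal closes like the other zone maps in this file. The new `"europe-west1-b"` list is ordered `powershell-3-46`, `powershell-3-44`, which reads as the exploitation order (46 first, then 44), but nothing in the mapping says whether order is meaningful to the harness. If it is, make it explicit with `# 46 is exploited via Log4Shell first; 44 is reached from 46 by credential reuse`, otherwise keep the entries sorted like the `GCP_TEST_MACHINE_LIST` block above.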
@@ -110,7 +109,6 @@ GCP_SINGLE_TEST_LIST = {
 "test_depth_1_a": DEPTH_1_A,
 "test_depth_3_a": DEPTH_3_A,
 "test_depth_4_a": DEPTH_4_A,
- "test_powershell_exploiter_credentials_reuse": POWERSHELL_EXPLOITER_REUSE,
 "test_zerologon_exploiter": ZEROLOGON,
 "test_credentials_reuse_ssh_key": CREDENTIALS_REUSE_SSH_KEY,
 "test_wmi_and_mimikatz_exploiters": WMI_AND_MIMIKATZ,
diff --git a/envs/monkey_zoo/blackbox/test_blackbox.py b/envs/monkey_zoo/blackbox/test_blackbox.py
index f140733ec..87d9e825c 100644
--- a/envs/monkey_zoo/blackbox/test_blackbox.py
+++ b/envs/monkey_zoo/blackbox/test_blackbox.py
@@ -15,7 +15,6 @@ from envs.monkey_zoo.blackbox.test_configurations import (
 depth_2_a_test_configuration,
 depth_3_a_test_configuration,
 depth_4_a_test_configuration,
- powershell_credentials_reuse_test_configuration,
 smb_pth_test_configuration,
 wmi_mimikatz_test_configuration,
 zerologon_test_configuration,
@@ -130,15 +129,6 @@ class TestMonkeyBlackbox:
 island_client, depth_4_a_test_configuration, "Depth4A test suite"
 )
- # Not grouped because can only be ran on windows
- @pytest.mark.skip_powershell_reuse
- def test_powershell_exploiter_credentials_reuse(self, island_client):
- TestMonkeyBlackbox.run_exploitation_test(
- island_client,
- powershell_credentials_reuse_test_configuration,
- "PowerShell_Remoting_exploiter_credentials_reuse",
- )
-
 # Not grouped because it's slow
 def test_zerologon_exploiter(self, island_client):
 test_name = "Zerologon_exploiter"
diff --git a/envs/monkey_zoo/blackbox/test_configurations/__init__.py b/envs/monkey_zoo/blackbox/test_configurations/__init__.py
index ba0beec74..964cad9ac 100644
--- a/envs/monkey_zoo/blackbox/test_configurations/__init__.py
+++ b/envs/monkey_zoo/blackbox/test_configurations/__init__.py
@@ -3,7 +3,6 @@ from .depth_1_a import depth_1_a_test_configuration
 from .depth_2_a import depth_2_a_test_configuration
 from .depth_3_a import depth_3_a_test_configuration
 from .depth_4_a import depth_4_a_test_configuration
-from .powershell_credentials_reuse import powershell_credentials_reuse_test_configuration
 from .smb_pth import smb_pth_test_configuration
 from .wmi_mimikatz import wmi_mimikatz_test_configuration
 from .zerologon import zerologon_test_configuration
diff --git a/envs/monkey_zoo/blackbox/test_configurations/depth_2_a.py b/envs/monkey_zoo/blackbox/test_configurations/depth_2_a.py
index 550b7bc02..581259130 100644
--- a/envs/monkey_zoo/blackbox/test_configurations/depth_2_a.py
+++ b/envs/monkey_zoo/blackbox/test_configurations/depth_2_a.py
@@ -6,6 +6,8 @@ from common.credentials import Credentials, Password, Username
 from .noop import noop_test_configuration
 from .utils import (
 add_exploiters,
+ add_fingerprinters,
+ add_http_ports,
 add_subnets,
 add_tcp_ports,
 replace_agent_configuration,
@@ -16,30 +18,50 @@ from .utils import (
 # Tests:
 # SSH password and key brute-force, key stealing (10.2.2.11, 10.2.2.12)
+# Powershell credential reuse (logging in without credentials
+# to an identical user on another machine)(10.2.3.44, 10.2.3.46)
 def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
 brute_force = [
 PluginConfiguration(name="SSHExploiter", options={}),
+ PluginConfiguration(name="PowerShellExploiter", options={}),
 ]
- return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
+ vulnerability = [
+ PluginConfiguration(name="Log4ShellExploiter", options={}),
+ ]
+ return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=vulnerability)
 def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
 subnets = [
 "10.2.2.11",
 "10.2.2.12",
+ "10.2.3.44",
+ "10.2.3.46",
 ]
 return add_subnets(agent_configuration, subnets)
+def _add_fingerprinters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+ fingerprinters = [PluginConfiguration(name="http", options={})]
+
+ return add_fingerprinters(agent_configuration, fingerprinters)
+
+
 def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
- ports = [22]
+ ports = [22, 5985, 5986, 8080]
 return add_tcp_ports(agent_configuration, ports)
+def _add_http_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
+ return add_http_ports(agent_configuration, [8080])
+
+
 test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 2)
 test_agent_configuration = _add_exploiters(test_agent_configuration)
 test_agent_configuration = _add_subnets(test_agent_configuration)
+test_agent_configuration = _add_fingerprinters(test_agent_configuration)
 test_agent_configuration = _add_tcp_ports(test_agent_configuration)
+test_agent_configuration = _add_http_ports(test_agent_configuration)
 CREDENTIALS = (
 Credentials(identity=Username(username="m0nk3y"),
 secret=None),
diff --git a/envs/monkey_zoo/blackbox/test_configurations/powershell_credentials_reuse.py b/envs/monkey_zoo/blackbox/test_configurations/powershell_credentials_reuse.py
deleted file mode 100644
index 5d974cd17..000000000
--- a/envs/monkey_zoo/blackbox/test_configurations/powershell_credentials_reuse.py
+++ /dev/null
@@ -1,44 +0,0 @@
-import dataclasses
-
-from common.agent_configuration import AgentConfiguration, PluginConfiguration
-
-from .noop import noop_test_configuration
-from .utils import (
- add_exploiters,
- add_subnets,
- add_tcp_ports,
- replace_agent_configuration,
- set_maximum_depth,
-)
-
-
-def _add_exploiters(agent_configuration: AgentConfiguration) -> AgentConfiguration:
- brute_force = [
- PluginConfiguration(name="PowerShellExploiter", options={}),
- ]
-
- return add_exploiters(agent_configuration, brute_force=brute_force, vulnerability=[])
-
-
-def _add_subnets(agent_configuration: AgentConfiguration) -> AgentConfiguration:
- subnets = [
- "10.2.3.46",
- ]
- return add_subnets(agent_configuration, subnets)
-
-
-def _add_tcp_ports(agent_configuration: AgentConfiguration) -> AgentConfiguration:
- ports = [5985, 5986]
- return add_tcp_ports(agent_configuration, ports)
-
-
-test_agent_configuration = set_maximum_depth(noop_test_configuration.agent_configuration, 1)
-test_agent_configuration = _add_exploiters(test_agent_configuration)
-test_agent_configuration = _add_subnets(test_agent_configuration)
-test_agent_configuration = _add_tcp_ports(test_agent_configuration)
-
-powershell_credentials_reuse_test_configuration = dataclasses.replace(noop_test_configuration)
-replace_agent_configuration(
- test_configuration=powershell_credentials_reuse_test_configuration,
- agent_configuration=test_agent_configuration,
-)
diff --git a/envs/monkey_zoo/docs/fullDocs.md b/envs/monkey_zoo/docs/fullDocs.md
index 5b08146a9..a86d82508 100644
--- a/envs/monkey_zoo/docs/fullDocs.md
+++ b/envs/monkey_zoo/docs/fullDocs.md
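Review bot: The precondition this configuration now depends on is not written next to it: the `PowerShellExploiter` added to `brute_force` can only reach 10.2.3.44 if the agent that lands on 10.2.3.46 through `Log4ShellExploiter` runs under an account whose logon context WinRM on 10.2.3.44 will accept, because `CREDENTIALS` (which continues past the end of the hunk) supplies `Username("m0nk3y")` with `secret=None` and no password. The two added comment lines say "identical user" but not which hop carries the credentials, and the assumption that the Tomcat service on 10.2.3.46 runs as m0nk3y comes from the commit description, not from anything in this file. I'd replace those two lines with `# Powershell credential reuse: island -> 10.2.3.46 via Log4Shell (Tomcat on 8080), then the agent's own logon context is reused against WinRM (5985/5986) on 10.2.3.44; m0nk3y deliberately has no password configured so the hop cannot succeed by brute force`. Stating that here makes a failure caused by the Tomcat service account changing on the 46 image distinguishable from an exploiter regression.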
@@ -759,6 +759,38 @@ This prevents ssh exploitation, but allows tunneling. + + + + + + + + + + + + + + + + + + + + + + + + + +

Nr. 3-44 Powershell

+

(10.2.3.44)

(Vulnerable)
OS:Windows Server 2016 x64
Software:WinRM service
Default server’s port: 5985, 5986-
Notes:User: m0nk3y, Password: nPj8rbc3
+Accessible using the same m0nk3y user from powershell-3-46, +in other words powershell exploiter can exploit +this machine without credentials as long as the user running the agent has +the same credentials on both machines
+ @@ -804,17 +836,17 @@ Accessibale through Island using m0nk3y-user. + - + +Exploited from island via log4shell(tomcat). Then uses cached powershell credentials to +propagate to powershell-3-44
Software: WinRM serviceTomcat 8.0.36
Default server’s port:Default server’s port:8080 -
Notes: User: m0nk3y, Password: nPj8rbc3
-Accessible using the same m0nk3y user from island, in other words powershell exploiter can exploit -this machine without credentials as long as the user running the agent is the same on both -machines
diff --git a/envs/monkey_zoo/terraform/images.tf b/envs/monkey_zoo/terraform/images.tf
index 767935f61..44913f1a9 100644
--- a/envs/monkey_zoo/terraform/images.tf
+++ b/envs/monkey_zoo/terraform/images.tf
@@ -59,6 +59,10 @@ data "google_compute_image" "powershell-3-46" {
 name = "powershell-3-46"
 project = local.monkeyzoo_project
 }
+data "google_compute_image" "powershell-3-44" {
+ name = "powershell-3-44"
+ project = local.monkeyzoo_project
+}
 data "google_compute_image" "powershell-3-45" {
 name = "powershell-3-45"
 project = local.monkeyzoo_project
diff --git a/envs/monkey_zoo/terraform/monkey_zoo.tf b/envs/monkey_zoo/terraform/monkey_zoo.tf
index 553a85076..f8c5a43be 100644
--- a/envs/monkey_zoo/terraform/monkey_zoo.tf
+++ b/envs/monkey_zoo/terraform/monkey_zoo.tf
@@ -311,6 +311,21 @@ resource "google_compute_instance_from_template" "powershell-3-46" {
 }
 }
+resource "google_compute_instance_from_template" "powershell-3-44" {
+ name = "${local.resource_prefix}powershell-3-44"
+ source_instance_template = local.default_windows
+ boot_disk{
+ initialize_params {
+ image = data.google_compute_image.powershell-3-44.self_link
+ }
+ auto_delete = true
+ }
+ network_interface {
+ subnetwork="${local.resource_prefix}monkeyzoo-main-1"
+ network_ip="10.2.3.44"
+ }
+}
+
 resource "google_compute_instance_from_template" "powershell-3-45" {
 name = "${local.resource_prefix}powershell-3-45"
 source_instance_template = local.default_windows
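Review bot: `boot_disk{` in the new `powershell-3-44` resource is missing the space before the brace that `initialize_params {` and `network_interface {` in the same block have; `terraform fmt` would rewrite it to `boot_disk {`, so run it before merging. The resource mirrors `powershell-3-46`, whose body starts outside the hunk, so whatever firewall rule or instance tag lets the agent on 10.2.3.46 reach WinRM on 5985/5986 is presumably what has to cover 10.2.3.44 as well; that is not visible here and is worth confirming, since the depth-2 test fails silently on a blocked port rather than on the exploiter.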