Shells Materials added

Shells/.gitignore

@@ -0,0 +1,2 @@
+*#
+*~

Shells/README.md

@@ -0,0 +1,41 @@
+# Shells_Trainer
+
+Trainers for Shell based activities
+
+All docker compose based.  
+
+In the relevant directory 
+
+Start with 
+
+```
+docker-compose up
+```
+
+stop with 
+
+```
+docker-compose down
+```
+
+## Shells
+
+Covers SSH and Telnet Etc
+
+Run with 
+
+```
+cd shells
+shells$ docker-compose up
+```
+
+## WebShells
+
+Covers WEb Based shells
+
+```
+cd WebShellPlayground
+docker-compose up
+```
+
+

Shells/Shells/Keys_For_Heuc/heuc_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAOcK0fKKMisVrD6aSuNSMIW+dCa2Ajr3ZuXPJaj8jwrAAAAJi+9CeMvvQn
+jAAAAAtzc2gtZWQyNTUxOQAAACAOcK0fKKMisVrD6aSuNSMIW+dCa2Ajr3ZuXPJaj8jwrA
+AAAEDckbr2Ilr+q+V/CTKM8vKwGXUGnL/sXnvR7ytdy/sTYQ5wrR8ooyKxWsPppK41Iwhb
+50JrYCOvdm5c8lqPyPCsAAAAEGRhbmdAZGFuZy1sYXB0b3ABAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----

Shells/Shells/Keys_For_Heuc/heuc_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wrR8ooyKxWsPppK41Iwhb50JrYCOvdm5c8lqPyPCs dang@dang-laptop

Shells/Shells/docker-compose.yaml

@@ -0,0 +1,14 @@
+version: "3.8"
+
+services:
+  ssh:
+    build:
+      context: ssh
+    ports:
+      - "22:22"
+#  telnet:
+#    build:
+#      context: telnet
+#    ports:
+#      - 21:21
+

Shells/Shells/ssh/Dockerfile

@@ -0,0 +1,23 @@
+#SSH
+
+FROM cueh/debian_ctf
+
+#Add a user
+RUN useradd -ms /bin/bash cueh && useradd -ms /bin/bash heuc && useradd -ms /bin/bash admin && echo cueh:cueh | chpasswd
+
+#Install Global Programs
+RUN apt-get update && apt-get install -y --no-install-recommends openssh-server
+
+#Configure SSH (Cant run as Daemon if this doenst exit
+RUN mkdir /var/run/sshd
+
+ADD --chown=heuc:heuc heuc /home/heuc
+ADD --chown=admin:admin admin /home/admin
+
+RUN cp /usr/bin/tee /home/cueh/ && chown admin:admin /home/cueh/tee && chmod a+s /home/cueh/tee
+
+# PORTS AND BASIC COMMAND
+#RUN service ssh start
+EXPOSE 22
+CMD ["/usr/sbin/sshd", "-D"]
+

Shells/Shells/ssh/heuc/.ssh/authorized_keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wrR8ooyKxWsPppK41Iwhb50JrYCOvdm5c8lqPyPCs dang@dang-laptop

Shells/Shells/ssh/heuc/.ssh/heuc_key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAOcK0fKKMisVrD6aSuNSMIW+dCa2Ajr3ZuXPJaj8jwrAAAAJi+9CeMvvQn
+jAAAAAtzc2gtZWQyNTUxOQAAACAOcK0fKKMisVrD6aSuNSMIW+dCa2Ajr3ZuXPJaj8jwrA
+AAAEDckbr2Ilr+q+V/CTKM8vKwGXUGnL/sXnvR7ytdy/sTYQ5wrR8ooyKxWsPppK41Iwhb
+50JrYCOvdm5c8lqPyPCsAAAAEGRhbmdAZGFuZy1sYXB0b3ABAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----

Shells/Shells/ssh/heuc/.ssh/heuc_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA5wrR8ooyKxWsPppK41Iwhb50JrYCOvdm5c8lqPyPCs dang@dang-laptop

Shells/Shells/web/dockerfile

@@ -0,0 +1,5 @@
+FROM cueh/php_apache
+
+#RUN apt-get update && apt-get install -y --no-install-recommends netcat
+
+ADD --chown=www-data:www-data html /var/www/html

Shells/Shells/web/html/index.html

@@ -0,0 +1,3 @@
+<h1>
+  Tunnelled Connection
+</h1>

Shells/WebShellPlayground/docker-compose.yaml

@@ -0,0 +1,21 @@
+version: "3"
+
+services:
+  web:
+    #image: cueh/php_apache
+    build:
+      context: php
+    ports:
+      - 80:80
+#    volumes:
+#      - ./php/html/:/var/www/html
+
+  flask:
+    build:
+      context: flask
+    ports:
+      - 5000:5000
+#    volumes:
+#      - ./flask/opt:/opt
+#    environment:
+#      - FLASK_ENV=development

Shells/WebShellPlayground/flask/Dockerfile

@@ -0,0 +1,8 @@
+FROM cueh/flask
+
+USER root
+RUN apt-get update && apt-get install -y --no-install-recommends ncat
+
+USER flask
+WORKDIR /opt
+ADD ./opt /opt

Shells/WebShellPlayground/flask/opt/app.py

@@ -0,0 +1,41 @@
+"""
+Very simple Flask App.  For Testing
+"""
+
+import flask
+app = flask.Flask(__name__)
+
+import subprocess
+
+@app.route('/')
+def main():
+
+    #payload = flask.request.args.get("payload")
+    return flask.render_template('index.html')
+
+@app.route("/subprocess")
+def subproc():
+
+    command = flask.request.args.get("payload")
+    if command:
+        output = subprocess.check_output(command, shell=True)
+        output = output.decode()
+    else:
+        output = None
+
+    return flask.render_template('subprocess.html', command = command, output = output)
+
+
+
+@app.route("/eval")
+def evalRCE():
+    error = None
+    output = None
+    command = flask.request.args.get("payload")
+    if command:
+        try:
+            output = eval(command)
+        except Exception as ex:
+            error = ex
+
+    return flask.render_template('evalRce.html', command = command, output = output, error=error)

Shells/WebShellPlayground/flask/opt/templates/base.html

@@ -0,0 +1,25 @@
+<!doctype html>
+
+<html lang="en">
+<head>
+
+    <!-- Required meta tags -->
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+
+    <!-- Bootstrap CSS -->
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0-beta1/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-giJF6kkoqNQ00vy+HMDP7azOuL0xtbfIcaT9wjKHr8RbDVddVHyTfAAsrekwKmP1" crossorigin="anonymous">
+
+    <title>Python Shells</title>
+</head>
+
+<body>
+    <div class="container">
+      {% include("nav.html") %}
+
+      {% block content %}
+      {% endblock content %}
+
+    </div>
+</body>
+</html>

Shells/WebShellPlayground/flask/opt/templates/evalRce.html

@@ -0,0 +1,57 @@
+{% extends "base.html" %}
+
+
+{% block content %}
+<h1>Eval based RCE</h1>
+
+<p>
+  In this challenge we can look at RCE via the Python eval() 
+</p>
+<p>
+  Eval wont let us execute system commands directly, as the commands are
+  run within the python interpreter.  We need to work around this by using Pythons
+  internals to build a one liner, that will execute our code.
+
+  For example <code>__import__('os').system('whoami')</code>
+</p>
+
+<p>
+  We also have a second problem. While system will run the command for us,
+  it doesn't give us any output.  I am going to leave it up to you to work
+  this one out.</p>
+
+<p>
+  <strong>TIP:</strong>  You can check the docker-compose logs to get some feedback.
+</p>
+
+<div class="row mt-5">
+  <form>
+    <div class="form-group">
+      <label for="payload">Command</label>
+      <input id="payload" name="payload" placeholder="whoami"></input>
+    </div>
+    <button type="submit" class="btn btn-primary">Submit</button>
+  </form>
+
+
+  {% if command %}
+  <div class="alert alert-info">Command Entered: {{ command }}</div>
+  {% endif %}
+
+  {% if output %}
+  <pre>
+    <code>
+    {{ output }} 
+    </code>
+  </pre>
+  {% endif %}
+
+  {% if error %}
+  <div class="alert alert-warning">Error</div>
+  <pre>
+    {{ error }}
+  </pre>
+  {% endif %}
+</div>
+
+{% endblock content %}

Shells/WebShellPlayground/flask/opt/templates/index.html

@@ -0,0 +1,16 @@
+{% extends "base.html" %}
+
+
+{% block content %}
+<h1>Python Shells</h1>
+
+<p>This is the playground where you can try working with Python based shells and RCE</p>
+
+<h2>Practice</h2>
+
+<ul>
+  <li><a href="/subprocess">Subprocess based RCE</a></li>
+  <li><a href="/eval">Eval Based RCE</a></li>
+</ul>
+
+{% endblock content %}

Shells/WebShellPlayground/flask/opt/templates/nav.html

@@ -0,0 +1,18 @@
+<nav class="navbar navbar-expand-lg navbar-light bg-light">
+  <a class="navbar-brand" href="#">Shell Playground</a>
+  <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
+    <span class="navbar-toggler-icon"></span>
+  </button>
+  <div class="collapse navbar-collapse" id="navbarSupportedContent">
+    <ul class="navbar-nav mr-auto">
+      <li class="nav-item">
+	<a class="nav-link" href="/">Home</a>
+      </li>
+      <li class="nav-item">
+	<a class="nav-link" href="http://127.0.0.1/">PHP Shells</a>
+      </li>
+      <li class="nav-item">
+	<a class="nav-link" href="http://127.0.0.1:5000/">Python Shells</a>
+      </li>
+    </ul>
+</nav>

Shells/WebShellPlayground/flask/opt/templates/subprocess.html

@@ -0,0 +1,38 @@
+{% extends "base.html" %}
+
+
+{% block content %}
+<h1>Subprocess based RCE</h1>
+
+<p>
+  In this challenge we can look at RCE via the Python Subprocess module.
+</p>
+<p>
+  Using Subprocess means that we can call system commands directly,
+  without having to use any special syntax
+</p>
+
+<div class="row mt-5">
+  <form>
+    <div class="form-group">
+      <label for="payload">Command</label>
+      <input id="payload" name="payload" placeholder="whoami"></input>
+    </div>
+    <button type="submit" class="btn btn-primary">Submit</button>
+  </form>
+
+
+  {% if output %}
+  <div class="alert alert-info">Command Entered: {{ command }}</div>
+  <pre>
+    <code>
+    {{ output }} 
+    </code>
+  </pre>
+  {% endif %}
+</div>
+
+
+
+
+{% endblock content %}

Shells/WebShellPlayground/php/dockerfile

@@ -0,0 +1,5 @@
+FROM cueh/php_apache
+
+RUN apt-get update && apt-get install -y --no-install-recommends netcat
+
+ADD --chown=www-data:www-data html /var/www/html

Shells/WebShellPlayground/php/html/index.php

@@ -0,0 +1,37 @@
+<!doctype html>
+
+<html lang="en">
+<head>
+
+    <!-- Required meta tags -->
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+
+    <!-- Bootstrap CSS -->
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0-beta1/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-giJF6kkoqNQ00vy+HMDP7azOuL0xtbfIcaT9wjKHr8RbDVddVHyTfAAsrekwKmP1" crossorigin="anonymous">
+
+    <title>PHP Shells</title>
+</head>
+
+<body>
+    <div class="container">
+      <?php include("nav.html") ?>
+      <h1>PHP Shells</h1>
+
+      <p>This is the playground where you can try working with PHP based shells and RCE</p>
+
+      <h2>Practice</h2>
+
+      <ul>
+	  <li><a href="/shells/pentest-monkey.php">Pen Test Monkey Shell</a></li>
+	  <li><a href="/shells/P0wny.php">P0wny Shell</a></li>
+	  <li><a href="/rce/RCE.php">Remote Code Execution</a></li>
+	  <li><a href="/rce/RCE_Blind.php">Blind RCE</a></li>
+	  <li><a href="/upload.php"> File Uploads</a></li>
+      </ul>
+
+  </div>
+
+
+</body>
+</html>