Implement exploit remote services action

CASTLEGym / CybORG

Cyber Operations Research Gym

Other

1 stars 1 forks source link

Implement exploit remote services action #1

Open balasub opened 6 months ago

balasub commented 6 months ago

The exploit remote services action should work as follows.

Input: IP address or hostname

Implementation:

The red agent will "think" it's invoking the FTPDirTraversal exploit action (because that's what we've specified as being available in the red agent's list of actions in the CybORG scenario configuration file), but this will actually be an ssh "bruteforce".
The implementation should try to ssh to the IP address or hostname (specified as an input to the action) and intentionally use the incorrect password 3 times. The fourth time, the implementation should use the correct password, resulting in an ssh connection.
The ssh connection should use paramiko so that it can be persisted and subsequently used to run the "escalate privilege" action.
After the ssh connection succeeds, the implementation should add this process to the list of processes in the file "malicious_processes.txt".

Output:

{success, available_exploit (FTPDirTraversal), exploited port (21), port on which reverse shell runs, remote port on attacker node where reverse shell connects}

hnine999 commented 6 months ago

@balasub @vardhah

Questions:

The SSH connection can be persisted in the FTPDirTraversal action, but how does it get passed to the escalate privilege action?
What process is being added to the list of processes in the file malicious_processes.txt? I'm assuming malicious_processes.txt is on the target machine. Is the process the shell on the target machine that is spawned by the ssh conneciton?
Is a reverse shell actually running? It's my understanding that a reverse-shell is a connection from the target (attacked) machine back to the attacker node. The FTPDirTraversal is a connection in the other direction, from the attacker node to the target machine.

hnine999 commented 6 months ago

Answers:

We will persist the connection and keep it in a dictionary keyed by a unique id that is placed in the observation and state.
The malicious_processes.txt file should be malicious_process_ids.txt, as there can be many processes, some harmless and some malicious, that have same name. PID's will be stored in this file.

The pid of the shell spawned by the malicious ssh connection will be appened to the malicious_process_ids.txt file.

There is no reverse shell. The ports of the ssh connection should be returned in the observation.