clong / DetectionLab

Automate the creation of a lab environment complete with security tooling and logging best practices
MIT License
4.59k stars 979 forks

win10 - Velociraptor install broken #848

Closed kiyori-lw closed 1 year ago

kiyori-lw commented 1 year ago

Please verify that you are building from an updated Master branch before filing an issue.

Description of the issue:

While re-provisioning the win10 host, the Velociraptor install fails.
Updated the URL and deleted the Velociraptor log file, the MSI, and any partial Velociraptor folder in C:\program files.

Re-ran:
vagrant reload win10 --provision

The entire provisioning then completes successfully.

In $velociraptorDownloadUrl:
** was:  https://github.com/Velocidex/velociraptor/releases/latest
** changed to: https://github.com/Velocidex//velociraptor/releases/

Entire line:
** was: $velociraptorDownloadUrl = "https://github.com" + ((Invoke-WebRequest "https://github.com/Velocidex/velociraptor/releases/latest" -UseBasicParsing).links | Select-Object -ExpandProperty href | Select-String "windows-amd64.msi$" | Select-Object -First 1)

** changed to: $velociraptorDownloadUrl = "https://github.com" + ((Invoke-WebRequest "https://github.com/Velocidex/velociraptor/releases/" -UseBasicParsing).links | Select-Object -ExpandProperty href | Select-String "windows-amd64.msi$")

Link to Gist Containing Build Logs:

kiyori-lw commented 1 year ago

Seems to also affect the DC.

rcegan commented 1 year ago

Can confirm, ran into this issue as well.

schiaro98 commented 1 year ago

The problem, as far as I can see, is in the $velociraptorDownloadUrl variable, which is not set correctly. So a possible workaround (which pins the string to the same version every time) is setting the variable as in the following line:

$velociraptorDownloadUrl = "https://github.com/Velocidex/velociraptor/releases/download/v0.6.6-1/velociraptor-v0.6.6-2-windows-amd64.msi"

gingerhax commented 1 year ago

Had the same issue on the logger.

Changed

LATEST_VELOCIRAPTOR_LINUX_URL=$(curl -sL "https://github.com/Velocidex/velociraptor/releases/latest" | grep linux-amd64 | grep href | head -1 | cut -d '"' -f 2 | sed 's#^#https://github.com#g')

to

LATEST_VELOCIRAPTOR_LINUX_URL=$(curl -sL https://github.com/Velocidex/velociraptor/releases/ | grep linux-amd64 | grep href | head -1 | cut -d '"' -f 2 | sed 's#^#https://github.com#g')

and Velociraptor installed correctly and is reachable.
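The pipeline above builds the download URL from scraped releases HTML and, when the page lists no asset links (the failure mode in this issue), silently yields a bare "https://github.com" prefix that the installer then tries to fetch. The following is an added example, not DetectionLab's own bootstrap code: it runs the same extraction over constructed sample HTML, fails loudly when nothing matches, and validates the derived URL against the expected project and asset naming scheme before it would be passed to curl. The sample HTML strings and the two function names are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not DetectionLab code): derive the Velociraptor linux-amd64
# download URL from GitHub releases HTML, refusing to continue when no asset
# link is found instead of producing a bogus "https://github.com" URL.
set -euo pipefail

# Constructed sample of the relevant part of a releases page (not a real capture).
SAMPLE_RELEASES_HTML='<a href="/Velocidex/velociraptor/releases/download/v0.6.6-1/velociraptor-v0.6.6-2-linux-amd64">linux</a>
<a href="/Velocidex/velociraptor/releases/download/v0.6.6-1/velociraptor-v0.6.6-2-windows-amd64.msi">msi</a>'

# Constructed sample of a page with no asset links, mirroring what
# /releases/latest returned when the install started failing.
SAMPLE_EMPTY_HTML='<div class="release-header">v0.6.6-1</div>'

# Read releases HTML on stdin, print the first linux-amd64 asset as a full URL.
# Returns non-zero when nothing matched so a caller never downloads from a
# half-built URL (the original pipeline would just print the prefix).
velociraptor_linux_url() {
    local rel
    rel=$(grep -o 'href="[^"]*linux-amd64[^"]*"' | head -1 | cut -d '"' -f 2 || true)
    if [ -z "$rel" ]; then
        echo "error: no linux-amd64 asset link found in releases HTML" >&2
        return 1
    fi
    printf 'https://github.com%s\n' "$rel"
}

# Accept only URLs under the Velocidex/velociraptor release download path with
# the expected "velociraptor-vX.Y.Z[-N]-linux-amd64" asset name; anything else
# (a bare prefix, a different repo, a renamed asset) is rejected before curl.
check_velociraptor_url() {
    printf '%s\n' "$1" | grep -Eq \
      '^https://github\.com/Velocidex/velociraptor/releases/download/v[0-9][0-9.]*(-[0-9]+)?/velociraptor-v[0-9][0-9.]*(-[0-9]+)?-linux-amd64$'
}
```

In the real bootstrap the stdin would be `curl -sL https://github.com/Velocidex/velociraptor/releases/`, and a failed check should abort provisioning rather than fall through to the install step.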

clong commented 1 year ago

Weird, I can't reproduce this:

==> win10: Running provisioner: shell...
    win10: Running: scripts/install-velociraptor.ps1 as C:\tmp\vagrant-shell.ps1
    win10: [22:48] Adding logger to the hosts file
    win10: [22:48] Determining latest release of Velociraptor...
    win10: [22:48] Downloading Velociraptor...
    win10: [22:48] Installing Velociraptor...
    win10: [22:48] Velociraptor successfully installed!

clong commented 1 year ago

In any case, the updated commands for URL generation you folks supplied seem to work fine, so I'll go ahead and update!

clong commented 1 year ago

Fixed in https://github.com/clong/DetectionLab/commit/22bf9be04044fe0ff80bf61c7731f8ff28b65dff