This is the multi-page printable view of this section. Click here to print.
Random
Packer, Ubuntu Noble, and VirtualBox
Adventures with automating VM builds
I have been using Packer for quite a while. However, all my interactions have used JSON instead of HCL. I wanted to set up a new build using HCL, VirtualBox, and Ubuntu 24.04. I am going to attempt to create documentation for using HCL with VirtualBox to build a custom image based on the latest Ubuntu LTS release (with cloud init).
In my research I found some decent guides that did most of what I wanted. I’ll use these a reference for building my specific use case.
- QEMU: https://github.com/shantanoo-desai/packer-ubuntu-server-uefi/tree/main
- VMWare: https://github.com/ynlamy/packer-ubuntuserver24_04/blob/main/vmware-iso-ubuntuserver24_04.pkr.hcl
The official docs will also come in handy and can be found here: https://developer.hashicorp.com/packer/integrations/hashicorp/virtualbox.
# virtualbox.pkr.hcl
packer {
required_version = ">= 1.7.0"
required_plugins {
virtualbox = {
version = "~> 1"
source = "github.com/hashicorp/virtualbox"
}
ansible = {
version = ">= 1.1.1"
source = "github.com/hashicorp/ansible"
}
}
}
source "virtualbox-iso" "packer-vm-ubuntu" {
guest_os_type = "Ubuntu_64"
iso_url = "https://releases.ubuntu.com/noble/ubuntu-24.04-live-server-amd64.iso"
iso_checksum = "sha256:8762f7e74e4d64d72fceb5f70682e6b069932deedb4949c6975d0f0fe0a91be3"
http_directory = "./http/24.04/"
ssh_username = "packer"
ssh_password = "packer"
ssh_timeout = "10m"
shutdown_command = "echo 'packer' | sudo -S shutdown -P now"
headless = false
firmware = "efi"
boot_command = ["e<wait><down><down><down><end> autoinstall 'ds=nocloud-net;s=http://{{ .HTTPIP }}:{{ .HTTPPort }}/'<F10>"]
boot_wait = "5s"
vboxmanage = [
[
"modifyvm",
"{{.Name}}",
"--memory",
"4096"
],
[
"modifyvm",
"{{.Name}}",
"--cpus",
"4"
],
[
"modifyvm",
"{{.Name}}",
"--nat-localhostreachable1",
"on"
]
]
}
# build {
# sources = ["sources.virtualbox-iso.packer-vm-ubuntu"]
#
# provisioner "ansible" {
# playbook_file = "../../ansible/ubuntu-desktop.yaml"
# }
# }
I’d like to point out a few things. First the http_directory property
specifies a directory to be exposed via HTTP. This will be consumed by
cloud-init. We’ll use that to create our initial user.
In the out http_directory we’ll need to create two files.
- meta-data
- user-data
We’ll leave meta-data empty, if it is not there, cloud-init will refuse to
consume our user-data file.
#cloud-config
autoinstall:
version: 1
locale: en_US
keyboard:
layout: us
ssh:
install-server: true
allow-pw: true
packages:
- zsh
updates: all
late-commands:
- |
if [ -d /sys/firmware/efi ]; then
apt-get install -y efibootmgr
efibootmgr -o $(efibootmgr | perl -n -e '/Boot(.+)\* Ubuntu/ && print $1')
fi
user-data:
preserve_hostname: false
hostname: carbon
package_upgrade: true
timezone: UTC
users:
- name: packer
# passwd must be a password hash, you can generate it with `openssl passwd -6 replacewithyourpassword`
passwd: $6$ZfIbBMQd5rmGTGPk$AWrvIL1v4Xq6jsSR72KsSONa2VpSnr8SZHPDF2l6pNNcQ3HKjqWF2JEBYepl4LnnmzKiKFEcRuf7lfyOMooq50
groups: [adm, cdrom, dip, plugdev, lxd, sudo]
lock-passwd: false
sudo: ALL=(ALL) NOPASSWD:ALL
shell: /bin/zsh
Now we should be able to build our VM using VirtualBox.
packer build virtualbox.pkr.hcl
If you have an ansible playbook, you can reference it in the build section.
SaintCON Training
I’ve been working on a phishing training for SAINTCON. I used this to brainstorm how I wanted the network laid out.
Network Diagram
flowchart TB
wifi-->opnet
subgraph labnet [FakeNet]
direction TB
subgraph corpnet [Corp Network]
subgraph corpnetprod [Production Network]
smtp[Corporate Web Site]
www[Corporate Web Site]
webapp[product]
end
subgraph corpnetinternal [Internal Network]
corpuser[Corp User]
codehosting[Code Server]
end
end
subgraph wifi [Guest Network]
operator001("Operator Physical Machines")
end
subgraph opnet [Op Network]
op001("Operations VMs")
end
opnet-->corpnetprod;
corpnetinternal<-->corpnetprod;
endWork Flows
stateDiagram-v2
[*] --> Onboard
Onboard --> OSINT
OSINT --> InfrastructureDev
InfrastructureDev --> CampaignDevelopment
CampaignDevelopment --> Test
Test --> Phish
state Onboard {
[*] --> ConnectNet
ConnectNet --> AccessVM
AccessVM --> ReadDocs
ReadDocs --> [*]
}
state OSINT {
[*] --> SearchEngines
[*] --> CrunchBase
[*] --> LinkedIn
[*] --> CodeHosting
[*] --> DNSRecon
[*] --> MailServers
[*] --> LoginPages
SearchEngines --> [*]
CrunchBase --> [*]
LinkedIn --> [*]
CodeHosting --> [*]
DNSRecon --> [*]
MailServers --> [*]
LoginPages --> [*]
}
state InfrastructureDev {
SpinUpServices : Spin up Services
PointDomains : Point Domains
StaticSite : Static Site
[*] --> SpinUpServices
SpinUpServices --> PointDomains
SpinUpServices --> Modlishka
SpinUpServices --> Gophish
SpinUpServices --> StaticSite
Modlishka --> [*]
Gophish --> [*]
StaticSite --> [*]
PointDomains --> [*]
}
state CampaignDevelopment {
[*] --> EmailTemplates
[*] --> PayloadCreation
EmailTemplates --> TestCampaigns
PayloadCreation --> TestCampaigns
TestCampaigns --> [*]
}
state Test {
[*] --> SendTestEmail
SendTestEmail --> TestCredHarvesting
TestCredHarvesting --> TestPayload
TestPayload --> [*]
}
state Phish {
[*] --> ScheduleCampaign
ScheduleCampaign --> WaitForCreds
ScheduleCampaign --> WaitForCallback
WaitForCreds --> TakeOverSession
TakeOverSession --> AuthenticatedPostExploitation
WaitForCallback --> InternalPostExploitation
InternalPostExploitation --> [*]
AuthenticatedPostExploitation --> [*]
}Curl Resolve DNS through Proxy
If you append h to your socks5 protocol prefix when using --proxy the DNS resolution happens on the other side of the socks proxy!
curl --proxy socks5h://127.0.0.1:1080 http://internal-host
Cloud metadata URLs
Alibaba
http://100.100.100.200/latest/meta-data/
http://100.100.100.200/latest/meta-data/instance-id
http://100.100.100.200/latest/meta-data/image-id
References
AWS
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
http://169.254.169.254/
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/meta-data/public-keys/
ECS Task
http://169.254.170.2/v2/credentials/
References
- http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v2.html
Azure
No header Required
http://169.254.169.254/metadata/v1/maintenance
Requires header
Must use Metadata: true request header
http://169.254.169.254/metadata/instance?api-version=2017-04-02
http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
References
- https://azure.microsoft.com/en-us/blog/what-just-happened-to-my-vm-in-vm-metadata-service/
- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
Google Cloud
Requires header
Must use one of the following headers
Metadata-Flavor: GoogleX-Google-Metadata-Request: True
http://169.254.169.254/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/
http://metadata/computeMetadata/v1/
http://metadata.google.internal/computeMetadata/v1/instance/hostname
http://metadata.google.internal/computeMetadata/v1/instance/id
http://metadata.google.internal/computeMetadata/v1/project/project-id
http://metadata.google.internal/computeMetadata/v1/instance/disks/?recursive=true
No header required (old)
http://metadata.google.internal/computeMetadata/v1beta1/
References
Digital Ocean
http://169.254.169.254/metadata/v1.json
http://169.254.169.254/metadata/v1/
http://169.254.169.254/metadata/v1/id
http://169.254.169.254/metadata/v1/user-data
http://169.254.169.254/metadata/v1/hostname
http://169.254.169.254/metadata/v1/region
http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
References
HP Helion
http://169.254.169.254/2009-04-04/meta-data/
Kubernetes
https://kubernetes.default
https://kubernetes.default.svc.cluster.local
https://kubernetes.default.svc/metrics
References
- https://twitter.com/Random_Robbie/status/1072242182306832384
- https://kubernetes.io/docs/tasks/debug-application-cluster/debug-service/
OpenStack/RackSpace
http://169.254.169.254/openstack
References
Oracle Cloud
http://192.0.0.192/latest/
http://192.0.0.192/latest/user-data/
http://192.0.0.192/latest/meta-data/
http://192.0.0.192/latest/attributes/
References
Packetcloud
https://metadata.packet.net/userdata
PfSense and SELKS
I installed SELKS this in a VM. I am using Fedora Server (which I kind of regret because of the updates).
Once installed I went to my PfSense firewall admin interface, to bridge LAN and WAN to a 3rd interface ( OPT1). ref
WAN
+
|
|
+--------------v----------------+
| |
| |
| PfSense |
| |
| |
| |
+---+--------------------+------+
| |
| |
| |
v v
LAN OPT1
(to SELKS Monitor port)
PfSense logs in SELKS kibana
I used some files from here, then enabled log forwarding in pfsense
Anyproxy Intercept
Anyproxy is an intercept proxy. I used it to inject scripts into pages to assist in web fuzzing.
const AnyProxy = require('./anyproxy/proxy');
const options = {
port: 8080,
rule: require('./dfkt_rule'),
webInterface: {
enable: true,
webPort: 8002
},
throttle: 10000,
forceProxyHttps: true,
wsIntercept: true,
silent: false
};
const proxyServer = new AnyProxy.ProxyServer(options);
proxyServer.on('ready', () => {
console.log('ready')
});
proxyServer.on('error', (e) => {
console.error(e)
});
proxyServer.start();
//when finished
// dfkt_rule
let hooks = {
beforeSendRequest: [
function (requestDetail, requestDetailModifications) {
requestDetailModifications.requestOptions = requestDetail.requestOptions;
requestDetailModifications.requestOptions.headers['User-Agent'] += ' DFKT/1';
},
],
beforeSendResponse: [
function (requestDetail, responseDetail, modifiedResponse) {
modifiedResponse.response = responseDetail.response;
console.log(modifiedResponse.response.header);
if (modifiedResponse.response.body.indexOf('<head>') !== -1) {
modifiedResponse.response.body = modifiedResponse.response.body.toString().replace('<head>', '<head><script>console.log("dfkt loaded")</script>');
}
},
],
}
module.exports = {
summary: 'DFKT rules for web testing',
* beforeSendRequest(requestDetail) {
let requestDetailModifications = {};
for (let hook in hooks.beforeSendRequest) {
hooks.beforeSendRequest[hook](requestDetail, requestDetailModifications);
}
return requestDetailModifications;
},
// deal response before send to client
* beforeSendResponse(requestDetail, responseDetail) {
let responseDetailModifications = {};
for (let hook in hooks.beforeSendResponse) {
hooks.beforeSendResponse[hook](requestDetail, responseDetail, responseDetailModifications);
}
return responseDetailModifications;
},
// // if deal https request
// *beforeDealHttpsRequest(requestDetail) {
//
// },
// error happened when dealing requests
* onError(requestDetail, error) {
},
// error happened when connect to https server
* onConnectError(requestDetail, error) {
}
};
Random shell scripting things I may use in the future
Mass move:
for f in wlog/*; do
for ff in $f/*; do
cp "$ff" $(basename $f)-$(basename $ff | sed 's/^00-//g' | sed 's/ /-/g');
done;
done
Mass Find and replace:
for f in *todo*; do
cat $f | sed -e 's/## '$(basename $f | sed 's/-stand-up-notes.md//')$'/---\\\ndate: "2019-03-01T16:20:01"
title: '$(basename $f | sed 's/-stand-up-notes.md//')$' stand up notes\\\n---'/ | tee $f ;
done
Mass adjust markdown headers:
find . -name '*.md' | while read f; do cat $f | egrep '^##\s' > /dev/null && echo $f; done | while read fn; do cat $fn | sed 's/^##/###/g' | sed 's/^#\s/## /g' | tee $fn; done
Create temp directory:
tmpDir="$(mktemp -d -t tmpdirname.XXXXXXXXXX || oops "Can't create temporary directory")"
cleanup() {
rm -rf "$tmpDir"
}
trap cleanup EXIT INT QUIT TERM