Create exploit.tf

RhinoSecurityLabs · Dec 13, 2024 · e33f8f0 · e33f8f0
1 parent c370a40
commit e33f8f0
Showing 1 changed file with 220 additions and 0 deletions.
diff --git a/scenarios/detection_evasion/solution/exploit.tf b/scenarios/detection_evasion/solution/exploit.tf
@@ -0,0 +1,220 @@
+resource "aws_vpc" "main" {
+  cidr_block       = "${var.target_cidr_block}"
+  instance_tenancy = "default"
+  enable_dns_support = true
+  enable_dns_hostnames  = true 
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_subnet" "main" {
+  vpc_id     = aws_vpc.main.id
+  cidr_block = "${var.target_cidr_block}"
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_instance" "web" {
+  ami           = "ami-0cff7528ff583bf9a"
+  instance_type = "t2.micro"
+  private_ip = "${var.target_ip}"
+  associate_public_ip_address = true
+  subnet_id = "${aws_subnet.main.id}"
+  iam_instance_profile = "${aws_iam_instance_profile.ec2_instance_profile.name}"
+  vpc_security_group_ids = ["${aws_security_group.vpc_exploit.id}"]
+  user_data = <<EOF
+#!/bin/bash
+
+for home in /home/* /root; do
+  mkdir -p "$${home}/.aws"
+  echo '
+[profile default]
+region=us-east-1
+sts_regional_endpoints=regional
+'> "$${home}/.aws/config"
+done
+EOF
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_iam_instance_profile" "ec2_instance_profile" {
+  name = "ec2_instance_profile"
+  role = aws_iam_role.ec2_instance_profile_role.name
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_iam_role" "ec2_instance_profile_role" {
+  name = "ec2_instance_profile_role"
+  path = "/"
+  tags = {
+    Name = "vpc_exploit"
+  }
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "admin" {
+  role       = aws_iam_role.ec2_instance_profile_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_policy_core" {
+  role       = aws_iam_role.ec2_instance_profile_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_agent_server_policy" {
+  role       = aws_iam_role.ec2_instance_profile_role.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+}
+
+resource "aws_vpc_endpoint" "sts" {
+  vpc_id       = aws_vpc.main.id
+  service_name = "com.amazonaws.${var.region}.sts"
+  vpc_endpoint_type = "Interface"
+  private_dns_enabled = true
+  subnet_ids = ["${aws_subnet.main.id}"]
+  security_group_ids = [
+    aws_security_group.vpc_exploit.id,
+  ]
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_vpc_endpoint" "secretsmanager" {
+  vpc_id       = aws_vpc.main.id
+  service_name = "com.amazonaws.${var.region}.secretsmanager"
+  vpc_endpoint_type = "Interface"
+  private_dns_enabled = true
+  subnet_ids = ["${aws_subnet.main.id}"]
+  security_group_ids = [
+    aws_security_group.vpc_exploit.id,
+  ]
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_vpc_endpoint" "ssm" {
+  vpc_id       = aws_vpc.main.id
+  service_name = "com.amazonaws.${var.region}.ssm"
+  vpc_endpoint_type = "Interface"
+  subnet_ids = ["${aws_subnet.main.id}"]
+  private_dns_enabled = true
+  security_group_ids = [
+    aws_security_group.vpc_exploit.id,
+  ]
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_vpc_endpoint" "ec2messages" {
+  vpc_id       = aws_vpc.main.id
+  service_name = "com.amazonaws.${var.region}.ec2messages"
+  vpc_endpoint_type = "Interface"
+  subnet_ids = ["${aws_subnet.main.id}"]
+  private_dns_enabled = true
+  security_group_ids = [
+    aws_security_group.vpc_exploit.id,
+  ]
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_vpc_endpoint" "ec2" {
+  vpc_id       = aws_vpc.main.id
+  service_name = "com.amazonaws.${var.region}.ec2"
+  vpc_endpoint_type = "Interface"
+  subnet_ids = ["${aws_subnet.main.id}"]
+  private_dns_enabled = true
+  security_group_ids = [
+    aws_security_group.vpc_exploit.id,
+  ]
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_vpc_endpoint" "ssmmessages" {
+  vpc_id       = aws_vpc.main.id
+  service_name = "com.amazonaws.${var.region}.ssmmessages"
+  vpc_endpoint_type = "Interface"
+  subnet_ids = ["${aws_subnet.main.id}"]
+  private_dns_enabled = true
+  security_group_ids = [
+    aws_security_group.vpc_exploit.id,
+  ]
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_vpc_endpoint" "logs" {
+  vpc_id       = aws_vpc.main.id
+  service_name = "com.amazonaws.${var.region}.logs"
+  vpc_endpoint_type = "Interface"
+  subnet_ids = ["${aws_subnet.main.id}"]
+  private_dns_enabled = true
+  security_group_ids = [
+    aws_security_group.vpc_exploit.id,
+  ]
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}
+
+resource "aws_security_group" "vpc_exploit" {
+  name        = "vpc_exploit"
+  description = "Allow ssh inbound traffic"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description      = "SSH"
+    from_port        = 443
+    to_port          = 443
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port        = 443
+    to_port          = 443
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "vpc_exploit"
+  }
+}