Initial Commit

2025-06-23 16:42:16 +02:00 · 2025-06-23 16:42:16 +02:00 · cc7f8bcba8
commit cc7f8bcba8
16 changed files with 341 additions and 0 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -0,0 +1,35 @@
+{
+    // Displayed name
+    "name": "Vulnbox",
+
+    // Service name from compose file
+    "service": "vulnbox",
+
+    // Compose-File
+    "dockerComposeFile": ["../compose.yaml"],
+
+    // Customization
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "william-voyek.vscode-nginx",
+                "fabiospampinato.vscode-highlight",
+                "fabiospampinato.vscode-todo-plus"
+            ]
+        }
+    },
+    
+    // The WorkspaceFolder inside container
+    "workspaceFolder": "/etc/nginx",
+
+    // Env in container
+    "containerEnv": {
+
+    }
+
+    
+
+    
+    
+
+}
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
+config/*/*
+private/**
+!**/*.gitkeep
+!**/*.example
--- a/compose.yaml
+++ b/compose.yaml
@ -0,0 +1,34 @@
+services:
+  vulnbox:
+    privileged: true
+    env_file:
+      - ./config/vulnbox/.env
+    build:
+      context: ./vulnbox
+      dockerfile: DOCKERFILE
+    volumes:
+      - ./vulnbox/nginx:/etc/nginx/
+      - ./private/:/services-keys
+    ports:
+      - 8080:80
+      - 3000:3000
+      - 3443:3443
+      - 0.0.0.0:22:22
+    networks:
+      - test-net
+    entrypoint: entry.sh
+
+  express-tls:
+    build: 
+      context: ./services/ExpressTLS
+      dockerfile: DOCKERFILE
+    volumes:
+      - ./private/ExpressTLS:/workspace/keys
+    networks:
+      - test-net
+    ports:
+      - 0.0.0.0:8443:8443
+
+
+networks:
+  test-net:
--- a/config/vulnbox/.env.example
+++ b/config/vulnbox/.env.example
@ -0,0 +1 @@
+VULNBOX_PASSWORD = BEST_PASSWORD
--- a/config/vulnbox/.gitkeep
+++ b/config/vulnbox/.gitkeep
--- a/private/.gitkeep
+++ b/private/.gitkeep
--- a/services/.gitkeep
+++ b/services/.gitkeep
--- a/vulnbox/DOCKERFILE
+++ b/vulnbox/DOCKERFILE
@ -0,0 +1,30 @@
+FROM alpine
+
+ENV PATH "$PATH:/docker-bin"
+
+RUN apk update && apk upgrade
+RUN apk add nginx openssh openrc \
+    nano openssl git nginx-mod-stream \
+    nginx-mod-http-headers-more \
+    tcpdump
+
+# NGINX
+RUN adduser -D -g 'www' www
+RUN mkdir /www
+RUN chown -R www:www /var/lib/nginx
+RUN chown -R www:www /www
+
+RUN cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
+
+# SSHD
+RUN rc-update add sshd
+RUN touch /run/openrc/softlevel
+
+COPY ./ssh/sshd_config /etc/ssh/sshd_config
+
+WORKDIR /docker-bin
+
+COPY ./helper-scripts /docker-bin
+
+RUN chmod +x /docker-bin/*
+
--- a/vulnbox/helper-scripts/entry.sh
+++ b/vulnbox/helper-scripts/entry.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+echo "root:${VULNBOX_PASSWORD}" | chpasswd
+rc-service sshd start
+rc-service nginx start
+
+# This is needed, otherwise
+#   the machine will close
+sleep infinity
--- a/vulnbox/nginx/http/.gitkeep
+++ b/vulnbox/nginx/http/.gitkeep
--- a/vulnbox/nginx/http/prova.conf
+++ b/vulnbox/nginx/http/prova.conf
@ -0,0 +1,23 @@
+
+
+    
+server { 
+    listen *:3443 ssl;
+
+    ssl_certificate     /services-keys/ExpressTLS/cert.pem;
+    ssl_certificate_key /services-keys/ExpressTLS/key.pem;
+    ssl_protocols       TLSv1.3;
+
+    location / {
+        proxy_pass http://localhost:3080/;
+    }
+}
+
+server {
+    listen 127.0.0.1:3080;
+
+    location / {
+        proxy_pass https://express-tls:8443/;
+    }
+}
+
--- a/vulnbox/nginx/nginx.conf
+++ b/vulnbox/nginx/nginx.conf
@ -0,0 +1,49 @@
+user nginx;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Load ngx_stream_module
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+
+
+
+
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+events {
+	# The maximum number of simultaneous connections that can be opened by
+	# a worker process.
+	worker_connections 1024;
+}
+
+http {
+	
+	more_clear_headers Server; 
+
+	# Helper variable for proxying websockets.
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		'' close;
+	}
+
+
+	# Specifies the main log format.
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+			'$status $body_bytes_sent "$http_referer" '
+			'"$http_user_agent" "$http_x_forwarded_for"';
+
+
+
+	# Includes virtual hosts configs.
+	include /etc/nginx/http/*.conf;
+}
+
+stream {
+
+	include /etc/nginx/stream*.conf;
+    
+}
--- a/vulnbox/nginx/quic/.gitkeep
+++ b/vulnbox/nginx/quic/.gitkeep
--- a/vulnbox/nginx/stream/.gitkeep
+++ b/vulnbox/nginx/stream/.gitkeep
--- a/vulnbox/nginx/stream/ssl-termination.conf
+++ b/vulnbox/nginx/stream/ssl-termination.conf
@ -0,0 +1,33 @@
+
+upstream backend_ssl_ter {
+    server localhost:3080;
+}
+
+upstream backend {
+    server https://express-tls:8443;
+}
+
+server {
+
+    listen 3443 ssl;
+
+    more_clear_headers Server; 
+
+    proxy_pass backend_ssl_ter;
+
+
+    ssl_certificate       /services-keys/ExpressTLS/cert.pem;
+    ssl_certificate_key   /services-keys/ExpressTLS/key.pem;
+    ssl_protocols TLSv1.3;
+
+
+}
+
+server {
+
+    more_clear_headers Server; 
+
+    listen 3080;
+    proxy_pass backend;
+
+}
--- a/vulnbox/ssh/sshd_config
+++ b/vulnbox/ssh/sshd_config
@ -0,0 +1,123 @@
+#       $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# Include configuration snippets before processing this file to allow the
+# snippets to override directives set in this file.
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile      .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to "no" here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to "no" to disable keyboard-interactive authentication.  Depending on
+# the system's configuration, this may involve passwords, challenge-response,
+# one-time passwords or some combination of these and other methods.
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+# Feel free to re-enable these if your use case requires them.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem       sftp    internal-sftp
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server