From cc7f8bcba88688242165fa324c658374dfb30141 Mon Sep 17 00:00:00 2001
From: CnF-Gris
Date: Mon, 23 Jun 2025 16:42:16 +0200
Subject: [PATCH] Initial Commit

---
 .devcontainer/devcontainer.json | 35 ++++++
 .gitignore | 4 +
 compose.yaml | 34 ++++++
 config/vulnbox/.env.example | 1 +
 config/vulnbox/.gitkeep | 0
 private/.gitkeep | 0
 services/.gitkeep | 0
 vulnbox/DOCKERFILE | 30 ++++++
 vulnbox/helper-scripts/entry.sh | 9 ++
 vulnbox/nginx/http/.gitkeep | 0
 vulnbox/nginx/http/prova.conf | 23 ++++
 vulnbox/nginx/nginx.conf | 49 +++++++++
 vulnbox/nginx/quic/.gitkeep | 0
 vulnbox/nginx/stream/.gitkeep | 0
 vulnbox/nginx/stream/ssl-termination.conf | 33 ++++++
 vulnbox/ssh/sshd_config | 123 ++++++++++++++++++++++
 16 files changed, 341 insertions(+)
 create mode 100644 .devcontainer/devcontainer.json
 create mode 100644 .gitignore
 create mode 100644 compose.yaml
 create mode 100644 config/vulnbox/.env.example
 create mode 100644 config/vulnbox/.gitkeep
 create mode 100644 private/.gitkeep
 create mode 100644 services/.gitkeep
 create mode 100644 vulnbox/DOCKERFILE
 create mode 100644 vulnbox/helper-scripts/entry.sh
 create mode 100644 vulnbox/nginx/http/.gitkeep
 create mode 100644 vulnbox/nginx/http/prova.conf
 create mode 100644 vulnbox/nginx/nginx.conf
 create mode 100644 vulnbox/nginx/quic/.gitkeep
 create mode 100644 vulnbox/nginx/stream/.gitkeep
 create mode 100644 vulnbox/nginx/stream/ssl-termination.conf
 create mode 100644 vulnbox/ssh/sshd_config

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 0000000..33c8434
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,35 @@
+{
+ // Displayed name
+ "name": "Vulnbox",
+
+ // Service name from compose file
+ "service": "vulnbox",
+
+ // Compose-File
+ "dockerComposeFile": ["../compose.yaml"],
+
+ // Customization
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "william-voyek.vscode-nginx",
+ "fabiospampinato.vscode-highlight",
+ "fabiospampinato.vscode-todo-plus"
+ ]
+ }
+ },
+
+ // The WorkspaceFolder inside container
+ "workspaceFolder": "/etc/nginx",
+
+ // Env in container
+ "containerEnv": {
+
+ }
+
+
+
+
+
+}
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1558beb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+config/*/*
+private/**
+!**/*.gitkeep
+!**/*.example
\ No newline at end of file
diff --git a/compose.yaml b/compose.yaml
new file mode 100644
index 0000000..7130f25
--- /dev/null
+++ b/compose.yaml
@@ -0,0 +1,34 @@
+services:
+ vulnbox:
+ privileged: true
+ env_file:
+ - ./config/vulnbox/.env
+ build:
+ context: ./vulnbox
+ dockerfile: DOCKERFILE
+ volumes:
+ - ./vulnbox/nginx:/etc/nginx/
+ - ./private/:/services-keys
+ ports:
+ - 8080:80
+ - 3000:3000
+ - 3443:3443
+ - 0.0.0.0:22:22
+ networks:
+ - test-net
+ entrypoint: entry.sh
+
+ express-tls:
+ build:
+ context: ./services/ExpressTLS
+ dockerfile: DOCKERFILE
+ volumes:
+ - ./private/ExpressTLS:/workspace/keys
+ networks:
+ - test-net
+ ports:
+ - 0.0.0.0:8443:8443
+
+
+networks:
+ test-net:
diff --git a/config/vulnbox/.env.example b/config/vulnbox/.env.example
new file mode 100644
index 0000000..0151858
--- /dev/null
+++ b/config/vulnbox/.env.example
@@ -0,0 +1 @@
+VULNBOX_PASSWORD = BEST_PASSWORD
\ No newline at end of file
diff --git a/config/vulnbox/.gitkeep b/config/vulnbox/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/private/.gitkeep b/private/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/services/.gitkeep b/services/.gitkeep
new file mode 100644
index 0000000..e69de29
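Review bot: `privileged: true` together with `0.0.0.0:22:22` publishes root SSH (whose password entry.sh sets from `VULNBOX_PASSWORD`) on every host interface while granting the container all capabilities and device access, so anyone who gets root in the vulnbox effectively has root on the host. Nothing visible in this stack needs privileged mode — nginx and sshd need nothing extra and tcpdump needs at most `cap_add: [NET_RAW, NET_ADMIN]` — so drop `privileged: true` and bind the SSH port to the address the players actually use (e.g. `127.0.0.1:22:22` or the game VPN address) rather than `0.0.0.0`. The `./vulnbox/nginx:/etc/nginx/` bind mount also lets a compromised container write back into the checked-out repository on the host; mount it `:ro` or use a named volume if that is not intended. `entrypoint: entry.sh` is shell form and is resolved through the image's `PATH`; `entrypoint: ["/docker-bin/entry.sh"]` is explicit and does not depend on the Dockerfile's `ENV PATH`.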
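Review bot: `VULNBOX_PASSWORD = BEST_PASSWORD` has whitespace around `=`; env-file parsers differ on this (recent Compose releases appear to tolerate it, while `docker run --env-file` rejects a key containing whitespace), and if the key is not parsed the root password that entry.sh sets ends up empty. Write it in the canonical form `VULNBOX_PASSWORD=BEST_PASSWORD` and mark the value as a placeholder with a comment such as `# root SSH password of the vulnbox - change before deploying`.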
diff --git a/vulnbox/DOCKERFILE b/vulnbox/DOCKERFILE
new file mode 100644
index 0000000..ebbfb64
--- /dev/null
+++ b/vulnbox/DOCKERFILE
@@ -0,0 +1,30 @@
+FROM alpine
+
+ENV PATH "$PATH:/docker-bin"
+
+RUN apk update && apk upgrade
+RUN apk add nginx openssh openrc \
+ nano openssl git nginx-mod-stream \
+ nginx-mod-http-headers-more \
+ tcpdump
+
+# NGINX
+RUN adduser -D -g 'www' www
+RUN mkdir /www
+RUN chown -R www:www /var/lib/nginx
+RUN chown -R www:www /www
+
+RUN cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig
+
+# SSHD
+RUN rc-update add sshd
+RUN touch /run/openrc/softlevel
+
+COPY ./ssh/sshd_config /etc/ssh/sshd_config
+
+WORKDIR /docker-bin
+
+COPY ./helper-scripts /docker-bin
+
+RUN chmod +x /docker-bin/*
+
diff --git a/vulnbox/helper-scripts/entry.sh b/vulnbox/helper-scripts/entry.sh
new file mode 100644
index 0000000..dedb5d0
--- /dev/null
+++ b/vulnbox/helper-scripts/entry.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+echo "root:${VULNBOX_PASSWORD}" | chpasswd
+rc-service sshd start
+rc-service nginx start
+
+# This is needed, otherwise
+# the machine will close
+sleep infinity
\ No newline at end of file
diff --git a/vulnbox/nginx/http/.gitkeep b/vulnbox/nginx/http/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/vulnbox/nginx/http/prova.conf b/vulnbox/nginx/http/prova.conf
new file mode 100644
index 0000000..8e3572d
--- /dev/null
+++ b/vulnbox/nginx/http/prova.conf
@@ -0,0 +1,23 @@
+
+
+
+server {
+ listen *:3443 ssl;
+
+ ssl_certificate /services-keys/ExpressTLS/cert.pem;
+ ssl_certificate_key /services-keys/ExpressTLS/key.pem;
+ ssl_protocols TLSv1.3;
+
+ location / {
+ proxy_pass http://localhost:3080/;
+ }
+}
+
+server {
+ listen 127.0.0.1:3080;
+
+ location / {
+ proxy_pass https://express-tls:8443/;
+ }
+}
+
diff --git a/vulnbox/nginx/nginx.conf b/vulnbox/nginx/nginx.conf
new file mode 100644
index 0000000..8192ed5
--- /dev/null
+++ b/vulnbox/nginx/nginx.conf
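Review bot: `RUN chown -R www:www /var/lib/nginx` hands nginx's state directory to a freshly created `www` account, but the nginx.conf added in this same commit runs the workers as `user nginx;` (the account the apk package creates), so the `www` user, `/www` and the two chown lines are dead weight and, depending on the package's directory modes, the workers may lose write access to the temp directories under `/var/lib/nginx` — either drop the `www` block or make nginx.conf say `user www;`. `FROM alpine` is untagged, so every rebuild may pull a different Alpine release and a different nginx/openssh; pin a tag (ideally a digest) so the box the players attack is the one you tested. `ENV PATH "$PATH:/docker-bin"` is the legacy space-separated form; write `ENV PATH="$PATH:/docker-bin"`. `apk update && apk upgrade` followed by a separate `apk add` also leaves the package index in the image; `apk add --no-cache …` in one step is the usual form.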
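Review bot: `echo "root:${VULNBOX_PASSWORD}" | chpasswd` runs even when the variable is unset or empty, which most likely sets root's password to the empty string — sshd's default `PermitEmptyPasswords no` blocks that over SSH, but local `su`/console logins are then passwordless and the misconfiguration is silent. Guard it with `set -eu` and `: "${VULNBOX_PASSWORD:?VULNBOX_PASSWORD is not set}"` before the `chpasswd` line so the container refuses to start instead. `sleep infinity` as the foreground process also means `docker stop` waits out the grace period and then SIGKILLs sshd and nginx; a trap that stops the services on TERM/INT and a backgrounded sleep with `wait` gives a clean shutdown.
```sh
#!/bin/sh
set -eu

# Refuse to start rather than give root an empty password.
: "${VULNBOX_PASSWORD:?VULNBOX_PASSWORD is not set}"
echo "root:${VULNBOX_PASSWORD}" | chpasswd

# … unchanged: rc-service sshd/nginx start …

# Stop the services cleanly when the container is asked to stop.
trap 'rc-service nginx stop; rc-service sshd stop; exit 0' TERM INT
sleep infinity &
wait $!
```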
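Review bot: `proxy_pass https://express-tls:8443/` in the `127.0.0.1:3080` server does not verify the backend certificate (`proxy_ssl_verify` defaults to off), so the TLS hop to express-tls is encrypted but unauthenticated and any host on `test-net` that can answer to that name can impersonate the backend. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <CA or self-signed cert of express-tls>;` next to it — if the backend uses the same `cert.pem` mounted under `/services-keys/ExpressTLS`, that file is the one to trust. The extra hop through localhost also means the 3080 server logs `127.0.0.1` for every client unless the 3443 server sets `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `X-Real-IP`, which the `main` log format in nginx.conf is written to record. Note as well that `stream/ssl-termination.conf` in this commit listens on the same 3443 and 3080 ports, so the two files cannot both be active.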
@@ -0,0 +1,49 @@
+user nginx;
+
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Load ngx_stream_module
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+
+
+
+
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+events {
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
+}
+
+http {
+
+ more_clear_headers Server;
+
+ # Helper variable for proxying websockets.
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ # Specifies the main log format.
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+
+ # Includes virtual hosts configs.
+ include /etc/nginx/http/*.conf;
+}
+
+stream {
+
+ include /etc/nginx/stream*.conf;
+
+}
\ No newline at end of file
diff --git a/vulnbox/nginx/quic/.gitkeep b/vulnbox/nginx/quic/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/vulnbox/nginx/stream/.gitkeep b/vulnbox/nginx/stream/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/vulnbox/nginx/stream/ssl-termination.conf b/vulnbox/nginx/stream/ssl-termination.conf
new file mode 100644
index 0000000..b8a88b1
--- /dev/null
+++ b/vulnbox/nginx/stream/ssl-termination.conf
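Review bot: `include /etc/nginx/stream*.conf;` inside the `stream` block does not match `/etc/nginx/stream/ssl-termination.conf` — a glob `*` does not cross a `/` — so the stream configuration added in this commit is never loaded and `ngx_stream_module` is loaded for nothing; the intended line is presumably `include /etc/nginx/stream/*.conf;`. Be aware that fixing the glob surfaces the port clash with `http/prova.conf` (both listen on 3443 and 3080) and the invalid directives in the stream file, so decide which of the two is the live config. `user nginx;` also disagrees with the Dockerfile in this commit, which creates a `www` user and chowns `/var/lib/nginx` to it. Finally `log_format main` is declared but no `access_log` directive references it, so requests go to the compiled-in default log in the default `combined` format; for a vulnbox whose defenders depend on logs, add `access_log /var/log/nginx/access.log main;` beside it.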
@@ -0,0 +1,33 @@
+
+upstream backend_ssl_ter {
+ server localhost:3080;
+}
+
+upstream backend {
+ server https://express-tls:8443;
+}
+
+server {
+
+ listen 3443 ssl;
+
+ more_clear_headers Server;
+
+ proxy_pass backend_ssl_ter;
+
+
+ ssl_certificate /services-keys/ExpressTLS/cert.pem;
+ ssl_certificate_key /services-keys/ExpressTLS/key.pem;
+ ssl_protocols TLSv1.3;
+
+
+}
+
+server {
+
+ more_clear_headers Server;
+
+ listen 3080;
+ proxy_pass backend;
+
+}
\ No newline at end of file
diff --git a/vulnbox/ssh/sshd_config b/vulnbox/ssh/sshd_config
new file mode 100644
index 0000000..b9a9616
--- /dev/null
+++ b/vulnbox/ssh/sshd_config
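Review bot: `server https://express-tls:8443;` is not valid inside a `stream` `upstream` — stream upstream servers take `host:port` with no scheme — and `more_clear_headers Server;` is an HTTP-module directive the stream module rejects as unknown, so as soon as this file is actually included (the nginx.conf glob currently misses it) nginx will refuse to start. Use `server express-tls:8443;`, put `proxy_ssl on;` (with `proxy_ssl_verify on;` and a trusted certificate) in the 3080 server if the backend really speaks TLS, and delete both `more_clear_headers` lines, since a TCP proxy has no HTTP headers to clear. `listen 3443 ssl` and `listen 3080` also duplicate the ports `http/prova.conf` uses, and `listen 3080;` here binds all interfaces, so the plaintext side of the termination is reachable from other containers on `test-net` rather than only from localhost — `listen 127.0.0.1:3080;` if this file is the one that stays.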
@@ -0,0 +1,123 @@
+# $OpenBSD: sshd_config,v 1.105 2024/12/03 14:12:47 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# Include configuration snippets before processing this file to allow the
+# snippets to override directives set in this file.
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to "no" here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to "no" to disable keyboard-interactive authentication. Depending on
+# the system's configuration, this may involve passwords, challenge-response,
+# one-time passwords or some combination of these and other methods.
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+# Feel free to re-enable these if your use case requires them.
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp internal-sftp
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
\ No newline at end of file
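Review bot: `PermitRootLogin yes` with `PasswordAuthentication` left at its default of yes makes root guessable by password on a port compose publishes on `0.0.0.0:22`, with the password coming from a `.env` whose example value is `BEST_PASSWORD`; in a privileged container a successful guess is a host compromise, not just a lost vulnbox. If team access by password is a hard requirement, at least constrain it: prefer `PasswordAuthentication no` with a key in `/root/.ssh/authorized_keys`, or else set `MaxAuthTries 3` and `LoginGraceTime 30` and a `ListenAddress` on the game network only. The `Include /etc/ssh/sshd_config.d/*.conf` line at the top means any drop-in there wins over the settings below it (sshd uses the first value obtained), so verify the image ships nothing in that directory that re-enables forwarding or changes `PermitRootLogin`. `AllowTcpForwarding no`, `GatewayPorts no` and `X11Forwarding no` are sensible, though for root they are advisory, since root can simply edit this file and restart sshd.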