ATT 100: Caldera (25 or more pts)

Purpose

Caldera performs APT attacks, emulating the actions of real threat actors, using the ATT&CK matrix.

In this project, you install Caldera and begin to see a few of its most basic features.

What You Need

A Google Cloud account
A Windows system with PowerShell, such as Windows 10 or Windows Server 2016

Preparing a Target Machine

Make a Debian 10 Google Cloud Server with the default settings.

Execute these commands to install Go on it.

sudo apt update sudo apt install curl -y curl -O https://dl.google.com/go/go1.13.3.linux-amd64.tar.gz tar xvf go1.13.3.linux-amd64.tar.gz sudo chown -R root:root ./go sudo mv go /usr/local echo export GOPATH=$HOME/work >> ~/.profile echo export PATH=\$PATH:/usr/local/go/bin:\$GOPATH/bin >> ~/.profile source ~/.profile go version

You should see the version of Go, as shown below.

Preparing a Server to Host Caldera

Make a Debian 10 Google Cloud Server with 2 vCPU, 7.5 GB memory, as shown below.

Allow HTTP traffic to it, as shown below.

Allowing Port 7010

In Google Cloud Console, at the top left, click "Google Cloud Platform".

In the NETWORKING section, click "VPC network", "Firewall rules".

At the top center, click CREATE FIREWALL RULE".

Enter these values, as shown below.

Name: allow7010
Targets: "All instances on the network"
Source filter: "IP ranges"
Source IP ranges: 0.0.0.0/0
Protocols and ports: "Specified protocols and ports"
tcp: 7010

At the bottom, click the CREATE button.

Finding your Caldera Server's Public IP Address

In the Google Cloud console, find the public IP address of your Caldera server, outlined in green in the image below.

Installing Caldera

On your Caldera Server, execute these commands:

sudo apt install git python3-pip -y git clone https://github.com/mitre/caldera.git --recursive --branch 2.6.6 cd caldera sudo pip3 install -r requirements.txt cp conf/default.yml conf/default.yml.orig nano conf/default.yml

Make these changes, as shown below.

Change "888" to "80" in two places
Change the password of "admin" in three places to something else, such as "SECRET"
Change "127.0.0.1" to public IP address of your Caldera server in four places

Type Ctrl+X, Y, Enter to save the file.

Starting Caldera

On your Caldera Server, execute this command:

sudo python3 server.py --fresh &

Press Enter. Then execute this command:

sudo ss -pant

You should see python3 listening on port 80, as shown below.

Viewing the Caldera Web Console

In Chrome, open this URL, replacing the IP address with the IP address of your Caldera server.

http://35.184.202.37/

red SECRET

Launching the Training Module

At the top right, click Plugins, training.

At the lower left, select a certificate of "User certificate", as shown below.

1. LOCAL AGENT

At the top left, click Campaigns, agents.

On the left, click "Click here to deploy an agent".

Select an agent of Manx.

Scroll down to the code containing "platform:linux". Copy the code, as shown below.

Paste the code into your Target SSH session and execute it, as shown below.

In Chrome, close the box showing the agent code.

Challenge 1 now shows a green check mark, as shown below.

2. REMOTE AGENT

Copy the PowerShell agent code, as shown below.

Run it in a PowerShell window on your Windows client, as shown below.

In Chrome, close the box showing the agent code.

More challenges are complete, as shown below.

4. UPDATE AGENT

Copy the PowerShell agent code, as shown below.

Run it in a PowerShell window on your Windows client, as shown below.

In Chrome, close the box showing the agent code.

More challenges are complete, as shown below.

Submitting your Results
Solve as many challenges as you can. Submit one or more images showing the check marks, as shown below.
You'll get 5 points per checkmark. The image above is worth 25 pts.
There's no way to enter this project into the CTF scoring system.

References

CALDERA: Automating Adversary Emulation
CALDERA on Github
How to Install Python 3.6.4 on Debian 9
CALDERA’s documentation!

Posted 5-15-2020 by Sam Bowne