fresh-setup

1. #!/bin/bash
2.  
3. # Purpose: This script is intended for use with the AOL Training course - "Hands on Application Security (Behind the Curtain)". It will install required tools and libraries onto a Debian-based (virtual) machine.
4. # Additional configuration should be performed when building a new VM to deploy/deliver for students.
5.  
6. # Written by: Chris Holt
7. # Original Publication: 2017-04-19
8. # Updated: 2017-08-21
9. # built for Kali_4.11.0
10.  
11. # TODO: Add checks to ensure that each section completed successfully. Notify user if anything failed.
12. # TODO: Ping the eclipse endpoint before downloading from it to ensure it can be downloaded
13. # TODO: Add prompts or run-options to create scripts, install software, kickoff apps -- Does that turn this script into an init.d 'does it all' thing? is that a bad idea?
14. # TODO: Figure out how to move this to base-Debian instead of Kali. This will require install package commands for: burpsuite, firefox-esr, sslscan
15. # TODO: change the names of the webgoat, dvwa scripts to match each other. Combine build+deploy steps where needed
16. # TODO: Build install scripts for another vulnerable web app.
17. # TODO: Rebuild VM with the name "The_Curtain_v0.4"
18. # TODO: Figure out how to script 'Delete Firefox configs' so it reverts to blank settings; Delete all Bookmarks; Add app bookmarks?
19. # TODO: test the "passwords" script. Make sure that each block APPENDS to the file. Check it is executable. check formatting of the file/output
20. # TODO: add --yes parameter check to the 'reset' scripts to reduce code re-writing in this script. Then, for setting up apps the first time, just call `app-reset --yes`
21. # TODO: Ask user if running in vbox or vmware to select appropriate addons package to install
22. # TODO: set the hostname for the VM
23. # TODO: change the desktop image
24. # TODO: change "update" to "build"; requires edits to Module docs
25.  
26. ########################
27. # OS Setup Scripts
28. #@@@@
29.  # install os updates
30. cat <<EOF > /usr/bin/os_update.sh
31. #!/bin/bash
32. echo -n "Update the OS. Causes the system to reboot."
33. echo -n "[Enter] to continue. [ctrl+c] to quit."
34. read DOIT
35.  
36. apt update
37. apt-get -y dist-upgrade
38. apt-get autoremove
39. apt-get autoclean
40. reboot
41.  
42. EOF
43. chmod 755 /usr/bin/os_update.sh
44. ln -s /usr/bin/os_update ~/Desktop/howas_scripts/setup/os_update.sh
45. #@@@@
46. #####
47.  # Script to install vmtools for VMWare Machine
48. cat <<EOF > /usr/bin/install_tools_VMWare.sh
49. #!/bin/bash
50. echo -n "Install vmtools for VMWare. Causes the system to reboot."
51. echo -n "[Enter] to continue. [ctrl+c] to quit."
52. read DOIT
53.  
54. apt update
55. apt install -y open-vm-tools-desktop fuse
56. echo "Please run \"reboot\" to reboot the machine."
57. reboot
58.  
59. EOF
60. chmod 755 ~/Desktop/install_tools_VMWare.sh
61. ln -s /usr/bin/install_tools_VMWare.sh ~/Desktop/howas_scripts/setup/install_tools_VMWare.sh
62. #####
63. #$$$$
64.  # Script to install vmtools for VirtualBox
65. cat <<EOF > /usr/bin/install_tools_VirtualBox.sh
66. #!/bin/bash
67. echo -n "Install vmtools for VirtualBox. Causes the system to reboot."
68. echo -n "[Enter] to continue. [ctrl+c] to quit."
69. read DOIT
70.  
71. apt-get update
72. apt-get -y install virtualbox-guest-x11
73. echo "Please run \"reboot\" to reboot the machine."
74. reboot
75.  
76. EOF
77. chmod 755 ~/Desktop/install_tools_VirtualBox.sh
78. ln -s /usr/bin/install_tools_VirtualBox.sh ~/Desktop/howas_scripts/setup/install_tools_VirtualBox.sh
79. #$$$$
80. #%%%%
81.  # create Passwords script
82. cat <<EOF > /usr/bin/passwords
83. echo "Passwords for the locally hosted applications are as follows (unless you changed them!)."
84. echo -n "[Enter] to continue. [ctrl+c] to quit."
85. read DOIT
86.  
87. echo ""
88.  
89. EOF
90. chmod 755 /usr/bin/passwords
91. ln -s /usr/bin/passwords ~/Desktop/howas_scripts/passwords.sh
92. #%%%%
93. # set the favorites bar app shortcuts
94. dconf write /org/gnome/shell/favorite-apps "['firefox-esr.desktop', 'org.gnome.Terminal.desktop', 'org.gnome.Nautilus.desktop', 'kali-burpsuite.desktop', 'eclipse.desktop']"
95. ########################
96.  
97. ########################
98. # WebGoat
99. #@@@@
100.  # create WebGoat script - reload
101. cat <<EOF > /usr/bin/goat-reload
102. #!/bin/bash
103. echo -n "Update WebGoat by building from source and deploying to the tomcat server."
104. echo -n "[Enter] to continue. [ctrl+c] to quit."
105. read DOIT
106.  
107. goat-build
108. goat-deploy
109.  
110. EOF
111. chmod 755 /usr/bin/goat-reload
112. ln -s /usr/bin/goat-reload ~/Desktop/howas_scripts/webgoat/goat-reload.sh
113. #@@@@
114. #####
115.   # create WebGoat script - deploy
116. cat <<EOF > /usr/bin/goat-deploy
117. #!/bin/bash
118. echo -n "Deploy WebGoat WAR file to the tomcat server."
119. echo -n "[Enter] to continue. [ctrl+c] to quit."
120. read DOIT
121.  
122. cd ~/Documents/WebGoat
123. mvn -pl webgoat-container tomcat7:run-war
124.  
125. EOF
126. chmod 755 /usr/bin/goat-deploy
127. ln -s /usr/bin/goat-deploy ~/Desktop/howas_scripts/webgoat/goat-deploy.sh
128. #####
129. #$$$$
130.   # create WebGoat script - build
131. # test this, new lines added to delete jars in case of bad-build scenario
132. cat <<EOF > /usr/bin/goat-build
133. #!/bin/bash
134. echo -n "Build the WebGoat code into a deployable WAR file."
135. echo -n "[Enter] to continue. [ctrl+c] to quit."
136. read DOIT
137.  
138. cd ~/Documents/WebGoat-Lessons
139. rm *.jar ../WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
140. rm *.jar target/plugins/
141. mvn package
142. cp target/plugins/*.jar ../WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
143. echo "Update complete, please redeploy"
144.  
145. EOF
146. chmod 755 /usr/bin/goat-build
147. ln -s /usr/bin/goat-build ~/Desktop/howas_scripts/webgoat/goat-build.sh
148. #$$$$
149. #%%%%
150.   # create WebGoat script - reset
151. cat <<EOF > /usr/bin/goat-reset
152. #!/bin/bash
153. echo -n "Reset WebGoat to a new installation."
154. echo -n "This script will erase all data in your WebGoat folders. Are you sure you want to do this? [YES]: "
155. read DOIT
156.  
157. if [[ "\$DOIT" = "YES" ]]; then
158. echo "Alright, deleting everything and getting a new batch...."
159. sleep 3
160. cd ~/Documents
161. rm target -r
162. rm WebGoat -r
163. rm WebGoat-Lessons -r
164.  
165. echo "Getting new installation of WebGoat 7.1"
166. cd ~/Documents
167. git clone https://github.com/WebGoat/WebGoat.git
168. git clone https://github.com/WebGoat/WebGoat-Lessons.git
169. cd ~/Documents/WebGoat
170. git checkout master
171. git pull
172. mvn clean compile install
173. cd ~/Documents/WebGoat-Lessons
174. git checkout master
175. git pull
176. mvn package
177. cp target/plugins/*.jar ../WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
178.  
179. else
180. echo "Safe choice, maybe you can fix it."
181. fi
182.  
183. EOF
184. chmod 755 /usr/bin/goat-reset
185. ln -s /usr/bin/goat-reset ~/Desktop/howas_scripts/webgoat/goat-reset.sh
186. #%%%%
187. #&&&&
188.   # create WebGoat desktop shortcut
189. cat <<EOF > ~/Desktop/WebGoat.desktop
190. [Desktop Entry]
191.  
192. Encoding=UTF-8
193. Name=Open WebGoat
194. Type=Link
195. URL=http://localhost:8080/WebGoat
196. Icon=text-html
197.  
198. EOF
199. #&&&&
200.  
201.   #drop passwords into the script file
202. cat <<EOF >> /usr/bin/passwords
203. echo "--WebGoat--"
204. echo "  username: goat"
205. echo "  password: goat"
206. echo ""
207.  
208. EOF
209.  
210.   # get required tools for dev environment
211. apt-get update
212. apt-get install -y maven default-jdk
213. apt-get autoremove
214. apt-get autoclean
215.  
216.   # do the initial checkout/install
217. cd ~/Documents
218. git clone https://github.com/WebGoat/WebGoat.git
219. git clone https://github.com/WebGoat/WebGoat-Lessons.git
220. cd ~/Documents/WebGoat
221. git checkout master
222. git pull
223. mvn clean compile install
224. cd ~/Documents/WebGoat-Lessons
225. git checkout master
226. git pull
227. mvn package
228. cp target/plugins/*.jar ../WebGoat/webgoat-container/src/main/webapp/plugin_lessons/
229. # echo "goat-get-new" > /usr/bin/goat-reset
230. chmod 755 /usr/bin/goat-reset
231. ###########################
232.  
233. ###########################
234. # eclipse
235.  
236.  # Download and install eclipse
237. cd /tmp
238. curl -O http://mirror.csclub.uwaterloo.ca/eclipse/technology/epp/downloads/release/neon/3/eclipse-jee-neon-3-linux-gtk-x86_64.tar.gz
239. tar xvzf eclipse-jee-neon-3-linux-gtk-x86_64.tar.gz
240. mv eclipse /opt/eclipse
241. ln -s /opt/eclipse/eclipse /usr/bin/eclipse
242. rm eclipse-jee-neon-3-linux-gtk-x86_64.tar.gz
243. mkdir ~/Documents/eclipse-work
244.  
245.  # create shortcut in Applications launcher
246. cat <<EOF > /usr/share/applications/eclipse.desktop
247. [Desktop Entry]
248.  
249. Name=Eclipse
250. Exec=/opt/eclipse/eclipse
251. Terminal=false
252. Type=Application
253. Categories=IDE
254. Icon=/opt/eclipse/icon.xpm
255.  
256. EOF
257.  
258.  # set preferences for last launch
259. cat <<EOF > /opt/eclipse/configuration/.settings/org.eclipse.ui.ide.prefs
260. MAX_RECENT_WORKSPACES=10
261. RECENT_WORKSPACES=/root/Documents/eclipse-work
262. RECENT_WORKSPACES_PROTOCOL=3
263. SHOW_RECENT_WORKSPACES=false
264. SHOW_WORKSPACE_SELECTION_DIALOG=false
265. eclipse.preferences.version=1
266.  
267. EOF
268. ###########################
269.  
270. ###########################
271. # DVWA
272.   # src: https://github.com/ethicalhack3r/DVWA
273.   # ref: https://medium.com/@TheShredder/create-your-ethical-hacking-environment-install-dvwa-into-your-kali-linux-4783282dea6a
274.  
275.   # create DVWA script - on
276. cat <<EOF > /usr/bin/dvwa-on
277. #!/bin/bash
278. echo -n "Turn DVWA web server on."
279. echo -n "[Enter] to continue. [ctrl+c] to quit."
280. read DOIT
281.  
282. sphp5
283. service apache2 start && service mysql start
284.  
285. EOF
286. chmod 755 /usr/bin/dvwa-on
287. ln -s /usr/bin/dvwa-on ~/Desktop/howas_scripts/dvwa/dvwa-on.sh
288.  
289.   # create DVWA script - off
290. cat <<EOF > /usr/bin/dvwa-off
291. #!/bin/bash
292. echo -n "Turn DVWA web server off."
293. echo -n "[Enter] to continue. [ctrl+c] to quit."
294. read DOIT
295.  
296. service apache2 stop && service mysql stop
297. sphp7
298.  
299. EOF
300. chmod 755 /usr/bin/dvwa-off
301. ln -s /usr/bin/dvwa-off ~/Desktop/howas_scripts/dvwa/dvwa-off.sh
302.  
303.   # create DVWA script - finish
304. cat <<EOF > /usr/bin/dvwa-finish
305. #!/bin/bash
306. echo -n "Final installation step for DVWA."
307. echo -n "[Enter] to continue. [ctrl+c] to quit."
308. read DOIT
309.  
310. echo "To finish setting up, create the database."
311. sleep 3
312. dvwa-on
313. firefox http://127.0.0.1/dvwa/setup.php &
314.  
315. EOF
316. chmod 755 /usr/bin/dvwa-finish
317. ln -s /usr/bin/dvwa-finish ~/Desktop/howas_scripts/dvwa/dvwa-finish.sh
318.  
319.   # create DVWA script - reset
320. cat <<EOF > /usr/bin/dvwa-reset
321. #!/bin/bash
322. echo -n "Reset DVWA to a new installation."
323. echo -n "This script will erase all data in your DVWA folders. Are you sure you want to do this? [YES]: "
324. read DOIT
325.  
326. if [[ "\$DOIT" = "YES" ]]; then
327. echo "Alright, deleting everything and getting a new batch...."
328. sleep 3
329. service apache2 stop && service mysql stop
330. rm -r /var/www/html/dvwa
331. cd /var/www/html
332. wget https://github.com/RandomStorm/DVWA/archive/v1.9.zip && unzip v1.9.zip
333. mv DVWA-1.9 /var/www/html/dvwa
334. rm v1.9.zip
335. chmod -R 777 dvwa
336. service mysql start
337. mysql -u root <<SQ
338. CREATE DATABASE dvwa;
339. CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY 'p@ssword';
340. GRANT ALL ON dvwa.* TO 'user'@'127.0.0.1';
341. FLUSH PRIVILEGES;
342. exit
343.  
344. SQ
345.  
346. service mysql stop
347. sed -i -e "s/'root'/'user'/1" /var/www/html/dvwa/config/config.inc.php
348. sed -i -e "s/'p@ssw0rd'/'p@ssword'/1" /var/www/html/dvwa/config/config.inc.php
349. sed -i -e "s/'impossible'/'low'/1" /var/www/html/dvwa/config/config.inc.php
350. sed -i -e 's/allow_url_include = Off/allow_url_include = On/1' /etc/php5/apache2/php.ini
351. sed -i -e 's/allow_url_fopen = Off/allow_url_fopen = On/1' /etc/php5/apache2/php.ini
352. dvwa-finish
353. else
354. echo "Safe choice, maybe you can fix it."
355. fi
356.  
357. EOF
358. chmod 755 /usr/bin/dvwa-reset
359. ln -s /usr/bin/dvwa-reset ~/Desktop/howas_scripts/dvwa/dvwa-reset.sh
360.  
361.  # create scripts for switching php versions
362.  # ref: http://www.magleaks.com/running-php-5-and-php-7-on-same-environment-ubuntu/
363.   # create 'switch to php5' script - sphp5
364. cat <<EOF  > /usr/bin/sphp5
365. #!/bin/bash
366. echo -n "Set to php5."
367. sudo a2enmod php5 && sudo a2dismod php7.0 && sudo ln -sfn /usr/bin/php5 /etc/alternatives/php && sudo service apache2 restart && php -v
368.  
369. EOF
370. chmod 755 /usr/bin/sphp5
371. ln -s /usr/bin/sphp5 ~/Desktop/howas_scripts/system/set_php5.sh
372.  
373.   # create 'switch to php7' script - sphp7
374. cat <<EOF > /usr/bin/sphp7
375. #!/bin/bash
376. echo -n "Set to php7."
377. sudo a2dismod php5 && sudo a2enmod php7.0 && sudo ln -sfn /usr/bin/php7.0 /etc/alternatives/php && sudo service apache2 restart && php -v
378.  
379. EOF
380. chmod 755 /usr/bin/sphp7
381. ln -s /usr/bin/sphp7 ~/Desktop/howas_scripts/system/set_php7.sh
382.  
383.  # create DVWA shortcut
384. cat <<EOF  > ~/Desktop/DVWA.desktop
385. [Desktop Entry]
386.  
387. Encoding=UTF-8
388. Name=Open DVWA
389. Type=Link
390. URL=http://127.0.0.1/dvwa/login.php
391. Icon=text-html
392.  
393. EOF
394.  
395. #drop passwords into the script file
396. cat <<EOF >> /usr/bin/passwords
397. echo "--Damn Vulnerable Web App (DVWA)-- "
398. echo "  username: admin"
399. echo "  password: password"
400. echo ""
401.  
402. EOF
403.   # get required libraries for DVWA
404.     # backup the sources list, add new source, install, restore original
405. cp /etc/apt/sources.list /etc/apt/sources.list.bak
406. echo 'deb http://old.kali.org/kali sana main non-free contrib' >> /etc/apt/sources.list
407. apt-get update
408. apt-get install -y php5 php5-mysql php5-gd
409. apt-get autoremove
410. apt-get autoclean
411. rm /etc/apt/sources.list
412. mv /etc/apt/sources.list.bak /etc/apt/sources.list
413.   # If using the captcha module, keys will need to be generated and installed to /var/www/html/dvwa/config/config.inc.php
414. cd /var/www/html
415. wget https://github.com/RandomStorm/DVWA/archive/v1.9.zip && unzip v1.9.zip
416. mv DVWA-1.9 /var/www/html/dvwa
417. rm v1.9.zip
418. chmod -R 777 dvwa
419. service mysql start
420. mysql -u root <<SQ
421. CREATE DATABASE dvwa;
422. CREATE USER 'user'@'127.0.0.1' IDENTIFIED BY 'p@ssword';
423. GRANT ALL ON dvwa.* TO 'user'@'127.0.0.1';
424. FLUSH PRIVILEGES;
425. exit
426.  
427. SQ
428. service mysql stop
429. sed -i -e "s/'root'/'user'/1" /var/www/html/dvwa/config/config.inc.php
430. sed -i -e "s/'p@ssw0rd'/'p@ssword'/1" /var/www/html/dvwa/config/config.inc.php
431. sed -i -e "s/'impossible'/'low'/1" /var/www/html/dvwa/config/config.inc.php
432. sed -i -e 's/allow_url_include = Off/allow_url_include = On/1' /etc/php5/apache2/php.ini
433. sed -i -e 's/allow_url_fopen = Off/allow_url_fopen = On/1' /etc/php5/apache2/php.ini
434. dvwa-finish
435. ###########################