From 11f9b11d9ae5f14a47deecabd90511df214ff4dc Mon Sep 17 00:00:00 2001 From: flux Date: Sun, 2 Aug 2020 15:07:56 +0200 Subject: [PATCH] First version of fork --- .env | 10 +++ Dockerfile | 18 ----- README.md | 83 ++++++++--------------- app/Dockerfile | 19 ++++++ app/scripts/run.sh | 52 ++++++++++++++ docker-compose.yml | 28 ++++++++ examples/Reverse Proxy/README.md | 10 --- examples/Reverse Proxy/docker-compose.yml | 27 -------- examples/Standalone/README.md | 7 -- examples/Standalone/docker-compose.yml | 21 ------ run.sh | 46 ------------- 11 files changed, 136 insertions(+), 185 deletions(-) create mode 100644 .env delete mode 100644 Dockerfile create mode 100644 app/Dockerfile create mode 100644 app/scripts/run.sh create mode 100644 docker-compose.yml delete mode 100644 examples/Reverse Proxy/README.md delete mode 100644 examples/Reverse Proxy/docker-compose.yml delete mode 100644 examples/Standalone/README.md delete mode 100644 examples/Standalone/docker-compose.yml delete mode 100755 run.sh diff --git a/.env b/.env new file mode 100644 index 0000000..8df0c99 --- /dev/null +++ b/.env @@ -0,0 +1,10 @@ +DB=/db/c2.db +HOSTNAME=c2.example.com +HTTPS=True +KEYFILE=/cert/cert.key +CERTFILE=/cert/cert.crt +LISTENIP=0.0.0.0 +LISTENPORT=8080 +REVERSEPROXY= +REVERSEPROXYPORT= +SSHPORT=2022 diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 374c578..0000000 --- a/Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -FROM alpine:3.10 - -ARG version=2.1.2 - -RUN apk add ca-certificates wget unzip libc6-compat \ - && wget https://downloads.hak5.org/api/devices/cloudc2-community/firmwares/${version} --no-cache \ - && unzip ${version} \ - && mkdir /app \ - && mv c2_community-linux-64 /app \ - && rm c2* ${version} \ - && chmod +x /app/* \ - && apk del wget unzip - -COPY run.sh /app - -EXPOSE 8080 2022 - -CMD /bin/ash /app/run.sh \ No newline at end of file diff --git a/README.md b/README.md index 6ff0c27..2ee3015 100644 --- a/README.md +++ b/README.md @@ -1,76 +1,47 @@ -![Docker Pulls](https://img.shields.io/docker/pulls/lindezagrey/hak5c2?style=plastic) +# Alpine based hak5c² container -# 🐋 Alpine based hak5c² container +This image packs the amazing Hak5C² software into a secure and light weight alpine-linux based docker container. It is a fork based on https://github.com/LindezaGrey/hak5c2 using more strict docker-compose style and the ability to work with self-signed certs. -This image packs the amazing Hak5C² software into a secure and light weight alpine-linux based docker container. - -Quick start for local tests (assuming your local ip is 192.168.1.1): +## Quick Start +Create _.env_ file in the same directory with the following content and modify values as needed: ```sh -docker volume create c2DB -docker run -d -p 8080:8080 -p 2022:2022 -e db=/home/c2.db -v c2DB:/home --name hak5c2 --hostname=192.168.1.1 lindezagrey/hak5c2 +DB=/db/c2.db +HTTPS=True +KEYFILE=/cert/cert.key +CERTFILE=/cert/cert.crt +# change what's needed after this line +HOSTNAME=c2.example.com +LISTENIP=0.0.0.0 +LISTENPORT=8080 +SSHPORT=2022 +# If set, Cloud C2 will work behind a reverse proxy like nginx proxy-companion +REVERSEPROXY= +REVERSEPROXYPORT= ``` -## Build options - -You can build the image by yourself with any of the provided docker compose files or with the docker build command. This will download the software and build the image. - -* Clone or download this repository -* either build the image with ```docker build --rm -f "Dockerfile" -t hak5c2 .``` -* or if you use docker compose ```docker-compose -f "docker-compose.yml" up -d --build``` - -Or for a quickstart you can use a prepared image from [Dockerhub](https://hub.docker.com/r/lindezagrey/hak5c2) which is based on this repository. - -## Deployment options - -You can run the image directly with docker or with docker-compose (check the [examples](/examples) folder). It is possible to run the container without a volume, which means everything that is stored in C² is lost when the container is removed (including loot and licensing). On the other hand you can create a volume and map it so that the c2.db is persistent. - -The easiest way to run a container locally (assuming you build it yourself) would be: +Run using docker-compose ```sh -docker run -d --name hak5c2 hak5c2 +docker-compose up ``` -Then you will be able to access the webinterface by navigating to localhost:8080. -To get the setup token you can run: +Copy the Setup token which is displayed during setup, otherwise, if startet with _-d_ grep it later: ```sh docker logs hak5c2 | grep "token" ``` -If you want to run it externally accessible (e.g. on a VPS) you have to publish the ports 8080 and 2022 as well. -The application will take the hostname of the container as the hostname argument. So if you made a DNS entry use the FQDN as hostname, if not then the public IP of your server. +Now you will be able to access the webinterface by navigating to :443. -```sh -docker run -d -p 8080:8080 -p 2022:2022 --name hak5c2 --hostname=test.test.com hak5c2 -``` +In case you want to start over fresh remove the files in the _c2DB_ and the _certs_ folder and restart the container. The files will be regenerated now. -## Environment variables -You can pass all parameters you would normally pass to the application to the container by adding them as an environment variable (except the hostname which is set by the docker "hostname" command): +## Deployment options -```sh -docker run -d -e reverseProxy=True -e reverseProxyPort=443 --name hak5c2 hak5c2 -``` +There are three TLS Options: +* Self signed cert using the cetificate files predefined through the _.env_ files +* Reverseproxy using the _.env_ config Options +* LetsEncrypt cert by deleting the predefined _KEYFILE_ and _CERTFILE_ values. -> Keep in Mind that port 80/tcp and 443/tcp need to be reachable (mind NAT and firewalls) for the certificate generation by the LetsEncrypt bot. Also a valid domain is needed. -```sh -Usage of ./c2_community-linux-64: - -certFile string - Custom SSL Certificate file (disabled letsencrypt) - -db string - Path to the c2 database (default "c2.db") - -https True/False - Enable https (requires ports 80 and 443) - -keyFile string - Custom SSL Key file (disables letsencrypt) - -listenip string - IP address to listen on (default "0.0.0.0") - -listenport string - Port of the HTTP server (default "8080") - -reverseProxy True/False - If set, Cloud C2 will work behind a reverse proxy - -reverseProxyPort string - If set, this will be the internet facing port from which Cloud C2 will be available - -sshport string - Port of the SSH server (default "2022") -``` +Of course an unencrypted deployment is possible by removing the _HTTP_ variable. diff --git a/app/Dockerfile b/app/Dockerfile new file mode 100644 index 0000000..ebb72c3 --- /dev/null +++ b/app/Dockerfile @@ -0,0 +1,19 @@ +FROM alpine:latest + +ARG version=2.2.0 + +# Prepare +RUN apk add ca-certificates wget unzip libc6-compat openssl\ + && wget https://downloads.hak5.org/api/devices/cloudc2-community/firmwares/${version} --no-cache \ + && unzip ${version} \ + && mkdir /app /db /cert \ + && mv c2_community-linux-64 /app \ + && rm c2* ${version} \ + && chmod +x /app/* \ + && apk del wget unzip + +COPY ./app/scripts/run.sh /app + +EXPOSE 2022 443 80 + +CMD /bin/ash /app/run.sh diff --git a/app/scripts/run.sh b/app/scripts/run.sh new file mode 100644 index 0000000..4d6af0f --- /dev/null +++ b/app/scripts/run.sh @@ -0,0 +1,52 @@ +#!/bin/bash + + +# ugly but readable lel +# if variable is not empty +if ! [ -z "$CERTFILE" ]; then + certFile="-certFile $CERTFILE" +fi + +if ! [ -z "$DB" ]; then + db="-db $DB" +fi + +if ! [ -z "$HTTPS" ]; then + https="-https" +fi + +if ! [ -z "$KEYFILE" ]; then + keyFile="-keyFile $KEYFILE" +fi + +if ! [ -z "$LISTENIP" ]; then + listenip="-listenip $LISTENIP" +fi + +if ! [ -z "$LISTENPORT" ]; then + listenport="-listenport $LISTENPORT" +fi + +if ! [ -z "$REVERSEPROXY" ]; then + reverseProxy="-reverseProxy" +fi + +if ! [ -z "$REVERSEPROXYPORT" ]; then + reverseProxyPort="-reverseProxyPort $REVERSEPROXYPORT" +fi + +if ! [ -z "$SSHPORT" ]; then + sshport="-sshport $SSHPORT" +fi + +hostname="-hostname $(hostname -f)" + +if [ -z "$(ls -A /cert)" ]; then + echo "[*] Creating fresh certificate" + openssl req -newkey rsa:2048 -x509 -sha256 -days 365 -nodes -out /cert/cert.crt -keyout /cert/cert.key -subj "/C=US/ST=HackHack/L=HackHack/O=HackHack/CN=www.example.com" >/dev/null 2>&1 +else + echo "[*] Cert exists" +fi + +echo [*] "using following settings: "$hostname $https $keyFile $certFile $db $listenip $listenport $reverseProxy $reverseProxyPort $sshport +/app/c2_community-linux-64 $hostname $https $keyFile $certFile $db $listenip $listenport $reverseProxy $reverseProxyPort $sshport diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..a55f04d --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,28 @@ +version: "2" + +services: + c2: + build: + dockerfile: $PWD/app/Dockerfile + context: $PWD + ports: + - "2022:2022" + - "443:443" + - "80:80" + hostname: ${HOSTNAME} + network_mode: bridge + restart: always + volumes: + - ./cert:/cert + - ./c2DB:/db + environment: + DB: ${DB} + HOSTNAME: ${HOSTNAME} + HTTPS: ${HTTPS} + KEYFILE: ${KEYFILE} + CERTFILE: ${CERTFILE} + LISTENIP: ${LISTENIP} + LISTENPORT: ${LISTENPORT} + REVERSEPROXY: ${REVERSEPROXY} + REVERSEPROXYPORT: ${REVERSEPROXYPORT} + SSHPORT: ${SSHPORT} diff --git a/examples/Reverse Proxy/README.md b/examples/Reverse Proxy/README.md deleted file mode 100644 index 8cc68c7..0000000 --- a/examples/Reverse Proxy/README.md +++ /dev/null @@ -1,10 +0,0 @@ -# Reverse Proxy example - -This compose file is an example of how to use the image together with a docker based nginx reverse proxy, namely [jwilder/nginx-proxy -](https://github.com/jwilder/nginx-proxy) with the [JrCs / docker-letsencrypt-nginx-proxy-companion](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion) - -To run, adapt the file with your domain and run: - -```sh -docker-compose -f "examples/Reverse Proxy/docker-compose.yml" up -d --build -``` diff --git a/examples/Reverse Proxy/docker-compose.yml b/examples/Reverse Proxy/docker-compose.yml deleted file mode 100644 index b13bc0e..0000000 --- a/examples/Reverse Proxy/docker-compose.yml +++ /dev/null @@ -1,27 +0,0 @@ -version: "2" - -services: - c2: - build: - dockerfile: $PWD/Dockerfile - context: $PWD - image: hak5c2 - volumes: - - c2DB:/home - ports: - - "2022:2022" - hostname: my.domain.com - environment: - VIRTUAL_HOST: my.domain.com - LETSENCRYPT_HOST: my.domain.com - LETSENCRYPT_EMAIL: me@mydomain.com - VIRTUAL_PORT: 8080 - db: /home/c2.db - reverseProxy: "True" - reverseProxyPort: 443 - https: "True" - network_mode: bridge - restart: always - -volumes: - c2DB: diff --git a/examples/Standalone/README.md b/examples/Standalone/README.md deleted file mode 100644 index 02fa655..0000000 --- a/examples/Standalone/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# Standalone example - -Example of how to build an run the image with docker-compose - -```sh -docker-compose -f "examples/Standalone/docker-compose.yml" up -d --build -``` diff --git a/examples/Standalone/docker-compose.yml b/examples/Standalone/docker-compose.yml deleted file mode 100644 index a6555bf..0000000 --- a/examples/Standalone/docker-compose.yml +++ /dev/null @@ -1,21 +0,0 @@ -version: "2" - -services: - c2: - build: - dockerfile: $PWD/Dockerfile - context: $PWD - image: hak5c2 - volumes: - - c2DB:/home - ports: - - "2022:2022" - - "8080:8080" - hostname: localhost - environment: - db: /home/c2.db - network_mode: bridge - restart: always - -volumes: - c2DB: diff --git a/run.sh b/run.sh deleted file mode 100755 index 9d3d3fd..0000000 --- a/run.sh +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - - -# ugly but readable lel -# if variable is not empty -if ! [ -z "$certFile" ]; then - certFile="-certfile $certFile" -fi - -if ! [ -z "$db" ]; then - db="-db $db" -fi - -if ! [ -z "$https" ]; then - https="-https" -fi - -if ! [ -z "$keyFile" ]; then - keyFile="-keyFile $keyFile" -fi - -if ! [ -z "$listenip" ]; then - listenip="-listenip $listenip" -fi - -if ! [ -z "$listenport" ]; then - listenport="-listenport $listenport" -fi - -if ! [ -z "$reverseProxy" ]; then - reverseProxy="-reverseProxy" -fi - -if ! [ -z "$reverseProxyPort" ]; then - reverseProxyPort="-reverseProxyPort $reverseProxyPort" -fi - -if ! [ -z "$sshport" ]; then - sshport="-sshport $sshport" -fi - -hostname="-hostname $(hostname -f)" - -echo "using following settings:" $hostname $certFile $db $https $keyFile $listenip $listenport $reverseProxy $reverseProxyPort $sshport - -/app/c2_community-linux-64 $hostname $certFile $db $https $keyFile $listenip $listenport $reverseProxy $reverseProxyPort $sshport \ No newline at end of file