CentOS 7 build docker+vulhub (Vulnerability Test Range)

CentOS 7 Install Vulhub (Vulnerability Test Range)

1. Install Docker
- 1. Install Docker with one click
- 2. Manually install Docker
- accelerator
- - Configure Docker Image Station
  - - Linux
    - macOS
    - Windows
2. Install docker-compose
- 1. Install Python3
- 2. Install PIP
- 3. Install docker-compose
3. Download Vulhub
4. Start the environment
Vulnerability testing
6. Remove the environment
7. Configuration requirements

This article is a personal diary version of vulhub that was created in combination with the blogs of all the big guys.

The citations involved are as follows:
vulhub official website:/#/docs/download-vulhub/.
Xiu Jin:/xiujin/p/.
Just do it:/daiyekun-blog/p/.

1. InstallationDocker

1. Install Docker with one click

This is the recommended way. On machines that have not installed Docker, execute the following commands to install the latest version of Docker in one click:

curl -s / | sh

If you have installed the old version of Docker (and not installed with this one-click installation script), please uninstall Docker first (for example,sudo apt purge --autoremove ）。

If you don't want to install Docker in this way, you can also use the package management tool that comes with the system to install it, for exampleUbuntuDown:

sudo apt install

However, the Docker version installed by the package management tool is generally older, and there may be bugs when using Vulhub (basically, it is not ruled out that some Docker versions are too old).

Note that docker is a system service, so after the installation is completed, you may need to manually start the service: service start docker, otherwise the connection will fail. Similarly, if docker does not start automatically, you also need to start the docker service manually. If you are installing docker using one-click installation tool, docker will start automatically.

2. Manually install Docker

If the operating system you are using does not support the one-click installation script and does not have a package management tool, you can choose to manually install the latest version of Docker.

Docker is divided into CE version and EE version, among which CE version is aimed at the open source community and is freesoftware;We just choose the CE version.

Common operating system installation methods can be viewed in the documentation, so I will not repeat them:/engine/installation/.

Note that docker is a system service, so after installation, you may need to manually start the service:systemctl restart docker, otherwise the connection will fail. Similarly, if docker does not start automatically, you also need to start the docker service manually.

accelerator

Since all Vulhub resources come from Dockerhub/Github/software official website, the above-mentioned site servers may have problems such as slow access and high packet loss rate in China, which leads to too stuck when starting the Vulhub vulnerability environment, which affects the normal experience.

Therefore, we first recommend using foreign VPS to build a vulnerable environment. In this case, it only takes 30 seconds to start an environment on average.

If you really don’t have the conditions to purchase a foreign VPS, you can also accelerate Dockerhub with Dockerac (of course, you can only accelerate Dockerhub).
Link:/mirror

Configure Docker Image Station

Linux

curl -sSL /daotools/set_mirror.sh | sh -s

This script can add --registry-mirror to your Docker configuration file /etc/docker/. Suitable for Ubuntu14.04, Debian, CentOS6,CentOS7, Fedora, Arch Linux, openSUSE Leap 42.1, other versions may have subtle differences. For more details, please visit the documentation.

macOS

Docker For Mac

Right-click the docker icon in the top bar of the desktop, select Preferences, and add the following mirror address to the Registry mirrors list under the Daemon tag (the version before Docker 17.03 was Advanced tag):

Click the Apply & Restart button to make the settings take effect.

Please refer to Docker Toolbox and other configuration methodsHelp Documentation。

Windows

Docker For Windows

Right-click the docker icon in the status bar in the lower right corner of the desktop, modify the json in the Docker Daemon tab, and place the following address:

Add to the array of "registry-mirrors". Click Apply.

Please refer to Docker Toolbox and other configuration methodsHelp Documentation。

2. Install docker-compose

Docker-compose is used to combine services and intranet. Some environments involve multiple containers, and the ports and directories opened by different environments are also different, so Vulhub chooses to use docker-compose as an environment one-click management tool. Users no longer need to learn various parameters and usages of docker commands, they only need to simply execute them.docker-compose up -dYou can start the container.

Docker-compose is based on Python development, so we can usepipPerform installation.

1. Install Python3

1. Install the corresponding compilation tool
Under root user (don't use ordinary users, please copy and paste them all and install them at one time.

yum -y groupinstall "Development tools"
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel
yum install -y libffi-devel zlib1g-dev
yum install zlib* -y

2. Download the installation package

wget wget /ftp/python/3.7.2/Python-3.7.

3. Decompression

tar -xvJf  Python-3.7.

4. Create a compiled installation directory

mkdir /usr/local/python3

5. Installation

cd Python-3.7.2
./configure --prefix=/usr/local/python3 --enable-optimizations --with-ssl

The first one specifies the installation path. If it is not specified, the files required by the software may be copied to other different directories during the installation process. It is inconvenient to delete the software and copy the software.
The second one can improve the running speed of python by 10%-20%.
The third one is to use ssl to install pip, and an error will be mentioned later.

make && make install
what-does-enable-optimizations-do-while-compiling-python

6. Create a soft link

ln -s /usr/local/python3/bin/python3 /usr/local/bin/python3
ln -s /usr/local/python3/bin/pip3 /usr/local/bin/pip3

7. Verify whether it is successful

python3 -V
pip3 -V

Please refer to the errorXiu JinBig Boss' Blog
Link:/xiujin/p/.

2. Install PIP

Pip3 was already installed when python3 was installed above, so this step can be skipped

If you do not have pip installed in your environment, you also need to install pip first. It is recommended to use the following command for installation. This method will reduce the number of unnecessary dependencies:

curl -s / | python3

3. Install docker-compose

After you have pip, you can use pip to install docker-compose directly:

pip3 install docker-compose

After the installation is completed, executedocker-compose -v, if it returns, the installation will be successful.

After testing, most of the execution of docker-compose failed, so I sought other ways to install docker-compose.
Reference here:/daiyekun-blog/p/.

wget /docker/compose/releases/download/1.14.0-rc2/docker-compose-Linux-x86_64
rename docker-compose-Linux-x86_64 docker-compose docker-compose-Linux-x86_64
chmod +x /usr/local/bin/docker-compose
docker-compose version

3. Download Vulhub

After installing docker and docker-compose, pull Vulhub to any local directory:

git clone /vulhub/

If the pulling speed is too slow, you can directly download the compressed package of the master branch:.。

4. Start the environment

Start the vulnerable environment
docker-compose will automatically find the configuration file in the current directory (the default file name is) and compile the image and start the container according to its content. Therefore, to run a vulnerability range, you need to first enter the directory where the vulnerability is located.

Select an environment in Vulhub and enter the corresponding directory. For example, if the Flask server template injection vulnerability is injected, we enter the flask/ssti directory:

cd flask/ssti

Directly execute the following commands to compile and run the vulnerable shooting range:

# Optional
 docker-compose build
 docker-compose up -d

Whydocker-compose buildIs it optional?

docker-compose up -dAfter running, the configuration files in the current directory will be automatically searched. If all environments contained in the configuration file already exist, they will not compile again; if the environments contained in the configuration file do not exist, they will be compiled automatically. So, actuallydocker-compose up -dThe command containsdocker-compose buildof.

If the configuration file is updated, you can manually execute docker-compose build to recompile the shooting range environment.

Vulnerability testing

All vulnerability environments in Vulhub are configured with detailed documentation, including how to compile, start, principle, and reproduction.

We canThis documentSearch and view all vulnerable environments, and will not be repeated here.

6. Remove the environment

All environments in Vulhub are vulnerable shooting ranges. After the test is completed, please close and remove the environment in time to avoid malicious use by others.

Although the shooting ranges are all running in Docker, most malware will not lose its effect just because it runs in a container!

As mentioned earlier, docker-compose will start the container based on the configuration file in the current directory by default. When closing and removing the environment, it also needs to be in the corresponding directory. We performdocker-compose up -dAfter that, do not leave the current directory. After the vulnerability test is completed, execute the following command to remove the environment:

docker-compose down

The above command will perform the following actions:

Close the running container
Delete all related containers
Remove NAT (docker-compose will create a NAT network segment when it is running)
However, the compiled vulnerability image will not be removed, and it will be executed next timedocker-compose up -dThe command does not need to compile the related image again.

7. Configuration requirements

Vulhub is a vulnerable shooting range, all of which run programs that have real vulnerabilities. Therefore, different vulnerability programs lead to different requirements for the environment.

In the current Vulhub environment, most environments do not have high configuration requirements, so we recommend using 1G memory VPS for testing. But similar to gitlab/CVE-2016-9086, the configuration requirements are relatively high and may require 2G memory to run. This is because the configuration requirements of the Gitlab software itself are relatively high.

Problems caused by insufficient inodes
In addition, during the Vulhub test, there are many problems in configurations that are insufficient hard disk inode.

Read "Understand inode》, learn about inode. After a long time,docker-compose downIf the image is not removed, we may have downloaded or compiled many vulnerable images. Each vulnerability image is actually equivalent to a Linux system, with more small files and occupies inode.

When some VPS allocate space, the number of inodes allocated is small. We can execute df -i to view the inode of the current file system:

# root @ docker-demo in ~ [20:26:48]
$ df -i
Filesystem      Inodes  IUsed   IFree IUse% Mounted on
udev             56787    404   56383    1% /dev
tmpfs            62210    537   61673    1% /run
/dev/vda1      1280000 136309 1143691   11% /
tmpfs            62210      2   62208    1% /dev/shm
tmpfs            62210      3   62207    1% /run/lock
tmpfs            62210     16   62194    1% /sys/fs/cgroup
tmpfs            62210      4   62206    1% /run/user/0

If you find that the hard disk space has not been used up yet, but the prompt is insufficient space, you can check the current inode, maybe the number of inodes is insufficient.