3.3c

Makefile

@@ -1,4 +1,4 @@
-VER := 0.3.3
+VER := 0.3.3c
 
 all:
 	make -C guest
@@ -21,6 +21,14 @@ FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/sf-motd.sh"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/sf-setup.sh"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/rc.local-example"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/vim/vimrc.local"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/pelicanconf.py"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/tasks.py"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/Makefile"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/Articles/hello.md"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/Articles/world.md"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/pages/mydw.md"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/pages/about.md"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/www/content/images"
 
 FILES_HOST += "segfault-$(VER)/host/Dockerfile"
 FILES_HOST += "segfault-$(VER)/host/Makefile"

docker-compose.yml

@@ -114,6 +114,7 @@ services:
     depends_on:
       - dnsmasq
       - sf-redis
+      - router
     dns: 172.20.0.53
     cap_add:
       - NET_ADMIN #required
@@ -146,6 +147,7 @@ services:
     depends_on:
       - dnsmasq
       - sf-redis
+      - router
     dns: 172.20.0.53
     cap_add:
       - NET_ADMIN #required
@@ -178,6 +180,7 @@ services:
     depends_on:
       - dnsmasq
       - sf-redis
+      - router
     dns: 172.20.0.53
     cap_add:
       - NET_ADMIN #required
@@ -226,6 +229,7 @@ services:
       - net.ipv4.conf.all.rp_filter=2
     ports:
       - "${SF_SSH_PORT:-22}:22"
+      - "${SF_SSH_PORT2:-443}:22"
     environment:
       - SF_DEBUG
       - SF_MAXOUT

encfsd/encfsd.sh

@@ -26,7 +26,12 @@ xmkdir()
 	[[ -d "$1" ]] && return
 	# Odd occasion when no EncFS is running but kernel still has a stale mountpoint
 	# mountpoint: everyone-root: Transport endpoint is not connected
-	fusermount -zu "$1" 2>/dev/null
+	# If EncFS died then a stale mount point might exist.
+	# -d/-e/-f all fail (Transport endpoint is not connected)
+	# Force an unmount if it's not a directory.
+	# After unmounting check again if it's a directory (it should be!)
+	fusermount -zu "${1}" 2>/dev/null && [[ -d "$1" ]] && return 
+
 	mkdir "$1"
 }
 
@@ -58,6 +63,7 @@ encfs_mount()
 		return 255
 	}
 
+
 	xmkdir "${secdir}" || return 255
 	xmkdir "${rawdir}" || return 255
 

encfsd/portd.sh

@@ -234,12 +234,16 @@ remport_provider()
 cmd_remport()
 {
 	local lid
-	lid="$1"
 	local c_ipports
 	local n_ipports
 	local m_ipports
 	local provider
+	local selfdir
+	lid="$1"
+	selfdir="/config/self-for-guest/lg-${lid}"
 
+	# Remove files from instance
+	rm -f "${selfdir}/reverse_ip" "${selfdir}/reverse_port" 2>/dev/null
 	# Remove routing
 	# -> Dont need to. There is no harm leaving it.
 

guest/Dockerfile

@@ -3,7 +3,7 @@ FROM kalilinux/kali-rolling
 WORKDIR /root/
 
 # Valid options are:
-#   MINI BASE DEVEL NET HACK LARGE HUGE ALL
+#   MINI BASE DEVEL NET WEB HACK LARGE HUGE ALL
 #   SF_PACKAGES=ALL make
 # Default is "MINI BASE NET" (see pkg-install.sh)
 ARG SF_PACKAGES
@@ -29,8 +29,10 @@ RUN	apt-get update -y \
 		bc \
 		bsdmainutils \
 		dos2unix \
+		file \
 		less \
 		openssh-sftp-server \
+		python3-pip \
 		screen \
 		sharutils \
 		tmux \
@@ -146,7 +148,9 @@ RUN	apt-get update -y \
 		ruby \
 		x11-apps \
 	&& /pkg-install.sh HUGE go install -v github.com/projectdiscovery/uncover/cmd/uncover@latest \
-	&& /pkg-install.sh LARGE pip install --pre scapy[basic] \
+	&& /pkg-install.sh LARGE pip install --pre 'scapy[basic]' \
+	&& /pkg-install.sh WEB pip install \
+		'pelican[Markdown]' \
 	&& /pkg-install.sh LARGE pip install \
 		git-dumper \
 		ipython \

guest/Makefile

@@ -1,3 +1,3 @@
 all: Dockerfile
-	docker build --build-arg SF_PACKAGES=$(SF_PACKAGES) -t sf-guest .
+	docker build --build-arg SF_PACKAGES="$(SF_PACKAGES)" -t sf-guest .
 

guest/fs-root/sf/bin/sf-setup.sh

@@ -103,6 +103,12 @@ setup()
 	xmkdir /sec/usr/sbin
 	xmkdir /sec/usr/share
 
+	# Copy Pelican www
+	[[ ! -d /sec/www ]] && {
+		cp -a /usr/share/www /sec
+		sed "s/^SITEURL.*/SITEURL = '\/${SF_HOSTNAME,,}'/" -i /sec/www/pelicanconf.py
+	}
+
 	# Setup rc.local (if not exist) and execute rc.local
 	[[ ! -f /sec/usr/etc/rc.local ]] && setup_rclocal
 	/bin/bash /sec/usr/etc/rc.local

guest/setup.sh

@@ -30,7 +30,11 @@ chown root:root /etc /etc/profile.d /etc/profile.d/segfault.sh && \
 chmod 755 /usr /etc /etc/profile.d && \
 chmod 644 /etc/profile.d/segfault.sh && \
 chmod 644 /etc/shellrc /etc/zsh_command_not_found /etc/zsh_profile && \
+find /usr/share/www -type f -exec chmod 644 {} \; && \
+find /usr/share/www -type d -exec chmod 755 {} \; && \
 ln -s batcat /usr/bin/bat && \
+ln -s /sf/bin/sf-motd.sh /usr/bin/motd && \
+ln -s /sf/bin/sf-motd.sh /usr/bin/help && \
 echo DONE && exit 0
 
 exit 254

host/fs-root/bin/segfaultsh

@@ -287,12 +287,12 @@ print_goodbye()
 	n="$(bash -c "docker exec \"lg-${LID}\" pgrep . 2>/dev/null|wc -l")"
 	DEBUGF "Processes running: $n"
 	if [[ "$n" -gt 2 ]]; then
-		echo -e "Number of processes running: ${CDY}$((n-2))${CN}"
+		# echo -e "Number of processes running: ${CDY}$((n-2))${CN}"
 		# Display the running processes
 		str="process is"
 		[[ "$n" -gt 3 ]] && str="processes are"
 		echo -e "${CY}WARNING: ${CR}$((n-2))${CY} ${str} still running:${CN}"
-		exec_errnull docker exec "lg-${LID}" pgrep -v '^\[SF' -al | tail -n+2 | while read x; do p="${x%% *}      "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
+		exec_errnull docker exec "lg-${LID}" pgrep -v '^\[SF' -al | tail -n+3 | while read x; do p="${x%% *}        "; n="${x#* }"; echo -e "${CDY}--> ${CDR}${p:0:8}${CDG}${n:0:68}${CN}"; done
 		echo -e "\
 -------> The encrypted filesystem in /sec will remain accessible until
 -------> the last shell exits or all background processes terminate.
@@ -334,6 +334,7 @@ spawn_shell_exit()
 	DEBUGF "ARG(${#})=$*"
 
 	# Update current IP:
+	touch "/config/self-for-guest/lg-${LID}/THIS-DIRECTORY-IS-IN-MEMORY-ONLY"
 	tofile "${YOUR_IP}" "/config/self-for-guest/lg-${LID}/ip"
 	[[ -n $YOUR_GEOIP ]] && tofile "${YOUR_GEOIP}" "/config/self-for-guest/lg-${LID}/geoip"
 
@@ -687,7 +688,9 @@ echo_pty -n "...."
 # FIXME: Could write my own tiny-init that spawns itself, sleeps forever and
 # waits for child. Would save memory.
 ### Start the care taker...
-xmkdir "/config/self-for-guest/lg-${LID}"
+selfdir="/config/self-for-guest/lg-${LID}"
+xmkdir "${selfdir}"
+# rm -f "${selfdir}/reverse_ip" "${selfdir}/reverse_port" # NOTE: Deleted by portd.sh
 exec_devnull docker run \
 	--hostname "sf-${SF_HOSTNAME}" \
 	"${DOCKER_ARGS[@]}" \

provision/env.example

@@ -3,6 +3,7 @@ SF_BASEDIR=${HOME}/segfault
 ## Status information between containers is exchanged via _SHMDIR/run
 #SF_SHMDIR=/dev/shm/sf
 #SF_SSH_PORT=22
+#SF_SSH_PORT2=443
 #SF_DEBUG=1
 #SF_USER=root
 #SF_USER_PASSWORD=segfault

router/Dockerfile

@@ -1,17 +1,18 @@
 FROM ubuntu:22.04
 RUN    apt-get update \
        && apt-get install -y --no-install-recommends curl \
-              wget \
-              curl \
               ca-certificates \
-              net-tools \
+              curl \
+              fping \
               inetutils-ping \
-              netcat \
               iptables \
               iproute2 \
               iperf \
+              net-tools \
+              netcat \
               tcpdump \
-              fping \
+              wget \
+              vim \
        && rm -rf /var/lib/apt/lists/*
 
 COPY tc.sh init.sh fix-network.sh /

router/init.sh

@@ -55,7 +55,6 @@ init_revport()
 {
 	[[ -n $IS_REVPORT_INIT ]] && return
 	IS_REVPORT_INIT=1
-	# -----BEGIN REVERSE CONNECTION-----
 	### Create routing tables for reverse connection and when multipath routing is used:
 	# We are using multipath routing _and_ reverse port forwarding from the VPN Provider.
 	# See Cryptostorm's http://10.31.33.7/fwd as an example:
@@ -88,6 +87,8 @@ init_revport()
 	done
 	iptables -A PREROUTING -t mangle -i "${DEV_GW}" -j CONNMARK --save-mark
 
+	echo -e >&2 "[$(date '+%F %T' -u)] RevPort set up for 172.20.0.[${ips[@]}]"
+
 	# Route return traffic back to VPN-GW the packet came in from.
 	# Every return packet is marked (11nnn). If it is marked (e.g. it is a return packet)
 	# then also mark it as 12nnn. Then use customer routing rule for all packets
@@ -104,8 +105,6 @@ init_revport()
 		ip rule add fwmark "12${n}" table "8${n}"
 		ip route add default via "172.20.0.${n}" dev ${DEV_GW} table "8${n}"
 	done
-
-	# -----END REVERSE CONNECTION-----
 }
 
 use_vpn()
@@ -150,10 +149,9 @@ use_tor()
 
 monitor_failover()
 {
-	# ts=$(date +%s)
 	local status_sha
 
-
+	# FIXME: use redis here instead of polling
 	while :; do
 		bash -c "exec -a '[sleep router failover]' sleep 1"
 		sha="$(sha256sum /config/guest/vpn_status 2>/dev/null)"
@@ -169,6 +167,10 @@ monitor_failover()
 	done
 }
 
+
+# Delete old vpn_status
+[[ -f /config/guest/vpn_status ]] && rm -f /config/guest/vpn_status
+
 DEV_I22="$(devbyip 172.28.0. eth0)"
 DEV="$(devbyip 10.11. eth1)"
 DEV_SSHD="$(devbyip 172.22.0. eth2)"
@@ -227,8 +229,6 @@ iptables -t nat -A POSTROUTING -s 172.28.0.1 -o ${DEV_SSHD} -j MASQUERADE && \
 iptables -A PREROUTING -i ${DEV_SSHD} -t mangle -p tcp -s 172.22.0.21 -j MARK --set-mark 22
 # -----END GSNC traffic is routed via Internet----
 
-
-
 ifconfig "$DEV" 10.11.0.1/16 && \
 # MASQ all traffic because the VPN/TOR instances dont know the route back
 # to sf-guest (10.11.0.0/16).