Teachers Guide to the UWEcyber Raspberry Pi Cyber Range

This worksheet will provide guidance for setting up the UWEcyber Raspberry Pi Cyber Range. The purpose of this cyber range is to provide an "out-of-the-box" solution for schools to deploy a networked infrastructure that can then be used to model attack and defence. The range can be easily extended with "containerised" applications that provide further challenges for students, and we provide OWASP Juice Shop and CTFd as pre-installed containerised applications.

Please note:A new simplified version of this guide is available in the CyberWEST teachers workshop repository. We have kept this as the full documentation, however some aspects may be out of date for the latest release of the PiLab environment.

---

1. Setup
2. Starting Out
3. UWEcyber-KaliPi
4. Juice Shop
5. CTFd
6. Red Team-Blue Team
7. More on the UWEcyber-RasPwnOS

---

0. Setup

The first step is to download the two Raspberry Pi images available from the UWEcyber website:

• Download PiLab-Client (32GB) (v2 - updated 8th March 2024)
• Download PiLab-Hotspot (8GB) (v2 - updated 8th March 2024)

(The downloads are password-protected: uwecyber2024).

We have created these two images specifically for this guided lab. The images are customised versions of the RasPwnOS image and the Kali for Raspberry Pi (ARM) image, that we have extended with further functionality. You will also need to download Etcher which is a tool for writing the image file to an SD card that will be used to boot the Raspberry Pi. You will require:

• One instance of the UWEcyber-RasPwnOS, running on either a Raspberry Pi 3 or above, using a SD card with at least 8GB capacity.
• One or more instance of UWEcyber-KaliPi (one for each student/client Pi available), running on (preferably) a Raspberry Pi 4, using a SD card with at least 32GB capacity.

When you boot up the UWEcyber-KaliPi devices, you will need to log in. Use the username kali and the password kali. This is the default for each of the student devices - we will come back to this later on. On booting all devices, you should find that there is a wireless network called UWEcyber-RasPwnOS hosted by the UWEcyber-RasPwnOS device. You should also find that all UWE-KaliPi devices connect automatically to this access point. We now have a networked infrastructure hosted through the RasPwnOS! (Should you need to manually configure access to this network, the default password is UWEcyber_In53cur3!)

1. Starting out

If you are connected to the UWEcyber-RasPwnOS network, try bringing up a "Terminal", and then type: nmap 192.168.99.0/24. This will perform a scan of the IP subnet 192.168.99.* that the RasPwnOS access point is hosting. You should be able to find out information about all other connected devices. What services are running? Can you connect to any of these?

• The main playground of the RasPwnOS is hosted at playground.raspwn.org or 192.168.99.13.

2. UWEcyber-KaliPi

Using the UWEcyber-KaliPi, double-click the Terminal icon on the Desktop. You can navigate the file system using the Terminal. The two most commonly used commands are:

• ls: List directory
• cd: Change directory

Type cd UWEcyber to navigate to the main resources folder. Here you will see the following scripts that can be launched:

• ./run_burp_suite.sh
• ./run_juice_shop.sh
• ./run_ctfd.sh

• Juice Shop: This is a vulnerable web application developed by OWASP that is available as standard on the UWEcyber-KaliPi. On launch of the script, this can be accessed through the web browser at http://localhost:3000.
• CTFd: This is a Capture-The-Flag scoring server, suitable for running competitions with multiple students. On launch of the script, this can be accessed through the web browser at http://localhost:8000.
• Burp Suite: This is a web application testing tool that we have discussed during this course. The community edition is free and is pre-installed on the UWEcyber Kali-Pi. On launch of the script, this application window will appear.

3. Juice Shop

The UWEcyber-KaliPi comes pre-configured with an instance of OWASP Juice Shop that can be used either locally or remotely across the UWEcyber-RasPwnOS network.

To initiate the Juice Shop example, bring up a Terminal, and type cd Desktop/UWEcyber, followed by ./run_juice_shop.sh. This will start a Docker container of the application, that can be accessed in a web browser at localhost:3000. If you are connected on the UWEcyber-RasPwnOS network, then other devices can also access this service by navigating to <IP_ADDRESS>:3000 (e.g., 192.168.99.165:3000) in then web browser.

• Official Guide: https://pwning.owasp-juice.shop/
• TryHackMe Walkthrough Guide: https://www.tryhackme.com/room/owaspjuiceshop

4. CTFd

CTFd is a Capture-The-Flag competition server, that allows you to set up a question and answer service for submitting answers (flags) from a given challenge. This can be configured in many ways, but most likely is to use it in conjunction with a tool like Juice Shop that providees flags on completion of tasks. The service is fully installed, however you would need to custom the setup for your own event. Full details are available on the GitHub repository: https://github.com/CTFd/CTFd

5. Example: Red Team - Blue Team

There is much you can do with a Raspberry Pi network to help teach cyber security. As an example, here we will describe the steps taken in the sessions for conducting some red team/blue team challenges.

• Scanning the network: Launch the Terminal, and find out what your IP address is. Type ifconfig and you will be able to find this. Now, can you also find out what the IP address of the other devices in the room are that below to the other students? We can scan the full subnet range uing a tool called nmap by typing nmap 192.168.99.0/24. Devices associated with the raspwnos should be ruled out - these are out of scope and are for the access point. However, we should now have a set of IP addresses that correspond to other users in the room.
• Connecting to other devices: Choose a target. At this stage we do not know which students have which IP address, so pick any (other than those deemed out of scope previously). Let us assume we choose X.X.X.127. You can type ssh kali@192.168.59.127 to connect to this. We know that the default credentials for all devicecs are kali:kali so you should be able to log in.
• Create a file on the Desktop: Now that you have gained access, perhaps you want to let your target know? You could type cd Desktop to navigate to the Desktop folder. You could then also type nano README.txt. Here you have a text editor, why not write them a message - "I AM ON YOUR COMPUTER!" - you can then save your document by pressing Ctrl+S and exit the editor by pressing Ctrl+X.
• (Alternative) Edit their webpage: Similarly, each Pi is also hosting a web server, and so you could edit the text file that has the webpage content. Currently this is the default Apache2 page, however you could add something more interesting. This can be found at cd /var/www/html/ and then by typing sudo nano index.html (note that you need to run as sudo - this means "superuser do"). Edit this document (perhaps change the title) and then save. Anyone accessing their page via a web browser will see this change.
• Harden our security: Ok, so the attacker gained access and left us a note to tell us so. We may want to think about changing our password. We could have it so that students can "request" to change their password - one idea would be to pick a word out of a raffle (this being a word from our known wordlist, rockyou.txt). To change the password, type passwd. You can enter the new password as prompted - note that it will not display on the screen.
• Brute force the password: So the blue team have changed their password, can we get in? We can try and perform a brute force attack using Hydra. Type hydra -l kali -P /usr/share/wordlists/rockyou.txt <IP_ADDRESS> ssh. Here, we are specifying the username, the password wordlist to try, the IP address of the machine to attack, and the protocol to attack. If the password is on this list, this will work (depending on where on the list, this could take a while).
• Change SSH port: Another hardening technique may be to change the SSH port. On the defender machine, type sudo nano /etc/ssh/sshd_config. Where it says, Port 22 change this number to be something greater than 1000. Save and exit the file. You will also need to restart your SSH server sudo systemctl reload sshd. For the attackers, they will need to now change their scanning range, sudo nmap -p -sV 1000-3000 192.168.99.127. We are using -sV and sudo to scan for version numbers of services, which requires administrator access.

You can extend this concept much further - for example, you could have students open and close ports using a firewall. UFW or iptables would be recommended for this.

• https://linuxconfig.org/how-to-install-and-use-ufw-firewall-on-linux
• https://bobcares.com/blog/iptables-block-ip-range/
• https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules

---

6. More on the UWEcyber-RasPwnOS

The UWEcyber-RasPwnOS provides a simple and pre-configured wireless access point for your client machines (Kali-Pi). It also acts as a web server with some vulnerable applications pre-installed. The most popular application available on the RasPwnOS is the Damn Vulnerable Web Application (DVWA). This is a widely used vulnerable application. A detailed guide is available for the 2019 version of DVWA at https://github.com/mrudnitsky/dvwa-guide-2019. One of the key features of DVWA is that it allows you to modify the security level, essentially giving you a means to experiment where low security is imposed, and seeing how these attacks hold up when security is increased.

For now, let's focus on a few key challenges:

Brute force the password page

URL: playground.raspwn.org/dvwa/vulnerabilities/brute/index.php

• Unzip the RockYou word list: gunzip /usr/share/wordlists/rockyou.tar.gz
• Use Hydra to brute force the web form: hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 dvwa http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.
• Use Hydra to brute force the web form, providing the necessary session cookie for your login. hydra -l admin -P rockyou.txt -s 80 dvwa http-get-form "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=[your_value_here]"

This is a useful means to demonstrate how hydra can be used not only against a SSH connection, but also against services such as login pages on a web form.

Command Injection

URL: playground.raspwn.org/dvwa/vulnerabilities/exec/index.php

• Ping the local host, and then also perform additional commands: 127.0.0.1 & whoami & hostname

This is a useful example to show where a vulnerable text field is being used to take command line arguments. Given that there appears to be no input sanitisation, we can therefore append to the query and make other requests on the command line, such as whoami and hostname (or something much more malicious should we decide to).

SQL Injection

URL: playground.raspwn.org/dvwa/vulnerabilities/sqli/index.php

• Terminate the query at %, or insert a true statement: %' or '0'='0

This is a useful example to explore SQL injection, to see whether terminating characters are being sanitised by the input prompt.

Useful resources

• Brute Force using Burp Suite and OWASP ZAP
• DVWA 2019 Guide.

Author: Phil Legg
Last updated: 25/03/2022