Here are the minimum requirements for running Kahyangan:
- Processor: AMD Ryzen 3
- RAM: 6 GB
- SSD DDR 3
- Docker
- Docker Compose
Navigate to the /wazuh-docker/single-node folder.
Generate the SSL certificates for Wazuh by running:

```bash
docker-compose -f generate-indexer-certs.yml run --rm generator
```

Then, start all the services by typing the following commands in the terminal:

```bash
docker compose build
docker compose up
```
Open https://localhost:5601 to access Wazuh.
If the page looks like the following image, wait a moment and refresh it.
After that, we will get a page like this.
On this page, we can log in with the username `admin` and the password `SecretPassword`.
After logging in with the credentials above, we will be directed to a page like this.
We can learn how to use Wazuh from the reference documentation at https://documentation.wazuh.com/current/user-manual/index.html
We can also see the available services by accessing http://localhost:80, as shown below.
There are 4 vulnerable web app services that can be attacked with specific techniques, namely SQL Injection, SSTI, LFI, and PHP Arbitrary File Upload. We will use these four web apps to test the Wazuh instance we have installed.
To integrate a Discord bot, we first need to stop the containers with the `docker compose down --volumes` command.
After that, we can edit the file /config/wazuh_cluster/wazuh_manager.conf as follows. You need to add your own hook_url there.

```xml
<integration>
  <name>custom-discord.py</name>
  <hook_url>https://webhooks</hook_url>
  <level>7</level>
  <alert_format>json</alert_format>
</integration>
```
Then, start the containers again with the `docker compose up --build` command. Once they are running, we will receive an alert like the following on our Discord server.
For a more detailed explanation, see https://eugenio-chaves.github.io/blog/2022/creating-a-custom-wazuh-integration/ .
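As an added example (not the project's own custom-discord.py, and not code from the blog linked above), here is a minimal Python integration script of the kind the `<name>` entry in the configuration points at. It assumes Wazuh's custom-integration convention, where the manager runs the script with three positional arguments (the path of a file holding one alert as JSON, an API key, and the hook_url), and that the script is installed on the manager as /var/ossec/integrations/custom-discord.py with mode 750 and owner root:wazuh. The severity colour thresholds, the embed layout and the field names are my own choices; only the standard library is used so the script does not depend on extra packages in the manager's Python.

```python
#!/usr/bin/env python3
"""Example custom Wazuh integration that forwards alerts to a Discord webhook.

Added example, not the project's custom-discord.py. Assumes Wazuh's custom
integration convention: the manager runs
    custom-discord.py <alert_file> <api_key> <hook_url>
where <alert_file> contains a single alert encoded as JSON.
"""
import json
import sys
import urllib.request

MAX_TITLE = 256          # Discord limits embed titles to 256 characters,
MAX_FIELD = 1024         # embed field values to 1024 characters,
MAX_DESCRIPTION = 4096   # and embed descriptions to 4096 characters.


def _truncate(text, limit):
    """Clip text so the webhook does not reject an oversized embed."""
    text = str(text)
    return text if len(text) <= limit else text[: limit - 3] + "..."


def build_discord_payload(alert):
    """Turn one Wazuh alert dict into a Discord webhook payload (dict)."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    level = int(rule.get("level", 0))
    # Colour by severity (thresholds are my own choice): red >= 12, yellow >= 7, else green.
    colour = 0xE74C3C if level >= 12 else 0xF1C40F if level >= 7 else 0x2ECC71
    fields = [
        {"name": "Rule ID", "value": _truncate(rule.get("id", "?"), MAX_FIELD), "inline": True},
        {"name": "Level", "value": str(level), "inline": True},
        {"name": "Agent", "value": _truncate(agent.get("name", "unknown"), MAX_FIELD), "inline": True},
    ]
    # Source IP is only present for alerts whose decoder extracted one.
    srcip = alert.get("data", {}).get("srcip")
    if srcip:
        fields.append({"name": "Source IP", "value": _truncate(srcip, MAX_FIELD), "inline": True})
    if alert.get("full_log"):
        fields.append({"name": "Log", "value": _truncate(alert["full_log"], MAX_FIELD), "inline": False})
    return {
        "username": "Wazuh",
        "embeds": [{
            "title": _truncate(rule.get("description", "Wazuh alert"), MAX_TITLE),
            "description": _truncate(alert.get("timestamp", ""), MAX_DESCRIPTION),
            "color": colour,
            "fields": fields,
        }],
    }


def send_to_discord(hook_url, payload):
    """POST the payload to the webhook and return the HTTP status code (Discord answers 204)."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        hook_url,
        data=body,
        headers={"Content-Type": "application/json", "User-Agent": "wazuh-discord-integration"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def main(argv):
    # Argument layout follows Wazuh's integration convention: alert file, API key, hook URL.
    if len(argv) < 4:
        sys.stderr.write("usage: custom-discord.py <alert_file> <api_key> <hook_url>\n")
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        alert = json.load(fh)
    status = send_to_discord(argv[3], build_discord_payload(alert))
    return 0 if 200 <= status < 300 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The `<level>7</level>` entry in the configuration above means the manager only hands alerts of level 7 or higher to the script, so the green branch of the colour logic is reached only if that threshold is lowered.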
These web apps are web applications that we created to test the alerting system of the Wazuh instance we installed. We can access them at http://localhost, or from the attacker PC at the URL http://apps.proxy/.
We intentionally made this web service vulnerable to several kinds of attacks so that it serves as an asset for this lab. The attacks that can be exploited against these services are:
- Server-Side Template Injection
- PHP Arbitrary File Upload
- SQL Injection
- Local File Inclusion
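To see what the traffic generated against these four apps looks like in the web server logs before Wazuh's rules process it, here is an added example (not part of the project) that runs simple signature matching for the four attack classes over a few constructed access-log lines in Apache combined format. The endpoint paths (/sqli/, /lfi/, /ssti/, /upload/) and the assumption that uploaded files are served from an /uploads/ directory are my own and may not match the lab's apps; the patterns are deliberately coarse and are a sanity check on the lab's logs, not a replacement for Wazuh's built-in web rules, which are what the lab actually tests.

```python
#!/usr/bin/env python3
"""Flag access-log lines that match the four attack classes exposed by the lab.

Added example, not part of the project. The log lines, endpoint paths and the
/uploads/ directory below are constructed for illustration.
"""
import re
import urllib.parse

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Coarse signatures, one per attack class offered by the lab's web apps.
SIGNATURES = {
    "Server-Side Template Injection": re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\$\{.*?\}|<%.*?%>"),
    # Assumes uploaded files land under /uploads/; a PHP file requested from there
    # means an uploaded script is being executed rather than merely stored.
    "PHP Arbitrary File Upload": re.compile(
        r"/uploads/[^/?#]+\.(?:php\d?|phtml|phar)(?:$|[?#])", re.IGNORECASE
    ),
    "SQL Injection": re.compile(
        r"'\s*(?:or|and)\s+|\bunion\s+(?:all\s+)?select\b|--\s|/\*.*?\*/"
        r"|;\s*(?:drop|insert|update|delete)\s",
        re.IGNORECASE,
    ),
    "Local File Inclusion": re.compile(
        r"\.\./|\.\.\\|/etc/passwd|/proc/self|php://|file://", re.IGNORECASE
    ),
}

# Constructed sample log: four attack requests from one client, one benign request.
SAMPLE_LOG = """\
10.10.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /sqli/?id=1'%20OR%20'1'%3D'1 HTTP/1.1" 200 512
10.10.0.5 - - [10/Mar/2024:12:00:02 +0000] "GET /lfi/?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432
10.10.0.5 - - [10/Mar/2024:12:00:03 +0000] "GET /ssti/?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 88
10.10.0.5 - - [10/Mar/2024:12:00:04 +0000] "POST /upload/upload.php HTTP/1.1" 302 0
10.10.0.5 - - [10/Mar/2024:12:00:05 +0000] "GET /upload/uploads/test.php HTTP/1.1" 200 40
192.168.1.20 - - [10/Mar/2024:12:00:06 +0000] "GET /index.php HTTP/1.1" 200 2048
"""


def classify_request(target):
    """Return the attack classes whose signature matches the URL-decoded request target."""
    decoded = urllib.parse.unquote_plus(target)
    # Decode a second time so double-encoded payloads (e.g. %252e%252e%252f) are caught too.
    decoded = urllib.parse.unquote(decoded)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]


def scan_access_log(lines):
    """Parse each log line and keep those whose target matches at least one signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        attacks = classify_request(m.group("target"))
        if attacks:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "target": m.group("target"), "attacks": attacks})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} {hit['target']} -> {', '.join(hit['attacks'])}")
```

The POST to the upload handler itself is not flagged: the signature fires on the later request that executes a PHP file from the uploads directory, which is the event worth alerting on.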
Wazuh Services is where our Wazuh components run. The services included are:
- Wazuh Dashboard
- Wazuh Indexer
- Wazuh Manager
The Attacker PC is a container that we use to simulate attacks on our services. This is where we test Wazuh's alerting system from the perspective of an attacker/red teamer.
We have also provided some exploit scripts on this PC, which can be found in the /exploit folder. There are several exploits for the Web Apps services that we can run.
Here is an example of an exploitation script that we can run on the attacker machine to attack the php_arbitary_file_upload service on the web service.