1
00:00:08,160 --> 00:00:15,210
All right, so in the last lecture, we set up Docker in our Ubuntu server and we confirmed that the

2
00:00:15,210 --> 00:00:16,890
Juice Shop container works.

3
00:00:17,340 --> 00:00:22,830
Now we need to set up the universal forwarder, and then we need to go through the somewhat convoluted process

4
00:00:22,830 --> 00:00:29,340
of forwarding the logs from the container to the host, which is the Ubuntu virtual machine.

5
00:00:30,100 --> 00:00:31,050
Some ambiguity, right?

6
00:00:31,050 --> 00:00:37,470
Because in Docker, a host is the computer that contains

7
00:00:37,830 --> 00:00:46,600
the Docker container, right? In virtual machine speak, the host is our physical machine.

8
00:00:46,620 --> 00:00:52,740
So there's two different ways we're using "host" here. When it comes to the containers and Docker, the

9
00:00:52,740 --> 00:00:58,640
host is just the computer that has the Docker daemon running, OK?

10
00:00:58,920 --> 00:01:00,830
And that's our Ubuntu system.

11
00:01:01,260 --> 00:01:05,430
So what we're going to do is, first, let's go ahead and grab the universal forwarder.

12
00:01:05,880 --> 00:01:09,180
So if we go to Splunk products, I can scroll down.

13
00:01:09,330 --> 00:01:10,980
We can go to free trials and downloads.

14
00:01:14,680 --> 00:01:16,360
Click on Download Now.

15
00:01:17,490 --> 00:01:18,690
Then I click on Login.

16
00:01:20,600 --> 00:01:25,820
Because I already have an account, I'm going to log in with my account. It's free to make an account.

17
00:01:26,300 --> 00:01:26,760
All right.

18
00:01:26,900 --> 00:01:27,600
Really, really cool.

19
00:01:27,620 --> 00:01:28,340
So we're logged in.

20
00:01:28,610 --> 00:01:31,720
What we want is the Linux Debian package.

21
00:01:32,990 --> 00:01:35,960
So I just click Linux and then I go to the

22
00:01:35,960 --> 00:01:37,850
.deb, move over to Download Now.
23
00:01:38,240 --> 00:01:40,160
And it's going to take me to a wget link.

24
00:01:42,060 --> 00:01:47,220
And now that we've got that going, we're going to copy the command line: you click here to select everything,

25
00:01:47,220 --> 00:01:56,160
right click and copy, alt-tab to switch over, and then we should be able to see what directory we're

26
00:01:56,160 --> 00:01:57,300
in. We're in the home directory. Perfect.

27
00:01:57,810 --> 00:01:58,020
Right.

28
00:01:58,020 --> 00:01:58,470
Click here.

29
00:01:59,530 --> 00:02:00,480
And we'll just download

30
00:02:01,450 --> 00:02:04,360
the universal forwarder into the home directory.

31
00:02:05,440 --> 00:02:06,430
All right, so do we have it?

32
00:02:06,490 --> 00:02:14,410
Yes, and you can see it is a Debian binary package, so we can actually use the package manager to install

33
00:02:14,410 --> 00:02:14,560
it.

34
00:02:14,560 --> 00:02:22,390
So I can say, you know, dpkg -i sp, tab, to install.

35
00:02:23,750 --> 00:02:28,000
I love doing it this way. It's a lot easier than using the tar package, the tarballs.

36
00:02:28,490 --> 00:02:31,450
All right, so now we can go to the Splunk directory.

37
00:02:31,550 --> 00:02:35,110
If everything worked out correctly. It did, very cool.

38
00:02:35,630 --> 00:02:41,480
And what we can do in here is we're just going to run the Splunk binary, OK?

39
00:02:42,800 --> 00:02:45,850
And we're going to tell it to start up.

40
00:02:47,450 --> 00:02:55,760
So start. We're going to accept the license on start, --accept-license, and enter a user name for the

41
00:02:55,910 --> 00:03:00,590
universal forwarder and then an admin password.

42
00:03:03,440 --> 00:03:10,070
OK, so something is already listening. It's already bound to port 8089, so we could change ports of course,

43
00:03:10,070 --> 00:03:11,680
but let me show you some little tricks here.

44
00:03:11,900 --> 00:03:12,970
Do you want to change ports now?
45
00:03:13,940 --> 00:03:20,650
I'm going to say yes. Then grep for 8089.

46
00:03:20,720 --> 00:03:22,910
I can see Splunk is running with this PID.

47
00:03:23,660 --> 00:03:24,300
Thirty nine.

48
00:03:24,320 --> 00:03:24,530
Right.

49
00:03:24,530 --> 00:03:26,450
So sudo kill -9,

50
00:03:26,750 --> 00:03:27,470
and that PID.

51
00:03:29,600 --> 00:03:35,360
Now it's not there anymore, so we should be able to start the universal forwarder.

52
00:03:36,740 --> 00:03:38,300
All right, so it's done. Very good.

53
00:03:38,870 --> 00:03:44,600
Let's also tell Splunk to start on boot, so we want the universal forwarder to start on

54
00:03:44,600 --> 00:03:46,160
boot: enable boot-start.

55
00:03:47,760 --> 00:03:48,190
Sweet.

56
00:03:48,840 --> 00:03:57,540
And now we want to set up the forwarding server, so we're going to say add forward-server, and it's going to be

57
00:03:57,900 --> 00:04:00,670
10.100.0.99:9997.

58
00:04:00,690 --> 00:04:03,680
This is going to be our Splunk indexer, which we'll set up in a future lesson.

59
00:04:05,160 --> 00:04:08,520
We're going to use these credentials, and the password: dash,

60
00:04:08,520 --> 00:04:09,510
one, two, three, bang.

61
00:04:10,920 --> 00:04:11,310
All right.

62
00:04:11,520 --> 00:04:12,070
Very cool.

63
00:04:12,540 --> 00:04:17,990
So now what we need to do is set up our log directory on the host.

64
00:04:19,470 --> 00:04:25,320
This directory doesn't exist, so we want the logs in the container to go here.

65
00:04:26,220 --> 00:04:27,380
So we're going to create that directory,

66
00:04:32,040 --> 00:04:35,460
and the -p just tells it to create the entire path,

67
00:04:36,460 --> 00:04:37,890
/var/www.

68
00:04:40,470 --> 00:04:41,280
Now we can go there.

69
00:04:47,200 --> 00:04:47,570
Right now,

70
00:04:47,580 --> 00:04:48,180
we have nothing here.

71
00:04:48,180 --> 00:04:48,410
Right.

72
00:04:51,600 --> 00:04:52,860
And it's currently owned by root.
73
00:04:53,280 --> 00:04:54,410
So we're gonna have to fix this.

74
00:04:54,600 --> 00:05:00,150
We're gonna have to change the user and the group to match the user and group of the process running Juice Shop,

75
00:05:00,150 --> 00:05:01,680
I think, running in the container.

76
00:05:02,650 --> 00:05:13,270
OK, so what we're going to do is take a look at sudo docker images. OK, that's the image we have.

77
00:05:14,050 --> 00:05:15,340
Yes, nothing's running.

78
00:05:17,230 --> 00:05:19,630
It shows you the running containers; docker ps -a shows

79
00:05:19,630 --> 00:05:20,290
all containers.

80
00:05:21,040 --> 00:05:32,680
So I'm going to delete this container with rm, and the container name is romantic song, and it just

81
00:05:32,680 --> 00:05:33,430
makes it randomly.

82
00:05:34,420 --> 00:05:35,380
Don't be freaked out by that.

83
00:05:36,070 --> 00:05:36,490
All right.

84
00:05:36,820 --> 00:05:46,720
So now what we can do is say sudo docker run as a daemon, and we want to map the directory we just

85
00:05:46,720 --> 00:05:54,880
created on the host to the directory in Juice Shop that contains our logs, and we're going to forward port

86
00:05:54,880 --> 00:05:55,480
3000.

87
00:05:56,320 --> 00:06:04,990
Oh, we're going to need to name the container so we don't get crazy names like romantic. Right now, if

88
00:06:04,990 --> 00:06:07,150
we run, you know, docker ps...

89
00:06:10,600 --> 00:06:12,110
Well, it's still giving us an error message.

90
00:06:12,910 --> 00:06:15,040
Let's try this command from the GitHub page.

91
00:06:16,270 --> 00:06:17,980
All right, so that runs.

92
00:06:20,350 --> 00:06:26,310
Let's just run it as a daemon, so we get the command from before: sudo docker...

93
00:06:26,700 --> 00:06:27,190
Yes.

94
00:06:27,680 --> 00:06:28,050
All right.

95
00:06:28,060 --> 00:06:29,260
So it's running now.

96
00:06:29,270 --> 00:06:31,870
What we want to do is go into this Docker container.
97
00:06:33,610 --> 00:06:40,420
So we're going to say exec, interactive with a terminal, and we want to go into the Juice Shop container and we're

98
00:06:40,420 --> 00:06:41,170
going to run the shell.

99
00:06:42,560 --> 00:06:48,380
All right, so now we need to look at the processes, and you can see this user, juicer, is the process

100
00:06:48,380 --> 00:06:51,040
inside the container running the Juice Shop app.

101
00:06:51,550 --> 00:06:58,040
And if you do id on the user, you'll see it's 1001, you know, so it's 1001

102
00:06:58,040 --> 00:06:58,870
for the group ID as well.

103
00:06:59,600 --> 00:07:01,460
So that is what we need to make

104
00:07:04,150 --> 00:07:12,130
this folder set to. So if we say sudo chown, recursive, to 1001 for the user and

105
00:07:12,130 --> 00:07:14,110
the group, for the html folder,

106
00:07:17,140 --> 00:07:20,270
it says splunk:splunk for you. It's not related to Splunk.

107
00:07:20,710 --> 00:07:25,090
That's probably because in the past already

108
00:07:29,260 --> 00:07:31,660
it has splunk mapped to group ID 1001.

109
00:07:31,690 --> 00:07:34,990
So as far as the container is concerned, it doesn't care whether it's called

110
00:07:34,990 --> 00:07:35,380
splunk or not.

111
00:07:35,940 --> 00:07:36,310
All right.

112
00:07:36,640 --> 00:07:42,250
So now that we have that mapping in place, we should be able to stop the container and start it again

113
00:07:42,400 --> 00:07:43,120
and get everything to work.

114
00:07:43,120 --> 00:07:43,440
Right.

115
00:07:46,530 --> 00:07:57,720
sudo docker stop, the container, and then we'll run it through docker run. We're running in

116
00:07:57,720 --> 00:08:02,760
privileged mode to make it intentionally vulnerable, especially since the container gets root access to your

117
00:08:02,760 --> 00:08:03,120
host.

118
00:08:04,110 --> 00:08:05,190
Never do this in production.

119
00:08:05,520 --> 00:08:06,420
We're doing it in the lab.
120
00:08:06,420 --> 00:08:08,640
So if we compromise the container, we can pivot to the host.

121
00:08:08,970 --> 00:08:10,880
Right, purely for learning.

122
00:08:11,310 --> 00:08:18,890
Make it a daemon and make sure that the process UID is 1001 and the group ID

123
00:08:18,940 --> 00:08:19,440
is also 1001.

124
00:08:20,700 --> 00:08:28,650
And we're going to map the html folder to the Juice Shop logs directory

125
00:08:31,910 --> 00:08:36,880
in the image's container, and we use the ports,

126
00:08:37,440 --> 00:08:38,100
3000.

127
00:08:43,680 --> 00:08:44,250
It's running.

128
00:08:44,580 --> 00:08:45,440
That looks really good.

129
00:08:45,450 --> 00:08:49,920
So what we can do now is sudo docker

130
00:08:50,010 --> 00:08:50,450
exec

131
00:08:51,570 --> 00:08:52,620
into the Juice Shop container.

132
00:08:54,120 --> 00:08:55,150
Let's go to the logs folder.

133
00:08:58,670 --> 00:09:02,760
If you look in here, you can see there's an access log going there.

134
00:09:03,650 --> 00:09:07,120
But if we hit the page, the logs will show up.

135
00:09:10,360 --> 00:09:12,250
Right, because I'm going to make a GET request to the server.

136
00:09:14,070 --> 00:09:21,570
The access log is now inside the container. If we exit the container, this is the moment of truth.

137
00:09:22,270 --> 00:09:23,640
We're going to be on the host.

138
00:09:24,300 --> 00:09:26,620
We should have the access log there, and we do.

139
00:09:28,500 --> 00:09:28,810
Sweet.

140
00:09:29,400 --> 00:09:33,030
So now we have a way of monitoring that file, right?

141
00:09:33,030 --> 00:09:47,550
So we can just say sudo, /opt/splunk..., then sudo splunk add monitor on the access log, and we just

142
00:09:47,550 --> 00:09:48,240
restart Splunk,

143
00:09:51,000 --> 00:09:53,250
and now it should be able to monitor our logs.

144
00:09:53,520 --> 00:09:53,800
All right.

145
00:09:53,820 --> 00:09:54,930
I know that is kind of complicated.
146
00:09:55,260 --> 00:09:55,890
Do you have any questions?

147
00:09:55,890 --> 00:09:56,900
Just hit me up now.

148
00:09:56,910 --> 00:09:58,050
We're going to start monkeying around.