From 010eeb195bcd22cb27010f7f5ddfcc622267efc4 Mon Sep 17 00:00:00 2001 
From: Patrick Double Date: Tue, 19 Nov 2024 13:04:10 -0600 Subject: [PATCH] Refactor to support kasm --- .github/workflows/publish.yaml | 148 ++++++++++++++++++ .gitignore | 1 + attackhost/Dockerfile.kasm-kali | 22 +++ attackhost/Dockerfile.kasm-parrot | 22 +++ attackhost/Dockerfile.openvpn | 21 +++ {kali => attackhost}/Vagrantfile | 26 +-- attackhost/build-oci.sh | 5 + attackhost/hosts.ini | 2 + attackhost/kasm.yml | 13 ++ attackhost/openvpn/entrypoint.sh | 13 ++ .../provisioners}/autologin.sh | 0 .../provisioners}/caido-install.sh | 0 {kali => attackhost/provisioners}/chsh-zsh.sh | 0 .../provisioners}/docker-install.sh | 0 .../provisioners}/dropbox-docker.sh | 0 .../provisioners}/dropbox-install.sh | 0 .../provisioners}/dropbox-maestral.sh | 0 .../provisioners}/google-chrome-install.sh | 0 .../provisioners}/host_arch.sh | 0 .../provisioners/htbacademy-compose.yml | 28 ++++ attackhost/provisioners/htblab-compose.yml | 28 ++++ .../jetbrains-toolbox-install.sh | 0 .../provisioners}/llm-functions.sh | 0 .../provisioners}/local-bin.sh | 0 .../provisioners}/lockscreen-disable.sh | 0 .../provisioners/mount-shared-folders.sh | 47 ++++++ .../provisioners}/obsidian-install.sh | 0 {kali => attackhost/provisioners}/packages.sh | 22 +-- attackhost/provisioners/pia-compose.yml | 28 ++++ .../provisioners}/pia-install.sh | 0 .../provisioners}/provision.sh | 7 +- {kali => attackhost/provisioners}/reg_user.sh | 0 {kali => attackhost/provisioners}/repos.sh | 3 - {kali => attackhost/provisioners}/sudoers.sh | 0 .../provisioners}/vimrc-fix.sh | 0 .../provisioners}/virt-check.sh | 14 +- attackhost/provisioners/wordlists.sh | 21 +++ .../provisioners}/zap-excludes.txt | 0 .../provisioners}/zap-install.sh | 0 attackhost/tasks/install_docker.yml | 43 +++++ attackhost/tasks/install_kasm.yml | 54 +++++++ attackhost/tasks/repos.yml | 15 ++ attackhost/tasks/vpn_containers.yml | 29 ++++ attackhost/tasks/wordlists.yml | 15 ++ attackhost/vars/kasm.yml | 6 + kali/container/kali/Dockerfile | 5 - 
46 files changed, 598 insertions(+), 40 deletions(-) create mode 100644 .github/workflows/publish.yaml create mode 100644 attackhost/Dockerfile.kasm-kali create mode 100644 attackhost/Dockerfile.kasm-parrot create mode 100644 attackhost/Dockerfile.openvpn rename {kali => attackhost}/Vagrantfile (63%) create mode 100755 attackhost/build-oci.sh create mode 100644 attackhost/hosts.ini create mode 100644 attackhost/kasm.yml create mode 100755 attackhost/openvpn/entrypoint.sh rename {kali => attackhost/provisioners}/autologin.sh (100%) rename {kali => attackhost/provisioners}/caido-install.sh (100%) rename {kali => attackhost/provisioners}/chsh-zsh.sh (100%) rename {kali => attackhost/provisioners}/docker-install.sh (100%) rename {kali => attackhost/provisioners}/dropbox-docker.sh (100%) rename {kali => attackhost/provisioners}/dropbox-install.sh (100%) rename {kali => attackhost/provisioners}/dropbox-maestral.sh (100%) rename {kali => attackhost/provisioners}/google-chrome-install.sh (100%) rename {kali => attackhost/provisioners}/host_arch.sh (100%) create mode 100644 attackhost/provisioners/htbacademy-compose.yml create mode 100644 attackhost/provisioners/htblab-compose.yml rename {kali => attackhost/provisioners}/jetbrains-toolbox-install.sh (100%) rename {kali/container/kali => attackhost/provisioners}/llm-functions.sh (100%) rename {kali/container/kali => attackhost/provisioners}/local-bin.sh (100%) rename {kali => attackhost/provisioners}/lockscreen-disable.sh (100%) create mode 100755 attackhost/provisioners/mount-shared-folders.sh rename {kali => attackhost/provisioners}/obsidian-install.sh (100%) rename {kali => attackhost/provisioners}/packages.sh (79%) create mode 100644 attackhost/provisioners/pia-compose.yml rename {kali => attackhost/provisioners}/pia-install.sh (100%) rename {kali => attackhost/provisioners}/provision.sh (76%) rename {kali => attackhost/provisioners}/reg_user.sh (100%) rename {kali => attackhost/provisioners}/repos.sh (91%) rename {kali 
=> attackhost/provisioners}/sudoers.sh (100%) rename {kali => attackhost/provisioners}/vimrc-fix.sh (100%) rename {kali => attackhost/provisioners}/virt-check.sh (69%) create mode 100755 attackhost/provisioners/wordlists.sh rename {kali => attackhost/provisioners}/zap-excludes.txt (100%) rename {kali => attackhost/provisioners}/zap-install.sh (100%) create mode 100644 attackhost/tasks/install_docker.yml create mode 100644 attackhost/tasks/install_kasm.yml create mode 100644 attackhost/tasks/repos.yml create mode 100644 attackhost/tasks/vpn_containers.yml create mode 100644 attackhost/tasks/wordlists.yml create mode 100644 attackhost/vars/kasm.yml diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml new file mode 100644 index 0000000..82d06a0 --- /dev/null +++ b/.github/workflows/publish.yaml 
@@ -0,0 +1,148 @@ +name: Build + +on: + release: + types: [published] + push: + branches: + - 'main' + paths-ignore: + - '**.md' + - 'docs/**' + pull_request: + branches: + - 'main' + paths-ignore: + - '**.md' + - 'docs/**' + workflow_dispatch: + +env: + REGISTRY: ghcr.io + +jobs: + openvpn: + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/double16/openvpn + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: openvpn + uses: docker/build-push-action@v6 + with: + context: attackhost + file: attackhost/Dockerfile.openvpn + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} + annotations: ${{ steps.meta.outputs.annotations }} + labels: ${{ steps.meta.outputs.labels }} + + kasm-kali: + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/double16/kasm-kali + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: kasm-kali + 
uses: docker/build-push-action@v6 + with: + context: attackhost + file: attackhost/Dockerfile.kasm-kali + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} + annotations: ${{ steps.meta.outputs.annotations }} + labels: ${{ steps.meta.outputs.labels }} + + kasm-parrot: + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/double16/kasm-parrot + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: kasm-parrot + uses: docker/build-push-action@v6 + with: + context: attackhost + file: attackhost/Dockerfile.kasm-parrot + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ steps.meta.outputs.tags }} + annotations: ${{ steps.meta.outputs.annotations }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/.gitignore b/.gitignore index 4accb1b..e5797e5 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ *.asc .DS_Store clipboard.txt +.hosts.ini diff --git a/attackhost/Dockerfile.kasm-kali b/attackhost/Dockerfile.kasm-kali new file mode 100644 index 0000000..a76cbdc --- /dev/null +++ b/attackhost/Dockerfile.kasm-kali 
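Review bot: All three build steps set `push: true` unconditionally while the workflow also triggers on `pull_request`, so a pull-request run tries to publish an image built from unmerged code (or fails at the login step when the token is read-only, as it is for fork PRs). Gate publishing on the event in the `openvpn`, `kasm-kali` and `kasm-parrot` jobs, for example `push: ${{ github.event_name != 'pull_request' }}`. The `uses:` references are pinned to mutable major tags (`actions/checkout@v4`, `docker/login-action@v3`, and so on); in jobs that hold `packages: write`, pinning each action to a full commit SHA is the safer choice. The three jobs differ only in image name and Dockerfile, so a `strategy.matrix` would remove the duplication.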
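Review bot: The new ignore entry is `.hosts.ini` (leading dot), but the inventory this commit adds is `attackhost/hosts.ini`, so a locally filled-in copy of that file, with host addresses, user names and key paths, is not ignored. If the intent is to keep real inventories out of the repository, either ignore the name people will actually edit or state in `hosts.ini` that it should be copied to `.hosts.ini` before use.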
@@ -0,0 +1,22 @@
+FROM kasmweb/kali-rolling-desktop:1.16.0-rolling-weekly
+USER root
+
+ENV HOME /home/kasm-default-profile
+ENV STARTUPDIR /dockerstartup
+ENV INST_SCRIPTS $STARTUPDIR/install
+WORKDIR $HOME
+
+######### Customize Container Here ###########
+
+
+
+######### End Customizations ###########
+
+RUN chown 1000:0 $HOME
+RUN $STARTUPDIR/set_user_permission.sh $HOME
+
+ENV HOME /home/kasm-user
+WORKDIR $HOME
+RUN mkdir -p $HOME && chown -R 1000:0 $HOME
+
+USER 1000
diff --git a/attackhost/Dockerfile.kasm-parrot b/attackhost/Dockerfile.kasm-parrot
new file mode 100644
index 0000000..9927321
--- /dev/null
+++ b/attackhost/Dockerfile.kasm-parrot
@@ -0,0 +1,22 @@
+FROM kasmweb/parrotos-6-desktop:1.16.0-rolling-weekly
+USER root
+
+ENV HOME /home/kasm-default-profile
+ENV STARTUPDIR /dockerstartup
+ENV INST_SCRIPTS $STARTUPDIR/install
+WORKDIR $HOME
+
+######### Customize Container Here ###########
+
+
+
+######### End Customizations ###########
+
+RUN chown 1000:0 $HOME
+RUN $STARTUPDIR/set_user_permission.sh $HOME
+
+ENV HOME /home/kasm-user
+WORKDIR $HOME
+RUN mkdir -p $HOME && chown -R 1000:0 $HOME
+
+USER 1000
diff --git a/attackhost/Dockerfile.openvpn b/attackhost/Dockerfile.openvpn
new file mode 100644
index 0000000..d0ac6b1
--- /dev/null
+++ b/attackhost/Dockerfile.openvpn
@@ -0,0 +1,21 @@
+FROM debian:latest
+
+RUN apt update && \
+ apt install -y \
+ iptables \
+ openvpn && \
+ apt clean
+
+# add local files
+COPY /openvpn /
+
+VOLUME [ "/config" ]
+ENTRYPOINT [ "/entrypoint.sh" ]
+
+#
+# Usage:
+#
+# docker network create --driver=bridge --opt icc=true --subnet=172.20.0.0/16 vpn-1
+# docker run -d --cap-add NET_ADMIN --name openvpn-1 --net vpn-1 --ip 172.20.0.2 \
+# -e VPN_CONFIG=kasm.ovpn -v $(pwd):/config --restart unless-stopped openvpn-client
+#
diff --git a/kali/Vagrantfile b/attackhost/Vagrantfile
similarity index 63%
rename from kali/Vagrantfile
rename to attackhost/Vagrantfile
index b24f1ad..a759fea 100644
--- a/kali/Vagrantfile
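Review bot: `FROM kasmweb/kali-rolling-desktop:1.16.0-rolling-weekly` is, by its name, a rolling tag, so each CI run may build on different base content and a published image cannot be traced back to a known base. Pinning by digest (`FROM kasmweb/kali-rolling-desktop:1.16.0-rolling-weekly@sha256:<digest>`) and bumping it deliberately keeps the updates but makes them reviewable; the same applies to `Dockerfile.kasm-parrot` and to `FROM debian:latest` in `Dockerfile.openvpn`. Separately, `ENV HOME /home/...` uses the legacy space-separated form; `ENV HOME=/home/kasm-default-profile` is the current syntax.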
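Review bot: The usage comment at the bottom of `Dockerfile.openvpn` runs an image called `openvpn-client`, but `build-oci.sh` and the workflow in this commit tag it `ghcr.io/double16/openvpn`, so the documented command will not find the image as written. In the `RUN` layer, `apt clean` leaves `/var/lib/apt/lists` behind and recommended packages are installed; `apt-get install -y --no-install-recommends iptables openvpn && rm -rf /var/lib/apt/lists/*` gives a smaller image with fewer packages to patch. A comment noting that the container is expected to run as root with `NET_ADMIN` (the entrypoint creates `/dev/net/tun` and edits NAT rules) would help whoever deploys it.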
+++ b/attackhost/Vagrantfile 
@@ -25,28 +25,28 @@ Vagrant.configure("2") do |config| config.vm.provision "shell", name: "config", privileged: true, inline: <<-SCRIPT ln -sf /usr/share/zoneinfo/US/Central /etc/localtime - cp -u /vagrant/host_arch.sh /vagrant/reg_user.sh /usr/local/bin + cp -u /vagrant/provisioners/host_arch.sh /vagrant/provisioners/reg_user.sh /usr/local/bin SCRIPT config.vm.provision "shell", name: "profile", privileged: true, env: { 'DEBIAN_FRONTEND': 'noninteractive'}, inline: <<-SCRIPT - cp -u /vagrant/container/kali/{llm-functions,local-bin}.sh /etc/profile.d/ + cp -u /vagrant/provisioners/llm-functions.sh /vagrant/provisioners/local-bin.sh /etc/profile.d/ SCRIPT - config.vm.provision "shell", name: "packages", path: "packages.sh", privileged: true + config.vm.provision "shell", name: "packages", path: "provisioners/packages.sh", privileged: true config.vm.provision "shell", name: "google-chrome", - path: "google-chrome-install.sh", + path: "provisioners/google-chrome-install.sh", privileged: true, run: host_arch == 'amd64' ? 
"once" : "never" - config.vm.provision "shell", name: "docker", path: "docker-install.sh", privileged: true, run: "never" - config.vm.provision "shell", name: "repos", path: "repos.sh", privileged: false - config.vm.provision "shell", name: "pia", path: "pia-install.sh", privileged: false - config.vm.provision "shell", name: "obsidian", path: "obsidian-install.sh", privileged: false - config.vm.provision "shell", name: "caido", path: "caido-install.sh", privileged: false - config.vm.provision "shell", name: "zap", path: "zap-install.sh", privileged: false - config.vm.provision "shell", name: "autologin", path: "autologin.sh", privileged: true - config.vm.provision "shell", name: "lockscreen", path: "lockscreen-disable.sh", privileged: false + config.vm.provision "shell", name: "docker", path: "provisioners/docker-install.sh", privileged: true, run: "never" + config.vm.provision "shell", name: "repos", path: "provisioners/repos.sh", privileged: false + config.vm.provision "shell", name: "pia", path: "provisioners/pia-install.sh", privileged: false + config.vm.provision "shell", name: "obsidian", path: "provisioners/obsidian-install.sh", privileged: false + config.vm.provision "shell", name: "caido", path: "provisioners/caido-install.sh", privileged: false + config.vm.provision "shell", name: "zap", path: "provisioners/zap-install.sh", privileged: false + config.vm.provision "shell", name: "autologin", path: "provisioners/autologin.sh", privileged: true + config.vm.provision "shell", name: "lockscreen", path: "provisioners/lockscreen-disable.sh", privileged: false config.vm.provision "shell", name: "dropbox", - path: "dropbox-install.sh", + path: "provisioners/dropbox-install.sh", privileged: false, run: "never" diff --git a/attackhost/build-oci.sh b/attackhost/build-oci.sh new file mode 100755 index 0000000..1487169 --- /dev/null +++ b/attackhost/build-oci.sh 
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+docker build -f Dockerfile.openvpn -t ghcr.io/double16/openvpn:latest .
+docker build -f Dockerfile.kasm-kali -t ghcr.io/double16/kasm-kali:1.16.0-rolling-weekly .
+docker build -f Dockerfile.kasm-parrot -t ghcr.io/double16/kasm-parrot:1.16.0-rolling-weekly .
diff --git a/attackhost/hosts.ini b/attackhost/hosts.ini
new file mode 100644
index 0000000..526eb27
--- /dev/null
+++ b/attackhost/hosts.ini
@@ -0,0 +1,2 @@
+# [ubuntu_server]
+# 192.168.1.100 ansible_user=your_username ansible_ssh_private_key_file=~/.ssh/id_rsa
diff --git a/attackhost/kasm.yml b/attackhost/kasm.yml
new file mode 100644
index 0000000..8d0c3aa
--- /dev/null
+++ b/attackhost/kasm.yml
@@ -0,0 +1,13 @@
+---
+- name: KASM Workspaces
+ hosts: kasm_server
+ become: yes
+ vars_files:
+ - vars/kasm.yml
+
+ tasks:
+# - include_tasks: tasks/install_docker.yml
+# - include_tasks: tasks/vpn_containers.yml
+# - include_tasks: tasks/install_kasm.yml
+ - include_tasks: tasks/repos.yml
+ - include_tasks: tasks/wordlists.yml
diff --git a/attackhost/openvpn/entrypoint.sh b/attackhost/openvpn/entrypoint.sh
new file mode 100755
index 0000000..1737643
--- /dev/null
+++ b/attackhost/openvpn/entrypoint.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+# create tun device
+if [ ! -c /dev/net/tun ]; then
+ mkdir -p /dev/net
+ mknod /dev/net/tun c 10 200
+fi
+
+# Enable devices MASQUERADE mode
+iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
+
+# start vpn client
+openvpn --config /config/${VPN_CONFIG}
diff --git a/kali/autologin.sh b/attackhost/provisioners/autologin.sh
similarity index 100%
rename from kali/autologin.sh
rename to attackhost/provisioners/autologin.sh
diff --git a/kali/caido-install.sh b/attackhost/provisioners/caido-install.sh
similarity index 100%
rename from kali/caido-install.sh
rename to attackhost/provisioners/caido-install.sh
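Review bot: The play in `kasm.yml` targets `hosts: kasm_server`, but the sample inventory added in `hosts.ini` names its group `[ubuntu_server]`, so a user who uncomments the sample gets a play that matches no hosts. Renaming the sample group to `[kasm_server]` fixes that. Three of the five `include_tasks` lines are commented out, so as committed the play only clones repos and wordlists; if that is deliberate, a comment saying why, and when to enable them, would save the next reader a guess. `become: yes` is better written `become: true`.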
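Review bot: The last line of `entrypoint.sh` expands `${VPN_CONFIG}` unquoted and unchecked, so an unset variable makes openvpn try to read `/config/` itself and a value containing spaces is split into extra arguments. `exec openvpn --config "/config/${VPN_CONFIG:?VPN_CONFIG is required}"` fails fast with a clear message, and `exec` lets openvpn receive the container's stop signal directly instead of the shell. The script also has no `set -e`, so a failed `mknod` or `iptables` call is ignored and the client starts without the device or NAT rule it expects.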
diff --git a/kali/chsh-zsh.sh b/attackhost/provisioners/chsh-zsh.sh
similarity index 100%
rename from kali/chsh-zsh.sh
rename to attackhost/provisioners/chsh-zsh.sh
diff --git a/kali/docker-install.sh b/attackhost/provisioners/docker-install.sh
similarity index 100%
rename from kali/docker-install.sh
rename to attackhost/provisioners/docker-install.sh
diff --git a/kali/dropbox-docker.sh b/attackhost/provisioners/dropbox-docker.sh
similarity index 100%
rename from kali/dropbox-docker.sh
rename to attackhost/provisioners/dropbox-docker.sh
diff --git a/kali/dropbox-install.sh b/attackhost/provisioners/dropbox-install.sh
similarity index 100%
rename from kali/dropbox-install.sh
rename to attackhost/provisioners/dropbox-install.sh
diff --git a/kali/dropbox-maestral.sh b/attackhost/provisioners/dropbox-maestral.sh
similarity index 100%
rename from kali/dropbox-maestral.sh
rename to attackhost/provisioners/dropbox-maestral.sh
diff --git a/kali/google-chrome-install.sh b/attackhost/provisioners/google-chrome-install.sh
similarity index 100%
rename from kali/google-chrome-install.sh
rename to attackhost/provisioners/google-chrome-install.sh
diff --git a/kali/host_arch.sh b/attackhost/provisioners/host_arch.sh
similarity index 100%
rename from kali/host_arch.sh
rename to attackhost/provisioners/host_arch.sh
diff --git a/attackhost/provisioners/htbacademy-compose.yml b/attackhost/provisioners/htbacademy-compose.yml
new file mode 100644
index 0000000..f828f38
--- /dev/null
+++ b/attackhost/provisioners/htbacademy-compose.yml
@@ -0,0 +1,28 @@
+volumes:
+ config:
+
+networks:
+ htbacademy:
+ driver: bridge
+ driver_opts:
+ icc: "true"
+ ipam:
+ config:
+ - subnet: 172.22.0.0/16
+
+services:
+ vpn:
+ image: ghcr.io/double16/openvpn:latest
+ restart: no
+ cap_add:
+ - NET_ADMIN
+ networks:
+ htbacademy:
+ ipv4_address: 172.22.0.2
+ dns:
+ - 8.8.8.8
+ - 8.8.4.4
+ environment:
+ VPN_CONFIG: config.ovpn
+ volumes:
+ - config:/config
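Review bot: `restart: no` is an unquoted YAML boolean, so a YAML 1.1 loader reads it as `false` rather than the string the Compose restart policy expects; the Compose documentation asks for it to be quoted, `restart: "no"`. `htblab-compose.yml` has the same line. Both files also run `ghcr.io/double16/openvpn:latest` with `NET_ADMIN`; a version tag or digest would make it clear which build holds that capability. The `dns:` entries point at public resolvers, which presumably means lookups from the container do not use resolvers pushed by the VPN, so a comment is worthwhile if that is intended.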
diff --git a/attackhost/provisioners/htblab-compose.yml b/attackhost/provisioners/htblab-compose.yml
new file mode 100644
index 0000000..cec0b97
--- /dev/null
+++ b/attackhost/provisioners/htblab-compose.yml
@@ -0,0 +1,28 @@
+volumes:
+ config:
+
+networks:
+ htblab:
+ driver: bridge
+ driver_opts:
+ icc: "true"
+ ipam:
+ config:
+ - subnet: 172.21.0.0/16
+
+services:
+ vpn:
+ image: ghcr.io/double16/openvpn:latest
+ restart: no
+ cap_add:
+ - NET_ADMIN
+ networks:
+ htblab:
+ ipv4_address: 172.21.0.2
+ dns:
+ - 8.8.8.8
+ - 8.8.4.4
+ environment:
+ VPN_CONFIG: config.ovpn
+ volumes:
+ - config:/config
diff --git a/kali/jetbrains-toolbox-install.sh b/attackhost/provisioners/jetbrains-toolbox-install.sh
similarity index 100%
rename from kali/jetbrains-toolbox-install.sh
rename to attackhost/provisioners/jetbrains-toolbox-install.sh
diff --git a/kali/container/kali/llm-functions.sh b/attackhost/provisioners/llm-functions.sh
similarity index 100%
rename from kali/container/kali/llm-functions.sh
rename to attackhost/provisioners/llm-functions.sh
diff --git a/kali/container/kali/local-bin.sh b/attackhost/provisioners/local-bin.sh
similarity index 100%
rename from kali/container/kali/local-bin.sh
rename to attackhost/provisioners/local-bin.sh
diff --git a/kali/lockscreen-disable.sh b/attackhost/provisioners/lockscreen-disable.sh
similarity index 100%
rename from kali/lockscreen-disable.sh
rename to attackhost/provisioners/lockscreen-disable.sh
diff --git a/attackhost/provisioners/mount-shared-folders.sh b/attackhost/provisioners/mount-shared-folders.sh
new file mode 100755
index 0000000..66d93d7
--- /dev/null
+++ b/attackhost/provisioners/mount-shared-folders.sh
@@ -0,0 +1,47 @@ +#!/usr/bin/env bash + +set -e + +if [[ $UID -ne 0 ]]; then + echo "Must be run as root" >&2 + exit 1 +fi + +CMD="$(command -v mount-shared-folders)" + +if [[ -n "${CMD}" ]]; then + cat > /usr/local/sbin/mount-shared-folders <&2; exit 1; } +vmware-hgfsclient | while read folder; do + vmwpath="/mnt/hgfs/${folder}" + echo "[i] Mounting ${folder} (${vmwpath})" + mkdir -p "${vmwpath}" + umount -f "${vmwpath}" 2>/dev/null + vmhgfs-fuse -o allow_other -o auto_unmount ".host:/${folder}" "${vmwpath}" +done +sleep 2s +EOF + chmod +x /usr/local/sbin/mount-shared-folders + CMD=/usr/local/sbin/mount-shared-folders +fi + +if [[ -n "${CMD}" ]] && [[ ! -f /etc/systemd/system/mount-shared-folders.service ]]; then + cat > /etc/systemd/system/mount-shared-folders.service </dev/null || [ -f /run/.containerenv ] || [ -f /.dockerenv ]; then echo "Running in a container." - exit 0 + if [[ -z "$type" ]] || [[ "$type" =~ "con" ]]; then + exit 0 + else + exit 1 + fi elif grep -qiE 'vmware|virtualbox|qemu|kvm|xen' /sys/class/dmi/id/product_name 2>/dev/null || \ grep -qiE 'vmware|virtualbox|qemu|kvm|xen' /sys/class/dmi/id/sys_vendor 2>/dev/null; then echo "Running in a virtual machine." - exit 0 + if [[ -z "$type" ]] || [[ "$type" =~ "vm" ]]; then + exit 0 + else + exit 1 + fi else echo "Running on bare metal (not in a VM or container)." exit 1 diff --git a/attackhost/provisioners/wordlists.sh b/attackhost/provisioners/wordlists.sh new file mode 100755 index 0000000..6470c1f --- /dev/null +++ b/attackhost/provisioners/wordlists.sh 
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+export DEBIAN_FRONTEND=noninteractive
+
+git config --global pull.rebase true
+mkdir -p "${HOME}/wordlists" || exit $?
+cd "${HOME}/wordlists" || exit
+for URL in \
+ https://github.com/fuzzdb-project/fuzzdb.git \
+ https://github.com/carlospolop/Auto_Wordlists.git \
+ https://github.com/DragonJAR/Security-Wordlist.git \
+ ; do
+ D="$(basename "${URL}" | sed 's/.git$//')"
+ if [[ -d "${D}" ]]; then
+ ( cd "${D}" && git pull --depth=1 )
+ else
+ git clone --depth 1 "${URL}"
+ fi
+done
+
+# TODO: seclists payloadsallthethings
diff --git a/kali/zap-excludes.txt b/attackhost/provisioners/zap-excludes.txt
similarity index 100%
rename from kali/zap-excludes.txt
rename to attackhost/provisioners/zap-excludes.txt
diff --git a/kali/zap-install.sh b/attackhost/provisioners/zap-install.sh
similarity index 100%
rename from kali/zap-install.sh
rename to attackhost/provisioners/zap-install.sh
diff --git a/attackhost/tasks/install_docker.yml b/attackhost/tasks/install_docker.yml
new file mode 100644
index 0000000..05d4576
--- /dev/null
+++ b/attackhost/tasks/install_docker.yml
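Review bot: A failed `git clone` or `git pull` inside the loop is not checked, so the script carries on and exits with the status of whatever ran last; when `tasks/wordlists.yml` runs it, Ansible can report success with lists missing. Add `set -euo pipefail` near the top, or append `|| exit` to both git commands as is already done for `mkdir` and `cd`. `git config --global pull.rebase true` rewrites the global git configuration of whichever `HOME` is in effect (`/opt` under the Ansible task) as a side effect; passing `--rebase` to `git pull` keeps the change local to this script. `basename "${URL}" .git` would replace the `sed` call, whose unescaped `.` matches any character.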
@@ -0,0 +1,43 @@
+---
+- name: Update apt package index
+ apt:
+ update_cache: yes
+
+- name: Install Docker dependencies
+ apt:
+ name:
+ - apt-transport-https
+ - ca-certificates
+ - curl
+ - software-properties-common
+ state: present
+
+- name: Docker GPG key exists
+ ansible.builtin.stat:
+ path: /usr/share/keyrings/docker-archive-keyring.gpg
+ register: docker_gpg_exists
+
+- name: Add Docker GPG key
+ ansible.builtin.shell: |
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+ when: not docker_gpg_exists.stat.exists
+
+- name: Add Docker apt repository
+ apt_repository:
+ repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable"
+ state: present
+
+- name: Install Docker
+ apt:
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-compose-plugin
+ state: present
+
+- name: Add current user to the docker group
+ ansible.builtin.user:
+ name: "{{ ansible_user }}"
+ groups: docker
+ append: yes
diff --git a/attackhost/tasks/install_kasm.yml b/attackhost/tasks/install_kasm.yml
new file mode 100644
index 0000000..1076651
--- /dev/null
+++ b/attackhost/tasks/install_kasm.yml
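Review bot: In `Add Docker GPG key`, the `curl … | gpg --dearmor` pipeline runs without `pipefail`, so a failed download is masked by the pipe and may leave an empty keyring file behind, which the `stat` guard then treats as installed on every later run. Either start the script with `set -o pipefail` and set `executable: /bin/bash` under `args:`, or fetch the key with `ansible.builtin.get_url` and a `checksum:` and point `signed-by=` at the downloaded file. The repo line hard-codes `arch=amd64` and the Ubuntu URL, although the workflow in this commit also builds for `linux/arm64`; if other hosts are in scope this needs a variable. Adding `{{ ansible_user }}` to the `docker` group gives that account root-equivalent control of the host and deserves a comment saying so.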
@@ -0,0 +1,54 @@
+---
+- name: Download Kasm release archive
+ ansible.builtin.get_url:
+ url: "{{ kasm_url }}"
+ dest: "{{ kasm_archive }}"
+ mode: '0644'
+
+- name: Extract Kasm release archive
+ ansible.builtin.unarchive:
+ src: "{{ kasm_archive }}"
+ dest: /tmp
+ remote_src: yes
+
+- name: Check if Kasm is already installed
+ ansible.builtin.stat:
+ path: "{{ kasm_install_dir }}"
+ register: kasm_installed
+
+- name: Check if Kasm version is already installed
+ ansible.builtin.stat:
+ path: "{{ kasm_version_dir }}"
+ register: kasm_version_installed
+
+- name: Run Kasm installation script
+ ansible.builtin.command: sudo bash /tmp/kasm_release/install.sh --accept-eula --use-rolling-images --enable-lossless --default-registry-url https://registry.kasmweb.com/
+ when: not kasm_installed.stat.exists
+ register: install_output
+
+- name: Extract Kasm credentials from installation output
+ when: not kasm_installed.stat.exists
+ ansible.builtin.set_fact:
+ kasm_credentials: >-
+ {{
+ install_output.stdout
+ | regex_findall('username: (.+?)\\s+password: (.+)')
+ | map('zip', ['username', 'password'])
+ | list
+ }}
+
+- name: Save credentials to a file
+ when: not kasm_installed.stat.exists
+ ansible.builtin.copy:
+ content: "{{ kasm_credentials | to_yaml }}"
+ dest: "{{ credentials_file }}"
+ mode: '0600'
+
+- name: Display extracted credentials
+ when: not kasm_installed.stat.exists
+ debug:
+ msg: "{{ kasm_credentials }}"
+
+- name: Run Kasm upgrade script
+ ansible.builtin.command: sudo bash /tmp/kasm_release/upgrade.sh --proxy-port 443
+ when: kasm_installed.stat.exists and not kasm_version_installed.stat.exists
diff --git a/attackhost/tasks/repos.yml b/attackhost/tasks/repos.yml
new file mode 100644
index 0000000..11aa37a
--- /dev/null
+++ b/attackhost/tasks/repos.yml
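Review bot: The generated Kasm passwords are exposed in several places: `Display extracted credentials` prints them with `debug`, and the registered `install_output` and the `set_fact` result show up in verbose or callback-logged output. Drop the debug task and add `no_log: true` to the install, `set_fact` and `copy` tasks, leaving the mode-`0600` file as the only copy. That file is written to `{{ credentials_file }}`, which is not among the variables defined in `vars/kasm.yml` in this commit, so unless it is supplied elsewhere the task fails on a fresh install. The release tarball is fetched by `get_url` without a `checksum:` and then executed as root from a fixed path under `/tmp`; recording a SHA-256 next to `kasm_version` and extracting into a root-owned directory would close both gaps. `sudo bash …` inside `ansible.builtin.command` is redundant if the play-level `become: yes` applies.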
@@ -0,0 +1,15 @@
+- name: Create directory for source repos
+ file:
+ path: /opt/src
+ state: directory
+ owner: "{{ ansible_user }}"
+ group: "{{ ansible_user }}"
+ mode: '0755'
+
+- name: clone repos
+ ansible.builtin.script:
+ cmd: ./provisioners/repos.sh
+ args:
+ chdir: /opt/src
+ environment:
+ HOME: /opt
diff --git a/attackhost/tasks/vpn_containers.yml b/attackhost/tasks/vpn_containers.yml
new file mode 100644
index 0000000..55a3234
--- /dev/null
+++ b/attackhost/tasks/vpn_containers.yml
@@ -0,0 +1,29 @@
+- name: Create directory for docker compose files
+ file:
+ path: /opt/vpn
+ state: directory
+ owner: "{{ ansible_user }}"
+ group: "{{ ansible_user }}"
+ mode: '0755'
+
+- name: Copy docker-compose.yml to the target machine
+ copy:
+ src: "provisioners/{{ item }}"
+ dest: "/opt/vpn/{{ item }}"
+ owner: "{{ ansible_user }}"
+ group: "{{ ansible_user }}"
+ mode: '0644'
+ with_items:
+ - pia-compose.yml
+ - htblab-compose.yml
+ - htbacademy-compose.yml
+
+- name: Pull and start containers using Docker Compose
+ ansible.builtin.shell: |
+ docker compose -p {{ item.project }} -f /opt/vpn/{{ item.file }} up -d
+ args:
+ chdir: /opt/vpn
+ with_items:
+ - { file: pia-compose.yml, project: pia }
+ - { file: htblab-compose.yml, project: htblab }
+ - { file: htbacademy-compose.yml, project: htbacademy }
diff --git a/attackhost/tasks/wordlists.yml b/attackhost/tasks/wordlists.yml
new file mode 100644
index 0000000..091fbcc
--- /dev/null
+++ b/attackhost/tasks/wordlists.yml
@@ -0,0 +1,15 @@
+- name: Create directory for wordlists
+ file:
+ path: /opt/wordlists
+ state: directory
+ owner: "{{ ansible_user }}"
+ group: "{{ ansible_user }}"
+ mode: '0755'
+
+- name: clone wordlists
+ ansible.builtin.script:
+ cmd: ./provisioners/wordlists.sh
+ args:
+ chdir: /opt/wordlists
+ environment:
+ HOME: /opt
diff --git a/attackhost/vars/kasm.yml b/attackhost/vars/kasm.yml
new file mode 100644
index 0000000..9f2d4b6
--- /dev/null
+++ b/attackhost/vars/kasm.yml
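Review bot: `/opt/src` is created for `{{ ansible_user }}`, but the `clone repos` script task inherits the play-level `become: yes` from `kasm.yml` and so presumably runs as root, leaving root-owned checkouts inside a user-owned directory and running `git` against third-party repositories with more privilege than it needs. Adding `become_user: "{{ ansible_user }}"` to the script task (or `become: false`, if the connecting user owns the directory) keeps ownership consistent; `tasks/wordlists.yml` has the same shape. `HOME: /opt` also means any `git config --global` in the scripts writes `/opt/.gitconfig`, which is worth a comment.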
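Review bot: Nothing in `vpn_containers.yml` puts an OpenVPN profile into the `config` named volume that the compose files mount at `/config`, so on a fresh host the containers would start with `VPN_CONFIG: config.ovpn` pointing at a file that does not exist (inferred from the two compose files visible in this patch). If profiles are meant to be supplied by hand, say so in a comment; otherwise a bind mount from a root-only directory such as `/opt/vpn/<project>/` would make provisioning explicit. The `docker compose … up -d` task always reports `changed` and uses `shell` where `ansible.builtin.command` would do.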
@@ -0,0 +1,6 @@ +kasm_version: "1.16.1" +kasm_build: "98d6fa" +kasm_url: "https://kasm-static-content.s3.amazonaws.com/kasm_release_{{ kasm_version }}.{{ kasm_build }}.tar.gz" +kasm_archive: "/tmp/kasm_release_{{ kasm_version }}.{{ kasm_build }}.tar.gz" +kasm_install_dir: "/opt/kasm" +kasm_version_dir: "/opt/kasm/{{ kasm_version }}" diff --git a/kali/container/kali/Dockerfile b/kali/container/kali/Dockerfile index b0f63c9..aafaffb 100644 --- a/kali/container/kali/Dockerfile +++ b/kali/container/kali/Dockerfile @@ -23,11 +23,6 @@ ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update &&\ apt-get install -y curl gnupg zsh zsh-autosuggestions zsh-syntax-highlighting procps psmisc iputils-ping vim neovim nano less python3-pip pipx -# wordlists -RUN apt-get update &&\ - apt-get install -y \ - seclists payloadsallthethings - #RUN curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \ # chmod 755 msfinstall && \ # ./msfinstall