diff --git a/modules/build/puppet/secgen_functions/manifests/install_setgid_script.pp b/modules/build/puppet/secgen_functions/manifests/install_setgid_script.pp index d3c348c23..6b7fa03eb 100644 --- a/modules/build/puppet/secgen_functions/manifests/install_setgid_script.pp +++ b/modules/build/puppet/secgen_functions/manifests/install_setgid_script.pp @@ -12,35 +12,42 @@ define secgen_functions::install_setgid_script ( $flag, # ctf flag string $flag_name = 'flag', # ctf flag name $port, # Optional: script will be run on network port using xinetd - $storage_dir = '', # Optional: Storage directory (takes precedent if supplied, e.g. nfs / smb share dir) + $storage_directory = '', # Optional: Storage directory (takes precedent if supplied, e.g. nfs / smb share dir) $strings_to_leak = [''], # Optional: strings to leak (could contain instructions or a message) ) { - if $account { - $username = $account['username'] + if $group and $group[0] { + $grp = $group[0] + } else { + $grp = $challenge_name + } + + if $account and $account[0] and $account[0] != ''{ + $acc = parsejson($account[0]) + $username = $acc['username'] ::accounts::user { $username: shell => '/bin/bash', - password => pw_hash($account['password'], 'SHA-512', 'mysalt'), + password => pw_hash($acc['password'], 'SHA-512', 'mysalt'), managehome => true, home_mode => '0755', } - $storage_directory = "/home/$username" + $storage_dir = "/home/$username" - } elsif $storage_dir { - $storage_directory = $storage_dir + } elsif $storage_directory and $storage_directory[0]{ + $storage_dir = $storage_directory[0] $username = 'root' } else { err('install: either account or storage_dir is required') fail } - $compile_directory = "$storage_directory/tmp" - $challenge_directory = "$storage_directory/$challenge_name" + $compile_directory = "$storage_dir/tmp" + $challenge_directory = "$storage_dir/$challenge_name" $modules_source = "puppet:///modules/$source_module_name" - group { $group: + group { $grp: ensure => present, } 
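Review bot: The signature leaves `$group`, `$account`, `$port` and `$storage_directory` untyped even though the body now indexes them as arrays (`$group[0]`, `$account[0]`, `$storage_directory[0]`), and `$storage_directory` keeps its string default `''`. Under Puppet 4 or later, indexing a string yields a character instead of failing, so a caller that still passes a scalar as the old interface expected would probably end up with a one-character group, directory or flag and no error. Declaring the types, for example `Array[String] $flag,` and `Array[String] $storage_directory = [],`, would turn that into a compile-time failure; the parameter list starts above this hunk, so the parameters not visible here need the same treatment. The `err()` text still names `storage_dir` although the parameter is now `storage_directory`. Separately, the changed `pw_hash(...)` line keeps the constant salt `'mysalt'`, so equal passwords hash identically on every generated account; a per-account salt would avoid that.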
@@ -54,34 +61,35 @@ define secgen_functions::install_setgid_script ( file { "$challenge_directory/$script_name": ensure => present, owner => 'root', - group => $group, + group => $grp, mode => '2775', - content => $script_data, - require => Group[$group], + content => $script_data[0], + require => Group[$grp], } # Drop the flag file on the box and set permissions ::secgen_functions::leak_files { "$username-file-leak": storage_directory => "$challenge_directory", leaked_filenames => [$flag_name], - strings_to_leak => [$flag], + strings_to_leak => [$flag[0]], owner => 'root', - group => $group, + group => $grp, mode => '0440', leaked_from => "$source_module_name-$module_name", - require => Group[$group], + require => Group[$grp], } - if $port { - notice("Running $challenge_name on port $port (dir: $challenge_directory") + if $port and $port[0] { + $p = $port[0] + notice("Running $challenge_name on port $p (dir: $challenge_directory") xinetd::service { "xinetd_$challenge_name": - port => $port, + port => $p, server => "$challenge_directory/$script_name", require => File["$challenge_directory/$script_name"], service_type => 'UNLISTED', server_args => $challenge_directory, user => $username, - group => $group, + group => $grp, } } } diff --git a/modules/vulnerabilities/unix/ctf/ruby_challenge_example/manifests/install.pp b/modules/vulnerabilities/unix/ctf/ruby_challenge_example/manifests/install.pp index 65fa892a5..bbfa7ec6c 100644 --- a/modules/vulnerabilities/unix/ctf/ruby_challenge_example/manifests/install.pp +++ b/modules/vulnerabilities/unix/ctf/ruby_challenge_example/manifests/install.pp 
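Review bot: `user => $username` in the `xinetd::service` block resolves to `'root'` whenever the storage-directory branch earlier in the define was taken, so the network-facing challenge script runs with full root rights although the flag is only protected by group `$grp` (mode `0440`). Any flaw in the script then exposes the whole host, not just the flag. Assuming the target image has a `nobody` account, `user => $username ? { 'root' => 'nobody', default => $username },` would keep the service unprivileged while `group => $grp` still grants read access to the flag. In the same hunk `$script_data[0]` and `$flag[0]` are indexed without the presence check that `$group` and `$port` received, so a missing input would apparently produce an empty script or flag file rather than a failed build. The define starts and the `$username` assignment sits outside this hunk.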
@@ -1,46 +1,17 @@ class ruby_challenge_example::install { $secgen_params = secgen_functions::get_parameters($::base64_inputs_file) $challenge_name = $secgen_params['challenge_name'][0] - $script_data = $secgen_params['script_data'] - # TODO: Do we move the if populated checks (below) inside the install function? Might be worthwhile. - # TODO: It would result in reduced boilerplate for script / binary challenge install modules. - - if $secgen_params['group'] and $secgen_params['group'][0]{ - $group = $secgen_params['group'][0] - } else { - $group = $challenge_name - } - - if $secgen_params['account'][0] and $secgen_params['account'][0] != '' { - $account = parsejson($secgen_params['account'][0]) - } else { - $account = undef - } - - if $secgen_params['storage_directory'] and $secgen_params['storage_directory'][0] { - $storage_dir = $secgen_params['storage_directory'][0] - } else { - $storage_dir = undef - } - - if $secgen_params['port'] and $secgen_params['port'][0] { - $port = $secgen_params['port'][0] - notice("$module_name - running on port: $port") - } else { - $port = undef - } - - ::secgen_functions::install_setgid_script { 'ruby_challenge_example': + ::secgen_functions::install_setgid_script { $challenge_name: source_module_name => $module_name, challenge_name => $challenge_name, script_name => 'test.rb', - script_data => $script_data[0], - group => $group, - account => $account, - flag => $secgen_params['flag'][0], - port => $port, - storage_dir => $storage_dir, + script_data => $secgen_params['script_data'], + group => $secgen_params['group'], + account => $secgen_params['account'], + flag => $secgen_params['flag'], + port => $secgen_params['port'], + storage_directory => $secgen_params['storage_directory'], strings_to_leak => $secgen_params['strings_to_leak'], } }
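Review bot: `$challenge_name` is now also the resource title, yet it is still read as `$secgen_params['challenge_name'][0]` with no check that the key is present or that the value is a safe name. Inside `install_setgid_script` the same value becomes a directory component (`"$storage_dir/$challenge_name"`), the fallback group name and the xinetd service name, so an empty value or one containing `/` or `..` would presumably place the setgid script and the flag outside the intended directory. A guard before the resource, such as `if $challenge_name !~ /\A[A-Za-z0-9_-]+\z/ { fail("invalid challenge_name: ${challenge_name}") }`, keeps that a compile-time failure. The other populated checks moved into the define with this commit, but `challenge_name` never had one.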