Combine dc16_amadhj and dc16_amadhj_group

2026-02-21 11:18:06 +00:00 · 2018-08-02 11:19:01 +01:00
parent d506f1d3c9
commit 257f739c93
5 changed files with 108 additions and 63 deletions
--- a/modules/build/puppet/secgen_functions/manifests/install_setgid_binary.pp
+++ b/modules/build/puppet/secgen_functions/manifests/install_setgid_binary.pp
@@ -1,11 +1,5 @@
-# Install function for setuid_root binaries
+# Install function for setgid binaries
 # -- Modules calling this function must provide a Makefile and any .c files within it's <module_name>/files directory
-#
-# ** NOTES ***
-#   Do we really need a user account or can we just pass in the directory path?
-#
-
-

 define secgen_functions::install_setgid_binary (
  $challenge_name, # Challenge name, used for the wrapper-directory
@@ -38,16 +32,10 @@ define secgen_functions::install_setgid_binary (
    fail
  }

-
  $compile_directory = "$storage_directory/tmp"
  $challenge_directory = "$storage_directory/$challenge_name"
  $modules_source = "puppet:///modules/$source_module_name"

-  notice("compile_directory: ")
-  notice($compile_directory)
-  notice("challenge_directory: ")
-  notice($challenge_directory)
-
  group { $group:
    ensure => present,
  }
@@ -90,7 +78,7 @@ define secgen_functions::install_setgid_binary (
    strings_to_leak   => [$flag],
    owner             => 'root',
    group             => $group,
-    mode              => '4440',
+    mode              => '0440',
    leaked_from       => "accounts_$username",
    require           => [Group[$group], Exec["gcc_$challenge_name-$compile_directory"]],
    notify            => Exec["remove_$compile_directory"],
--- a/modules/build/puppet/secgen_functions/manifests/install_setuid_root_binary.pp
+++ b/modules/build/puppet/secgen_functions/manifests/install_setuid_root_binary.pp
@@ -4,25 +4,18 @@
 define secgen_functions::install_setuid_root_binary (
  $challenge_name,           # Challenge name, used for the wrapper-directory
  $source_module_name,      # Name of the module that calls this function
-  $gcc_output_binary_name,  # Temporary name of the binary output by gcc when when /bin/make runs the Makefile
-  $challenge_binary_name,   # Renamed binary on copy to challenge directory, could differ from above
  $account,                 # User account (leak here if $storage_directory is not supplied)
  $flag,                    # ctf flag string
-  $storage_dir = [''],      # Optional: Storage directory (takes precedent if supplied, e.g. nfs / smb share dir)
+  $flag_name, # ctf flag name
+  $storage_dir = '',      # Optional: Storage directory (takes precedent if supplied, e.g. nfs / smb share dir)
  $strings_to_leak = [''],  # Optional: strings to leak (could contain instructions or a message)
 ) {

  ensure_packages('build-essential')
  ensure_packages('gcc-multilib')

-  # Use either storage directory or account's home directory. storage_directory takes precedent
-  if $storage_dir[0] != '' {
-    $storage_directory = $storage_dir[0]
-    $leaked_filenames = ["$challenge_name-instructions"]
-  } elsif $account {
+  if $account {
    $username = $account['username']
-    $storage_directory = "/home/$username"
-    $leaked_filenames = $account['leaked_filenames']

    ::accounts::user { $username:
      shell      => '/bin/bash',
@@ -30,8 +23,14 @@ define secgen_functions::install_setuid_root_binary (
      managehome => true,
      home_mode  => '0755',
    }
+
+    $storage_directory = "/home/$username"
+
+  } elsif $storage_dir {
+    $storage_directory = $storage_dir
+
  } else {
-    err('install: Either storage_directory or account is required')
+    err('install: either account or storage_dir is required')
    fail
  }

@@ -40,54 +39,51 @@ define secgen_functions::install_setuid_root_binary (
  $modules_source = "puppet:///modules/$source_module_name"

  # Create challenge directory
-  file { $challenge_directory:
+  file { "create_$challenge_directory":
+    path => $challenge_directory,
    ensure => directory,
  }

  # Move contents of the module's files directory into compile directory
-  file { $compile_directory:
+  file { "create_$compile_directory":
+    path => $compile_directory,
    ensure  => directory,
    recurse => true,
    source  => $modules_source,
-    notify  => Exec["gcc_$gcc_output_binary_name-$compile_directory"],
  }

  # Build the binary with gcc
-  exec { "gcc_$gcc_output_binary_name-$compile_directory":
+  exec { "gcc_$challenge_name-$compile_directory":
    cwd     => $compile_directory,
    command => "/usr/bin/make",
-    require => [File[$challenge_directory, $compile_directory], Package['build-essential', 'gcc-multilib']]
+    require => [File["create_$challenge_directory", "create_$compile_directory"], Package['build-essential', 'gcc-multilib']]
  }

  # Move the compiled binary into the challenge directory
-  file { "$challenge_directory/$challenge_binary_name":
+  file { "$challenge_directory/$challenge_name":
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '4755',
-    source  => "$compile_directory/$gcc_output_binary_name",
-    require => Exec["gcc_$gcc_output_binary_name-$compile_directory"],
+    source  => "$compile_directory/$challenge_name",
+    require => Exec["gcc_$challenge_name-$compile_directory"],
  }

  # Drop the flag file on the box and set permissions
-  file { "$challenge_directory/flag":
-    ensure   => present,
-    content => $flag,
-    mode     => '0600',
-    require  => Exec["gcc_$gcc_output_binary_name-$compile_directory"],
+  ::secgen_functions::leak_files { "$username-file-leak":
+    storage_directory => "$challenge_directory",
+    leaked_filenames  => [$flag_name],
+    strings_to_leak   => [$flag],
+    owner             => 'root',
+    mode              => '0400',
+    leaked_from       => "accounts_$username",
+    require           => Exec["gcc_$challenge_name-$compile_directory"],
+    notify            => Exec["remove_$compile_directory"],
  }

  # Remove compile directory
  exec { "remove_$compile_directory":
    command => "/bin/rm -rf $compile_directory",
-    require => File["$challenge_directory/$challenge_binary_name", "$challenge_directory/flag"]
-  }
-
-  # Leak messages / instructions in a text file in the storage directory / home directory
-  ::secgen_functions::leak_files { "$challenge_directory-strings_to_leak":
-    storage_directory => $challenge_directory,
-    leaked_filenames  => $leaked_filenames,
-    strings_to_leak   => $strings_to_leak,
-    leaked_from       => $source_module_name,
+    require => [File["$challenge_directory/$challenge_name"]]
  }
 }
--- a/modules/vulnerabilities/unix/ctf/defcon_quals_2016/dc16_amadhj/manifests/install.pp
+++ b/modules/vulnerabilities/unix/ctf/defcon_quals_2016/dc16_amadhj/manifests/install.pp
@@ -1,15 +1,39 @@
 class dc16_amadhj::install {
  $secgen_params = secgen_functions::get_parameters($::base64_inputs_file)
-  $account = parsejson($secgen_params['account'][0])
+  $group = $secgen_params['group']

-  ::secgen_functions::install_setuid_root_binary { 'defcon16_amadhj':
-    source_module_name     => $module_name,
-    challenge_name         => $secgen_params['challenge_name'][0],
-    gcc_output_binary_name => 'amadhj',
-    challenge_binary_name  => $secgen_params['binary_name'][0],
-    account                => $account,
-    flag                   => $secgen_params['flag'][0],
-    storage_dir            => $secgen_params['storage_directory'],
-    strings_to_leak        => $secgen_params['strings_to_leak'],
+  if $secgen_params['account'][0] and $secgen_params['account'][0] != '' {
+    $account = parsejson($secgen_params['account'][0])
+  } else {
+    $account = undef
+  }
+
+  if $secgen_params['storage_directory'] and $secgen_params['storage_directory'][0] {
+    $storage_dir = $secgen_params['storage_directory'][0]
+  } else {
+    $storage_dir = undef
+  }
+
+  if $group {
+    ::secgen_functions::install_setgid_binary { 'defcon16_amadhj_group':
+      source_module_name     => $module_name,
+      challenge_name         => $secgen_params['challenge_name'][0],
+      group                  => $group[0],
+      account                => $account,
+      flag                   => $secgen_params['flag'][0],
+      flag_name              => 'flag',
+      storage_dir            => $storage_dir,
+      strings_to_leak        => $secgen_params['strings_to_leak'],
+    }
+  } else {
+    ::secgen_functions::install_setuid_root_binary { 'defcon16_amadhj':
+      source_module_name     => $module_name,
+      challenge_name         => $secgen_params['challenge_name'][0],
+      account                => $account,
+      flag                   => $secgen_params['flag'][0],
+      flag_name              => 'flag',
+      storage_dir            => $storage_dir,
+      strings_to_leak        => $secgen_params['strings_to_leak'],
+    }
  }
 }
--- a/scenarios/examples/ctf_challenge_examples/setgid_pwnable_binary_example.xml
+++ b/scenarios/examples/ctf_challenge_examples/setgid_pwnable_binary_example.xml
@@ -4,24 +4,30 @@
 	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	   xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">

-	<!-- an example system with dc16_amadhj setuid binary reversing challenge installed with default parameters.
-			username/pw: challenges/password  -->
+	<!-- an example system with a setgid binary. -->
 	<system>
-		<system_name>reverse_me</system_name>
+		<system_name>group_challenges</system_name>
 		<base platform="linux" type="server"/>

-		<!--TODO: Combine the dc16_amadhj with dc16_amadhj_group, use same pattern for all type=".*pwnable_binary" -->
+		<!--TODO: use same pattern for all type=".*pwnable_binary" -->

 		<!-- 1) Default uses an account and drops the binary in the users home directory -->
-		<vulnerability module_path=".*dc16_amadhj_group.*"/>
+		<vulnerability module_path=".*dc16_amadhj">
+          <input into="group">
+            <value>task1</value>
+          </input>
+        </vulnerability>

 		<!-- 2) Using a custom storage directory -->
 		<!--<vulnerability module_path=".*dc16_amadhj_group.*">-->
+          <!--<input into="group">-->
+            <!--<value>task2</value>-->
+          <!--</input>-->
          <!--<input into="account">-->
            <!--<value/>-->
          <!--</input>-->
          <!--<input into="storage_directory">-->
-            <!--<value>/test</value>-->
+            <!--<value>/home</value>-->
          <!--</input>-->
        <!--</vulnerability>-->

--- a/scenarios/examples/ctf_challenge_examples/setuid_pwnable_binary_example.xml
+++ b/scenarios/examples/ctf_challenge_examples/setuid_pwnable_binary_example.xml
@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+	<!-- an example system with a setuid root binary. -->
+	<system>
+		<system_name>reverse_me</system_name>
+		<base platform="linux" type="server"/>
+
+		<!--TODO: use same pattern for all type=".*pwnable_binary" -->
+
+		<!-- 1) Default uses an account and drops the binary in the users home directory
+				(username/pw: challenges/password) -->
+		<vulnerability module_path=".*dc16_amadhj"/>
+
+		<!-- 2) Using a custom storage directory -->
+		<!--<vulnerability module_path=".*dc16_amadhj">-->
+          <!--<input into="account">-->
+            <!--<value/>-->
+          <!--</input>-->
+          <!--<input into="storage_directory">-->
+            <!--<value>/home</value>-->
+          <!--</input>-->
+        <!--</vulnerability>-->
+
+		<network type="private_network" range="dhcp"/>
+	</system>
+
+</scenario>