From e6ff59c39a604fea282fd767401dcb8ff9d90ee6 Mon Sep 17 00:00:00 2001
From: JD <j.davis2344@student.leedsbeckett.ac.uk>
Date: Thu, 27 Apr 2023 16:08:58 +0100
Subject: [PATCH 1/6] Add Jenkins CTF Scenario

---
 scenarios/ctf/administration_woes.xml | 103 ++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 scenarios/ctf/administration_woes.xml

diff --git a/scenarios/ctf/administration_woes.xml b/scenarios/ctf/administration_woes.xml
new file mode 100644
index 000000000..45813ac26
--- /dev/null
+++ b/scenarios/ctf/administration_woes.xml
@@ -0,0 +1,103 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <name>Automation Woes</name>
+    <author>James Davis</author>
+    <description>
+        There is a process hosted on a remote server that is vulnerable to exploit.
+        Find a way in then escalate to root.
+    </description>
+
+    <type>ctf</type>
+    <type>attack-ctf</type>
+    <difficulty>intermediate</difficulty>
+
+    <CyBOK KA="MAT" topic="Attacks and exploitation">
+        <keyword>EXPLOITATION</keyword>
+        <keyword>EXPLOITATION FRAMEWORKS</keyword>
+    </CyBOK>
+    <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+        <keyword>CVEs and CWEs</keyword>
+    </CyBOK>
+    <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+        <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+        <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+    </CyBOK>
+    <CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
+        <keyword>server-side misconfiguration and vulnerable components</keyword>
+        <keyword>Serialized objects</keyword>
+    </CyBOK>
+
+    <CyBOK KA="AAA" topic="Authorisation">
+        <keyword>access control</keyword>
+        <keyword>Elevated privileges</keyword>
+        <keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
+    </CyBOK>
+    <CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
+        <keyword>Access controls and operating systems</keyword>
+        <keyword>Linux security model</keyword>
+    </CyBOK>
+
+    <system>
+        <system_name>server</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/jenkins_cli">
+            <input into="strings_to_leak">
+                <generator type="flag_generator" />
+            </input>
+            <input into="strings_to_pre_leak">
+                <encoder type="^(ascii|alpha)_reversible$" difficulty="low">
+                    <input into="strings_to_encode">
+                        <generator type="flag_generator" />
+                    </input>
+                </encoder>
+            </input>
+        </vulnerability>
+
+        <vulnerability module_path=".*/writable_groups" />
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="1">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+    <system>
+        <system_name>attack_vm</system_name>
+        <base distro="Kali" name="MSF" />
+
+        <input into_datastore="IP_addresses">
+            <!-- 0 attack_vm -->
+            <value>172.16.0.2</value>
+            <!-- 1 hackme_server -->
+            <value>172.16.0.3</value>
+        </input>
+
+        <utility module_path=".*/iceweasel">
+            <input into="accounts">
+                <value>
+                    {"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+            </input>
+            <input into="autostart">
+                <value>false</value>
+            </input>
+        </utility>
+
+        <utility module_path=".*/kali_web" />
+        <utility module_path=".*/metasploit_framework" />
+        <utility module_path=".*/nmap" />
+        <utility module_path=".*/handy_cli_tools" />
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="0">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+</scenario>
\ No newline at end of file

From a5e7dc23d9897f68baedc0d2b5b98b43711079b4 Mon Sep 17 00:00:00 2001
From: JD <j.davis2344@student.leedsbeckett.ac.uk>
Date: Thu, 27 Apr 2023 16:26:50 +0100
Subject: [PATCH 2/6] amend vulnerability tag

---
 scenarios/ctf/administration_woes.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scenarios/ctf/administration_woes.xml b/scenarios/ctf/administration_woes.xml
index 45813ac26..c52ac8a21 100644
--- a/scenarios/ctf/administration_woes.xml
+++ b/scenarios/ctf/administration_woes.xml
@@ -58,7 +58,7 @@
             </input>
         </vulnerability>
 
-        <vulnerability module_path=".*/writable_groups" />
+        <vulnerability module_path=".*/writable_groups"></vulnerability>
 
         <network type="private_network">
             <input into="IP_address">

From 68f91ee1e4bc9f2ea55006985cb0e7ec3490f330 Mon Sep 17 00:00:00 2001
From: JD <j.davis2344@student.leedsbeckett.ac.uk>
Date: Thu, 27 Apr 2023 16:30:27 +0100
Subject: [PATCH 3/6] Add couchdb CTF Scenario

---
 scenarios/ctf/erlang_explosion.xml | 105 +++++++++++++++++++++++++++++
 1 file changed, 105 insertions(+)
 create mode 100644 scenarios/ctf/erlang_explosion.xml

diff --git a/scenarios/ctf/erlang_explosion.xml b/scenarios/ctf/erlang_explosion.xml
new file mode 100644
index 000000000..0e4975248
--- /dev/null
+++ b/scenarios/ctf/erlang_explosion.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <name>Erlang Explosion</name>
+    <author>James Davis</author>
+    <description>
+        A vulnerable service utilises erlang that has a fatal flaw.
+        Exploit the server and get root access.
+    </description>
+
+    <type>ctf</type>
+    <type>attack-ctf</type>
+    <difficulty>intermediate</difficulty>
+
+    <CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
+        <keyword>server-side misconfiguration and vulnerable components</keyword>
+        <keyword>Vulnerable defaults</keyword>
+    </CyBOK>
+    <CyBOK KA="MAT" topic="Attacks and exploitation">
+        <keyword>EXPLOITATION</keyword>
+        <keyword>EXPLOITATION FRAMEWORKS</keyword>
+    </CyBOK>
+    <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+        <keyword>CVEs and CWEs</keyword>
+    </CyBOK>
+    <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+        <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+        <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+    </CyBOK>
+
+    <CyBOK KA="AAA" topic="Authorisation">
+        <keyword>access control</keyword>
+        <keyword>Elevated privileges</keyword>
+        <keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
+    </CyBOK>
+    <CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
+        <keyword>Access controls and operating systems</keyword>
+        <keyword>Linux security model</keyword>
+        <keyword>Attacks against SUID</keyword>
+    </CyBOK>
+
+
+    <system>
+        <system_name>server</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/apache_couchdb">
+            <input into="strings_to_leak">
+                <generator type="flag_generator" />
+            </input>
+            <input into="strings_to_pre_leak">
+                <encoder type="^(ascii|alpha)_reversible$" difficulty="low">
+                    <input into="strings_to_encode">
+                        <generator type="flag_generator" />
+                    </input>
+                </encoder>
+            </input>
+        </vulnerability>
+
+        <vulnerability module_path=".*/sudo_root_vi"></vulnerability>
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="1">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+    <system>
+        <system_name>attack_vm</system_name>
+        <base distro="Kali" name="MSF" />
+
+        <input into_datastore="IP_addresses">
+            <!-- 0 attack_vm -->
+            <value>172.16.0.2</value>
+            <!-- 1 hackme_server -->
+            <value>172.16.0.3</value>
+        </input>
+
+        <utility module_path=".*/iceweasel">
+            <input into="accounts">
+                <value>
+                    {"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+            </input>
+            <input into="autostart">
+                <value>false</value>
+            </input>
+        </utility>
+
+        <utility module_path=".*/kali_web" />
+        <utility module_path=".*/metasploit_framework" />
+        <utility module_path=".*/nmap" />
+        <utility module_path=".*/handy_cli_tools" />
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="0">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+</scenario>
\ No newline at end of file

From 1ef73cc6864b29061b9377fa5ee65991d5b9b7d6 Mon Sep 17 00:00:00 2001
From: JD <j.davis2344@student.leedsbeckett.ac.uk>
Date: Thu, 27 Apr 2023 16:35:35 +0100
Subject: [PATCH 4/6] Add druid CTF Scenario

---
 scenarios/ctf/eventful_data.xml | 103 ++++++++++++++++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100644 scenarios/ctf/eventful_data.xml

diff --git a/scenarios/ctf/eventful_data.xml b/scenarios/ctf/eventful_data.xml
new file mode 100644
index 000000000..d8c29077f
--- /dev/null
+++ b/scenarios/ctf/eventful_data.xml
@@ -0,0 +1,103 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <name>Eventful Data</name>
+    <author>James Davis</author>
+    <description>
+        There is a vulnerable webserver that can be exploited.
+        Find it and then get root.
+    </description>
+
+    <type>ctf</type>
+    <type>attack-ctf</type>
+    <difficulty>intermediate</difficulty>
+
+    <CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
+        <keyword>server-side misconfiguration and vulnerable components</keyword>
+    </CyBOK>
+    <CyBOK KA="MAT" topic="Attacks and exploitation">
+        <keyword>EXPLOITATION</keyword>
+        <keyword>EXPLOITATION FRAMEWORKS</keyword>
+    </CyBOK>
+    <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+        <keyword>CVEs and CWEs</keyword>
+    </CyBOK>
+    <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+        <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+        <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+    </CyBOK>
+
+    <CyBOK KA="AAA" topic="Authorisation">
+        <keyword>access control</keyword>
+        <keyword>Elevated privileges</keyword>
+        <keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
+    </CyBOK>
+    <CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
+        <keyword>Access controls and operating systems</keyword>
+        <keyword>Linux security model</keyword>
+        <keyword>Attacks against SUDO</keyword>
+    </CyBOK>
+
+    <system>
+        <system_name>server</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/apache_druid_rce">
+            <input into="strings_to_leak">
+                <generator type="flag_generator" />
+            </input>
+            <input into="strings_to_pre_leak">
+                <encoder type="^(ascii|alpha)_reversible$" difficulty="low">
+                    <input into="strings_to_encode">
+                        <generator type="flag_generator" />
+                    </input>
+                </encoder>
+            </input>
+        </vulnerability>
+
+        <vulnerability module_path=".*/sudo_root_more"></vulnerability>
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="1">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+    <system>
+        <system_name>attack_vm</system_name>
+        <base distro="Kali" name="MSF" />
+
+        <input into_datastore="IP_addresses">
+            <!-- 0 attack_vm -->
+            <value>172.16.0.2</value>
+            <!-- 1 hackme_server -->
+            <value>172.16.0.3</value>
+        </input>
+
+        <utility module_path=".*/iceweasel">
+            <input into="accounts">
+                <value>
+                    {"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+            </input>
+            <input into="autostart">
+                <value>false</value>
+            </input>
+        </utility>
+
+        <utility module_path=".*/kali_web" />
+        <utility module_path=".*/metasploit_framework" />
+        <utility module_path=".*/nmap" />
+        <utility module_path=".*/handy_cli_tools" />
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="0">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+</scenario>
\ No newline at end of file

From 94b1407cbd94606f9b2907a80221a1789e550cd1 Mon Sep 17 00:00:00 2001
From: JD <j.davis2344@student.leedsbeckett.ac.uk>
Date: Thu, 27 Apr 2023 16:40:26 +0100
Subject: [PATCH 5/6] Add apache spark CTF Scenario

---
 scenarios/ctf/catching_sparks.xml | 99 +++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 scenarios/ctf/catching_sparks.xml

diff --git a/scenarios/ctf/catching_sparks.xml b/scenarios/ctf/catching_sparks.xml
new file mode 100644
index 000000000..0bdfe6b1d
--- /dev/null
+++ b/scenarios/ctf/catching_sparks.xml
@@ -0,0 +1,99 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <name>Catching Sparks</name>
+    <author>James Davis</author>
+    <description>
+        A web vulnerability allows access to a server remotely. Find the website
+        and gain root privilege.
+    </description>
+
+    <type>ctf</type>
+    <type>attack-ctf</type>
+    <difficulty>intermediate</difficulty>
+
+    <CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
+        <keyword>server-side misconfiguration and vulnerable components</keyword>
+        <keyword>Command injection</keyword>
+    </CyBOK>
+    <CyBOK KA="MAT" topic="Attacks and exploitation">
+        <keyword>EXPLOITATION</keyword>
+        <keyword>EXPLOITATION FRAMEWORKS</keyword>
+    </CyBOK>
+    <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+        <keyword>CVEs and CWEs</keyword>
+    </CyBOK>
+    <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+        <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+        <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+    </CyBOK>
+    <CyBOK KA="AB" topic="Models">
+        <keyword>kill chains</keyword>
+    </CyBOK>
+    <CyBOK KA="MAT" topic="Malicious Activities by Malware">
+        <keyword>cyber kill chain</keyword>
+    </CyBOK>
+
+    <system>
+        <system_name>server</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/apache_spark_rce">
+            <input into="strings_to_leak">
+                <generator type="flag_generator" />
+            </input>
+            <input into="strings_to_pre_leak">
+                <encoder type="^(ascii|alpha)_reversible$" difficulty="low">
+                    <input into="strings_to_encode">
+                        <generator type="flag_generator" />
+                    </input>
+                </encoder>
+            </input>
+        </vulnerability>
+
+        <vulnerability module_path="*./chkrootkit"></vulnerability>
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="1">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+    <system>
+        <system_name>attack_vm</system_name>
+        <base distro="Kali" name="MSF" />
+
+        <input into_datastore="IP_addresses">
+            <!-- 0 attack_vm -->
+            <value>172.16.0.2</value>
+            <!-- 1 hackme_server -->
+            <value>172.16.0.3</value>
+        </input>
+
+        <utility module_path=".*/iceweasel">
+            <input into="accounts">
+                <value>
+                    {"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+            </input>
+            <input into="autostart">
+                <value>false</value>
+            </input>
+        </utility>
+
+        <utility module_path=".*/kali_web" />
+        <utility module_path=".*/metasploit_framework" />
+        <utility module_path=".*/nmap" />
+        <utility module_path=".*/handy_cli_tools" />
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="0">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+</scenario>
\ No newline at end of file

From 8f361d36f17183261b6a8978a65988446f2a6cb4 Mon Sep 17 00:00:00 2001
From: JD <j.davis2344@student.leedsbeckett.ac.uk>
Date: Thu, 27 Apr 2023 17:04:47 +0100
Subject: [PATCH 6/6] Add glpi CTF Scenario

---
 scenarios/ctf/manage_this.xml | 96 +++++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 scenarios/ctf/manage_this.xml

diff --git a/scenarios/ctf/manage_this.xml b/scenarios/ctf/manage_this.xml
new file mode 100644
index 000000000..0ad6d8ad4
--- /dev/null
+++ b/scenarios/ctf/manage_this.xml
@@ -0,0 +1,96 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <name>Manage this!</name>
+    <author>James Davis</author>
+    <description>
+        A vulnerable website is active on a server. Find a way in and obtain root.
+    </description>
+
+    <type>ctf</type>
+    <type>attack-ctf</type>
+    <difficulty>intermediate</difficulty>
+
+    <CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
+        <keyword>server-side misconfiguration and vulnerable components</keyword>
+        <keyword>Command injection</keyword>
+    </CyBOK>
+    <CyBOK KA="MAT" topic="Attacks and exploitation">
+        <keyword>EXPLOITATION</keyword>
+        <keyword>EXPLOITATION FRAMEWORKS</keyword>
+        <keyword>BACKDOOR TROJANS</keyword>
+    </CyBOK>
+    <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+        <keyword>CVEs and CWEs</keyword>
+    </CyBOK>
+    <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+        <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+        <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+    </CyBOK>
+    <CyBOK KA="NS" topic="PENETRATION TESTING">
+        <keyword>FILE - TRANSFER PROTOCOL (FTP)</keyword>
+    </CyBOK>
+
+    <system>
+        <system_name>server</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/glpi_php_injection">
+            <input into="strings_to_leak">
+                <generator type="flag_generator" />
+            </input>
+            <input into="strings_to_pre_leak">
+                <encoder type="^(ascii|alpha)_reversible$" difficulty="low">
+                    <input into="strings_to_encode">
+                        <generator type="flag_generator" />
+                    </input>
+                </encoder>
+            </input>
+        </vulnerability>
+
+        <vulnerability module_path=".*/vsftpd_234_backdoor" />
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="1">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+    <system>
+        <system_name>attack_vm</system_name>
+        <base distro="Kali" name="MSF" />
+
+        <input into_datastore="IP_addresses">
+            <!-- 0 attack_vm -->
+            <value>172.16.0.2</value>
+            <!-- 1 hackme_server -->
+            <value>172.16.0.3</value>
+        </input>
+
+        <utility module_path=".*/iceweasel">
+            <input into="accounts">
+                <value>
+                    {"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+            </input>
+            <input into="autostart">
+                <value>false</value>
+            </input>
+        </utility>
+
+        <utility module_path=".*/kali_web" />
+        <utility module_path=".*/metasploit_framework" />
+        <utility module_path=".*/nmap" />
+        <utility module_path=".*/handy_cli_tools" />
+
+        <network type="private_network">
+            <input into="IP_address">
+                <datastore access="0">IP_addresses</datastore>
+            </input>
+        </network>
+    </system>
+
+</scenario>
\ No newline at end of file