From e2160095a12e4bb522e69f1006eb12dff4c5b591 Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Wed, 15 Sep 2021 17:24:06 +0100 Subject: [PATCH 1/9] ovirt base updates --- .../secgen_metadata.xml | 2 +- .../debian_stretch_server/secgen_metadata.xml | 5 ++-- modules/bases/kali_light/secgen_metadata.xml | 27 ------------------- 3 files changed, 4 insertions(+), 30 deletions(-) delete mode 100644 modules/bases/kali_light/secgen_metadata.xml diff --git a/modules/bases/debian_stretch_desktop_kde/secgen_metadata.xml b/modules/bases/debian_stretch_desktop_kde/secgen_metadata.xml index 8a9d61900..0470f174c 100644 --- a/modules/bases/debian_stretch_desktop_kde/secgen_metadata.xml +++ b/modules/bases/debian_stretch_desktop_kde/secgen_metadata.xml @@ -15,7 +15,7 @@ Debian 9.5.0 Stretch amd64 https://app.vagrantup.com/secgen/boxes/debian_stretch_desktop_kde/versions/1.2/providers/virtualbox.box https://app.vagrantup.com/redwiz666/boxes/debian_stretch_desktop_kde/versions/1.0.0/providers/vmware.box - stretch_desktop_kde_20210519 + stretch_desktop_kde_20210911 https://atlas.hashicorp.com/puppetlabs various diff --git a/modules/bases/debian_stretch_server/secgen_metadata.xml b/modules/bases/debian_stretch_server/secgen_metadata.xml index 178ed976f..337b826da 100644 --- a/modules/bases/debian_stretch_server/secgen_metadata.xml +++ b/modules/bases/debian_stretch_server/secgen_metadata.xml @@ -16,10 +16,11 @@ Debian 9.5.0 Stretch amd64 https://app.vagrantup.com/secgen/boxes/debian_stretch_server/versions/1.3/providers/virtualbox.box https://app.vagrantup.com/redwiz666/boxes/debian_stretch_server/versions/1.0.0/providers/vmware.box - debian_stretch_server_291118 + + stretch_desktop_kde_20210911 various - + bases/.* diff --git a/modules/bases/kali_light/secgen_metadata.xml b/modules/bases/kali_light/secgen_metadata.xml deleted file mode 100644 index dab0861da..000000000 --- a/modules/bases/kali_light/secgen_metadata.xml +++ /dev/null 
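Review bot: The image name added to debian_stretch_server is `stretch_desktop_kde_20210911`, the same value the first hunk sets for the debian_stretch_desktop_kde base, while the value it replaces was `debian_stretch_server_291118`. If the server base is meant to deploy from the desktop KDE oVirt image, record that in the metadata (for example `<!-- no dedicated server image yet; deploys from the desktop KDE image -->`), otherwise this looks like a copy-paste and should name the server image. The element names are not visible in this view, so I cannot tell which field the blank line and the `bases/.*` change at the end of the hunk affect.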
@@ -1,27 +0,0 @@ - - - - Kali Light and Puppet - Z. Cliffe Schreuders - GPLv3 - Kali Light 2018.3 with puppet. - 64-bit - attack - desktop - - linux - unix - Kali Linux 2018.3 - https://app.vagrantup.com/secgen/boxes/kali_light/versions/1.0/providers/virtualbox.box - https://app.vagrantup.com/redwiz666/boxes/kali_light/versions/1.0.0/providers/vmware.box - - https://app.vagrantup.com/secgen - various - - - - bases/.* - - From de92bb85160aabcd85df56fef351da0afde8bc05 Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Wed, 15 Sep 2021 17:24:58 +0100 Subject: [PATCH 2/9] ovirt affinity groups via ruby example --- lib/helpers/ovirt_affinity.rb | 97 +++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 lib/helpers/ovirt_affinity.rb diff --git a/lib/helpers/ovirt_affinity.rb b/lib/helpers/ovirt_affinity.rb new file mode 100644 index 000000000..9a58d459e --- /dev/null +++ b/lib/helpers/ovirt_affinity.rb 
@@ -0,0 +1,97 @@ +# TODO: merge this ruby version into SecGen -- should be working now + +require 'ovirtsdk4' + +affinitygroup_opt = "secgen_affinity_group_4" +ovirt_vm_name = "p-37-317-0-fkRZ" + +conn_attr = {} +conn_attr[:url] = "XXX" +conn_attr[:username] = "XXX" +conn_attr[:password] = "XXX" +conn_attr[:debug] = true +# conn_attr[:proxy_url] = "XXX" + + +begin + connection = OvirtSDK4::Connection.new(conn_attr) + + + # # Get the reference to the affinity labels service: + # affinity_labels_service = connection.system_service.affinity_labels_service + # + # # Use the "add" method to create a affinity label: + # affinity_labels_service.add( + # OvirtSDK4::AffinityLabel.new( + # name: 'my_affinity_label' + # ) + # ) + + begin + affinity_group_name = "affinity_group_test123" + puts "Creating affinity group: #{affinity_group_name}" + + # cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new( + # name: affinity_group_name, + # description: 'a description', + # vms_rule: OvirtSDK4::AffinityRule.new( + # enabled: true, + # positive: true, + # enforcing: true + # ) + # )) + rescue Exception => e + warn "Failed to create affinity group" + warn e.message + end + + vms_service = connection.system_service.vms_service + + clusters_service = connection.system_service.clusters_service + cluster = clusters_service.list(search: 'name=Default') + cluster.each do |cluster_instance| + cluster_service = clusters_service.cluster_service(cluster_instance.id) + cluster_affinitygroups_service = cluster_service.affinity_groups_service + + # cluster_affinitygroups_service.add(OvirtSDK4::AffinityGroup.new( + # name: affinity_group_name, + # description: 'a description', + # vms_rule: OvirtSDK4::AffinityRule.new( + # enabled: true, + # positive: true, + # enforcing: true + # ) + # )) + + vms = vms_service.list(search: "name=#{ovirt_vm_name}*") + + affinitygroups = cluster_affinitygroups_service.list + + affinitygroups.each do |affinitygroup| + + puts affinitygroup.name + # + '--' 
+ args.affinitygroup) + if affinitygroup.name == affinitygroup_opt + puts ("Using Affinity_Group: " + affinitygroup.name + " Affinity_Group ID: " + affinitygroup.id) + group_service = cluster_affinitygroups_service.group_service(affinitygroup.id) + puts group_service + group_vms_service = group_service.vms_service + puts group_vms_service + + vms.each do |vm| + puts ("Adding VM: " + vm.name) + # vm_service = vms_service.vm_service(vm.id) + vm_to_add = OvirtSDK4::Vm.new( + id: vm.id, + name: vm.name + ) + puts vm_to_add.id + group_vms_service.add(vm_to_add) + + end + end + end + end +# rescue Exception => e +# puts "Failed to control VM: #{e.message}" +end From ef6caf030de759871916864f10d9efb643fa16b4 Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Wed, 15 Sep 2021 17:32:03 +0100 Subject: [PATCH 3/9] Remove redundant --- lib/helpers/ovirt_affinity.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/helpers/ovirt_affinity.py b/lib/helpers/ovirt_affinity.py index 2afae74a0..bc1a17762 100644 --- a/lib/helpers/ovirt_affinity.py +++ b/lib/helpers/ovirt_affinity.py @@ -38,8 +38,6 @@ cluster = clusters_service.list(search='name=default')[0] cluster_service = clusters_service.cluster_service(cluster.id) cluster_affinitygroups_service = cluster_service.affinity_groups_service() -cluster_service = clusters_service.cluster_service(cluster.id) -cluster_affinitygroups_service = cluster_service.affinity_groups_service() # could create the affinity group? # cluster_affinitygroups_service.add( From 47d973df5ae8fe3f1857485aa9cdacd97560b329 Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Mon, 18 Oct 2021 09:30:31 +0100 Subject: [PATCH 4/9] base update and ovirt timeout --- lib/templates/Vagrantfile.erb | 3 +++ modules/bases/kali_light_msf/secgen_metadata.xml | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/lib/templates/Vagrantfile.erb b/lib/templates/Vagrantfile.erb index fb8089961..5611134b8 100644 
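Review bot: `rescue Exception => e` in the inner `begin` (and in the commented-out handler at the bottom) should be `rescue StandardError => e` — or the SDK's `OvirtSDK4::Error` — so interrupts and `exit` are not swallowed, and the `OvirtSDK4::Connection` opened at the top is never closed, so the outer `begin` needs `ensure` / `connection&.close` before its final `end`. The connection attributes are literal `"XXX"` placeholders with `conn_attr[:debug] = true`; the SDK's debug mode writes the full request/response exchange to its log (which, if I recall its documentation correctly, includes the credentials), so when this is merged into SecGen the values should come from its existing oVirt configuration and debug should default to off. The header TODO says "should be working now", but every `cluster_affinitygroups_service.add` call is commented out and the inner `begin` only prints, so creating the group is still unimplemented and the TODO should say so. `vms_service.list(search: "name=#{ovirt_vm_name}*")` is a prefix match, so any VM whose name merely starts with the configured name is added to the affinity group; unless SecGen's naming guarantees the prefix is unique, an exact `name=` match is the safer choice.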
--- a/lib/templates/Vagrantfile.erb +++ b/lib/templates/Vagrantfile.erb @@ -127,6 +127,9 @@ end <%= system.name %>.vm.provision 'shell', inline: "echo 'datasource_list: [ None ] '> /etc/cloud/cloud.cfg.d/90_dpkg.cfg" <% end -%> + <%= system.name %>.vm.boot_timeout = 600 + <%= system.name %>.ssh.connect_timeout = 600 + # SecGen datastore # <%= JSON.generate($datastore) %> diff --git a/modules/bases/kali_light_msf/secgen_metadata.xml b/modules/bases/kali_light_msf/secgen_metadata.xml index 11b95d83c..d8be94306 100644 --- a/modules/bases/kali_light_msf/secgen_metadata.xml +++ b/modules/bases/kali_light_msf/secgen_metadata.xml @@ -6,17 +6,17 @@ Kali Light, MSF, XFCE and Puppet Z. Cliffe Schreuders GPLv3 - Kali Light 2017.1 XFCE minimal install, with metasploit framework and puppet. + Kali Light rolling release XFCE minimal install, with metasploit framework and puppet. 64-bit attack desktop linux unix - Kali Linux 2018.3 + Kali Linux Rolling https://app.vagrantup.com/secgen/boxes/kali_light_msf/versions/1.0/providers/virtualbox.box - kali_linux_msf_20210930 + kali_linux_msf_20211006_2 https://app.vagrantup.com/secgen From d254b3f633a6e2c7d32ed1716dad29bf22739ed0 Mon Sep 17 00:00:00 2001 From: thomashaw Date: Tue, 19 Oct 2021 15:33:57 +0100 Subject: [PATCH 5/9] MetaCTF GdbSetmem printflag fix --- .../Ch3_00_GdbSetmem/program.c.template | 56 +++++++++---------- .../Ch08Dbg_GdbSetmem/program.c.template | 12 ++-- 2 files changed, 35 insertions(+), 33 deletions(-) diff --git a/modules/utilities/unix/ctf/metactf/files/repository/src_csp/Ch3.1-3.5/Ch3_00_GdbSetmem/program.c.template b/modules/utilities/unix/ctf/metactf/files/repository/src_csp/Ch3.1-3.5/Ch3_00_GdbSetmem/program.c.template index bfee2e204..be09f94ac 100644 --- a/modules/utilities/unix/ctf/metactf/files/repository/src_csp/Ch3.1-3.5/Ch3_00_GdbSetmem/program.c.template +++ b/modules/utilities/unix/ctf/metactf/files/repository/src_csp/Ch3.1-3.5/Ch3_00_GdbSetmem/program.c.template 
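Review bot: The two added timeouts apply to every system and every provider as a bare literal `600`, although the commit subject ties them to oVirt, and nothing in the template says why. A comment such as `# oVirt deployments can take much longer than Vagrant's default to boot and accept SSH` would record the reason, and if the other providers do not need it the two lines could be scoped to the oVirt provider block or exposed as a scenario option instead of being hard-coded. The enclosing block starts and ends outside the hunk.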
@@ -10,6 +10,34 @@ void printflag(); +void printflag() +{ + int fd; + int len; + unsigned char data[128]; + + fd = open("flag", O_RDONLY); + + if ( fd <= 0 ) { + printf("Failed to open flag.\n"); + return; + } + + len = lseek( fd, 0, SEEK_END); + lseek(fd, 0, SEEK_SET); + + if ( len > 128 ) { + len = 128; + } + + memset(data, 0, 128); + read( fd, data, len); + close(fd); + + printf("%s\n", data); + return; +} + //Hash function created by Thomas Wang and taken from https://naml.us/post/inverse-of-a-hash-function/ unsigned long long int hash(unsigned long long int key) { @@ -100,34 +128,6 @@ void print_msg() { printf("%s",msg); } -void printflag() -{ - int fd; - int len; - unsigned char data[128]; - - fd = open("flag", O_RDONLY); - - if ( fd <= 0 ) { - printf("Failed to open flag.\n"); - return; - } - - len = lseek( fd, 0, SEEK_END); - lseek(fd, 0, SEEK_SET); - - if ( len > 128 ) { - len = 128; - } - - memset(data, 0, 128); - read( fd, data, len); - close(fd); - - printf("%s\n", data); - return; -} - int main(void) { signal(SIGSEGV, segv_handler); int x=1024; diff --git a/modules/utilities/unix/ctf/metactf/files/repository/src_malware/Ch01-08/Ch08Dbg_GdbSetmem/program.c.template b/modules/utilities/unix/ctf/metactf/files/repository/src_malware/Ch01-08/Ch08Dbg_GdbSetmem/program.c.template index a424b6459..a9911f897 100644 --- a/modules/utilities/unix/ctf/metactf/files/repository/src_malware/Ch01-08/Ch08Dbg_GdbSetmem/program.c.template +++ b/modules/utilities/unix/ctf/metactf/files/repository/src_malware/Ch01-08/Ch08Dbg_GdbSetmem/program.c.template @@ -8,6 +8,8 @@ #define USERDEF0 AAAAAA #define USERDEF1 BBBBBB +void printflag(); + //Hash function created by Thomas Wang and taken from https://naml.us/post/inverse-of-a-hash-function/ unsigned long long int hash(unsigned long long int key) { 
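Review bot: `printflag()` as moved here can print past the buffer: `len` is capped at 128 and `data` is 128 bytes, so a flag file of 128 bytes or more leaves no terminating NUL for `printf("%s\n", data)`; cap at one less than the buffer instead, e.g. `if ( len > (int)sizeof(data) - 1 ) { len = sizeof(data) - 1; }`. The open check `if ( fd <= 0 )` also rejects descriptor 0, which is a valid result when stdin has been closed, so `if ( fd < 0 )` is the right test, and the `read()` return value is discarded, so `data` is printed even after a failed or short read. The second hunk only removes the old copy of the function; the Ch08Dbg_GdbSetmem template's hunks below show just the first and last lines of its `printflag()`, so if its body is the same it needs the same fix.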
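Review bot: The forward declaration added to Ch08Dbg_GdbSetmem, `void printflag();`, is a non-prototype declaration in C — empty parentheses mean "unspecified arguments", not "no arguments" — so it should be `void printflag(void);` to match the `(void)` form that `print_good` and `main` already use in this file. The existing `void printflag();` context line in the Ch3_00_GdbSetmem template has the same shape and could be fixed alongside it.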
@@ -61,11 +63,6 @@ void print_pswd(unsigned long long int key) { printf("%llu\n", inverse_hash(key)); } -void print_good(void) { - puts("Good Job."); - printflag(); -} - void printflag() { int fd; @@ -94,6 +91,11 @@ void printflag() return; } +void print_good(void) { + puts("Good Job."); + printflag(); +} + void segv_handler(int sig) { printf("Segmentation fault. Try again.\n"); exit(0); From a21c3ccc62b53891051c139432137dd209f89c23 Mon Sep 17 00:00:00 2001 From: thomashaw Date: Wed, 20 Oct 2021 14:18:09 +0100 Subject: [PATCH 6/9] Lab metadata update --- README-CyBOK-Scenarios-Indexed.md | 2 +- scenarios/labs/software_and_malware_analysis/5_ghidra.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README-CyBOK-Scenarios-Indexed.md b/README-CyBOK-Scenarios-Indexed.md index 63a2b46a4..ac1295997 100644 --- a/README-CyBOK-Scenarios-Indexed.md +++ b/README-CyBOK-Scenarios-Indexed.md @@ -2764,7 +2764,7 @@ Command to build VMs and start scenario: | Key | Data | | --- | --- | |Name | Ghidra lab | -|Description | A MetaCTF lab. In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you determing the password, run the program and enter the password to receive the file.

[Lab sheet here](https://docs.google.com/document/d/1l4tU49JhI65Q85Zv9I1Wm1kaHNENp6iyIwMUhM8j_14/edit?usp=sharing).
| +|Description | A MetaCTF lab. In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you determing the password, run the program and enter the password to receive the file.

[Lab sheet here](https://docs.google.com/document/d/1d2l1Z5l3r-DOdt-MG96H8HdhmN2l54dz8TL-8iigxWU/edit?usp=sharing).
| |Type | ctf-lab; lab-sheet | |Author | Z. Cliffe Schreuders | |Linked videos| https://youtu.be/0zUmUZoEpC4; https://youtu.be/m73pHO_0vhI| diff --git a/scenarios/labs/software_and_malware_analysis/5_ghidra.xml b/scenarios/labs/software_and_malware_analysis/5_ghidra.xml index a996ccefa..0f6bbc451 100644 --- a/scenarios/labs/software_and_malware_analysis/5_ghidra.xml +++ b/scenarios/labs/software_and_malware_analysis/5_ghidra.xml @@ -9,7 +9,7 @@ A MetaCTF lab. In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the file. - [Lab sheet here](https://docs.google.com/document/d/1l4tU49JhI65Q85Zv9I1Wm1kaHNENp6iyIwMUhM8j_14/edit?usp=sharing). + [Lab sheet here](https://docs.google.com/document/d/1d2l1Z5l3r-DOdt-MG96H8HdhmN2l54dz8TL-8iigxWU/edit?usp=sharing). ctf-lab From 84910f8cec53daeac1fdd20cc700d33624f087ab Mon Sep 17 00:00:00 2001 From: ManuelPOISSON Date: Sun, 24 Oct 2021 22:36:53 +0200 Subject: [PATCH 7/9] fix README-Creating-scenario.md fix path removing "simple_examples" which doesn't exists --- README-Creating-Scenarios.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-Creating-Scenarios.md b/README-Creating-Scenarios.md index d2c7f0e8f..6824e84cc 100644 --- a/README-Creating-Scenarios.md +++ b/README-Creating-Scenarios.md 
@@ -14,7 +14,7 @@ SecGen's scenario specification is a powerful interface for specifying the const The selection logic for choosing the modules to fulfill the specified constraints can filter on any of the attributes in each module's secgen_metadata.xml file (for example, difficulty level and/or CVE), and any ambiguity results in a random selection from the remaining matching options (for example, any vulnerability matching a specified difficulty level). -For example, scenarios/simple_examples/simple_any_random_vulnerability.xml specifies one system with a Debian Linux base, and a vulnerability. In this case the base module is specified by module name, so this selection is predefined (there is only one possible module that matches), and the vulnerability is randomly selected from the entire set of vulnerabilities because no attribute filters are specified, which could have limited down the potential matches. +For example, scenarios/simple_any_random_vulnerability.xml specifies one system with a Debian Linux base, and a vulnerability. In this case the base module is specified by module name, so this selection is predefined (there is only one possible module that matches), and the vulnerability is randomly selected from the entire set of vulnerabilities because no attribute filters are specified, which could have limited down the potential matches. ```xml From a295e6ad6854ef8f7e6ff850a9b3025adcff88bf Mon Sep 17 00:00:00 2001 From: ManuelPOISSON Date: Sun, 24 Oct 2021 22:44:33 +0200 Subject: [PATCH 8/9] fix README-Creating-scenario.md add "examples" to path --- README-Creating-Scenarios.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-Creating-Scenarios.md b/README-Creating-Scenarios.md index 6824e84cc..451a697bd 100644 --- a/README-Creating-Scenarios.md +++ b/README-Creating-Scenarios.md 
@@ -14,7 +14,7 @@ SecGen's scenario specification is a powerful interface for specifying the const The selection logic for choosing the modules to fulfill the specified constraints can filter on any of the attributes in each module's secgen_metadata.xml file (for example, difficulty level and/or CVE), and any ambiguity results in a random selection from the remaining matching options (for example, any vulnerability matching a specified difficulty level). -For example, scenarios/simple_any_random_vulnerability.xml specifies one system with a Debian Linux base, and a vulnerability. In this case the base module is specified by module name, so this selection is predefined (there is only one possible module that matches), and the vulnerability is randomly selected from the entire set of vulnerabilities because no attribute filters are specified, which could have limited down the potential matches. +For example, scenarios/examples/simple_any_random_vulnerability.xml specifies one system with a Debian Linux base, and a vulnerability. In this case the base module is specified by module name, so this selection is predefined (there is only one possible module that matches), and the vulnerability is randomly selected from the entire set of vulnerabilities because no attribute filters are specified, which could have limited down the potential matches. ```xml From 48cfc1dfca1f3a99a6710ed7d121e28910085c2e Mon Sep 17 00:00:00 2001 From: ManuelPOISSON Date: Tue, 26 Oct 2021 08:34:49 +0200 Subject: [PATCH 9/9] fix path in README-Modules-Puppet.md --- README-Modules-Puppet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README-Modules-Puppet.md b/README-Modules-Puppet.md index b6f903cd7..9c75e3eee 100644 --- a/README-Modules-Puppet.md +++ b/README-Modules-Puppet.md 
@@ -7,7 +7,7 @@ The module directory contains The following example should help illustrate. -Distcc has a documented security weakness that enables remote code execution. The below example comes from modules/vulnerabilities/misc/distcc_exec. +Distcc has a documented security weakness that enables remote code execution. The below example comes from modules/vulnerabilities/unix/misc/distcc_exec. A manifest/ directory contains the Puppet files for a distcc_exec Puppet class.