finished and tested with user and custom port

modules/vulnerabilities/unix/http/apache_druid_rce/manifests/configure.pp

@@ -2,16 +2,18 @@
 # Configuration for apache druid
 #
 class apache_druid_rce::configure {
-  $leaked_filenames = ['flagtest'] ##$secgen_parameters['leaked_filenames']
-  $strings_to_leak = ['this is a list of strings that are secrets / flags','another secret'] ##$secgen_parameters['strings_to_leak']
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = $secgen_parameters['leaked_username'][0]
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
 
   Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
 
   ::secgen_functions::leak_files { 'druid-flag-leak':
-    storage_directory => '/root',
+    storage_directory => "/home/${user}",
     leaked_filenames  => $leaked_filenames,
     strings_to_leak   => $strings_to_leak,
-    owner             => 'root',
+    owner             => $user,
     mode              => '0750',
     leaked_from       => 'apache_druid_rce',
   }

modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp

@@ -5,6 +5,18 @@ class apache_druid_rce::install {
   Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
   $modulename = 'apache_druid_rce'
 
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $port = $secgen_parameters['port'][0]
+  $user = $secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+
+  # Create user
+  user { $user:
+    ensure     => present,
+    home       => $user_home,
+    managehome => true,
+  }
+
   # This generates a repo file so we can get packages from debian stretch
   file { '/etc/apt/sources.list.d/stretch.list':
     ensure => file,
@@ -32,12 +44,13 @@ class apache_druid_rce::install {
   $currentsource.each |String $fsource| {
     file { "/tmp/${fsource}":
       ensure => file,
-      source => "puppet:///modules/modulename/${fsource}",
+      source => "puppet:///modules/${modulename}/${fsource}",
     }
   }
+
   exec { 'rebuild-archive':
     cwd     => '/tmp/',
-    command => "cat ${releasename}.parta* >${releasename}",
+    command => "cat ${releasename}.parta* > ${releasename}",
   }
   -> exec { 'unpack-druid':
     cwd     => '/tmp',
@@ -49,4 +62,13 @@ class apache_druid_rce::install {
     command => 'mv apache-druid-0.20.0 /usr/local/apache-druid/',
     creates => '/usr/local/apache-druid'
   }
+  -> exec { 'chmod-druid':
+    command => 'chmod -R 777 /usr/local/apache-druid/bin/',
+  }
+  -> exec { 'chown-druid':
+    command => "chown -R ${user}:${user} /usr/local/apache-druid/",
+  }
+  -> exec { 'change-port':
+    command => "sed -i 's/8888/${port}/' /usr/local/apache-druid/conf/druid/single-server/nano-quickstart/router/runtime.properties",
+  }
 }

modules/vulnerabilities/unix/http/apache_druid_rce/manifests/service.pp

@@ -2,13 +2,15 @@
 # Service behaviour
 #
 class apache_druid_rce::service {
-  file { '/etc/systemd/system/druid.service':
-    source => 'puppet:///modules/apache_druid_rce/druid.service',
-    owner  => 'root',
-    mode   => '0777',
-  }
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = $secgen_parameters['leaked_username'][0]
 
-  service { 'druid':
+  file { '/etc/systemd/system/druid.service':
+    content => template('apache_druid_rce/druid.service.erb'),
+    owner   => 'root',
+    mode    => '0755',
+  }
+  -> service { 'druid':
     ensure => running,
     enable => true,
   }

modules/vulnerabilities/unix/http/apache_druid_rce/secgen_metadata.xml

@@ -15,7 +15,7 @@
         Server process. More critically, authentication is not enabled in Apache Druid by default.</description>
 
     <type>http</type>
-    <privilege>root_rwx</privilege>
+    <privilege>user_rwx</privilege>
     <access>remote</access>
     <platform>linux</platform>
     <difficulty>low</difficulty>
@@ -25,7 +25,7 @@
     <read_fact>leaked_filenames</read_fact>
 
     <default_input into="port">
-        <value>8888</value>
+        <generator module_path=".*/random_unregistered_port" />
     </default_input>
 
     <!-- flags or other secrets exposed after exploitation -->
@@ -37,23 +37,22 @@
         <generator type="filename_generator" />
     </default_input>
 
-    <!--optional vulnerability details-->
+    <default_input into="leaked_username">
+        <value>druid</value>
+    </default_input>
+
+    <!--optional
+    vulnerability details-->
     <cve>CVE-2021-25646</cve>
     <cvss_base_score>8.8</cvss_base_score>
-    <cvss_vector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</cvss_vector>
-    <software_name>Apache Druid</software_name>
-    <software_license>Apache License 2.0</software_license>
-
+    <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
     <reference>
         https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/apache_druid_js_rce.rb</reference>
     <reference>
         https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/apache_druid_js_rce.md</reference>
-    <reference>
-        https://archive.apache.org/dist/druid/0.20.0/</reference>
+    <reference>https://archive.apache.org/dist/druid/0.20.0/</reference>
     <reference>https://github.com/apache/druid</reference>
-
-    <!--optional hints-->
-    <hint>Scan the servers for other
-        machines </hint>
+    <software_name>Apache Druid</software_name>
+    <software_license>Apache License 2.0</software_license>
 
 </vulnerability>

modules/vulnerabilities/unix/http/apache_druid_rce/templates/druid.service.erb

@@ -4,10 +4,10 @@ After=network.target
 
 [Service]
 Type=simple
-User=root
+User=<%= @user %>
 WorkingDirectory=/usr/local/apache-druid/
 ExecStart=/usr/local/apache-druid/bin/start-nano-quickstart
-Restart=on-abort
+Restart=always
 RestartSec=1
 
 [Install]

scenarios/examples/vulnerability_examples/apache_druid.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+    <system>
+        <system_name>druid</system_name>
+        <base distro="Debian 10" type="desktop" name="KDE" />
+
+        <vulnerability module_path=".*/apache_druid_rce" />
+
+        <network type="private_network" range="dhcp" />
+    </system>
+
+</scenario>