Z. Cliffe Schreuders
2017-04-19 00:13:19 +01:00
21 changed files with 774 additions and 6 deletions


@@ -14,9 +14,9 @@ class WeakPasswordGenerator < StringGenerator
all_words = nouns + male_names + female_names
# only keep words 3-6 characters
# only keep words 3-5 characters
all_words.delete_if { |word|
word.length >=7 || word.length <= 2
word.length >=6 || word.length <= 2
}
self.outputs << all_words.sample.chomp
end
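Review bot: The length filter in the `delete_if` block measures `word.length` before the `.chomp` applied on the following statement, so if the word lists still carry their line endings (the `chomp` suggests they do) the words kept are one character shorter than the `3-5 characters` comment says. Comparing on the stripped word, `word.chomp.length >= 6 || word.chomp.length <= 2`, makes the bound match the comment. `all_words.sample` also returns nil when the filter leaves nothing, and the `.chomp` then raises, so a guard for an empty list is worth adding. The method starts above this hunk, so how the lists are read is not visible here.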


@@ -0,0 +1,78 @@
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
int
main(int argc, char **argv)
{
FILE *f;
char b[BUFSIZ], c[BUFSIZ];
struct stat s;
// called correctly?
if(argc != 2) {
fprintf(stderr, "Usage: %s <file>\n", argv[0]);
exit(1);
}
// get the stat info for the file
if(stat(argv[1], &s) != 0) {
puts(strerror(errno));
exit(2);
}
// are 'others' allowed to read it?
if((s.st_mode & S_IROTH) != S_IROTH) {
puts(strerror(EPERM));
exit(3);
}
// so far so good ...
fputs("The file is accessible by all. Press ENTER to print its contents.", stdout);
do {
// read in a line from the command line
if(fgets(c, BUFSIZ, stdin) == NULL) {
if(feof(stdin)) { // stdin closed?
break;
} else {
// we have a problem
puts(strerror(errno));
exit(4);
}
}
// remove final enter
c[strlen(c) - 1] = '\0';
if(strlen(c) == 0) { // an enter will have zero characters
// open the file
if((f = fopen(argv[1], "r")) == NULL) {
puts(strerror(errno));
exit(4);
}
// read the entire file
while(fgets(b, BUFSIZ, f) != NULL) {
fputs(b, stdout); // print to console
}
// did we end cleanly?
if(feof(f)) {
fclose(f);
} else {
// no we did not.
puts(strerror(errno));
exit(5);
}
break;
} else {
// round again
fputs("Press ENTER to print its contents.", stdout);
}
// we can quit if we like.
} while(strncmp(c, "quit", 5) != 0);
return 0;
}
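Review bot: `c[strlen(c) - 1] = '\0';` in the read loop writes to `c[-1]` when fgets() returns a line whose first byte is NUL, and it chops a real character when the line arrives without a trailing newline (EOF, or a line longer than BUFSIZ). The symlinks::account define installs this binary setgid `shadow`, so an out-of-bounds write here is a second, presumably unintended, flaw beside the one the module is built around; `c[strcspn(c, "\n")] = '\0';` removes it. The gap between the `stat()` permission check and the later `fopen()` by path looks like the intended exercise. A header comment such as `/* Deliberately vulnerable: permissions are checked with stat() and the file is opened by path later; lab use only. */` would keep it from being copied or "fixed" by accident.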


@@ -0,0 +1,38 @@
define symlinks::account($username, $password, $strings_to_leak, $leaked_filenames) {
::accounts::user { $username:
shell => '/bin/bash',
password => pw_hash($password, 'SHA-512', 'mysalt'),
managehome => true,
home_mode => '0755',
}
# strings_to_leak[0]: flag in shadow file
$shadow_flag = $strings_to_leak[0]
exec{ 'append_flag_to_etc_shadow':
command => "/bin/echo '$shadow_flag' >> /etc/shadow"
}
# strings_to_leak[1]: flag in /home/<username>/flag.txt
::secgen_functions::leak_files { "$username-file-leak":
storage_directory => "/home/$username/",
leaked_filenames => $leaked_filenames,
strings_to_leak => [$strings_to_leak[1]],
owner => $username,
mode => '0600',
leaked_from => "accounts_$username",
}
file { "/home/$username/prompt.c":
owner => $username,
group => $username,
mode => '0644',
ensure => file,
source => 'puppet:///modules/symlinks/prompt.c',
}
exec { "$username-compileandsetup1":
cwd => "/home/$username/",
command => "gcc -o prompt prompt.c && sudo chown $username:shadow prompt && sudo chmod 2755 prompt",
path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
}
}
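Review bot: The exec title `'append_flag_to_etc_shadow'` is a fixed string inside a define that symlinks::init instantiates once per account, so a second account would fail catalog compilation with a duplicate declaration. The exec also has no guard, so every Puppet run appends the flag to /etc/shadow again. Titling it `"$username-append_flag_to_etc_shadow"` and adding `unless => "/bin/grep -qF '$shadow_flag' /etc/shadow"` addresses both. The constant salt `'mysalt'` in `pw_hash` gives every generated VM the same hash for the same password; if that is meant to keep the cracking exercise simple, a comment saying so would help.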


@@ -0,0 +1,16 @@
class symlinks::init {
$json_inputs = base64('decode', $::base64_inputs)
$secgen_parameters = parsejson($json_inputs)
$accounts = $secgen_parameters['accounts']
$accounts.each |$raw_account| {
$account = parsejson($raw_account)
$username = $account['username']
symlinks::account { "symlinks_$username":
username => $username,
password => $account['password'],
strings_to_leak => $account['strings_to_leak'],
leaked_filenames => $account['leaked_filenames']
}
}
}


@@ -0,0 +1,47 @@
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>symlinks</name>
<author>Mihai Ordean</author>
<author>Puppet Labs</author>
<module_license>Apache v2</module_license>
<description>exploits symlink to shadow, weak password so users can crack the hash</description>
<type>system</type>
<privilege>none</privilege>
<access>local</access>
<platform>linux</platform>
<read_fact>accounts</read_fact>
<default_input into="accounts">
<generator type="account">
<input into="username">
<value>carolmiller</value>
</input>
<input into="password">
<!-- Use random_weak_password (5 chars long) as it's brute force-able -->
<generator module_path=".*random_weak_password"/>
</input>
<input into="leaked_filenames">
<value>flag.txt</value>
</input>
<input into="strings_to_leak">
<generator type="flag_generator"/> <!-- [0]: flag in shadow file -->
<generator type="flag_generator"/> <!-- [1]: flag in /home/<username>/flag.txt -->
</input>
</generator>
</default_input>
<requires>
<module_path>utilities/unix/system/accounts</module_path>
</requires>
<!-- Need a way on to the box. -->
<requires>
<privilege>user_rwx</privilege>
</requires>
</vulnerability>
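Review bot: The comment on the password input says `random_weak_password (5 chars long)`, but the generator change in this same commit keeps words of 3-5 characters, so the comment misstates the length (assuming WeakPasswordGenerator is the module matched by `.*random_weak_password`). Suggested wording: `<!-- Use random_weak_password (3-5 chars) as it's brute force-able -->`.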


@@ -0,0 +1 @@
require symlinks::init


@@ -0,0 +1,37 @@
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <wait.h>
int
main(int argc, char **argv)
{
pid_t pid;
int status;
// used correctly?
if(argc < 2) {
fprintf(stderr, "Usage:\n\t%1$s <command>\nExamples:\n\t%1$s ls\n\t%1$s cat /etc/groups\n", argv[0]);
exit(1);
}
// fork the process
if((pid = fork()) < 0) {
fprintf(stderr, "%s\n", strerror(errno));
exit(1);
} else if(pid == 0) {
// execute the command given in the child
if(execvp(argv[1], &argv[1]) < 0) {
fprintf(stderr, "%s\n", strerror(errno));
exit(1); // failed
}
} else {
// wait for the child to finish
while(wait(&status) != pid);
exit(status); // return the status of the childe
}
return 0;
}
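Review bot: `exit(status)` in the parent branch passes the raw wait() status word rather than the child's exit code; on Linux the exit code sits in the high byte and exit() keeps only the low eight bits, so a child that exits 1 makes this wrapper exit 0. Use `exit(WIFEXITED(status) ? WEXITSTATUS(status) : 1);`. The loop `while(wait(&status) != pid);` never ends if wait() returns -1, so `waitpid(pid, &status, 0)` with a check for -1 is the safer form. Two smaller points: the portable header is `<sys/wait.h>`, and the usage example names `/etc/groups` where the file is `/etc/group`.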


@@ -0,0 +1,42 @@
define two_shell_calls::account($username, $password, $strings_to_leak, $leaked_filenames) {
::accounts::user { $username:
shell => '/bin/bash',
password => pw_hash($password, 'SHA-512', 'mysalt'),
managehome => true,
home_mode => '0755',
}
# Leak strings in a text file in the users home directory
::secgen_functions::leak_files { "$username-file-leak":
storage_directory => "/home/$username/",
leaked_filenames => $leaked_filenames,
strings_to_leak => $strings_to_leak,
owner => $username,
group => 'managers',
mode => '0600',
leaked_from => "accounts_$username",
}
file { "/home/$username/shell.c":
owner => $username,
group => $username,
mode => '0644',
ensure => file,
source => 'puppet:///modules/two_shell_calls/shell.c',
}
if ('none' in $strings_to_leak ){
exec { "$username-compileandsetup1":
cwd => "/home/$username/",
command => "gcc -o shell shell.c && sudo chown $username:managers shell && sudo chmod 2755 shell",
path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
}
} else {
exec { "$username-compileandsetup2":
cwd => "/home/$username/",
command => "gcc -o shell shell.c && sudo chown $username:managers shell && sudo chmod 4750 shell",
path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
}
}
}
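Review bot: The branch on `'none' in $strings_to_leak` picks the binary's mode from a sentinel hidden in the flag list, and nothing in the manifest says why one account gets `2755` and the other `4750`. A comment on each exec would record the intent, e.g. `# no flag: setgid managers, runnable by anyone` and `# flag holder: setuid $username, runnable only by group managers` (this reading is inferred from the modes and the module's hint, please confirm). Both execs `chown` to group `managers`, which is declared in two_shell_calls::init with no explicit dependency; `require => Group['managers']` would make the ordering independent of manifest order. An explicit boolean parameter on the define would be less fragile than the `'none'` string.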


@@ -0,0 +1,20 @@
class two_shell_calls::init {
$json_inputs = base64('decode', $::base64_inputs)
$secgen_parameters = parsejson($json_inputs)
group { 'managers':
ensure => 'present',
}
$accounts = $secgen_parameters['accounts']
$accounts.each |$raw_account| {
$account = parsejson($raw_account)
$username = $account['username']
two_shell_calls::account { "two_shell_calls_$username":
username => $username,
password => $account['password'],
strings_to_leak => $account['strings_to_leak'],
leaked_filenames => $account['leaked_filenames']
}
}
}


@@ -0,0 +1,62 @@
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>2x Shell Module</name>
<author>Mihai Ordean</author>
<author>Puppet Labs</author>
<module_license>Apache v2</module_license>
<description>Creates a C file and a shell executable with permissions within two user directories. Drops a flag in a
user's home directory.
</description>
<type>system</type>
<privilege>none</privilege>
<access>local</access>
<platform>linux</platform>
<read_fact>accounts</read_fact>
<default_input into="accounts">
<generator type="account">
<input into="password">
<generator type="strong_password_generator"/>
</input>
<input into="leaked_filenames">
<value>flag.txt</value>
</input>
<input into="strings_to_leak">
<generator type="flag_generator"/>
</input>
</generator>
<generator type="account">
<input into="password">
<generator type="strong_password_generator"/>
</input>
<input into="leaked_filenames">
<value/>
</input>
<input into="strings_to_leak">
<!-- String 'none' used for setting permissions on 'shell' binary in puppet. -->
<value>none</value>
</input>
</generator>
</default_input>
<!--optional details-->
<hint>Find the 2 user accounts with '~/shell' binaries, investigate the shell.c code and their permissions. </hint>
<solution>Try to combine the two binaries to make something interesting happen.</solution>
<requires>
<module_path>utilities/unix/system/accounts</module_path>
</requires>
<!-- Need a way on to the box. -->
<requires>
<privilege>user_rwx</privilege>
</requires>
</vulnerability>


@@ -0,0 +1 @@
require two_shell_calls::init


@@ -0,0 +1,198 @@
-- MySQL dump 10.13 Distrib 5.7.17, for Linux (i686)
--
-- Host: localhost Database: csecvm
-- ------------------------------------------------------
-- Server version 5.7.17
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
--
-- Table structure for table `basket`
--
DROP TABLE IF EXISTS `basket`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `basket` (
`user_id` int(11) NOT NULL DEFAULT '0',
`product_id` int(11) NOT NULL DEFAULT '0',
`quantity` int(11) DEFAULT NULL,
PRIMARY KEY (`user_id`,`product_id`),
KEY `product_id` (`product_id`),
CONSTRAINT `basket_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`id`),
CONSTRAINT `basket_ibfk_2` FOREIGN KEY (`product_id`) REFERENCES `products` (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `basket`
--
LOCK TABLES `basket` WRITE;
/*!40000 ALTER TABLE `basket` DISABLE KEYS */;
/*!40000 ALTER TABLE `basket` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `orders`
--
DROP TABLE IF EXISTS `orders`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `orders` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`user_id` int(11) DEFAULT NULL,
`date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
`cc` varchar(16) DEFAULT NULL,
`cvv` varchar(3) DEFAULT NULL,
`expire` date DEFAULT NULL,
`outfordelivery` tinyint(1) DEFAULT '0',
PRIMARY KEY (`id`),
KEY `user_id` (`user_id`),
CONSTRAINT `orders_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `orders`
--
LOCK TABLES `orders` WRITE;
/*!40000 ALTER TABLE `orders` DISABLE KEYS */;
/*!40000 ALTER TABLE `orders` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `orders_items`
--
DROP TABLE IF EXISTS `orders_items`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `orders_items` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`order_id` int(11) DEFAULT NULL,
`product_id` int(11) DEFAULT NULL,
`quantity` int(11) DEFAULT NULL,
`price` decimal(10,0) DEFAULT NULL,
PRIMARY KEY (`id`),
KEY `order_id` (`order_id`),
KEY `product_id` (`product_id`),
CONSTRAINT `orders_items_ibfk_1` FOREIGN KEY (`order_id`) REFERENCES `orders` (`id`),
CONSTRAINT `orders_items_ibfk_2` FOREIGN KEY (`product_id`) REFERENCES `products` (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `orders_items`
--
LOCK TABLES `orders_items` WRITE;
/*!40000 ALTER TABLE `orders_items` DISABLE KEYS */;
/*!40000 ALTER TABLE `orders_items` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `products`
--
DROP TABLE IF EXISTS `products`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `products` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(128) DEFAULT NULL,
`image` varchar(128) DEFAULT NULL,
`description` text,
`price` text,
`danger` tinyint(1) DEFAULT '1',
PRIMARY KEY (`id`),
UNIQUE KEY `name` (`name`)
) ENGINE=InnoDB AUTO_INCREMENT=12 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `products`
--
LOCK TABLES `products` WRITE;
/*!40000 ALTER TABLE `products` DISABLE KEYS */;
INSERT INTO `products` VALUES (1,'A Table','/img/uploads/2015-01-02_Xgxtm2.jpg','A very big table, useful for ... putting things on and possibly eating at.','110.00',0),(2,'A Lamp','/img/uploads/2015-01-02_lzfzpK.jpg','For lighting things up in a dark room.','60.00',0),(3,'A Drinks Globe and Chair','/img/uploads/2015-01-02_rN4jBX.jpg','A Drinks Globe, something that should be in everyone\'s home!','90.00',0),(4,'Rocks of Cocaine','/img/uploads/2015-01-05_48A2N6.jpg','Lots and lots of coke!','5000.00',1),(5,'Weed','/img/uploads/2015-01-05_JYIUmP.jpg','Plenty of weed. Top quality stuff.','40.00',1),(6,'Heroin','/img/uploads/2015-01-05_MUSlKg.jpg','More Class As for you!','6000.00',1),(7,'ZeuS Source Code','/img/uploads/2015-01-05_2F6zjh.jpg','Get the source code to deploy your own botnet.','500.00',1),(8,'BlackHole Crimeware','/img/uploads/2015-01-05_lPh78V.jpg','Start a bot, maintain and control it. Your own crimewave.','800.00',1),(9,'DDOS your enemies','/img/uploads/2015-01-05_qHt6s3.jpg','We use ZeuS to DDOS a target server of your choice.','100.00',1),(10,'Web hacking','/img/uploads/2015-01-05_btQvWF.jpg','Give us a URL and you have an hour of our work to bring down a site of your choice.','50.00',1),(11,'My Little Pony','/img/uploads/2015-01-05_f7rk0d.jpg','022f844f138df4cd87af0d89189d8f57','999999.00',1);
/*!40000 ALTER TABLE `products` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `token`
--
DROP TABLE IF EXISTS `token`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `token` (
`token` varchar(256) DEFAULT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `token`
--
LOCK TABLES `token` WRITE;
/*!40000 ALTER TABLE `token` DISABLE KEYS */;
INSERT INTO `token` VALUES ('f46659047894a919ab5f43c3338811e6');
/*!40000 ALTER TABLE `token` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `users`
--
DROP TABLE IF EXISTS `users`;
/*!40101 SET @saved_cs_client = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(128) DEFAULT NULL,
`full` varchar(128) DEFAULT NULL,
`password` varchar(128) DEFAULT NULL,
`is_dealer` tinyint(1) DEFAULT '0',
`email` varchar(128) DEFAULT NULL,
`killed_on` timestamp NULL DEFAULT NULL,
`killed_by` int(11) DEFAULT NULL,
PRIMARY KEY (`id`),
UNIQUE KEY `name` (`name`),
KEY `fk_killed` (`killed_by`),
CONSTRAINT `fk_killed` FOREIGN KEY (`killed_by`) REFERENCES `users` (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `users`
--
LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES (1,'jts','John Saxon','*DC917E8329C06E9E7735775F8E8F5CF2F2AE1505',0,'j.t.saxon@cs.bham.ac.uk',NULL,NULL),(2,'tpc','Tom Chothia','*D13C4744CA50C108313F76D56E7C1C23F8844026',1,'t.chothia@cs.bham.ac.uk',NULL,NULL),(3,'csn','Chris Novakovic','*9C5B7560B497DFA8B05F1ED9E0D163FF1809DF7A',0,'c.novakovic@cs.bham.ac.uk','2015-01-02 16:39:01',2),(4,'igb','Ian Batten','*4A0F50F04E783107E072358BEB80DFD2CE206ABC',0,'i.batten@cs.bham.ac.uk','2015-01-02 16:39:01',2),(5,'air','Andreea Radu','*D03F2141E072304885CF0BB96B8E93B2F2F079E5',0,'a.i.radu@cs.bham.ac.uk',NULL,NULL),(6,'tom','tom','tom',0,'tom@bham.ac.uk',NULL,NULL);
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
-- Dump completed on 2017-03-30 15:50:25
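Review bot: The dump ships data rows that undercut the per-VM randomisation: the `INSERT INTO token` row with value `f46659047894a919ab5f43c3338811e6` is identical on every build, and the setup script then inserts the generated token as a second row, so the table holds a constant value beside the flag. The `users` rows carry what look like real names and institutional e-mail addresses together with password hashes in MySQL's unsalted `*`-prefixed format, plus one plaintext password. Replacing them with clearly fictional accounts and lab-only passwords avoids publishing recoverable credentials of real people. The 32-hex `description` of product 11 looks like another fixed flag and, if so, has the same problem as the token row.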


@@ -0,0 +1,12 @@
#!/bin/sh
USERNAME=${1}
PASSWORD=${2}
token=${3}
echo "CREATE USER '${USERNAME}'@'localhost' IDENTIFIED BY '${PASSWORD}';"| mysql --force
echo "GRANT ALL PRIVILEGES ON * . * TO '${USERNAME}'@'localhost';"| mysql --force
echo "CREATE DATABASE csecvm;"| mysql --user=${USERNAME} --password=${PASSWORD} --force
mysql --force --user=${USERNAME} --password=${PASSWORD} csecvm < ./csecvm.sql
echo "USE csecvm; INSERT INTO token VALUES ('${token}');" | mysql --force --user=${USERNAME} --password=${PASSWORD}
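Review bot: Every `${USERNAME}`, `${PASSWORD}` and `${token}` expansion is unquoted on the mysql command lines and pasted straight into the SQL text, so a generated password containing a space, quote or shell metacharacter breaks the statements, and `--force` lets the run continue without reporting it. Quote the expansions, e.g. `mysql --force --user="${USERNAME}" --password="${PASSWORD}" csecvm < ./csecvm.sql`, and restrict the generator to characters that are safe inside single-quoted SQL. `--password=` on the command line is also visible in the process list while the script runs; a `--defaults-extra-file` with mode 0600 avoids that. `GRANT ALL PRIVILEGES ON * . *` gives the web application's account full server privileges; if that is part of the exercise, a comment should say so.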


@@ -0,0 +1,89 @@
class onlinestore::install {
$json_inputs = base64('decode', $::base64_inputs)
$secgen_parameters = parsejson($json_inputs)
# Parse out parameters
$db_flag = $secgen_parameters['strings_to_leak'][0]
$admin_flag = $secgen_parameters['strings_to_leak'][1]
$root_file_flag = $secgen_parameters['strings_to_leak'][2]
$black_market_flag = $secgen_parameters['strings_to_leak'][3]
$docroot = '/var/www'
$db_username = 'csecvm'
$db_password = $secgen_parameters['db_password'][0]
package { ['mysql-client','php5-mysql']:
ensure => 'installed',
}
file { "/var/www/index.html":
ensure => absent,
}
file { "/tmp/www-data.tar.gz":
owner => root,
group => root,
mode => '0600',
ensure => file,
source => 'puppet:///modules/onlinestore/www-data.tar.gz',
notify => Exec['unpack'],
}
exec { 'unpack':
cwd => "$docroot",
command => "tar -xzf /tmp/www-data.tar.gz && chown -R www-data:www-data $docroot && chmod 0600 $docroot/mysql.php",
path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
notify => Exec['add_generated_password_to_mysql_php'],
}
# Change the default database password to our randomly generated one
exec { 'add_generated_password_to_mysql_php':
cwd => $docroot,
command => "/bin/sed -ie 's/H93AtG6akq/$db_password/g' mysql.php",
notify => Exec['setup_mysql'],
}
file { "/tmp/csecvm.sql":
owner => root,
group => root,
mode => '0600',
ensure => file,
source => 'puppet:///modules/onlinestore/csecvm.sql',
}
file { "/tmp/mysql_setup.sh":
owner => root,
group => root,
mode => '0700',
ensure => file,
source => 'puppet:///modules/onlinestore/mysql_setup.sh',
notify => Exec['setup_mysql'],
}
exec { 'setup_mysql':
cwd => "/tmp",
command => "sudo ./mysql_setup.sh $db_username $db_password $db_flag",
path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
notify => Exec['create_root_flag'],
}
exec { 'create_root_flag':
cwd => "/home/vagrant",
command => "echo '$root_file_flag' > /webroot && chown -f root:root /webroot && chmod -f 0600 /webroot",
path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
notify => Exec['create_admin_flag'],
}
exec { 'create_admin_flag':
cwd => "$docroot",
command => "echo '$admin_flag' > ./.admin && chown -f www-data:www-data ./.admin && chmod -f 0600 ./.admin",
path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
notify => Exec['create_black_market_flag'],
}
exec { 'create_black_market_flag':
cwd => "$docroot",
command => "echo '$black_market_flag' > ./.marketToken && chown -f www-data:www-data ./.marketToken && chmod -f 0600 ./.marketToken",
path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
}
}
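Review bot: In `add_generated_password_to_mysql_php`, GNU sed parses `-ie` as `-i` with backup suffix `e`, so it leaves a copy of the original file as `mysql.phpe` in the docroot, where the web server may serve it as plain text. The generated password is also pasted into the sed replacement and, in `setup_mysql`, onto an unquoted command line, so a `/`, `&`, quote or space in it corrupts the edit or the argument list. Use `command => "/bin/sed -i -e 's/H93AtG6akq/$db_password/g' mysql.php"` and constrain or escape the password before interpolating it. None of the execs in the notify chain sets `refreshonly => true`, so all of them rerun on every Puppet run, not only when the notifying resource changes.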


@@ -0,0 +1 @@
include onlinestore::install


@@ -0,0 +1,39 @@
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>Online store website</name>
<author>Mihai Ordean</author>
<module_license>MIT</module_license>
<description>Online store website</description>
<type>webapp</type>
<privilege>info_leak</privilege>
<access>remote</access>
<platform>linux</platform>
<read_fact>strings_to_leak</read_fact>
<read_fact>db_password</read_fact>
<!--strings_to_leak contains the following flags: -->
<default_input into="strings_to_leak">
<generator type="flag_generator"/> <!-- [0]: db_flag -->
<generator type="flag_generator"/> <!-- [1]: admin_flag -->
<generator type="flag_generator"/> <!-- [2]: root_file_flag -->
<generator type="flag_generator"/> <!-- [3]: black_market_flag -->
</default_input>
<default_input into="db_password">
<generator type="strong_password_generator"/>
</default_input>
<conflict>
<type>webapp</type>
</conflict>
<requires>
<module_path>modules/services/unix/http/lamp</module_path>
</requires>
</vulnerability>


@@ -0,0 +1,16 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<system>
<system_name>symlinks</system_name>
<base platform="linux"/>
<vulnerability module_path=".*onlinestore" />
<network type="private_network" range="dhcp"/>
</system>
</scenario>
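Review bot: `<system_name>symlinks</system_name>` in this scenario does not match the module it loads (`.*onlinestore`), and the two_shell_calls scenario further down has the same copy-paste problem with `<system_name>ssh_leaked_keys</system_name>`. Names that do not match the loaded module make the generated systems hard to tell apart in output and logs. Suggested values are `<system_name>onlinestore</system_name>` here and `<system_name>two_shell_calls</system_name>` in the other file.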


@@ -0,0 +1,16 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<system>
<system_name>symlinks</system_name>
<base platform="linux"/>
<vulnerability module_path=".*symlinks" />
<network type="private_network" range="dhcp"/>
</system>
</scenario>


@@ -0,0 +1,16 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<system>
<system_name>ssh_leaked_keys</system_name>
<base platform="linux"/>
<vulnerability module_path=".*two_shell_calls"/>
<network type="private_network" range="dhcp"/>
</system>
</scenario>


@@ -9,7 +9,9 @@
<!--base platform="linux" distro="Debian 8.2"/-->
<base platform="linux" distro="Debian 7.8"/>
<utility module_path=".*gnome"/>
<!--utility module_path=".*gnome"/-->
<!--utility module_path=".*xfce"/-->
<!--utility module_path=".*user_accounts"/-->
<vulnerability module_path=".*parameterised_accounts">
<input into="accounts">
@@ -36,20 +38,57 @@
<vulnerability module_path=".*ssh_leaked_keys">
<input into="accounts">
<generator type="account">
<input into="leaked_filenames">
<value>flag.txt</value>
<input into="username">
<value>davebakon</value>
</input>
<input into="password">
<generator module_path="modules/generators/random/random_base64"/>
</input>
<input into="leaked_filenames">
<value>flag.txt</value>
</input>
<input into="strings_to_leak">
<generator module_path="modules/generators/random/random_base64"/>
</input>
</generator>
</input>
</vulnerability>
<vulnerability module_path=".*two_shell_calls">
<input into="accounts">
<generator type="account">
<input into="username">
<value>jakkinkade</value>
</input>
<input into="password">
<generator module_path="modules/generators/random/random_base64"/>
</input>
<input into="leaked_filenames">
<value>flag.txt</value>
</input>
<input into="strings_to_leak">
<generator module_path="modules/generators/random/random_base64"/>
</input>
</generator>
<generator type="account">
<input into="username">
<value>nickadler</value>
</input>
<input into="password">
<generator module_path="modules/generators/random/random_base64"/>
</input>
<input into="strings_to_leak">
<value>none</value>
</input>
<input into="leaked_filenames">
<value></value>
</input>
</generator>
</input>
</vulnerability>
<vulnerability module_path=".*symlinks" />
<vulnerability module_path=".*onlinestore" />
<network type="private_network" range="dhcp"/>
</system>