diff --git a/modules/generators/passwords/random_weak_password/secgen_local/local.rb b/modules/generators/passwords/random_weak_password/secgen_local/local.rb index c9244383c..da5a1d971 100644 --- a/modules/generators/passwords/random_weak_password/secgen_local/local.rb +++ b/modules/generators/passwords/random_weak_password/secgen_local/local.rb @@ -14,9 +14,9 @@ class WeakPasswordGenerator < StringGenerator all_words = nouns + male_names + female_names - # only keep words 3-6 characters + # only keep words 3-5 characters all_words.delete_if { |word| - word.length >=7 || word.length <= 2 + word.length >=6 || word.length <= 2 } self.outputs << all_words.sample.chomp end diff --git a/modules/vulnerabilities/unix/system/symlinks/files/prompt.c b/modules/vulnerabilities/unix/system/symlinks/files/prompt.c new file mode 100644 index 000000000..e9a1b65b7 --- /dev/null +++ b/modules/vulnerabilities/unix/system/symlinks/files/prompt.c 
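Review bot: The length filter in the `delete_if` block runs before `.chomp`, so if the word lists still carry their trailing newline (the `.chomp` on the sampled word suggests they do), the bounds count that newline and the generator emits 2-4 visible characters rather than the 3-5 the new comment states. Chomping first keeps the comment and the behaviour aligned, for example `all_words = (nouns + male_names + female_names).map(&:chomp)` ahead of the filter. The method starts above this hunk, so how the lists are read is not visible here.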
@@ -0,0 +1,78 @@
+#include
+#include
+#include
+#include
+#include
+
+int
+main(int argc, char **argv)
+{
+ FILE *f;
+ char b[BUFSIZ], c[BUFSIZ];
+ struct stat s;
+
+ // called correctly?
+ if(argc != 2) {
+ fprintf(stderr, "Usage: %s \n", argv[0]);
+ exit(1);
+ }
+
+ // get the stat info for the file
+ if(stat(argv[1], &s) != 0) {
+ puts(strerror(errno));
+ exit(2);
+ }
+
+ // are 'others' allowed to read it?
+ if((s.st_mode & S_IROTH) != S_IROTH) {
+ puts(strerror(EPERM));
+ exit(3);
+ }
+
+ // so far so good ...
+ fputs("The file is accessible by all. Press ENTER to print its contents.", stdout);
+ do {
+ // read in a line from the command line
+ if(fgets(c, BUFSIZ, stdin) == NULL) {
+ if(feof(stdin)) { // stdin closed?
+ break;
+ } else {
+ // we have a problem
+ puts(strerror(errno));
+ exit(4);
+ }
+ }
+
+ // remove final enter
+ c[strlen(c) - 1] = '\0';
+ if(strlen(c) == 0) { // an enter will have zero characters
+ // open the file
+ if((f = fopen(argv[1], "r")) == NULL) {
+ puts(strerror(errno));
+ exit(4);
+ }
+
+ // read the entire file
+ while(fgets(b, BUFSIZ, f) != NULL) {
+ fputs(b, stdout); // print to console
+ }
+
+ // did we end cleanly?
+ if(feof(f)) {
+ fclose(f);
+ } else {
+ // no we did not.
+ puts(strerror(errno));
+ exit(5);
+ }
+
+ break;
+ } else {
+ // round again
+ fputs("Press ENTER to print its contents.", stdout);
+ }
+ // we can quit if we like.
+ } while(strncmp(c, "quit", 5) != 0);
+
+ return 0;
+}
diff --git a/modules/vulnerabilities/unix/system/symlinks/manifests/account.pp b/modules/vulnerabilities/unix/system/symlinks/manifests/account.pp
new file mode 100644
index 000000000..0393b6394
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/symlinks/manifests/account.pp
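Review bot: `c[strlen(c) - 1] = '\0';` writes one byte before `c` when `fgets()` hands back an empty string (a line whose first byte is NUL), and it removes a real character when the last line has no trailing newline. The module's `account.pp` installs this binary setgid `shadow`, so the only flaw left in it should be the one the exercise is built around, which from the module description appears to be the gap between the `stat()` check and the later `fopen()`. I would use `c[strcspn(c, "\n")] = '\0';` instead and add a comment above the `stat()` call such as `// deliberate for the exercise: the file is checked here but opened later by name`. The `#include` targets are missing from this rendering of the hunk, so I could not confirm that `<string.h>` is among them.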
@@ -0,0 +1,38 @@
+define symlinks::account($username, $password, $strings_to_leak, $leaked_filenames) {
+ ::accounts::user { $username:
+ shell => '/bin/bash',
+ password => pw_hash($password, 'SHA-512', 'mysalt'),
+ managehome => true,
+ home_mode => '0755',
+ }
+
+ # strings_to_leak[0]: flag in shadow file
+ $shadow_flag = $strings_to_leak[0]
+ exec{ 'append_flag_to_etc_shadow':
+ command => "/bin/echo '$shadow_flag' >> /etc/shadow"
+ }
+
+ # strings_to_leak[1]: flag in /home//flag.txt
+ ::secgen_functions::leak_files { "$username-file-leak":
+ storage_directory => "/home/$username/",
+ leaked_filenames => $leaked_filenames,
+ strings_to_leak => [$strings_to_leak[1]],
+ owner => $username,
+ mode => '0600',
+ leaked_from => "accounts_$username",
+ }
+
+ file { "/home/$username/prompt.c":
+ owner => $username,
+ group => $username,
+ mode => '0644',
+ ensure => file,
+ source => 'puppet:///modules/symlinks/prompt.c',
+ }
+
+ exec { "$username-compileandsetup1":
+ cwd => "/home/$username/",
+ command => "gcc -o prompt prompt.c && sudo chown $username:shadow prompt && sudo chmod 2755 prompt",
+ path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+ }
+}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/symlinks/manifests/init.pp b/modules/vulnerabilities/unix/system/symlinks/manifests/init.pp
new file mode 100644
index 000000000..952afa523
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/symlinks/manifests/init.pp
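Review bot: The `exec` titled `'append_flag_to_etc_shadow'` has a fixed title inside a defined type, so a scenario with more than one account declares it twice and catalog compilation fails with a duplicate declaration; `init.pp` in this module iterates over every entry in `accounts`. It also has no guard, so each Puppet run appends the flag line to `/etc/shadow` again. I would title it per user and make it idempotent: `exec { "$username-append_flag_to_etc_shadow":` with `unless => "/bin/grep -qF '$shadow_flag' /etc/shadow",`. `$shadow_flag` is placed inside a single-quoted shell string, so a generated flag containing `'` would break the command; it is worth confirming the flag generators cannot emit one.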
@@ -0,0 +1,16 @@ +class symlinks::init { + $json_inputs = base64('decode', $::base64_inputs) + $secgen_parameters = parsejson($json_inputs) + + $accounts = $secgen_parameters['accounts'] + $accounts.each |$raw_account| { + $account = parsejson($raw_account) + $username = $account['username'] + symlinks::account { "symlinks_$username": + username => $username, + password => $account['password'], + strings_to_leak => $account['strings_to_leak'], + leaked_filenames => $account['leaked_filenames'] + } + } +} \ No newline at end of file diff --git a/modules/vulnerabilities/unix/system/symlinks/secgen_metadata.xml b/modules/vulnerabilities/unix/system/symlinks/secgen_metadata.xml new file mode 100644 index 000000000..55ed23c46 --- /dev/null +++ b/modules/vulnerabilities/unix/system/symlinks/secgen_metadata.xml @@ -0,0 +1,47 @@ + + + + symlinks + Mihai Ordean + Puppet Labs + Apache v2 + exploits symlink to shadow, weak password so users can crack the hash + + system + none + local + linux + + accounts + + + + + carolmiller + + + + + + + flag.txt + + + + + + + + + + utilities/unix/system/accounts + + + + + user_rwx + + + \ No newline at end of file diff --git a/modules/vulnerabilities/unix/system/symlinks/symlinks.pp b/modules/vulnerabilities/unix/system/symlinks/symlinks.pp new file mode 100644 index 000000000..7a83573c9 --- /dev/null +++ b/modules/vulnerabilities/unix/system/symlinks/symlinks.pp @@ -0,0 +1 @@ +require symlinks::init \ No newline at end of file diff --git a/modules/vulnerabilities/unix/system/two_shell_calls/files/shell.c b/modules/vulnerabilities/unix/system/two_shell_calls/files/shell.c new file mode 100644 index 000000000..9debacdc3 --- /dev/null +++ b/modules/vulnerabilities/unix/system/two_shell_calls/files/shell.c 
@@ -0,0 +1,37 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+int
+main(int argc, char **argv)
+{
+ pid_t pid;
+ int status;
+
+ // used correctly?
+ if(argc < 2) {
+ fprintf(stderr, "Usage:\n\t%1$s \nExamples:\n\t%1$s ls\n\t%1$s cat /etc/groups\n", argv[0]);
+ exit(1);
+ }
+
+ // fork the process
+ if((pid = fork()) < 0) {
+ fprintf(stderr, "%s\n", strerror(errno));
+ exit(1);
+ } else if(pid == 0) {
+ // execute the command given in the child
+ if(execvp(argv[1], &argv[1]) < 0) {
+ fprintf(stderr, "%s\n", strerror(errno));
+ exit(1); // failed
+ }
+ } else {
+ // wait for the child to finish
+ while(wait(&status) != pid);
+ exit(status); // return the status of the childe
+ }
+
+ return 0;
+}
diff --git a/modules/vulnerabilities/unix/system/two_shell_calls/manifests/account.pp b/modules/vulnerabilities/unix/system/two_shell_calls/manifests/account.pp
new file mode 100644
index 000000000..8a031c9c2
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/two_shell_calls/manifests/account.pp
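Review bot: `exit(status)` passes the raw `wait()` status word to `exit()`, which keeps only the low eight bits, so a child that exits with code 1 (status 0x0100 on Linux) makes the wrapper report success. The loop `while(wait(&status) != pid);` also spins forever if `wait()` returns -1. I would use `if (waitpid(pid, &status, 0) < 0) exit(1);` followed by `exit(WIFEXITED(status) ? WEXITSTATUS(status) : 1);`. Since `account.pp` installs this binary setuid or setgid, a comment above `execvp()` stating that the unrestricted command execution is the exercise's deliberate flaw would help the next maintainer.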
@@ -0,0 +1,42 @@
+define two_shell_calls::account($username, $password, $strings_to_leak, $leaked_filenames) {
+ ::accounts::user { $username:
+ shell => '/bin/bash',
+ password => pw_hash($password, 'SHA-512', 'mysalt'),
+ managehome => true,
+ home_mode => '0755',
+ }
+
+ # Leak strings in a text file in the users home directory
+ ::secgen_functions::leak_files { "$username-file-leak":
+ storage_directory => "/home/$username/",
+ leaked_filenames => $leaked_filenames,
+ strings_to_leak => $strings_to_leak,
+ owner => $username,
+ group => 'managers',
+ mode => '0600',
+ leaked_from => "accounts_$username",
+ }
+
+ file { "/home/$username/shell.c":
+ owner => $username,
+ group => $username,
+ mode => '0644',
+ ensure => file,
+ source => 'puppet:///modules/two_shell_calls/shell.c',
+ }
+
+ if ('none' in $strings_to_leak ){
+ exec { "$username-compileandsetup1":
+ cwd => "/home/$username/",
+ command => "gcc -o shell shell.c && sudo chown $username:managers shell && sudo chmod 2755 shell",
+ path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+ }
+ } else {
+ exec { "$username-compileandsetup2":
+ cwd => "/home/$username/",
+ command => "gcc -o shell shell.c && sudo chown $username:managers shell && sudo chmod 4750 shell",
+ path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/system/two_shell_calls/manifests/init.pp b/modules/vulnerabilities/unix/system/two_shell_calls/manifests/init.pp
new file mode 100644
index 000000000..45bb95be4
--- /dev/null
+++ b/modules/vulnerabilities/unix/system/two_shell_calls/manifests/init.pp
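Review bot: The two `exec` branches differ only in the mode passed to `chmod` (`2755` versus `4750`), and nothing explains why the sentinel string `'none'` in `$strings_to_leak` selects one or the other. I would compute the mode once, `$shell_mode = ('none' in $strings_to_leak) ? { true => '2755', default => '4750' }`, keep a single `exec`, and add a comment above it saying which account gets the setgid `managers` binary and which gets the setuid one; the hint in `secgen_metadata.xml` suggests the exercise depends on that pairing. Neither `exec` has a `creates` or `unless` guard, so the compile and the permission change rerun on every Puppet run.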
@@ -0,0 +1,20 @@ +class two_shell_calls::init { + $json_inputs = base64('decode', $::base64_inputs) + $secgen_parameters = parsejson($json_inputs) + + group { 'managers': + ensure => 'present', + } + + $accounts = $secgen_parameters['accounts'] + $accounts.each |$raw_account| { + $account = parsejson($raw_account) + $username = $account['username'] + two_shell_calls::account { "two_shell_calls_$username": + username => $username, + password => $account['password'], + strings_to_leak => $account['strings_to_leak'], + leaked_filenames => $account['leaked_filenames'] + } + } +} \ No newline at end of file diff --git a/modules/vulnerabilities/unix/system/two_shell_calls/secgen_metadata.xml b/modules/vulnerabilities/unix/system/two_shell_calls/secgen_metadata.xml new file mode 100644 index 000000000..38bcf066a --- /dev/null +++ b/modules/vulnerabilities/unix/system/two_shell_calls/secgen_metadata.xml @@ -0,0 +1,62 @@ + + + + 2x Shell Module + Mihai Ordean + Puppet Labs + Apache v2 + Creates a C file and a shell executable with permissions within two user directories. Drops a flag in a + user's home directory. + + + system + none + local + linux + + accounts + + + + + + + + + flag.txt + + + + + + + + + + + + + + + + none + + + + + + Find the 2 user accounts with '~/shell' binaries, investigate the shell.c code and their permissions. + Try to combine the two binaries to make something interesting happen. + + + utilities/unix/system/accounts + + + + + user_rwx + + + \ No newline at end of file diff --git a/modules/vulnerabilities/unix/system/two_shell_calls/two_shell_calls.pp b/modules/vulnerabilities/unix/system/two_shell_calls/two_shell_calls.pp new file mode 100644 index 000000000..7eebc85b3 --- /dev/null +++ b/modules/vulnerabilities/unix/system/two_shell_calls/two_shell_calls.pp @@ -0,0 +1 @@ +require two_shell_calls::init \ No newline at end of file 
diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/files/csecvm.sql b/modules/vulnerabilities/unix/webapp/onlinestore/files/csecvm.sql
new file mode 100644
index 000000000..aa7bde748
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/onlinestore/files/csecvm.sql
@@ -0,0 +1,198 @@ +-- MySQL dump 10.13 Distrib 5.7.17, for Linux (i686) +-- +-- Host: localhost Database: csecvm +-- ------------------------------------------------------ +-- Server version 5.7.17 + +/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; +/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; +/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; +/*!40101 SET NAMES utf8 */; +/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; +/*!40103 SET TIME_ZONE='+00:00' */; +/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; +/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; +/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; +/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; + +-- +-- Table structure for table `basket` +-- + +DROP TABLE IF EXISTS `basket`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `basket` ( + `user_id` int(11) NOT NULL DEFAULT '0', + `product_id` int(11) NOT NULL DEFAULT '0', + `quantity` int(11) DEFAULT NULL, + PRIMARY KEY (`user_id`,`product_id`), + KEY `product_id` (`product_id`), + CONSTRAINT `basket_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`id`), + CONSTRAINT `basket_ibfk_2` FOREIGN KEY (`product_id`) REFERENCES `products` (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `basket` +-- + +LOCK TABLES `basket` WRITE; +/*!40000 ALTER TABLE `basket` DISABLE KEYS */; +/*!40000 ALTER TABLE `basket` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `orders` +-- + +DROP TABLE IF EXISTS `orders`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `orders` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `user_id` int(11) DEFAULT NULL, + `date` timestamp NOT NULL DEFAULT 
CURRENT_TIMESTAMP, + `cc` varchar(16) DEFAULT NULL, + `cvv` varchar(3) DEFAULT NULL, + `expire` date DEFAULT NULL, + `outfordelivery` tinyint(1) DEFAULT '0', + PRIMARY KEY (`id`), + KEY `user_id` (`user_id`), + CONSTRAINT `orders_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `orders` +-- + +LOCK TABLES `orders` WRITE; +/*!40000 ALTER TABLE `orders` DISABLE KEYS */; +/*!40000 ALTER TABLE `orders` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `orders_items` +-- + +DROP TABLE IF EXISTS `orders_items`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `orders_items` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `order_id` int(11) DEFAULT NULL, + `product_id` int(11) DEFAULT NULL, + `quantity` int(11) DEFAULT NULL, + `price` decimal(10,0) DEFAULT NULL, + PRIMARY KEY (`id`), + KEY `order_id` (`order_id`), + KEY `product_id` (`product_id`), + CONSTRAINT `orders_items_ibfk_1` FOREIGN KEY (`order_id`) REFERENCES `orders` (`id`), + CONSTRAINT `orders_items_ibfk_2` FOREIGN KEY (`product_id`) REFERENCES `products` (`id`) +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `orders_items` +-- + +LOCK TABLES `orders_items` WRITE; +/*!40000 ALTER TABLE `orders_items` DISABLE KEYS */; +/*!40000 ALTER TABLE `orders_items` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `products` +-- + +DROP TABLE IF EXISTS `products`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `products` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `name` varchar(128) DEFAULT NULL, + `image` varchar(128) DEFAULT NULL, + `description` text, + `price` text, + `danger` tinyint(1) DEFAULT '1', + PRIMARY KEY (`id`), + 
UNIQUE KEY `name` (`name`) +) ENGINE=InnoDB AUTO_INCREMENT=12 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `products` +-- + +LOCK TABLES `products` WRITE; +/*!40000 ALTER TABLE `products` DISABLE KEYS */; +INSERT INTO `products` VALUES (1,'A Table','/img/uploads/2015-01-02_Xgxtm2.jpg','A very big table, useful for ... putting things on and possibly eating at.','110.00',0),(2,'A Lamp','/img/uploads/2015-01-02_lzfzpK.jpg','For lighting things up in a dark room.','60.00',0),(3,'A Drinks Globe and Chair','/img/uploads/2015-01-02_rN4jBX.jpg','A Drinks Globe, something that should be in everyone\'s home!','90.00',0),(4,'Rocks of Cocaine','/img/uploads/2015-01-05_48A2N6.jpg','Lots and lots of coke!','5000.00',1),(5,'Weed','/img/uploads/2015-01-05_JYIUmP.jpg','Plenty of weed. Top quality stuff.','40.00',1),(6,'Heroin','/img/uploads/2015-01-05_MUSlKg.jpg','More Class As for you!','6000.00',1),(7,'ZeuS Source Code','/img/uploads/2015-01-05_2F6zjh.jpg','Get the source code to deploy your own botnet.','500.00',1),(8,'BlackHole Crimeware','/img/uploads/2015-01-05_lPh78V.jpg','Start a bot, maintain and control it. 
Your own crimewave.','800.00',1),(9,'DDOS your enemies','/img/uploads/2015-01-05_qHt6s3.jpg','We use ZeuS to DDOS a target server of your choice.','100.00',1),(10,'Web hacking','/img/uploads/2015-01-05_btQvWF.jpg','Give us a URL and you have an hour of our work to bring down a site of your choice.','50.00',1),(11,'My Little Pony','/img/uploads/2015-01-05_f7rk0d.jpg','022f844f138df4cd87af0d89189d8f57','999999.00',1); +/*!40000 ALTER TABLE `products` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `token` +-- + +DROP TABLE IF EXISTS `token`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `token` ( + `token` varchar(256) DEFAULT NULL +) ENGINE=MyISAM DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `token` +-- + +LOCK TABLES `token` WRITE; +/*!40000 ALTER TABLE `token` DISABLE KEYS */; +INSERT INTO `token` VALUES ('f46659047894a919ab5f43c3338811e6'); +/*!40000 ALTER TABLE `token` ENABLE KEYS */; +UNLOCK TABLES; + +-- +-- Table structure for table `users` +-- + +DROP TABLE IF EXISTS `users`; +/*!40101 SET @saved_cs_client = @@character_set_client */; +/*!40101 SET character_set_client = utf8 */; +CREATE TABLE `users` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `name` varchar(128) DEFAULT NULL, + `full` varchar(128) DEFAULT NULL, + `password` varchar(128) DEFAULT NULL, + `is_dealer` tinyint(1) DEFAULT '0', + `email` varchar(128) DEFAULT NULL, + `killed_on` timestamp NULL DEFAULT NULL, + `killed_by` int(11) DEFAULT NULL, + PRIMARY KEY (`id`), + UNIQUE KEY `name` (`name`), + KEY `fk_killed` (`killed_by`), + CONSTRAINT `fk_killed` FOREIGN KEY (`killed_by`) REFERENCES `users` (`id`) +) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1; +/*!40101 SET character_set_client = @saved_cs_client */; + +-- +-- Dumping data for table `users` +-- + +LOCK TABLES `users` WRITE; +/*!40000 ALTER TABLE `users` DISABLE KEYS */; 
+INSERT INTO `users` VALUES (1,'jts','John Saxon','*DC917E8329C06E9E7735775F8E8F5CF2F2AE1505',0,'j.t.saxon@cs.bham.ac.uk',NULL,NULL),(2,'tpc','Tom Chothia','*D13C4744CA50C108313F76D56E7C1C23F8844026',1,'t.chothia@cs.bham.ac.uk',NULL,NULL),(3,'csn','Chris Novakovic','*9C5B7560B497DFA8B05F1ED9E0D163FF1809DF7A',0,'c.novakovic@cs.bham.ac.uk','2015-01-02 16:39:01',2),(4,'igb','Ian Batten','*4A0F50F04E783107E072358BEB80DFD2CE206ABC',0,'i.batten@cs.bham.ac.uk','2015-01-02 16:39:01',2),(5,'air','Andreea Radu','*D03F2141E072304885CF0BB96B8E93B2F2F079E5',0,'a.i.radu@cs.bham.ac.uk',NULL,NULL),(6,'tom','tom','tom',0,'tom@bham.ac.uk',NULL,NULL); +/*!40000 ALTER TABLE `users` ENABLE KEYS */; +UNLOCK TABLES; +/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; + +/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; +/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; +/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; +/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; +/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; +/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; +/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; + +-- Dump completed on 2017-03-30 15:50:25 diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/files/mysql_setup.sh b/modules/vulnerabilities/unix/webapp/onlinestore/files/mysql_setup.sh new file mode 100644 index 000000000..8e158345f --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/onlinestore/files/mysql_setup.sh 
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+USERNAME=${1}
+PASSWORD=${2}
+token=${3}
+
+echo "CREATE USER '${USERNAME}'@'localhost' IDENTIFIED BY '${PASSWORD}';"| mysql --force
+echo "GRANT ALL PRIVILEGES ON * . * TO '${USERNAME}'@'localhost';"| mysql --force
+echo "CREATE DATABASE csecvm;"| mysql --user=${USERNAME} --password=${PASSWORD} --force
+mysql --force --user=${USERNAME} --password=${PASSWORD} csecvm < ./csecvm.sql
+
+echo "USE csecvm; INSERT INTO token VALUES ('${token}');" | mysql --force --user=${USERNAME} --password=${PASSWORD}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/files/www-data.tar.gz b/modules/vulnerabilities/unix/webapp/onlinestore/files/www-data.tar.gz
new file mode 100644
index 000000000..daa7fade7
Binary files /dev/null and b/modules/vulnerabilities/unix/webapp/onlinestore/files/www-data.tar.gz differ
diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/manifests/install.pp b/modules/vulnerabilities/unix/webapp/onlinestore/manifests/install.pp
new file mode 100644
index 000000000..ccd34d5b8
--- /dev/null
+++ b/modules/vulnerabilities/unix/webapp/onlinestore/manifests/install.pp
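Review bot: Every `${USERNAME}`, `${PASSWORD}` and `${token}` expansion is unquoted on the `mysql` command lines and pasted straight into the SQL text, so a generated value containing whitespace, a shell metacharacter or `'` breaks the command or the statement. Quote the expansions, `mysql --force --user="${USERNAME}" --password="${PASSWORD}"`, and confirm the generators that feed this script cannot emit a single quote. A password given as `--password=` on the command line can also be seen by other local users in the process list while the script runs. Separately, `csecvm.sql` already inserts a fixed row into `token`, so after the final `INSERT` the table holds two values, one of them identical on every generated VM.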
@@ -0,0 +1,89 @@
+class onlinestore::install {
+ $json_inputs = base64('decode', $::base64_inputs)
+ $secgen_parameters = parsejson($json_inputs)
+
+ # Parse out parameters
+ $db_flag = $secgen_parameters['strings_to_leak'][0]
+ $admin_flag = $secgen_parameters['strings_to_leak'][1]
+ $root_file_flag = $secgen_parameters['strings_to_leak'][2]
+ $black_market_flag = $secgen_parameters['strings_to_leak'][3]
+
+ $docroot = '/var/www'
+ $db_username = 'csecvm'
+ $db_password = $secgen_parameters['db_password'][0]
+
+ package { ['mysql-client','php5-mysql']:
+ ensure => 'installed',
+ }
+
+ file { "/var/www/index.html":
+ ensure => absent,
+ }
+
+ file { "/tmp/www-data.tar.gz":
+ owner => root,
+ group => root,
+ mode => '0600',
+ ensure => file,
+ source => 'puppet:///modules/onlinestore/www-data.tar.gz',
+ notify => Exec['unpack'],
+ }
+
+ exec { 'unpack':
+ cwd => "$docroot",
+ command => "tar -xzf /tmp/www-data.tar.gz && chown -R www-data:www-data $docroot && chmod 0600 $docroot/mysql.php",
+ path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+ notify => Exec['add_generated_password_to_mysql_php'],
+ }
+
+ # Change the default database password to our randomly generated one
+ exec { 'add_generated_password_to_mysql_php':
+ cwd => $docroot,
+ command => "/bin/sed -ie 's/H93AtG6akq/$db_password/g' mysql.php",
+ notify => Exec['setup_mysql'],
+ }
+
+ file { "/tmp/csecvm.sql":
+ owner => root,
+ group => root,
+ mode => '0600',
+ ensure => file,
+ source => 'puppet:///modules/onlinestore/csecvm.sql',
+ }
+
+ file { "/tmp/mysql_setup.sh":
+ owner => root,
+ group => root,
+ mode => '0700',
+ ensure => file,
+ source => 'puppet:///modules/onlinestore/mysql_setup.sh',
+ notify => Exec['setup_mysql'],
+ }
+
+ exec { 'setup_mysql':
+ cwd => "/tmp",
+ command => "sudo ./mysql_setup.sh $db_username $db_password $db_flag",
+ path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+ notify => Exec['create_root_flag'],
+ }
+
+ exec { 'create_root_flag':
+ cwd => 
"/home/vagrant", + command => "echo '$root_file_flag' > /webroot && chown -f root:root /webroot && chmod -f 0600 /webroot", + path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ], + notify => Exec['create_admin_flag'], + } + + exec { 'create_admin_flag': + cwd => "$docroot", + command => "echo '$admin_flag' > ./.admin && chown -f www-data:www-data ./.admin && chmod -f 0600 ./.admin", + path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ], + notify => Exec['create_black_market_flag'], + } + + exec { 'create_black_market_flag': + cwd => "$docroot", + command => "echo '$black_market_flag' > ./.marketToken && chown -f www-data:www-data ./.marketToken && chmod -f 0600 ./.marketToken", + path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ], + } +} \ No newline at end of file diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/onlinestore.pp b/modules/vulnerabilities/unix/webapp/onlinestore/onlinestore.pp new file mode 100644 index 000000000..09c493165 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/onlinestore/onlinestore.pp @@ -0,0 +1 @@ +include onlinestore::install \ No newline at end of file diff --git a/modules/vulnerabilities/unix/webapp/onlinestore/secgen_metadata.xml b/modules/vulnerabilities/unix/webapp/onlinestore/secgen_metadata.xml new file mode 100644 index 000000000..075b25d76 --- /dev/null +++ b/modules/vulnerabilities/unix/webapp/onlinestore/secgen_metadata.xml @@ -0,0 +1,39 @@ + + + + Online store website + Mihai Ordean + MIT + Online store website + + webapp + info_leak + remote + linux + + strings_to_leak + db_password + + + + + + + + + + + + + + + webapp + + + + modules/services/unix/http/lamp + + + \ No newline at end of file diff --git a/scenarios/examples/vulnerability_examples/online_store.xml b/scenarios/examples/vulnerability_examples/online_store.xml new file mode 100644 index 000000000..30f6ec33f --- /dev/null +++ b/scenarios/examples/vulnerability_examples/online_store.xml 
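Review bot: In `add_generated_password_to_mysql_php`, `sed -ie` is parsed as `-i` with backup suffix `e`, so the pre-substitution file is kept as `mysql.phpe` in `$docroot`, and a web server will probably serve that name as plain text. Use `command => "/bin/sed -i -e 's/H93AtG6akq/$db_password/g' mysql.php",`. `$db_password` is substituted into the sed expression unescaped, so a generated password containing `/` or `&` would corrupt the replacement. None of the notified `exec` resources sets `refreshonly => true`, so the `notify` chain does not gate them and they run on every Puppet apply.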
@@ -0,0 +1,16 @@ + + + + + + symlinks + + + + + + + + diff --git a/scenarios/examples/vulnerability_examples/symlinks.xml b/scenarios/examples/vulnerability_examples/symlinks.xml new file mode 100644 index 000000000..506372c22 --- /dev/null +++ b/scenarios/examples/vulnerability_examples/symlinks.xml @@ -0,0 +1,16 @@ + + + + + + symlinks + + + + + + + + diff --git a/scenarios/examples/vulnerability_examples/two_shell_calls.xml b/scenarios/examples/vulnerability_examples/two_shell_calls.xml new file mode 100644 index 000000000..23034e300 --- /dev/null +++ b/scenarios/examples/vulnerability_examples/two_shell_calls.xml @@ -0,0 +1,16 @@ + + + + + + ssh_leaked_keys + + + + + + + + diff --git a/scenarios/seccourse.xml b/scenarios/seccourse.xml index 96b045ea4..8d8a8ea43 100644 --- a/scenarios/seccourse.xml +++ b/scenarios/seccourse.xml @@ -9,7 +9,9 @@ - + + + @@ -36,20 +38,57 @@ - - flag.txt + + davebakon + + flag.txt + + + + + + + jakkinkade + + + + + + flag.txt + + + + + + + + nickadler + + + + + + none + + + + + + + - + +