digital-forensics-labs/SecGen
1
0
Fork 0
mirror of https://github.com/cliffe/SecGen.git synced 2026-02-21 11:18:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #277 from JD2344/glpi-ctf

Browse Source 
CTF Scenarios
This commit is contained in:
Cliffe
2023-04-27 17:28:34 +01:00
committed by GitHub
parent ea03be1e5f 8f361d36f1
commit 49012a6969
5 changed files with 506 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
scenarios/ctf/administration_woes.xml Normal file
View File

@@ -0,0 +1,103 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Automation Woes</name>
<author>James Davis</author>
<description>
There is a process hosted on a remote server that is vulnerable to exploit.
Find a way in then escalate to root.
</description>
<type>ctf</type>
<type>attack-ctf</type>
<difficulty>intermediate</difficulty>
<CyBOK KA="MAT" topic="Attacks and exploitation">
<keyword>EXPLOITATION</keyword>
<keyword>EXPLOITATION FRAMEWORKS</keyword>
</CyBOK>
<CyBOK KA="SS" topic="Categories of Vulnerabilities">
<keyword>CVEs and CWEs</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
<keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
</CyBOK>
<CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
<keyword>server-side misconfiguration and vulnerable components</keyword>
<keyword>Serialized objects</keyword>
</CyBOK>
<CyBOK KA="AAA" topic="Authorisation">
<keyword>access control</keyword>
<keyword>Elevated privileges</keyword>
<keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
</CyBOK>
<CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
<keyword>Access controls and operating systems</keyword>
<keyword>Linux security model</keyword>
</CyBOK>
<system>
<system_name>server</system_name>
<base distro="Debian 10" type="desktop" name="KDE" />
<vulnerability module_path=".*/jenkins_cli">
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
<input into="strings_to_pre_leak">
<encoder type="^(ascii|alpha)_reversible$" difficulty="low">
<input into="strings_to_encode">
<generator type="flag_generator" />
</input>
</encoder>
</input>
</vulnerability>
<vulnerability module_path=".*/writable_groups"></vulnerability>
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>attack_vm</system_name>
<base distro="Kali" name="MSF" />
<input into_datastore="IP_addresses">
<!-- 0 attack_vm -->
<value>172.16.0.2</value>
<!-- 1 hackme_server -->
<value>172.16.0.3</value>
</input>
<utility module_path=".*/iceweasel">
<input into="accounts">
<value>
{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
<input into="autostart">
<value>false</value>
</input>
</utility>
<utility module_path=".*/kali_web" />
<utility module_path=".*/metasploit_framework" />
<utility module_path=".*/nmap" />
<utility module_path=".*/handy_cli_tools" />
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
</system>
</scenario>

99
scenarios/ctf/catching_sparks.xml Normal file
View File

@@ -0,0 +1,99 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Catching Sparks</name>
<author>James Davis</author>
<description>
A web vulnerability allows access to a server remotely. Find the website
and gain root privilege.
</description>
<type>ctf</type>
<type>attack-ctf</type>
<difficulty>intermediate</difficulty>
<CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
<keyword>server-side misconfiguration and vulnerable components</keyword>
<keyword>Command injection</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Attacks and exploitation">
<keyword>EXPLOITATION</keyword>
<keyword>EXPLOITATION FRAMEWORKS</keyword>
</CyBOK>
<CyBOK KA="SS" topic="Categories of Vulnerabilities">
<keyword>CVEs and CWEs</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
<keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
</CyBOK>
<CyBOK KA="AB" topic="Models">
<keyword>kill chains</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Malicious Activities by Malware">
<keyword>cyber kill chain</keyword>
</CyBOK>
<system>
<system_name>server</system_name>
<base distro="Debian 10" type="desktop" name="KDE" />
<vulnerability module_path=".*/apache_spark_rce">
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
<input into="strings_to_pre_leak">
<encoder type="^(ascii|alpha)_reversible$" difficulty="low">
<input into="strings_to_encode">
<generator type="flag_generator" />
</input>
</encoder>
</input>
</vulnerability>
<vulnerability module_path="*./chkrootkit"></vulnerability>
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>attack_vm</system_name>
<base distro="Kali" name="MSF" />
<input into_datastore="IP_addresses">
<!-- 0 attack_vm -->
<value>172.16.0.2</value>
<!-- 1 hackme_server -->
<value>172.16.0.3</value>
</input>
<utility module_path=".*/iceweasel">
<input into="accounts">
<value>
{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
<input into="autostart">
<value>false</value>
</input>
</utility>
<utility module_path=".*/kali_web" />
<utility module_path=".*/metasploit_framework" />
<utility module_path=".*/nmap" />
<utility module_path=".*/handy_cli_tools" />
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
</system>
</scenario>

105
scenarios/ctf/erlang_explosion.xml Normal file
View File

@@ -0,0 +1,105 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Erlang Explosion</name>
<author>James Davis</author>
<description>
A vulnerable service utilises erlang that has a fatal flaw.
Exploit the server and get root access.
</description>
<type>ctf</type>
<type>attack-ctf</type>
<difficulty>intermediate</difficulty>
<CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
<keyword>server-side misconfiguration and vulnerable components</keyword>
<keyword>Vulnerable defaults</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Attacks and exploitation">
<keyword>EXPLOITATION</keyword>
<keyword>EXPLOITATION FRAMEWORKS</keyword>
</CyBOK>
<CyBOK KA="SS" topic="Categories of Vulnerabilities">
<keyword>CVEs and CWEs</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
<keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
</CyBOK>
<CyBOK KA="AAA" topic="Authorisation">
<keyword>access control</keyword>
<keyword>Elevated privileges</keyword>
<keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
</CyBOK>
<CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
<keyword>Access controls and operating systems</keyword>
<keyword>Linux security model</keyword>
<keyword>Attacks against SUID</keyword>
</CyBOK>
<system>
<system_name>server</system_name>
<base distro="Debian 10" type="desktop" name="KDE" />
<vulnerability module_path=".*/apache_couchdb">
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
<input into="strings_to_pre_leak">
<encoder type="^(ascii|alpha)_reversible$" difficulty="low">
<input into="strings_to_encode">
<generator type="flag_generator" />
</input>
</encoder>
</input>
</vulnerability>
<vulnerability module_path=".*/sudo_root_vi"></vulnerability>
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>attack_vm</system_name>
<base distro="Kali" name="MSF" />
<input into_datastore="IP_addresses">
<!-- 0 attack_vm -->
<value>172.16.0.2</value>
<!-- 1 hackme_server -->
<value>172.16.0.3</value>
</input>
<utility module_path=".*/iceweasel">
<input into="accounts">
<value>
{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
<input into="autostart">
<value>false</value>
</input>
</utility>
<utility module_path=".*/kali_web" />
<utility module_path=".*/metasploit_framework" />
<utility module_path=".*/nmap" />
<utility module_path=".*/handy_cli_tools" />
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
</system>
</scenario>

103
scenarios/ctf/eventful_data.xml Normal file
View File

@@ -0,0 +1,103 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Eventful Data</name>
<author>James Davis</author>
<description>
There is a vulnerable webserver that can be exploited.
Find it and then get root.
</description>
<type>ctf</type>
<type>attack-ctf</type>
<difficulty>intermediate</difficulty>
<CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
<keyword>server-side misconfiguration and vulnerable components</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Attacks and exploitation">
<keyword>EXPLOITATION</keyword>
<keyword>EXPLOITATION FRAMEWORKS</keyword>
</CyBOK>
<CyBOK KA="SS" topic="Categories of Vulnerabilities">
<keyword>CVEs and CWEs</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
<keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
</CyBOK>
<CyBOK KA="AAA" topic="Authorisation">
<keyword>access control</keyword>
<keyword>Elevated privileges</keyword>
<keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
</CyBOK>
<CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
<keyword>Access controls and operating systems</keyword>
<keyword>Linux security model</keyword>
<keyword>Attacks against SUDO</keyword>
</CyBOK>
<system>
<system_name>server</system_name>
<base distro="Debian 10" type="desktop" name="KDE" />
<vulnerability module_path=".*/apache_druid_rce">
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
<input into="strings_to_pre_leak">
<encoder type="^(ascii|alpha)_reversible$" difficulty="low">
<input into="strings_to_encode">
<generator type="flag_generator" />
</input>
</encoder>
</input>
</vulnerability>
<vulnerability module_path=".*/sudo_root_more"></vulnerability>
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>attack_vm</system_name>
<base distro="Kali" name="MSF" />
<input into_datastore="IP_addresses">
<!-- 0 attack_vm -->
<value>172.16.0.2</value>
<!-- 1 hackme_server -->
<value>172.16.0.3</value>
</input>
<utility module_path=".*/iceweasel">
<input into="accounts">
<value>
{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
<input into="autostart">
<value>false</value>
</input>
</utility>
<utility module_path=".*/kali_web" />
<utility module_path=".*/metasploit_framework" />
<utility module_path=".*/nmap" />
<utility module_path=".*/handy_cli_tools" />
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
</system>
</scenario>

96
scenarios/ctf/manage_this.xml Normal file
View File

@@ -0,0 +1,96 @@
<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<name>Manage this!</name>
<author>James Davis</author>
<description>
A vulnerable website is active on a server. Find a way in and obtain root.
</description>
<type>ctf</type>
<type>attack-ctf</type>
<difficulty>intermediate</difficulty>
<CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
<keyword>server-side misconfiguration and vulnerable components</keyword>
<keyword>Command injection</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Attacks and exploitation">
<keyword>EXPLOITATION</keyword>
<keyword>EXPLOITATION FRAMEWORKS</keyword>
<keyword>BACKDOOR TROJANS</keyword>
</CyBOK>
<CyBOK KA="SS" topic="Categories of Vulnerabilities">
<keyword>CVEs and CWEs</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
<keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
</CyBOK>
<CyBOK KA="NS" topic="PENETRATION TESTING">
<keyword>FILE - TRANSFER PROTOCOL (FTP)</keyword>
</CyBOK>
<system>
<system_name>server</system_name>
<base distro="Debian 10" type="desktop" name="KDE" />
<vulnerability module_path=".*/glpi_php_injection">
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
<input into="strings_to_pre_leak">
<encoder type="^(ascii|alpha)_reversible$" difficulty="low">
<input into="strings_to_encode">
<generator type="flag_generator" />
</input>
</encoder>
</input>
</vulnerability>
<vulnerability module_path=".*/vsftpd_234_backdoor" />
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
</system>
<system>
<system_name>attack_vm</system_name>
<base distro="Kali" name="MSF" />
<input into_datastore="IP_addresses">
<!-- 0 attack_vm -->
<value>172.16.0.2</value>
<!-- 1 hackme_server -->
<value>172.16.0.3</value>
</input>
<utility module_path=".*/iceweasel">
<input into="accounts">
<value>
{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
<input into="autostart">
<value>false</value>
</input>
</utility>
<utility module_path=".*/kali_web" />
<utility module_path=".*/metasploit_framework" />
<utility module_path=".*/nmap" />
<utility module_path=".*/handy_cli_tools" />
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
</system>
</scenario>