sudoedit updates

2026-02-21 11:18:06 +00:00 · 2024-02-27 16:35:56 +00:00
parent 2294c039c9
commit 73808f3b53
4 changed files with 7 additions and 27 deletions
--- a/modules/vulnerabilities/unix/local/sudoedit/manifests/install.pp
+++ b/modules/vulnerabilities/unix/local/sudoedit/manifests/install.pp
@@ -4,27 +4,9 @@ class sudoedit::install {
  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
  $leaked_filenames = $secgen_parameters['leaked_filenames']
  $strings_to_leak = $secgen_parameters['strings_to_leak']
-  $username = $secgen_parameters['unix_username'][0]
-  $password = $secgen_parameters['used_password'][0]

-  # Magic touch
-  # EDITOR='nano -- /etc/sudoers' sudoedit /etc/hosts
-
-  # This exploit relies on a user being in sudo group but we dont want access to everything! :) 
-  exec { 'goodbye-sudo':
-    command => "sed -i 's/%sudo/%root/' /etc/sudoers"
-  }
-  -> user { $username:
-    ensure   => present,
-    managehome => true,
-    # Make sure we are in the sudo group
-    groups => 'sudo',
-    shell    => '/bin/bash',
-    password => pw_hash($password, 'SHA-512', 'mysalt'),
-  }
-  # Let access to the hosts file via sudoedit
-  -> exec { 'i-can-edit-now':
-    command => "echo '${username} ALL=(ALL:ALL) sudoedit /etc/hosts' >> /etc/sudoers"
+  exec { 'i-can-sudoedit-now':
+    command => "echo 'ALL ALL = (root) NOPASSWD: sudoedit /etc/hosts' >> /etc/sudoers"
  }
  -> file { '/tmp/sudo_1.8.26-2_amd64.deb':
    ensure => file,
@@ -41,7 +23,7 @@ class sudoedit::install {
    storage_directory => '/root',
    leaked_filenames => $leaked_filenames,
    strings_to_leak => $strings_to_leak,
-    leaked_from => "",
+    leaked_from => "sudoedit",
    mode => '0600'
  }
 }
--- a/scenarios/examples/vulnerability_examples/sudoedit.xml
+++ b/scenarios/examples/vulnerability_examples/sudoedit.xml
@@ -9,7 +9,6 @@
        <base distro="Debian 10" type="desktop" name="KDE" />

        <input into_datastore="IP_addresses">
-            <!-- 0 web_server -->
            <value>172.16.0.2</value>
        </input>

@@ -30,4 +29,4 @@
            </input>
        </network>
    </system>
-</scenario>
+</scenario>
--- a/scenarios/labs/introducing_attacks/7_post-exploitation.xml
+++ b/scenarios/labs/introducing_attacks/7_post-exploitation.xml
@@ -148,8 +148,7 @@ You will learn the skills used by an attacker or security tester, to take action
    </utility>


-    <!-- DirtyCOW vulnerability module leaves the debian 7 bases unpatched by default. -->
-    <vulnerability module_path=".*/policykit.*">
+    <vulnerability module_path=".*/sudoedit">
      <input into="strings_to_leak">
        <generator type="flag_generator" />
      </input>
--- a/scenarios/labs/introducing_attacks/8_vulnerability_analysis.xml
+++ b/scenarios/labs/introducing_attacks/8_vulnerability_analysis.xml
@@ -41,8 +41,8 @@ Throughout this lab, you will learn how to use Nmap and its Nmap scripting engin
      <value>172.16.0.3</value>
    </input>

-    <!-- DirtyCOW vulnerability module leaves the debian 7 bases unpatched by default. -->
-    <vulnerability module_path=".*/dirtycow.*">
+    <!-- priv escalation. -->
+    <vulnerability module_path=".*/sudoedit">
      <input into="strings_to_leak">
        <generator type="flag_generator" />
      </input>