Merge branch 'master' of https://github.com/cliffe/SecGen

scenarios/ctf/feeling_blu.xml

@@ -174,8 +174,9 @@
         <datastore>password</datastore>
       </input>
       <input into="strings_to_pre_leak">
-        <value>Username</value>
+        <value>Creds:</value>
         <datastore access_json="['manager']['username']">organisation</datastore>
+        <datastore>password</datastore>
         <generator type="flag_generator"/>
       </input>
     </vulnerability>

scenarios/ctf/feeling_blu_brute.xml

@@ -0,0 +1,227 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <name>Feeling Blu</name>
+  <author>Z. Cliffe Schreuders</author>
+  <description>Hack the web_server from kali.
+  </description>
+
+  <type>ctf</type>
+  <type>attack-ctf</type>
+  <type>pwn-ctf</type>
+  <difficulty>medium</difficulty>
+
+  <!-- bludit -->
+  <CyBOK KA="WAM" topic="Fundamental Concepts and Approaches">
+    <keyword>authentication</keyword>
+    <keyword>passwords and alternatives</keyword>
+  </CyBOK>
+  <CyBOK KA="AAA" topic="Authentication">
+    <keyword>user authentication</keyword>
+    <keyword>BRUTEFORCE</keyword>
+  </CyBOK>
+  <CyBOK KA="WAM" topic="Server-Side Vulnerabilities and Mitigations">
+    <keyword>server-side misconfiguration and vulnerable components</keyword>
+    <keyword>FILE UPLOAD VULNERABILITY</keyword>
+  </CyBOK>
+  <CyBOK KA="MAT" topic="Attacks and exploitation">
+    <keyword>EXPLOITATION</keyword>
+    <keyword>EXPLOITATION FRAMEWORKS</keyword>
+  </CyBOK>
+  <CyBOK KA="SS" topic="Categories of Vulnerabilities">
+    <keyword>CVEs and CWEs</keyword>
+  </CyBOK>
+  <CyBOK KA="SOIM" topic="PENETRATION TESTING">
+    <keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
+    <keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
+  </CyBOK>
+
+  <!-- escalate to user and to root via sudo -->
+  <CyBOK KA="AAA" topic="Authorisation">
+    <keyword>access control</keyword>
+    <keyword>Elevated privileges</keyword>
+    <keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
+  </CyBOK>
+  <CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
+    <keyword>Access controls and operating systems</keyword>
+    <keyword>Linux security model</keyword>
+    <keyword>Attacks against SUDO</keyword>
+  </CyBOK>
+
+  <CyBOK KA="AB" topic="Models">
+    <keyword>kill chains</keyword>
+  </CyBOK>
+  <CyBOK KA="MAT" topic="Malicious Activities by Malware">
+    <keyword>cyber kill chain</keyword>
+  </CyBOK>
+
+  <!-- decrypt zip file -->
+  <CyBOK KA="C" topic="Symmetric Cryptography">
+    <keyword>symmetric encryption and authentication</keyword>
+  </CyBOK>
+  <CyBOK KA="AAA" topic="Authentication">
+    <keyword>BRUTEFORCE</keyword>
+  </CyBOK>
+
+
+  <system>
+    <system_name>attack_vm</system_name>
+    <base distro="Kali" name="MSF"/>
+
+
+    <input into_datastore="IP_addresses">
+      <!-- 0 attack_vm -->
+      <value>172.16.0.2</value>
+      <!-- 1 hackme_server -->
+      <value>172.16.0.3</value>
+    </input>
+
+    <utility module_path=".*/parameterised_accounts">
+      <input into="accounts">
+        <value>{"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}</value>
+      </input>
+    </utility>
+
+    <utility module_path=".*/iceweasel">
+      <input into="accounts">
+        <value>{"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}</value>
+      </input>
+      <input into="autostart">
+        <value>false</value>
+      </input>
+    </utility>
+
+    <utility module_path=".*/kali_top10"/>
+    <utility module_path=".*/kali_web"/>
+
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="0">IP_addresses</datastore>
+      </input>
+    </network>
+    <input into_datastore="spoiler_admin_pass">
+      <generator type="strong_password_generator"/>
+    </input>
+    <build type="cleanup">
+      <input into="root_password">
+        <datastore>spoiler_admin_pass</datastore>
+      </input>
+    </build>
+  </system>
+
+  <system>
+    <system_name>web_server</system_name>
+    <base distro="Debian 10" type="desktop" name="KDE"/>
+
+    <input into_datastore="organisation">
+      <encoder type="line_selector">
+        <input into="file_path">
+          <value>lib/resources/structured_content/organisations/json_organisations</value>
+        </input>
+      </encoder>
+    </input>
+
+    <!-- bludit requires a password >= 6 characters long -->
+    <input into_datastore="password">
+        <generator type="random_sanitised_word">
+        <input into="wordlist">
+          <value>wordlist</value>
+        </input>
+        <input into="min_length">
+          <value>6</value>
+        </input>
+      </generator>
+    </input>
+
+
+    <!--Create the user-->
+    <utility module_path=".*/parameterised_accounts">
+      <input into="accounts">
+        <generator type="account">
+          <input into="username">
+            <datastore access_json="['manager']['username']">organisation</datastore>
+          </input>
+          <input into="password">
+            <datastore>password</datastore>
+          </input>
+          <input into="super_user">
+            <value>false</value>
+          </input>
+          <input into="leaked_filenames">
+            <value>flag</value>
+          </input>
+          <input into="strings_to_leak">
+            <generator type="flag_generator"/>
+          </input>
+        </generator>
+      </input>
+    </utility>
+
+    <vulnerability module_path=".*/bludit_upload_images_exec">
+      <input into="strings_to_leak">
+        <generator type="flag_generator"/>
+      </input>
+      <input into="organisation">
+        <datastore>organisation</datastore>
+      </input>
+      <input into="known_username">
+        <datastore access_json="['manager']['username']">organisation</datastore>
+      </input>
+      <input into="known_password">
+        <datastore>password</datastore>
+      </input>
+      <input into="strings_to_pre_leak">
+        <value>Username</value>
+        <datastore access_json="['manager']['username']">organisation</datastore>
+        <generator type="flag_generator"/>
+      </input>
+    </vulnerability>
+
+    <vulnerability module_path=".*/sudo_root_less">
+      <input into="strings_to_leak">
+        <generator type="flag_generator"/>
+      </input>
+      <input into="strings_to_pre_leak">
+        <generator type="flag_generator"/>
+      </input>
+    </vulnerability>
+
+    <vulnerability type="zip_file">
+      <input into="base64_file">
+        <generator type="zip_file_generator">
+          <input into="password">
+            <datastore access_json="['manager']['name']">organisation</datastore>
+          </input>
+          <input into="strings_to_leak">
+            <generator type="flag_generator"/>
+            <value>
+              Congratulations you have cracked our protected zip file. Here is a flag for your troubles.
+            </value>
+          </input>
+        </generator>
+      </input>
+      <input into="leaked_filename">
+        <value>whatsmyname.zip</value>
+      </input>
+      <input into="storage_directory">
+        <value>/root</value>
+      </input>
+    </vulnerability>
+
+
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </network>
+    <build type="cleanup">
+      <input into="root_password">
+        <datastore>spoiler_admin_pass</datastore>
+      </input>
+    </build>
+  </system>
+
+</scenario>

scenarios/labs/introducing_attacks/8_vulnerability_analysis.xml

@@ -41,15 +41,6 @@ Throughout this lab, you will learn how to use Nmap and its Nmap scripting engin
       <value>172.16.0.3</value>
     </input>
 
-    <!-- priv escalation. -->
-    <vulnerability module_path=".*/sudo_baron">
-      <input into="strings_to_leak">
-        <generator type="flag_generator" />
-      </input>
-      <input into="leaked_filenames">
-        <value>flag</value>
-      </input>
-    </vulnerability>
     <!-- vulnerable distcc server -->
     <vulnerability cve="CVE-2004-2687">
       <input into="strings_to_leak">
@@ -60,7 +51,7 @@ Throughout this lab, you will learn how to use Nmap and its Nmap scripting engin
       </input>
     </vulnerability>
     <!-- vulnerable wordpress -->
-    <vulnerability module_path=".*/wordpress.*">
+    <vulnerability module_path=".*/(wordpress_4x|wordpress_3x)">
       <input into="IP_address">
         <datastore access="0">IP_addresses</datastore>
       </input>
@@ -68,6 +59,15 @@ Throughout this lab, you will learn how to use Nmap and its Nmap scripting engin
     <!-- vulnerable IRC server -->
     <vulnerability module_path=".*/unrealirc_3281_backdoor"/>
 
+    <!-- sudo priv escalation. -->
+    <vulnerability module_path=".*/sudo_baron">
+      <input into="strings_to_leak">
+        <generator type="flag_generator" />
+      </input>
+      <input into="leaked_filenames">
+        <value>flag</value>
+      </input>
+    </vulnerability>
 
     <network type="private_network">
       <input into="IP_address">