Implement setuid_root_script, update examples + fix octal modes

2026-02-22 03:38:01 +00:00 · 2018-08-03 10:57:11 +01:00
parent 73d9702122
commit cd17e5dfd4
7 changed files with 65 additions and 60 deletions
--- a/modules/build/puppet/secgen_functions/manifests/install_setgid_binary.pp
+++ b/modules/build/puppet/secgen_functions/manifests/install_setgid_binary.pp
@@ -66,7 +66,7 @@ define secgen_functions::install_setgid_binary (
    ensure  => present,
    owner   => 'root',
    group   => $group,
-    mode    => '4771',
+    mode    => '2771',
    source  => "$compile_directory/$challenge_name",
    require => Exec["gcc_$challenge_name-$compile_directory"],
  }
--- a/modules/build/puppet/secgen_functions/manifests/install_setgid_script.pp
+++ b/modules/build/puppet/secgen_functions/manifests/install_setgid_script.pp
@@ -53,7 +53,7 @@ define secgen_functions::install_setgid_script (
    ensure  => present,
    owner   => 'root',
    group   => $group,
-    mode    => '4775',
+    mode    => '2775',
    content => $script_data,
    require => Group[$group],
  }
@@ -66,7 +66,7 @@ define secgen_functions::install_setgid_script (
    owner             => 'root',
    group             => $group,
    mode              => '0440',
-    leaked_from       => "accounts_$username",
+    leaked_from       => "$source_module_name-$module_name",
    require           => Group[$group],
  }

--- a/modules/build/puppet/secgen_functions/manifests/install_setuid_root_script.pp
+++ b/modules/build/puppet/secgen_functions/manifests/install_setuid_root_script.pp
@@ -1,14 +1,16 @@
-# Install function for setuid_root binaries
+# Install function for setgid binaries
 # -- Modules calling this function must provide a Makefile and any .c files within it's <module_name>/files directory

-define secgen_functions::install_setuid_root_binary (
-  $challenge_name,           # Challenge name, used for the wrapper-directory
-  $source_module_name,      # Name of the module that calls this function
-  $account,                 # User account (leak here if $storage_directory is not supplied)
-  $flag,                    # ctf flag string
+define secgen_functions::install_setuid_root_script (
+  $challenge_name, # Challenge name, used for the wrapper-directory
+  $script_name, # Script filename
+  $script_data, # Script data
+  $source_module_name, # Name of the module that calls this function
+  $account, # User account
+  $flag, # ctf flag string
  $flag_name, # ctf flag name
-  $storage_dir = '',      # Optional: Storage directory (takes precedent if supplied, e.g. nfs / smb share dir)
-  $strings_to_leak = [''],  # Optional: strings to leak (could contain instructions or a message)
+  $storage_dir     = '', # Optional: Storage directory (takes precedent if supplied, e.g. nfs / smb share dir)
+  $strings_to_leak = [''], # Optional: strings to leak (could contain instructions or a message)
 ) {

  if $account {
@@ -37,33 +39,16 @@ define secgen_functions::install_setuid_root_binary (

  # Create challenge directory
  ::secgen_functions::create_directory { "create_$challenge_directory":
-    path => $challenge_directory,
-    notify => File["create_$compile_directory"],
-  }
-
-  # Move contents of the module's files directory into compile directory
-  file { "create_$compile_directory":
-    path => $compile_directory,
-    ensure  => directory,
-    recurse => true,
-    source  => $modules_source,
-  }
-
-  # Build the binary with gcc
-  exec { "gcc_$challenge_name-$compile_directory":
-    cwd     => $compile_directory,
-    command => "/usr/bin/make",
-    require => File["create_$compile_directory"]
+    path   => $challenge_directory,
+    notify => File["$challenge_directory/$script_name"],
  }

  # Move the compiled binary into the challenge directory
-  file { "$challenge_directory/$challenge_name":
+  file { "$challenge_directory/$script_name":
    ensure  => present,
    owner   => 'root',
-    group   => 'root',
-    mode    => '4755',
-    source  => "$compile_directory/$challenge_name",
-    require => Exec["gcc_$challenge_name-$compile_directory"],
+    mode    => '4775',
+    content => $script_data,
  }

  # Drop the flag file on the box and set permissions
@@ -73,14 +58,7 @@ define secgen_functions::install_setuid_root_binary (
    strings_to_leak   => [$flag],
    owner             => 'root',
    mode              => '0400',
-    leaked_from       => "accounts_$username",
-    require           => Exec["gcc_$challenge_name-$compile_directory"],
-    notify            => Exec["remove_$compile_directory"],
+    leaked_from       => "$source_module_name-$module_name",
  }

-  # Remove compile directory
-  exec { "remove_$compile_directory":
-    command => "/bin/rm -rf $compile_directory",
-    require => [File["$challenge_directory/$challenge_name"]]
-  }
 }
--- a/modules/vulnerabilities/unix/ctf/ruby_challenge_example/manifests/install.pp
+++ b/modules/vulnerabilities/unix/ctf/ruby_challenge_example/manifests/install.pp
@@ -28,16 +28,18 @@ class ruby_challenge_example::install {
      storage_dir        => $storage_dir,
      strings_to_leak    => $secgen_params['strings_to_leak'],
    }
-  # } else {
-    # ::secgen_functions::install_setuid_root_binary { 'ruby_challenge_example':
-    #   source_module_name     => $module_name,
-    #   challenge_name         => $secgen_params['challenge_name'][0],
-    #   account                => $account,
-    #   flag                   => $secgen_params['flag'][0],
-    #   flag_name              => 'flag',
-    #   storage_dir            => $storage_dir,
-    #   strings_to_leak        => $secgen_params['strings_to_leak'],
-    # }
+  } else {
+    ::secgen_functions::install_setuid_root_script { 'ruby_challenge_example':
+      source_module_name => $module_name,
+      challenge_name     => $secgen_params['challenge_name'][0],
+      script_name        => 'test.rb',
+      script_data        => $script_data[0],
+      account            => $account,
+      flag               => $secgen_params['flag'][0],
+      flag_name          => 'flag',
+      storage_dir        => $storage_dir,
+      strings_to_leak    => $secgen_params['strings_to_leak'],
+    }
  }

 }
--- a/modules/vulnerabilities/unix/ctf/ruby_challenge_example/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/ctf/ruby_challenge_example/secgen_metadata.xml
@@ -14,24 +14,21 @@
  <access>local</access>
  <platform>linux</platform>

-  <!-- binary dropped in account's home directory by default. -->
+  <!-- script dropped in account's home directory by default with setuid configuration. -->
  <read_fact>challenge_name</read_fact>
  <read_fact>script_data</read_fact>
-  <read_fact>group</read_fact>
  <read_fact>account</read_fact>
  <read_fact>flag</read_fact>
  <!-- storage_directory: Blank by default. If supplied, store the files here. e.g. NFS or SMB storage location -->
  <read_fact>storage_directory</read_fact>
-
+  <!--  group: Blank by default. If supplied install script challenge as setgid  -->
+  <read_fact>group</read_fact>
  <default_input into="challenge_name">
    <value>ruby_script_example</value>
  </default_input>
  <default_input into="script_data">
    <generator module_path=".*ruby_example"/>
  </default_input>
-  <default_input into="group">
-    <value>test1</value>
-  </default_input>
  <default_input into="account">
    <generator type="account">
      <input into="username">
--- a/scenarios/examples/ctf_challenge_examples/setgid_script_example.xml
+++ b/scenarios/examples/ctf_challenge_examples/setgid_script_example.xml
@@ -4,12 +4,12 @@
 	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	   xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">

-	<!-- an example system with a setgid binary. -->
+	<!-- an example system with a setgid script challenge. -->
 	<system>
 		<system_name>group_challenges</system_name>
 		<base platform="linux" type="server"/>

-		<!-- 1) Default uses an account and drops the binary in the users home directory -->
+		<!-- 1) Default uses an account and drops the challenge in the users home directory -->
 		<vulnerability type="script_challenge">
          <input into="group">
            <value>task1</value>
@@ -17,7 +17,7 @@
        </vulnerability>

 		<!-- 2) Using a custom storage directory -->
-		<!--<vulnerability type="pwnable_binary">-->
+		<!--<vulnerability type="script_challenge">-->
          <!--<input into="group">-->
            <!--<value>task2</value>-->
          <!--</input>-->
--- a/scenarios/examples/ctf_challenge_examples/setuid_script_example.xml
+++ b/scenarios/examples/ctf_challenge_examples/setuid_script_example.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+	<!-- an example system with a setuid script challenge. -->
+	<system>
+		<system_name>setuid_challenges</system_name>
+		<base platform="linux" type="server"/>
+
+		<!-- 1) Default uses an account and drops the challenge in the users home directory -->
+		<vulnerability type="script_challenge"/>
+
+		<!-- 2) Using a custom storage directory -->
+		<!--<vulnerability type="script_challenge">-->
+          <!--<input into="account">-->
+            <!--<value/>-->
+          <!--</input>-->
+          <!--<input into="storage_directory">-->
+            <!--<value>/test/hidden/challenges</value>-->
+          <!--</input>-->
+        <!--</vulnerability>-->
+
+		<network type="private_network" range="dhcp"/>
+	</system>
+
+</scenario>