SecGen/scenarios/ctf/hackme.xml

<?xml version="1.0"?>

<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">

  <name>Hackme</name>
  <author>Z. Cliffe Schreuders</author>
  <description>A bunch of servers for you to hack.

Login to the attack VM with user: root, password: toor. There are three servers for you to attack (same IP address range, ending in .3,.4,.5), and flags are often found in home directories (/home/, /root/). Beware of red herrings.

Happy hacking!
  </description>

  <type>ctf</type>
  <type>hack-ctf</type>
  <difficulty>easy</difficulty>

  <system>
    <system_name>attack_vm</system_name>
    <base distro="Kali" name="MSF"/>


    <input into_datastore="IP_addresses">
      <!-- 0 attack_vm -->
      <value>172.16.0.2</value>
      <!-- 1 hackme_server -->
      <value>172.16.0.3</value>
      <!-- 2 hackmetoo_server -->
      <value>172.16.0.4</value>
      <!-- 3 hackmethree_server -->
      <value>172.16.0.5</value>
    </input>

    <utility module_path=".*iceweasel">
      <input into="accounts">
        <value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
      </input>
      <input into="autostart">
        <value>false</value>
      </input>
    </utility>

    <utility module_path=".*kali_top10"/>
    <network type="private_network">
      <input into="IP_address">
        <datastore access="0">IP_addresses</datastore>
      </input>
    </network>
  </system>

  <!-- a vulnerability that is remotely exploitable for user level access, then can be escalated to root -->
  <system>
    <system_name>hackme_server</system_name>
    <base distro="Debian" type="server"/>

    <utility module_path=".*after_login_message">
      <input into="strings_to_leak">
        <encoder type="string_format_encoder">
          <input into="strings_to_encode">
            <value>Hackme</value>
          </input>
        </encoder>
        <value>Well done! You hacked this server. It's possible for you to get root from here.</value>
      </input>
    </utility>

    <vulnerability read_fact="strings_to_leak" privilege="user_rwx" access="remote">
      <input into="strings_to_leak">
        <generator type="flag_generator" />
      </input>
    </vulnerability>

    <vulnerability read_fact="strings_to_leak" privilege="root_rwx" access="local">
      <input into="strings_to_leak">
        <generator type="flag_generator" />
      </input>
    </vulnerability>

    <service/>

    <network type="private_network">
      <input into="IP_address">
        <datastore access="1">IP_addresses</datastore>
      </input>
    </network>
  </system>

  <!-- any random vulnerability that is remotely exploitable and can leak a flag, they might not actually end up with shell but they will get the leaked strings, including some extra flags that will need decoding -->
  <system>
    <system_name>hackmetoo_server</system_name>
    <base distro="Debian" type="server"/>

    <utility module_path=".*after_login_message">
      <input into="strings_to_leak">
        <encoder type="string_format_encoder">
          <input into="strings_to_encode">
            <value>Hackme</value>
          </input>
        </encoder>
        <generator type="ascii_art_generator"/>
        <value>Well done! You hacked this server. There's some extra flags for you to decode.</value>
      </input>
    </utility>

    <vulnerability read_fact="strings_to_leak" access="remote">
      <input into="strings_to_leak">
        <generator type="flag_generator" />
        <!-- 1: random easy encoder -->
        <encoder type="^(ascii|alpha)_reversible$" difficulty="low">
          <input into="strings_to_encode">
            <generator type="flag_generator"/>
          </input>
        </encoder>

        <!-- 2: random medium encoder -->
        <encoder type="^(ascii|alpha)_reversible$" difficulty="medium">
          <input into="strings_to_encode">
            <generator type="flag_generator"/>
          </input>
        </encoder>
      </input>
    </vulnerability>

    <service/>

    <network type="private_network">
      <input into="IP_address">
        <datastore access="2">IP_addresses</datastore>
      </input>
    </network>
  </system>

  <!-- user level access, then a medium difficulty ctf style challenge -->
  <system>
    <system_name>hackmethree_server</system_name>
    <base distro="Debian" type="server"/>

    <utility module_path=".*after_login_message">
      <input into="strings_to_leak">
        <encoder type="string_format_encoder">
          <input into="strings_to_encode">
            <value>Hackme</value>
          </input>
        </encoder>
        <value>Well done! You hacked this server. There is a CTF-style challenge on the server, if you can find it.</value>
      </input>
    </utility>

    <vulnerability read_fact="strings_to_leak" privilege="user_rwx" access="remote">
      <input into="strings_to_leak">
        <generator type="flag_generator" />
      </input>
    </vulnerability>

    <!-- CTF challenge generates it's own flag -->
    <vulnerability privilege="none" access="local" type="ctf_challenge" challenge_type="pwn" difficulty="medium"/>

    <service/>

    <network type="private_network">
      <input into="IP_address">
        <datastore access="3">IP_addresses</datastore>
      </input>
    </network>
  </system>

</scenario>