mirror of
https://github.com/cliffe/SecGen.git
synced 2026-02-20 13:50:45 +00:00
188 lines
5.8 KiB
XML
188 lines
5.8 KiB
XML
<?xml version="1.0"?>
|
|
|
|
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
|
|
|
|
<name>Smash Crack Grab and Run</name>
|
|
<author>Z. Cliffe Schreuders</author>
|
|
<description>Hack the server from kali. Involves a vulnerable service, and encrypted files.
|
|
</description>
|
|
|
|
<type>ctf</type>
|
|
<type>attack-ctf</type>
|
|
<type>pwn-ctf</type>
|
|
<difficulty>medium</difficulty>
|
|
|
|
<CyBOK KA="MAT" topic="Attacks and exploitation">
|
|
<keyword>EXPLOITATION</keyword>
|
|
<keyword>EXPLOITATION FRAMEWORKS</keyword>
|
|
</CyBOK>
|
|
<CyBOK KA="SS" topic="Categories of Vulnerabilities">
|
|
<keyword>CVEs and CWEs</keyword>
|
|
</CyBOK>
|
|
<CyBOK KA="SOIM" topic="PENETRATION TESTING">
|
|
<keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
|
|
<keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
|
|
</CyBOK>
|
|
|
|
<CyBOK KA="AB" topic="Models">
|
|
<keyword>kill chains</keyword>
|
|
</CyBOK>
|
|
<CyBOK KA="MAT" topic="Malicious Activities by Malware">
|
|
<keyword>cyber kill chain</keyword>
|
|
</CyBOK>
|
|
|
|
|
|
<system>
|
|
<system_name>attack_vm</system_name>
|
|
<base distro="Kali" name="MSF"/>
|
|
|
|
|
|
<input into_datastore="IP_addresses">
|
|
<!-- 0 attack_vm -->
|
|
<value>172.16.0.2</value>
|
|
<!-- 1 hackme_server -->
|
|
<value>172.16.0.3</value>
|
|
</input>
|
|
|
|
<utility module_path=".*/parameterised_accounts">
|
|
<input into="accounts">
|
|
<value>{"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}</value>
|
|
</input>
|
|
</utility>
|
|
|
|
<utility module_path=".*/iceweasel">
|
|
<input into="accounts">
|
|
<value>{"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}</value>
|
|
</input>
|
|
<input into="autostart">
|
|
<value>false</value>
|
|
</input>
|
|
</utility>
|
|
|
|
<utility module_path=".*/kali_pwtools"/>
|
|
<utility module_path=".*/armitage"/>
|
|
<utility module_path=".*/johntheripper"/>
|
|
|
|
<network type="private_network">
|
|
<input into="IP_address">
|
|
<datastore access="0">IP_addresses</datastore>
|
|
</input>
|
|
</network>
|
|
<input into_datastore="spoiler_admin_pass">
|
|
<generator type="strong_password_generator"/>
|
|
</input>
|
|
<build type="cleanup">
|
|
<input into="root_password">
|
|
<datastore>spoiler_admin_pass</datastore>
|
|
</input>
|
|
</build>
|
|
</system>
|
|
|
|
<system>
|
|
<system_name>server</system_name>
|
|
<base distro="Debian 12" type="desktop" name="KDE"/>
|
|
|
|
<!-- generate a password to be cracked -->
|
|
<input into_datastore="weak_password">
|
|
<generator type="custom_list_password">
|
|
<input into="list_name">
|
|
<value>jtrpassword.lst</value>
|
|
</input>
|
|
</generator>
|
|
</input>
|
|
<!-- generate a password to be leaked -->
|
|
<input into_datastore="strong_password">
|
|
<generator type="strong_password_generator"/>
|
|
</input>
|
|
<!-- generate a username to be leaked -->
|
|
<input into_datastore="username">
|
|
<generator type="random_sanitised_word">
|
|
<input into="wordlist">
|
|
<value>mythical_creatures</value>
|
|
</input>
|
|
</generator>
|
|
</input>
|
|
|
|
<!--Create the user-->
|
|
<utility module_path=".*/parameterised_accounts">
|
|
<input into="accounts">
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore>username</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<datastore>strong_password</datastore>
|
|
</input>
|
|
<!-- this flag is available to root -->
|
|
<input into="leaked_filenames">
|
|
<value>flag</value>
|
|
</input>
|
|
<input into="strings_to_leak">
|
|
<value>Well done. One of these needs decoding ;)</value>
|
|
<generator type="flag_generator" />
|
|
<encoder module_path=".*/rot13">
|
|
<input into="strings_to_encode">
|
|
<generator type="flag_generator"/>
|
|
</input>
|
|
</encoder>
|
|
</input>
|
|
</generator>
|
|
</input>
|
|
</utility>
|
|
|
|
<vulnerability module_path=".*/nostromo_code_exec">
|
|
<input into="strings_to_leak">
|
|
<generator type="flag_generator"/>
|
|
<value>Hint: There is an encrypted zip file in /home/nostromousr/</value>
|
|
</input>
|
|
<input into="strings_to_pre_leak">
|
|
<generator type="flag_generator"/>
|
|
<value>Hint: This is a service you can exploit</value>
|
|
</input>
|
|
</vulnerability>
|
|
|
|
<!-- this is password protected by the same password as the crackme user -->
|
|
<vulnerability type="zip_file">
|
|
<input into="base64_file">
|
|
<generator type="zip_file_generator">
|
|
<input into="password">
|
|
<datastore>weak_password</datastore>
|
|
</input>
|
|
<input into="strings_to_leak">
|
|
<value>
|
|
Congratulations you have cracked our protected zip file. Here is a flag for your troubles.
|
|
Also here is a username and password for another account on this system...
|
|
</value>
|
|
<datastore>username</datastore>
|
|
<datastore>strong_password</datastore>
|
|
<generator type="flag_generator"/>
|
|
</input>
|
|
</generator>
|
|
</input>
|
|
<input into="leaked_filename">
|
|
<value>protected.zip</value>
|
|
</input>
|
|
<input into="storage_directory">
|
|
<value>/</value>
|
|
</input>
|
|
<input into="account">
|
|
<value>{"username":"nostromousr"}</value>
|
|
</input>
|
|
</vulnerability>
|
|
|
|
<network type="private_network">
|
|
<input into="IP_address">
|
|
<datastore access="1">IP_addresses</datastore>
|
|
</input>
|
|
</network>
|
|
<build type="cleanup">
|
|
<input into="root_password">
|
|
<datastore>spoiler_admin_pass</datastore>
|
|
</input>
|
|
</build>
|
|
</system>
|
|
|
|
</scenario>
|