mirror of
https://github.com/cliffe/SecGen.git
synced 2026-02-20 13:50:45 +00:00
428 lines
14 KiB
XML
428 lines
14 KiB
XML
<?xml version="1.0"?>
|
|
|
|
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
|
|
|
|
<name>Access Control Lists (ACLs) lab</name>
|
|
<author>Z. Cliffe Schreuders</author>
|
|
<description>
|
|
# Introduction
|
|
Access Control Lists (ACLs) are sets of rules attached to resources, specifying which subjects (users or entities) are authorized to access the resource and the type of permissions granted to each subject. ACLs allow for a granular and flexible approach to managing who can access a file, what kind of access they have, and how these permissions are inherited and checked.
|
|
|
|
You will learn about the fundamental concepts of Full ACLs, their syntax and usage on Linux systems, and how they differ from traditional Unix file permissions. Through hands-on tasks, you will set ACLs on files, manipulate permissions for specific users, explore the mask entry's role in determining maximum permissions, and understand the behavior of access checks in ACLs. Additionally, you will discover the concept of default ACLs and their impact on newly created files within a directory. By comparing Linux ACLs to Windows ACLs, you'll gain insights into the unique features and nuances of each system, such as inheritance logic and the use of global security identifiers. This lab will equip you with practical skills and knowledge to manage access control effectively in a diverse range of computing environments.
|
|
|
|
# Hackerbot and CTF challenges
|
|
This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
|
|
|
|
The Hackerbot tasks involve creating and managing files and directories using Linux ACLs to control access, allowing specific users to read and write while denying access to others. There is also a file permissions challenge on a server where you take what you've learned over the last few topics to find and exploit a permissions weakness.
|
|
|
|
# Lecture
|
|
[Slides continued here](http://z.cliffe.schreuders.org/presentations/slides/1718/ADS_slides_out_week_7/ADS_PDS_Lectures_7_Access_Control.html)
|
|
|
|
# Reading
|
|
[Grunbacher, Andreas. "POSIX Access Control Lists on Linux." *USENIX Annual Technical Conference*, FREENIX Track. 2003.](https://www.usenix.org/legacy/events/usenix03/tech/freenix03/full_papers/gruenbacher/gruenbacher.pdf)
|
|
</description>
|
|
|
|
<type>ctf-lab</type>
|
|
<type>hackerbot-lab</type>
|
|
<type>lab-sheet</type>
|
|
<difficulty>intermediate</difficulty>
|
|
|
|
<CyBOK KA="AAA" topic="Authorisation">
|
|
<keyword>access control</keyword>
|
|
<keyword>ACCESS CONTROL LIST (ACL)</keyword>
|
|
<keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
|
|
</CyBOK>
|
|
<CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
|
|
<keyword>Access controls and operating systems</keyword>
|
|
<keyword>Linux security model</keyword>
|
|
<keyword>Linux Extended Access Control Lists (facl)</keyword>
|
|
</CyBOK>
|
|
|
|
|
|
<video>
|
|
<title>ACLs and Capabilities</title>
|
|
<by>Z. Cliffe Schreuders</by>
|
|
<url>https://youtu.be/Bn3NJhgmdLk</url>
|
|
<type>lecture-prerecorded</type>
|
|
<CyBOK KA="AAA" topic="Authorisation">
|
|
<keyword>access control</keyword>
|
|
<keyword>ACCESS CONTROL - MATRIX</keyword>
|
|
<keyword>ACCESS CONTROL LIST (ACL)</keyword>
|
|
<keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
|
|
</CyBOK>
|
|
<CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
|
|
<keyword>capabilities</keyword>
|
|
</CyBOK>
|
|
</video>
|
|
<video>
|
|
<title>Linux Extended ACLs</title>
|
|
<by>Z. Cliffe Schreuders</by>
|
|
<url>https://youtu.be/OT7ifs8PkHI</url>
|
|
<type>lecture-prerecorded</type>
|
|
<CyBOK KA="AAA" topic="Authorisation">
|
|
<keyword>access control</keyword>
|
|
<keyword>ACCESS CONTROL LIST (ACL)</keyword>
|
|
<keyword>Vulnerabilities and attacks on access control misconfigurations</keyword>
|
|
</CyBOK>
|
|
<CyBOK KA="OSV" topic="Primitives for Isolation and Mediation">
|
|
<keyword>Access controls and operating systems</keyword>
|
|
<keyword>Linux security model</keyword>
|
|
<keyword>Linux Extended Access Control Lists (facl)</keyword>
|
|
</CyBOK>
|
|
</video>
|
|
|
|
<system>
|
|
<system_name>shared_desktop</system_name>
|
|
<base distro="Debian 10" type="desktop" name="KDE"/>
|
|
|
|
<input into_datastore="IP_addresses">
|
|
<!-- 0 desktop -->
|
|
<value>172.16.0.2</value>
|
|
<!-- 1 server -->
|
|
<value>172.16.0.3</value>
|
|
<!-- 2 hackerbot_server -->
|
|
<value>172.16.0.4</value>
|
|
</input>
|
|
|
|
<!-- generate some usernames to use -->
|
|
<input into_datastore="usernames">
|
|
<!-- main user -->
|
|
<generator type="random_sanitised_word">
|
|
<input into="wordlist">
|
|
<value>mythical_creatures</value>
|
|
</input>
|
|
</generator>
|
|
<!-- 4 other users -->
|
|
<generator type="random_sanitised_word">
|
|
<input into="wordlist">
|
|
<value>mythical_creatures</value>
|
|
</input>
|
|
</generator>
|
|
<generator type="random_sanitised_word">
|
|
<input into="wordlist">
|
|
<value>mythical_creatures</value>
|
|
</input>
|
|
</generator>
|
|
<generator type="random_sanitised_word">
|
|
<input into="wordlist">
|
|
<value>mythical_creatures</value>
|
|
</input>
|
|
</generator>
|
|
<generator type="random_sanitised_word">
|
|
<input into="wordlist">
|
|
<value>mythical_creatures</value>
|
|
</input>
|
|
</generator>
|
|
</input>
|
|
|
|
<!-- generate some passwords to be cracked -->
|
|
<input into_datastore="passwords">
|
|
<generator type="medium_password_generator"/>
|
|
<generator type="strong_password_generator"/>
|
|
<generator type="strong_password_generator"/>
|
|
<generator type="strong_password_generator"/>
|
|
</input>
|
|
|
|
<input into_datastore="groups">
|
|
<value>staff</value>
|
|
<value>team_one</value>
|
|
<value>team_two</value>
|
|
</input>
|
|
|
|
|
|
<!-- accounts on the desktop, with the main user as a sudoer -->
|
|
<input into_datastore="user_accounts_desktop">
|
|
<!-- main user, sudoer -->
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="0">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<value>tiaspbiqe2r</value>
|
|
</input>
|
|
|
|
<input into="leaked_filenames">
|
|
<value>mysecret</value>
|
|
</input>
|
|
<input into="strings_to_leak">
|
|
<generator type="random_line_generator">
|
|
<input into="linelist">
|
|
<value>secrets</value>
|
|
</input>
|
|
</generator>
|
|
</input>
|
|
|
|
<input into="super_user">
|
|
<value>true</value>
|
|
</input>
|
|
</generator>
|
|
<!-- other users, with weak passwords, no flags -->
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="next">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<datastore access="0">passwords</datastore>
|
|
</input>
|
|
</generator>
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="next">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<datastore access="next">passwords</datastore>
|
|
</input>
|
|
</generator>
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="next">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<datastore access="next">passwords</datastore>
|
|
</input>
|
|
</generator>
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="next">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<datastore access="next">passwords</datastore>
|
|
</input>
|
|
</generator>
|
|
</input>
|
|
|
|
<!-- an admin account used for hackerbot access to the desktop and also spoilers/administration of the challenge -->
|
|
<input into_datastore="spoiler_admin_pass">
|
|
<generator type="strong_password_generator"/>
|
|
</input>
|
|
|
|
<!--Create the groups-->
|
|
<utility module_path=".*/groups">
|
|
<input into="groups">
|
|
<datastore>groups</datastore>
|
|
</input>
|
|
</utility>
|
|
<!--Create the users-->
|
|
<utility module_path=".*/parameterised_accounts">
|
|
<input into="accounts">
|
|
<datastore>user_accounts_desktop</datastore>
|
|
</input>
|
|
</utility>
|
|
|
|
<utility module_path=".*/kde_minimal">
|
|
<input into="autologin_user">
|
|
<datastore access="0">usernames</datastore>
|
|
</input>
|
|
<input into="accounts">
|
|
<datastore>user_accounts_desktop</datastore>
|
|
</input>
|
|
<input into="autostart_konsole">
|
|
<value>true</value>
|
|
</input>
|
|
</utility>
|
|
<utility module_path=".*/handy_cli_tools"/>
|
|
<utility module_path=".*/hash_tools"/>
|
|
<utility module_path=".*/pam_modules"/>
|
|
|
|
<utility module_path=".*/iceweasel">
|
|
<input into="accounts">
|
|
<datastore>user_accounts_desktop</datastore>
|
|
</input>
|
|
<input into="autostart">
|
|
<value>true</value>
|
|
</input>
|
|
<input into="start_page">
|
|
<datastore access="2">IP_addresses</datastore>
|
|
</input>
|
|
</utility>
|
|
|
|
<utility module_path=".*/pidgin">
|
|
<input into="server_ip">
|
|
<datastore access="2">IP_addresses</datastore>
|
|
</input>
|
|
<input into="accounts">
|
|
<datastore access="0">user_accounts_desktop</datastore>
|
|
</input>
|
|
</utility>
|
|
|
|
<vulnerability module_path=".*/ssh_root_login">
|
|
<input into="root_password">
|
|
<datastore>spoiler_admin_pass</datastore>
|
|
</input>
|
|
</vulnerability>
|
|
|
|
<network type="private_network">
|
|
<input into="IP_address">
|
|
<datastore access="0">IP_addresses</datastore>
|
|
</input>
|
|
</network>
|
|
<build type="cleanup">
|
|
<input into="root_password">
|
|
<datastore>spoiler_admin_pass</datastore>
|
|
</input>
|
|
</build>
|
|
</system>
|
|
|
|
<system>
|
|
<system_name>server</system_name>
|
|
<base distro="Debian 10" type="desktop"/>
|
|
|
|
<!-- user accounts on the server, with matching usernames and passwords, but with flags to find -->
|
|
<input into_datastore="user_accounts_server">
|
|
<!-- main user, NOT sudoer -->
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="0">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<value>tiaspbiqe2r</value>
|
|
</input>
|
|
<input into="super_user">
|
|
<value>false</value>
|
|
</input>
|
|
<input into="groups">
|
|
<value>staff</value>
|
|
<value>team_one</value>
|
|
</input>
|
|
</generator>
|
|
<!-- other users, with the SAME passwords -->
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="next">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<datastore access="0">passwords</datastore>
|
|
</input>
|
|
<input into="groups">
|
|
<value>staff</value>
|
|
<value>team_one</value>
|
|
<value>team_two</value>
|
|
</input>
|
|
</generator>
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="next">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<datastore access="next">passwords</datastore>
|
|
</input>
|
|
<input into="groups">
|
|
<value>staff</value>
|
|
<value>team_two</value>
|
|
</input>
|
|
</generator>
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="next">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<datastore access="next">passwords</datastore>
|
|
</input>
|
|
<input into="groups">
|
|
<value>staff</value>
|
|
</input>
|
|
</generator>
|
|
<generator type="account">
|
|
<input into="username">
|
|
<datastore access="next">usernames</datastore>
|
|
</input>
|
|
<input into="password">
|
|
<datastore access="next">passwords</datastore>
|
|
</input>
|
|
<input into="leaked_filenames">
|
|
<value>flags</value>
|
|
</input>
|
|
<input into="strings_to_leak">
|
|
<generator type="flag_generator" />
|
|
<generator type="flag_generator" />
|
|
</input>
|
|
|
|
</generator>
|
|
</input>
|
|
|
|
<!--Create the groups-->
|
|
<utility module_path=".*/groups">
|
|
<input into="groups">
|
|
<datastore>groups</datastore>
|
|
</input>
|
|
</utility>
|
|
<!--Create the users-->
|
|
<utility module_path=".*/parameterised_accounts">
|
|
<input into="accounts">
|
|
<datastore>user_accounts_server</datastore>
|
|
</input>
|
|
</utility>
|
|
|
|
<utility module_path=".*/handy_cli_tools"/>
|
|
|
|
<vulnerability module_path=".*/ssh_root_login">
|
|
<input into="root_password">
|
|
<datastore>spoiler_admin_pass</datastore>
|
|
</input>
|
|
</vulnerability>
|
|
|
|
<!-- exposes the flags -->
|
|
<vulnerability type="suid_root_editor"/>
|
|
|
|
<network type="private_network">
|
|
<input into="IP_address">
|
|
<datastore access="1">IP_addresses</datastore>
|
|
</input>
|
|
</network>
|
|
<build type="cleanup">
|
|
<input into="root_password">
|
|
<datastore>spoiler_admin_pass</datastore>
|
|
</input>
|
|
</build>
|
|
</system>
|
|
|
|
<system>
|
|
<system_name>hackerbot_server</system_name>
|
|
<base distro="Kali" name="MSF"/>
|
|
|
|
<service type="ircd"/>
|
|
|
|
<utility module_path=".*/metasploit_framework"/>
|
|
<utility module_path=".*/nmap"/>
|
|
<utility module_path=".*/handy_cli_tools"/>
|
|
|
|
<service type="httpd"/>
|
|
|
|
<utility module_path=".*/hackerbot">
|
|
<input into="hackerbot_configs" into_datastore="hackerbot_instructions">
|
|
<generator module_path=".*/hb_facls">
|
|
<input into="accounts">
|
|
<datastore>user_accounts_desktop</datastore>
|
|
</input>
|
|
<input into="root_password">
|
|
<datastore>spoiler_admin_pass</datastore>
|
|
</input>
|
|
<input into="server_ip">
|
|
<datastore access="1">IP_addresses</datastore>
|
|
</input>
|
|
</generator>
|
|
</input>
|
|
</utility>
|
|
|
|
<network type="private_network" >
|
|
<input into="IP_address">
|
|
<datastore access="2">IP_addresses</datastore>
|
|
</input>
|
|
</network>
|
|
|
|
<build type="cleanup">
|
|
<input into="root_password">
|
|
<generator type="strong_password_generator"/>
|
|
</input>
|
|
</build>
|
|
<build type="cleanup">
|
|
<input into="root_password">
|
|
<datastore>spoiler_admin_pass</datastore>
|
|
</input>
|
|
</build>
|
|
</system>
|
|
|
|
</scenario>
|