lab updates

Z. Cliffe Schreuders
2019-02-22 14:00:01 +00:00
parent ef8c89848d
commit a556ba7d8a
4 changed files with 21 additions and 30 deletions


@@ -19,7 +19,7 @@ GIT
GEM
remote: https://rubygems.org/
specs:
CFPropertyList (2.3.6)
CFPropertyList (3.0.0)
PriorityQueue (0.1.2)
activesupport (5.2.2)
concurrent-ruby (~> 1.0, >= 1.0.2)
@@ -39,7 +39,6 @@ GEM
digest-whirlpool (1.0.3)
duplicate (1.1.1)
facter (2.5.1)
CFPropertyList (~> 2.2)
faker (1.9.3)
i18n (>= 0.7)
faraday (0.13.1)
@@ -96,8 +95,7 @@ GEM
json (>= 1, < 3)
pg (1.1.4)
process_helper (0.1.2)
puppet (6.2.0)
CFPropertyList (~> 2.2)
puppet (6.3.0)
facter (> 2.0.1, < 4)
fast_gettext (~> 1.1.2)
hiera (>= 3.2.1, < 4)
@@ -188,4 +186,4 @@ DEPENDENCIES
zipruby
BUNDLED WITH
1.11.2
1.16.6


@@ -142,11 +142,11 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
</condition>
<condition>
<output_matches>s-0-</output_matches>
<message>:( Looks like <%= $second_user %> can access the file... Almost there...</message>
<message>:( Looks like <%= $second_user %> can access the file... But not <%= $main_user %>. Almost there...</message>
</condition>
<condition>
<output_matches>s-2-</output_matches>
<message>:( Looks like <%= $second_user %> can't access the file... Use ACLs to make sure they can...</message>
<message>:( Looks like <%= $second_user %> can't access the file... Use ACLs to make sure they can... (Hint: Consider the directory and file permissions)</message>
</condition>
<condition>
<output_matches>m-0-</output_matches>
@@ -165,17 +165,16 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
<attack>
<% $rand_shared_dir = "/home/#{$main_user}/shared#{SecureRandom.hex(3)}/" %>
<prompt>On your desktop system, create a directory, <%= $rand_shared_dir %>. Make sure the directory is owned by <%= $main_user %>. Use Linux ACLs (and Unix special permissions, but not groups) to enable <%= $second_user %> and <%= $third_user %> to also create shared files in the directory (read and write for all three users), but not delete files owned by each other.</prompt>
<prompt>On your desktop system, create a directory, <%= $rand_shared_dir %>. Make sure the directory is owned by <%= $main_user %>. Use Linux ACLs (but not groups) to enable <%= $second_user %> and <%= $third_user %> to also create shared files in the directory (read and write for all three users), but not available to other users.</prompt>
<!-- TODO!!!!!! -->
<post_command>sudo -u <%= $main_user %> bash -c 'echo "<%= $main_user %> was here!" > <%= $rand_shared_dir %>/shared_file' >/dev/null; echo m-$?-; sudo -u <%= $second_user %> bash -c 'echo "<%= $second_user %> was here!" >> <%= $rand_shared_dir %>/shared_file' >/dev/null; echo s-$?-; sudo -u <%= $third_user %> bash -c 'echo "<%= $third_user %> was here!" >> <%= $rand_shared_dir %>/shared_file' >/dev/null; echo t-$?-; ls -l <%= $rand_shared_dir %>/shared_file | grep +; echo f-$?- ; getfacl <%= $rand_shared_dir %>/shared_file | grep '^group:[^:]'; echo g-$?-; sudo -u <%= $second_user %> rm <%= $rand_shared_dir %>/shared_file >/dev/null; echo del-$?-; </post_command>
<post_command>sudo -u <%= $main_user %> bash -c 'echo "<%= $main_user %> was here!" > <%= $rand_shared_dir %>shared_file' >/dev/null; echo m-$?-; sudo -u <%= $second_user %> bash -c 'echo "<%= $second_user %> was here!" >> <%= $rand_shared_dir %>shared_file' >/dev/null; echo s-$?-; sudo -u <%= $third_user %> bash -c 'echo "<%= $third_user %> was here!" >> <%= $rand_shared_dir %>shared_file' >/dev/null; echo t-$?-; ls -l <%= $rand_shared_dir %>shared_file | grep +; echo f-$?- ; getfacl <%= $rand_shared_dir %>shared_file | grep '^group:[^:]'; echo g-$?-; getfacl <%= $rand_shared_dir %>shared_file | grep '^other::---'; echo o-$?-; rm <%= $rand_shared_dir %>shared_file </post_command>
<condition>
<output_matches>No such file or directory</output_matches>
<message>:( It looks like the directory might not exist (or perhaps a permissions issue).</message>
</condition>
<condition>
<output_matches>m-0-.*s-0-.*t-0-.*f-0-.*g-1-.*del-1-</output_matches>
<output_matches>m-0-.*s-0-.*t-0-.*f-0-.*g-1-.*o-0-</output_matches>
<message>:) Well done! <%= $flags.pop %></message>
<trigger_next_attack />
</condition>
@@ -184,11 +183,11 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
<message>:P Looks like you got all the file access working, but you are supposed to use facls for this task! Hint: Make sure you have set a default ACL.</message>
</condition>
<condition>
<output_matches>del-0-</output_matches>
<message>:( A file created by <%= $main_user %> wasn't protected from being deleted by <%= $second_user %>! Hint: consider using the sticky bit.</message>
<output_matches>o-[1-9]+-</output_matches>
<message>:( Other users can access files in your shared directory. Hint: consider using default ACLs.</message>
</condition>
<else_condition>
<message>:( Something was not right. Make sure all three users can access the file. </message>
<message>:( Something was not right. Make sure all three users can access the directory to create and share files. </message>
</else_condition>
</attack>
@@ -201,7 +200,7 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
<condition>
<output_matches>.*</output_matches>
<message>:)</message>
<message>8-)</message>
<trigger_next_attack />
</condition>
<condition>
@@ -215,6 +214,5 @@ Randomised instance generated by [SecGen](http://github.com/cliffe/SecGen) (<%=
</attack>
<!-- TODO: add another attack where HB uses a hardlink attack against the SUID program - they have to fix the problem -->
</hackerbot>
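Review bot: The new "other users" check in the shared-directory attack reads only the `other::` entry of `shared_file`, so a directory that is itself still open to other users passes as long as its default ACL gives new files `other::---`. The prompt asks that the shared files are not available to other users, so the post_command should also test the directory's own access entry before the final `rm`, for example `getfacl <%= $rand_shared_dir %> | grep '^other::---'; echo dir-$?-;`, with `dir-0-` added to the success pattern. The `<!-- TODO!!!!!! -->` beside the post_command, if it is new in this commit, does not say what is outstanding; describe the remaining work or drop it.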


@@ -1,10 +0,0 @@
class suid_root_nano::change_uid_permissions ($file_input = [],$user = 'root') {
$file_input.each |String $file, String $permission_code| {
file { $file:
# ensure => 'file',
mode => "$permission_code",
owner => $user,
}
notice("File {$file} permissions have been checked.")
}
}


@@ -1,5 +1,10 @@
'suid_root_nano::change_uid_permissions':
file_input => {
'/bin/nano' => '4755',
'/usr/bin/nano' => '4755',
class suid_root_nano::config {
file { '/bin/nano':
mode => "4755",
owner => "root",
}
file { '/usr/bin/nano':
mode => "4755",
owner => "root",
}
}
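Review bot: The new `suid_root_nano::config` class sets mode 4755 with owner root on both nano paths without any comment saying that this setuid-root editor is the intended lab weakness, so a reader cannot tell it is deliberate or that it must stay confined to generated lab VMs. Add a header comment such as `# Deliberately insecure: makes nano setuid root for the lab scenario; only for SecGen-generated VMs.` As a style point, the two identical resources can be one declaration with single-quoted literals, `file { ['/bin/nano', '/usr/bin/nano']: mode => '4755', owner => 'root' }`. The `group` attribute is left unmanaged in both resources.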