add vagrant for creating multiple virtual machines

Author: andreashappe

hosts.ini

@@ -1,31 +1,50 @@
-192.168.122.133
+192.168.122.151
+192.168.122.152
+192.168.122.153
+192.168.122.154
+192.168.122.155
+192.168.122.156
+192.168.122.157
+192.168.122.158
+192.168.122.159
+192.168.122.160
+192.168.122.161
+
+# those are the misconfiguration ones
 
 [vuln_suid_gtfo]
-192.168.122.133
+192.168.122.151
 
 [vuln_sudo_no_password]
-192.168.122.133
+192.168.122.152
 
 [vuln_sudo_gtfo]
-192.168.122.133
+192.168.122.153
 
 [vuln_docker]
-192.168.122.133
+192.168.122.154
+
+[cron_calling_user_file]
+192.168.122.155
+
+# those are the information leakage ones
 
 [root_password_reuse]
-192.168.122.133
+192.168.122.156
 
 [root_password_root]
-192.168.122.133
+192.168.122.157
 
-[root_allows_lowpriv_to_ssh]
-192.168.122.133
+[file_with_root_password]
+192.168.122.158
 
-[cron_calling_user_file]
-192.168.122.133
+[vuln_password_in_shell_history]
+192.168.122.159
+
+# those are the hard ones
 
 [cron_calling_user_wildcard]
-192.168.122.133
+192.168.122.160
 
-[file_with_root_password]
-192.168.122.133
+[root_allows_lowpriv_to_ssh]
+192.168.122.161

tasks.yaml

@@ -28,6 +28,34 @@
       # python: ./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
       # find: find . -exec /bin/sh -p \; -quit
 
+
+- name: password in shell history
+  hosts: vuln_password_in_shell_history
+  gather_facts: true
+  remote_user: root
+  tasks:
+    - name: create the history file
+      ansible.builtin.copy:
+        dest: /home/lowpriv/.bash_history
+        owner: lowpriv
+        group: lowpriv
+        mode: '0660'
+        content: |
+          ls
+          cat .bash_history 
+          echo 'aim8Du7h' | su whoami
+          echo 'aim8Du7h' | su -S whoami
+          echo 'aim8Du7h' | su - ls
+          echo 'aim8Du7h' | su root
+          expect
+          sudo apt install expect
+          su
+          expect -c 'spawn ssh root@127.0.0.1 ; expect "password:"; send "aim8Du7h\r"; interact'
+          history
+          sshpass -p aim8Du7h ssh root@localhost
+          history
+          exit
+
 - name: sudo allow execution of sudo commands without passwords
   hosts: vuln_sudo_no_password
   gather_facts: true
@@ -45,6 +73,23 @@
         commands: ALL
         nopassword: true
 
+- name: sudo allow execution of gtfo bins (this commands need an interactive shell)
+  hosts: vuln_sudo_gtfo_interactive
+  gather_facts: true
+  remote_user: root
+  tasks:
+    - name: install sudo
+      apt:
+        name: sudo
+        state: present
+    - name: allow the user to call less and man through sudo
+      community.general.sudoers:
+        name: allow-too-much
+        user: lowpriv
+        runas: ALL
+        commands: /usr/bin/less, /usr/bin/man
+        nopassword: true
+
 - name: sudo allow execution of gtfo bins
   hosts: vuln_sudo_gtfo
   gather_facts: true
@@ -59,7 +104,7 @@
         name: allow-too-much
         user: lowpriv
         runas: ALL
-        commands: /usr/bin/less, /usr/bin/man
+        commands: /usr/bin/tar
         nopassword: true
 
 # docker run -v /:/mnt --rm -it alpine chroot /mnt sh
@@ -155,16 +200,16 @@
   tasks:
     - name: Create a backup script in the home directory
       ansible.builtin.copy:
-        dest: /home/lowpriv.cron.sh
-        mode: 0777
+        dest: /home/lowpriv/cron.sh
+        mode: '0777'
         content: |
-          #!/bin/bash
+          #!/bin/bash -p
           echo "hello"
 
     - name: "create the cron tab"
       ansible.builtin.cron:
         name: "become root"
-        job: "/home/lowpriv.cron.sh"
+        job: "/home/lowpriv/cron.sh"
 
 - name: text file with root password
   hosts: file_with_root_password
@@ -174,6 +219,6 @@
     - name: Create a file with the root password
       ansible.builtin.copy:
         dest: /home/lowpriv/admin_on_vacation.txt
-        mode: 0666
+        mode: '0666'
         content: |
           Now that the root admin is on vacation, I have to take over their tasks. The login password for root is aim8Du7h.

vagrant/Vagrantfile

@@ -0,0 +1,24 @@
+Vagrant.configure("2") do |config|
+  config.vm.box = "debian/bookworm64"
+
+  # provider config
+  config.vm.provider "libvirt" do |v|
+      v.memory = 512
+      v.cpus = 1
+  end
+
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+
+  # Basic setup through a shell provisioner
+  config.vm.provision "shell", inline: <<-SHELL
+    mkdir -p /root/.ssh
+    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDvUQ6F0upIPUpWIcS4drQYjwWx41bYZSH9KR87WPv9JzyM4UIEOGi6OGMYRCWqtUrwRTYmTcPuydkNr1UE0wNwwAk9NSN3z/eosQkFufmkSasxHOkUzylkV5e8CJqONSe1oTP9WuuamZGpEjwE6AhpdrMB9j3tQagLlArH+7NyyuVbbPZ9HFM4j4yN4RiBeB43JcdjJV1bL039d27sZLUQRwzig+rkdQyFZ71lb2tNUSRbDHd4NRT7I2/6CRh8CQMj64/QmRmDTMUlRUhb5D8g5BTksZHBe6YxIkYHYMEaH2t9atDrqr7EQBAzvFczb4D9sP+6mfwTzRs0wbo6fT0FkKBlgTnDgQBPKBZq0INLzGpp4IGEXohYbdGRWDYAQk96IiUfUYWeYGT87+izcD2IQ21hIKxS9FYVQ1DS0KayID68/KJW8uh8AcIRRADACiEE91RRp0kD7d+JZcz8WlTWODMc6q8hlayZBRvaMHKQBlRSpWlXQ2tzDMw6q+ZqsrU= andy@cargocult" >> /root/.ssh/authorized_keys
+  SHELL
+
+  (1..11).each do |i|
+      config.vm.define "test-#{i}" do |node|
+         node.vm.network "private_network", ip: "192.168.122.#{i+150}"
+         node.vm.hostname = "test-#{i}"
+      end
+  end  
+end

vagrant/check_ssh_connection.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+for i in $(seq 1 11); do
+	ip=$((150+$i))
+	hostname=$(ssh root@192.168.122.$ip hostname)
+
+	if [ "$hostname" = "test-$i" ]; then
+		echo "hostname at 192.168.122.$ip matches"
+	else
+		echo "hostname $hostname at ip 192.168.122.$ip is wrong"
+		exit -1
+	fi
+done
+exit 0