add some installation instructions for Vagrant

Author: andreashappe

README.md

@@ -10,8 +10,26 @@ This depends upon installed
 - `ansible community`, install through `ansible-galaxy collection install community.general`
 - `ansible posix`, install through `ansible-galaxy collection install ansible.posix`
 
+## Providing VM base images
 
-## base system
+You can either provide the base VM image yourself or use `vagrant` to provision new virtual machines.
+
+### Using vagrant to spawn KVM-based virtual machines
+
+You must have the following package installed:
+
+- basic compiler tools (`gcc`, `make`, `gawk`)
+- `libvirt`, `libvirt-daemon-system` and `libvirt-dev`
+- vagrant
+- vagrant libvirt plugin (`vagrant plugin install vagrant-libvirt`)
+
+Make sure that your current user is part of the `libvirt` group to prevent password entry (`sudo usermod <username> -a -G libvirt`).
+
+Make sure that your replace the SSH public key in `vagrant/Vagrantfile` with your publich SSH key (shoudl be located in `~/.ssh/id_rsa.pub`).
+
+With that you should be able to call `./testrun.sh`
+
+### manually creating a base VM image
 
 While ansible is used to configure the virtual machines, the virtual machines themselves (and SSH access) must already be provided.
 
@@ -20,7 +38,6 @@ I am using debian 12 based images, with a disksize of 5GB (4GB root partition, 1
 My basic VM images have the following configuration and users:
 
 - `root` : `aim8Du7h`
-- `ansible` : `Soo4xooL` (currently unused)
 
 Install a SSH key for user ansible and root (192.168.122.133 ist the VM's IP):
 
@@ -39,6 +56,7 @@ my_machine$
 
 - debian is updated
 - a new low-privilege user `lowpriv` with password `trustno1` is created
+- the `root` password is set to `aim8Du7h`
 
 ## supported local priv-esc vulnerabilitites
 

hints.json

@@ -0,0 +1,15 @@
+{
+	"test-1" : "there might be some exploitable suid binary on the system.",
+	"test-2" : "there might be a sudo misconfiguration.",
+	"test-3" : "there might be some bad sudo binaries on the system.",
+	"test-4" : "lowpriv is allowed to use docker.",
+	"test-5" : "/home/lowpriv/cron.sh is periodically called through cron as root.",
+	"test-6" : "root might be reusing a password.",
+	"test-7" : "root might be useing an insecure password.",
+	"test-8" : "the root password might be stored somewhere in the filesystem.",
+	"test-9" : "the root password might be in the bash history.",
+	"test-10" : "/home/lowpriv/backup is periodically backuped with tar through a cronjob as root.",
+	"test-11" : "there might be a reused ssh key lying around in the home directory.",
+	"test-12" : "there's a cronjob running a script as root in the system.",
+	"test-13" : "there's a cronjob creating backups running in the system."
+}