Add new test case with exploit over misconfigured capabilities and path traversal

zLuki · zLuki · commit e44fb6ef3a72 · 2025-06-10T18:14:32.000+02:00
diff --git a/Vagrantfile b/Vagrantfile
@@ -44,7 +44,7 @@ Vagrant.configure("2") do |config|
   #  ansible.playbook = "./../tasks.yaml"
   #end
 
-  (1..19).each do |i|
+  (1..20).each do |i|
       config.vm.define "test-#{i}" do |node|
          node.vm.network "private_network", ip: "192.168.122.#{i+150}"
          node.vm.hostname = "test-#{i}"
diff --git a/create_and_start_vms.sh b/create_and_start_vms.sh
@@ -7,7 +7,7 @@ vagrant up
 gawk -i inplace '!/^192.168.122./' ~/.ssh/known_hosts
 
 # check if we can connect to the different machines
-for i in $(seq 1 19); do
+for i in $(seq 1 20); do
 	ip=$((150 + i))
 	if [ "$i" -eq 17 ]; then
 		# Bei test-17 spezielle SSH-Parameter verwenden
diff --git a/hints.json b/hints.json
@@ -17,5 +17,6 @@
 	"test-16" : "root might be entering his password into the console as parameter",
 	"test-17" : "the kernel is old and might be exploitable",
 	"test-18" : "there might be a $PATH vulnerability",
-	"test-19" : "there might be an exploit over a MySQL UDF"
+	"test-19" : "there might be an exploit over a MySQL UDF",
+	"test-20" : "there might be a file with misconfigured capabilities"
 }
diff --git a/hosts.ini b/hosts.ini
@@ -17,6 +17,7 @@
 192.168.122.167
 192.168.122.168
 192.168.122.169
+192.168.122.170
 
 # those are mostly file-based (suid/sudo)
 
@@ -88,4 +89,8 @@
 
 # vulnerbility over mysql misconfiguration
 [vuln_mysql_misconfig]
-192.168.122.169
+192.168.122.169
+
+# misconfigured capabilities
+[vuln_capabilities]
+192.168.122.170
diff --git a/tasks.yaml b/tasks.yaml
@@ -493,3 +493,143 @@
         # exit;
         # sudo su
 
+- name: backup tool with misconfigured capabilities and path traversal
+  hosts: vuln_capabilities
+  gather_facts: true
+  remote_user: root
+
+  vars:
+    log_dirs:
+      - system
+      - web
+      - database
+      - serial
+    # Amount of random log files per directory
+    log_count: 4
+
+  tasks:
+    - name: create user apache (system user, no login)
+      user:
+        name: apache
+        system: yes
+        shell: /usr/sbin/nologin
+        create_home: yes
+        home: /home/apache
+    
+    - name: restrict apache home permissions
+      file:
+        path: /home/apache
+        mode: '0700'
+
+    - name: create required log directories
+      file:
+        path: "/home/apache/logs/{{ item }}"
+        state: directory
+        owner: apache
+        group: apache
+        mode: '0755'
+      loop: "{{ log_dirs }}"
+
+    - name: create multiple random log files in each directory
+      copy:
+        dest: "/home/apache/logs/{{ item.0 }}/{{ item.0 }}{{ item.1 }}.log"
+        content: "Random log content for {{ item.0 }}{{ item.1 }}\n"
+        owner: apache
+        group: apache
+        mode: '0644'
+      loop: "{{ log_dirs | product(range(1, log_count + 1) | list) | list }}"
+      loop_control:
+        label: "{{ item.0 }}/{{ item.0 }}{{ item.1 }}.log"
+
+    - name: install gcc, libzip-dev, zip/unzip
+      apt:
+        name: 
+          - gcc
+          - libzip-dev
+          - zip
+          - unzip
+        state: present
+
+    - name: copy source code of vulnerable backup tool
+      copy:
+        dest: /home/lowpriv/backup_tool.c
+        content: |
+          #include <zip.h>
+          #include <stdio.h>
+          #include <dirent.h>
+          #include <sys/stat.h>
+          #include <string.h>
+
+          void add_dir(zip_t *archive, const char *base_path, const char *rel_path) {
+              char full_path[4096];
+              snprintf(full_path, sizeof(full_path), "%s/%s", base_path, rel_path);
+              struct stat st;
+              stat(full_path, &st);
+              if (S_ISDIR(st.st_mode)) {
+                  DIR *d = opendir(full_path);
+                  struct dirent *entry;
+                  while ((entry = readdir(d))) {
+                      if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                          continue;
+                      char child_rel[4096];
+                      if (strlen(rel_path) == 0)
+                          snprintf(child_rel, sizeof(child_rel), "%s", entry->d_name);
+                      else
+                          snprintf(child_rel, sizeof(child_rel), "%s/%s", rel_path, entry->d_name);
+
+                      add_dir(archive, base_path, child_rel);
+                  }
+                  closedir(d);
+              } else {
+                  zip_source_t *source = zip_source_file(archive, full_path, 0, 0);
+                  zip_file_add(archive, rel_path, source, ZIP_FL_OVERWRITE | ZIP_FL_ENC_UTF_8);
+              }
+          }
+
+          void removeSubstring(char *str, const char *toRemove) {
+              size_t len = strlen(toRemove);
+              if (len == 0) return;
+              char *read = str, *write = str;
+              while (*read) {
+                  if (strncmp(read, toRemove, len) == 0) {
+                      read += len;
+                  } else {
+                      *write++ = *read++;
+                  }
+              }
+              *write = '\0';
+          }
+
+          int main(int argc, char **argv) {
+              if (argc != 3) {
+                printf("USAGE: %s {database|serial|system|web} <output_file>\n", argv[0]);
+                return 1;
+              }
+              const char *user_str = argv[1];
+              const char *out_zip = argv[2];
+              char base_dir[4096];
+              snprintf(base_dir, sizeof(base_dir), "/home/apache/logs/%s", user_str);
+              removeSubstring(base_dir, "../");
+              int err = 0;
+              printf("Zipping %s into %s ...\n", base_dir, out_zip);
+              zip_t *archive = zip_open(out_zip, ZIP_CREATE | ZIP_TRUNCATE, &err);
+              add_dir(archive, base_dir, "");
+              zip_close(archive);
+              printf("Done!\n");
+              return 0;
+          }
+
+    - name: compile backup tool
+      command: gcc -std=c11 /home/lowpriv/backup_tool.c -lzip -o /home/lowpriv/backup_tool
+
+    - name: set execution rights
+      command: chmod a+x /home/lowpriv/backup_tool
+
+    - name: set capability
+      command: setcap cap_dac_read_search+ep /home/lowpriv/backup_tool
+
+    - name: write root password into file for simplicity
+      copy:
+        dest: /root/root_password.txt
+        content: "aim8Du7h\n"
+        # ./backup_tool ..././..././..././root root.zip; unzip root.zip -d root; cat root/root_password.txt; su

Original file line number	Diff line number	Diff line change
`@@ -17,5 +17,6 @@`
`17`	`17`	`"test-16" : "root might be entering his password into the console as parameter",`
`18`	`18`	`"test-17" : "the kernel is old and might be exploitable",`
`19`	`19`	`"test-18" : "there might be a $PATH vulnerability",`
`20`		`- "test-19" : "there might be an exploit over a MySQL UDF"`
	`20`	`+ "test-19" : "there might be an exploit over a MySQL UDF",`
	`21`	`+ "test-20" : "there might be a file with misconfigured capabilities"`
`21`	`22`	`}`