<?xml version="1.0"?>
<!-- SecGen scenario "Flawed Fortress" (ff_in_the_wild.xml): a Kali attacker VM and a
     Debian 10 target seeded with generated flags, several of them encoded.
     No encoding is declared, so the document must be UTF-8 or UTF-16 per XML 1.0;
     the content as shown is plain ASCII. -->
<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<!-- NOTE(review): xsi:schemaLocation is defined as whitespace-separated
     namespace/location pairs; only the namespace URI appears here, so a validating
     parser gets no usable schema hint from this attribute. Left as-is because the
     scenario schema's location is not given in this file. -->
<name>Flawed Fortress</name>
<author>Z. Cliffe Schreuders</author>
<author>Thomas Shaw</author>
<description>Hack the server. Find / decode the flags.
</description>
<!-- Scenario classification: three ctf type tags and one difficulty level. -->
<type>ctf</type>
<type>attack-ctf</type>
<type>pwn-ctf</type>
<difficulty>intermediate</difficulty>
<!-- CyBOK mappings: KA is the knowledge area, topic/keyword the catalogue entries this
     scenario exercises. Keyword casing varies; presumably the spellings must match an
     external CyBOK list, so they are left unchanged. -->
<CyBOK KA="AC" topic="Symmetric Cryptography">
<keyword>symmetric encryption and authentication</keyword>
</CyBOK>
<CyBOK KA="F" topic="Artifact Analysis">
<keyword>cryptographic hashing</keyword>
<keyword>Encoding and alternative data formats</keyword>
</CyBOK>
<CyBOK KA="MAT" topic="Attacks and exploitation">
<keyword>EXPLOITATION</keyword>
<keyword>EXPLOITATION FRAMEWORKS</keyword>
</CyBOK>
<CyBOK KA="SOIM" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - SOFTWARE TOOLS</keyword>
<keyword>PENETRATION TESTING - ACTIVE PENETRATION</keyword>
<keyword>PENETRATION TESTING - NETWORK MAPPING - RECONNAISSANCE</keyword>
</CyBOK>
<CyBOK KA="NS" topic="PENETRATION TESTING">
<keyword>PENETRATION TESTING - NETWORK MAPPING - FINGERPRINTING</keyword>
<keyword>PENETRATION TESTING - NETWORK MAPPING - NMAP</keyword>
</CyBOK>
<!-- Attacker VM: Kali base image (name "MSF") plus the kali_top10 and kali_web utility
     modules. The two addresses below seed the IP_addresses datastore that both
     systems' private_network blocks read from by index. -->
<system>
<system_name>attack_vm</system_name>
<base distro="Kali" name="MSF"/>
<input into_datastore="IP_addresses">
<value>172.16.0.2</value>
<value>172.16.0.3</value>
</input>
<!-- Local kali/kali superuser login for the player's own box (this VM is not the
     target); the same account JSON is handed to the iceweasel utility below. -->
<utility module_path=".*/parameterised_accounts">
<input into="accounts">
<value>{"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
</utility>
<utility module_path=".*/iceweasel">
<input into="accounts">
<value>{"username":"kali","password":"kali","super_user":"true","strings_to_leak":[],"leaked_filenames":[]}</value>
</input>
<!-- autostart=false: presumably keeps the browser from launching at login; confirm
     against the iceweasel module. -->
<input into="autostart">
<value>false</value>
</input>
</utility>
<utility module_path=".*/kali_top10"/>
<utility module_path=".*/kali_web"/>
<!-- Private network; this VM takes index 0 of IP_addresses (172.16.0.2, assuming
     0-based datastore access). -->
<network type="private_network">
<input into="IP_address">
<datastore access="0">IP_addresses</datastore>
</input>
</network>
<!-- Generated admin password, stored in the datastore and applied as root_password by
     the cleanup build on BOTH systems (see the second <build> below), so the attacker
     VM and the target end up with the same root password. The "spoiler_" prefix
     presumably marks it as a build-time secret not meant for the player. Note that
     the target's root credential is then only as well protected as its copy on the
     attacker box; the strong_password_generator is what makes that acceptable. -->
<input into_datastore="spoiler_admin_pass">
<generator type="strong_password_generator"/>
</input>
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
<!-- Target VM: a few vulnerabilities that are in the wild, with some flags that need
     decoding, and some red herring services to keep things interesting. -->
<system>
<system_name>in_the_wild</system_name>
<base distro="Debian 10" type="desktop" name="KDE"/>
<!-- Text presumably shown after a successful login: "Hackme" passed through the
     string_format encoder, a generated ASCII-art banner, and the congratulation
     message. -->
<utility module_path=".*/after_login_message">
<input into="strings_to_leak">
<encoder type="string_format_encoder">
<input into="strings_to_encode">
<value>Hackme</value>
</input>
</encoder>
<generator type="ascii_art_generator"/>
<value>Well done! You hacked this server. There's a few ways of hacking this server and some extra flags for you to decode.</value>
</input>
</utility>
<!-- Vulnerability 1: no module is named; presumably any module matching
     read_fact/access/privilege is chosen at build time. It leaks two flags: one plain
     and one ascii_reversible-encoded. -->
<vulnerability read_fact="strings_to_leak" access="remote" privilege="user_rw.*">
<input into="strings_to_leak">
<generator type="flag_generator" />
<encoder type="ascii_reversible">
<input into="strings_to_encode">
<generator type="flag_generator" />
</input>
</encoder>
</input>
</vulnerability>
<!-- Vulnerability 2 (double encoded): same selection filters; one plain flag plus one
     flag passed through ascii_reversible twice. -->
<vulnerability read_fact="strings_to_leak" access="remote" privilege="user_rw.*">
<input into="strings_to_leak">
<generator type="flag_generator" />
<encoder type="ascii_reversible">
<input into="strings_to_encode">
<encoder type="ascii_reversible">
<input into="strings_to_encode">
<generator type="flag_generator" />
</input>
</encoder>
</input>
</encoder>
</input>
</vulnerability>
<!-- Vulnerability 3: leaks images. The first and third are generated from flag strings;
     the middle image_generator has no flag input and is the random red herring. -->
<vulnerability read_fact="images_to_leak" access="remote" privilege="user_rw.*">
<input into="images_to_leak">
<generator read_fact="strings_to_leak" type="image_generator" >
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
</generator>
<generator type="image_generator"/>
<generator read_fact="strings_to_leak" type="image_generator" >
<input into="strings_to_leak">
<generator type="flag_generator" />
</input>
</generator>
</input>
</vulnerability>
<!-- Private network; this VM takes index 1 of IP_addresses (presumably 172.16.0.3). -->
<network type="private_network">
<input into="IP_address">
<datastore access="1">IP_addresses</datastore>
</input>
</network>
<!-- Same generated root password as attack_vm, read from the shared datastore. -->
<build type="cleanup">
<input into="root_password">
<datastore>spoiler_admin_pass</datastore>
</input>
</build>
</system>
</scenario>