<?xml version="1.0"?>
<scenario xmlns="http://www.github/cliffe/SecGen/scenario" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
<!--This file was generated by SecGen-->
<!--2018-04-15 12:45:35 +0200-->
<!--Based on a fulfilment of scenario: scenarios/default_scenario.xml-->
<!--You can replay the generation of these VM(s) using SecGen -s <this file> r-->
<!-- Overview: this resolved scenario describes a single system, "escalation". It pairs one remote
     vulnerability module (Gitlist, privilege="user_rwx") with one local vulnerability module
     (setuid Nmap, privilege="root_rwx"), i.e. a remote foothold followed by a local escalation. -->
<!-- The generated flag strings appear in clear text in this file, both in the generator trace
     comments and in the <value> inputs. Anyone who can read the file can read the flags, so it
     should be stored and shared as an answer key rather than as exercise material. -->
<!-- NOTE(review): xsi:schemaLocation is defined as whitespace-separated pairs of namespace URI and
     schema location. The value on the root element holds only the namespace URI, so it names no
     schema document. Presumably the consuming tool supplies its own schema; confirm. -->
<system>
<system_name>escalation</system_name>
<!-- Base box: Debian 7.8 (wheezy) 32-bit, per the attributes below. Debian 7 is past end of life,
     so the image should be assumed to carry unpatched issues beyond the two modules declared here. -->
<!-- The description records a fixed default root password for the box. NOTE(review): nothing in
     this file resets it, so assume it is still valid on the built VM unless a module changes it;
     confirm against the base module. -->
<base module_path="modules/bases/debian_puppet_32" name="Debian 7 Wheezy Server" author="Z\. Cliffe Schreuders" module_license="GPLv3" description="Based on the Official Puppet Vagrant box\. Debian 7\.8 \(wheezy\) 32\-bit \(i386\), Puppet 4\.3\.2 / Puppet Enterprise 2015\.3\.2 \(agent\)\.\n This is the primary base box used during development\. For testing purposes, the default root password is puppet\." cpu_word_size="32\-bit" type="server|cli" platform="linux|unix" distro="Debian 7\.8 \(wheezy\) 32\-bit \(i386\)" url="https://app\.vagrantup\.com/secgen/boxes/debian_wheezy_puppet/versions/1\.0\.0/providers/virtualbox\.box" ovirt_template="debian_server" reference="https://atlas\.hashicorp\.com/puppetlabs" software_license="various"/>
<!-- Package repository update utility; the empty <input into=""/> passes no parameters. -->
<utility module_path="modules/utilities/unix/update/unix_update" name="Unix update repository" author="Jason Keighley" module_license="Apache v2" description="An update module for unix" type="update" platform="linux">
<input into=""/>
</utility>
<!-- Apache HTTP server (type="httpd"). NOTE(review): presumably this is the web server hosting the
     Gitlist web application declared below; the file does not state the dependency explicitly. -->
<service module_path="modules/services/unix/http/apache_wheezy_compatible/apache" name="Apache HTTP Server \- Wheezy Compatible" author="Connor Wilson|Thomas Shaw|Puppet Labs" module_license="Apache v2" description="An installation of Apache" type="httpd" platform="linux" reference="https://httpd\.apache\.org/|https://forge\.puppet\.com/puppetlabs/apache" software_name="apache" software_license="Apache v2"/>
<!-- The four generator trace comments that follow record the outputs of the value generators.
     The same values are repeated as <value> inputs of the vulnerability module after them. -->
<!--Used to calculate values: modules/generators/messages/welcome_message-->
<!-- (inputs: {}, outputs: ["Greetings! Welcome to the server."])-->
<!--Used to calculate values: modules/generators/flag/flag_base64-->
<!-- (inputs: {}, outputs: ["flag{45jYFFqOQecixgIVx8m5w}"])-->
<!--Used to calculate values: modules/generators/filenames/random_filename-->
<!-- (inputs: {}, outputs: ["quae.jpg"])-->
<!--Used to calculate values: modules/generators/filenames/random_filename-->
<!-- (inputs: {}, outputs: ["voluptatibus.odp"])-->
<!-- Remote module: Gitlist 0.4.0, tracked as CVE-2014-4511, reachable on port 80 and marked
     access="remote" with privilege="user_rwx". The cvss_vector attribute is in CVSS v2 notation.
     The description states the issue affects Gitlist before 0.5.0, which is the upgrade target. -->
<!-- For detection exercises: per the description, the malicious input arrives in the file name
     part of the request URI for the blame, file and stats pages, so the web server access log is
     the natural place to look for evidence of this module being triggered. -->
<!-- read_fact lists images_to_leak, but no <input into="images_to_leak"> is supplied below. -->
<vulnerability module_path="modules/vulnerabilities/unix/webapp/gitlist_040" name="Gitlist 0\.4\.0 RCE" author="Thomas Shaw" module_license="MIT" description="\n Gitlist before 0\.5\.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file\n name in the URI of a request for a \(1\) blame, \(2\) file, or \(3\) stats page, as demonstrated by requests to\n blame/master/, master/, and stats/master/\.\n " type="webapp" privilege="user_rwx" access="remote" platform="linux" read_fact="port|strings_to_leak|images_to_leak|leaked_filenames" difficulty="low" cve="CVE\-2014\-4511" cvss_base_score="7\.5" cvss_vector="AV:N/AC:L/Au:N/C:P/I:P/A:P" msf_module="exploit/linux/http/gitlist_exec" hint="Visit the webapp in a browser at: ip:80/gitlist ">
<input into="port">
<value>80</value>
</input>
<!-- Two strings are passed to the module as content to leak: the welcome message and the first flag. -->
<input into="strings_to_leak">
<value>Greetings! Welcome to the server.</value>
<value>flag{45jYFFqOQecixgIVx8m5w}</value>
</input>
<!-- Two generated file names are passed alongside the two strings above. NOTE(review): whether
     names and strings are paired by position is decided by the module, not shown here. -->
<input into="leaked_filenames">
<value>quae.jpg</value>
<value>voluptatibus.odp</value>
</input>
</vulnerability>
<!-- Installs Nmap as a utility. The setuid_nmap vulnerability module further down refers to the
     same tool. -->
<utility module_path="modules/utilities/unix/audit_tools/scanners/nmap" name="Nmap Security Scanner" author="Thomas Shaw" module_license="Apache v2" description="Nmap network host, service and security scanner\." type="utility" platform="linux" reference="https://nmap\.org/">
<input into=""/>
</utility>
<!--Used to calculate values: modules/generators/flag/flag_hex-->
<!-- (inputs: {}, outputs: ["flag{a0a4624bfb14134fd561f30b54fda6dd}"])-->
<!--Used to calculate values: modules/generators/filenames/random_filename-->
<!-- (inputs: {}, outputs: ["quia.numbers"])-->
<!-- Local module: access="local", privilege="root_rwx", type="access_controls". Unlike the Gitlist
     module it carries no cve, cvss or msf_module attributes, which fits a configuration weakness
     rather than a software defect. -->
<!-- NOTE(review): the module name and description imply the nmap binary is installed with the
     setuid bit; the owner and mode are set by the module and are not visible in this file. On the
     defensive side, a routine audit of setuid files against the distribution's expected set is
     the control that surfaces this kind of misconfiguration. -->
<vulnerability module_path="modules/vulnerabilities/unix/local/setuid_nmap" name="Nmap Setuid" author="Thomas Shaw" module_license="MIT" description="Nmap setuid local privilege escalation" type="access_controls" privilege="root_rwx" access="local" platform="linux" read_fact="strings_to_leak|leaked_filenames" difficulty="medium">
<input into="strings_to_leak">
<value>flag{a0a4624bfb14134fd561f30b54fda6dd}</value>
</input>
<input into="leaked_filenames">
<value>quia.numbers</value>
</input>
</vulnerability>
<!-- Samba file share service. No vulnerability module in this file refers to it, but it is still
     an additional listening service on the VM. -->
<service module_path="modules/services/unix/smb/samba" name="Samba file share Server" author="example42|Jason Keighley" module_license="Apache v2" description="An installation of Samba" type="smb" platform="linux" reference="https://forge\.puppet\.com/example42/samba" software_name="samba" software_license="Apache v2"/>
<!-- Host-only private network with DHCP addressing, per module_path and range. Given the remote
     module and the documented default root password above, the VM should stay on an isolated
     network like this one and not be bridged to a shared or routed network. -->
<network module_path="modules/networks/host_only/private_network_3" name="Private Network \#3" author="Z\. Cliffe Schreuders" module_license="GPLv3" description="A network using DHCP" type="private_network" range="dhcp"/>
</system>
</scenario>