└── README.md
/README.md:
--------------------------------------------------------------------------------
1 | Hello everyone, I hope you are doing well. In this write-up I am going to show how you can make your own CTF box. If there is a vulnerability you want to teach people about, one that shows how severe it is and how it can be exploited, you can build a box and configure it around that vulnerability. I am going to walk through a basic example; it is the approach I came up with when I was creating my first vulnerable box.
2 |
3 | There won't be anything new in the box I am creating here, because I will be using an old Ubuntu release whose kernel is vulnerable to Dirty COW. (One caveat: the Exploit-DB entry in the references below, 37292, is the overlayfs local privilege escalation for the 3.13.0 kernel shipped with Ubuntu 14.04, CVE-2015-1328, not Dirty COW, CVE-2016-5195. A stock 14.04 install from the ISO is vulnerable to both as long as the kernel is never updated, so either exploit works for the privilege escalation step.) The important part is how you configure the box: opening FTP, SSH and HTTP services on it, or changing the port numbers they listen on.
4 |
5 | ## 1. Research
6 |
7 | First of all, research the vulnerability you want someone to exploit. Exploit-DB is a good place to look for a public exploit, and the corresponding Ubuntu Security Notice tells you which kernel build fixed it, so you know which release and kernel version the box has to stay on.
8 |
9 |
10 |
11 | So there is an exploit for an older version of the Linux kernel; to use it we have to install an older version of Ubuntu whose kernel falls in the affected range.
12 |
13 | Visit `http://old-releases.ubuntu.com/releases/` if you want to download old Ubuntu releases.
14 |
15 |
16 |
17 |
18 |
19 | We want the server image: it ships without a desktop environment and boots straight to a console, which is what we want, since the box should be CLI only.
20 |
21 | ## 2. Installation
22 |
23 | To install this image you can use VMware or VirtualBox. I recommend VirtualBox because it makes it easy to export the machine as an OVA file, which is what you will later upload to a CTF platform.
24 |
25 |
26 |
27 |
28 |
29 | Now let it go through the installation process.
30 |
31 |
32 |
33 | Select `No automatic updates`. This matters: unattended upgrades would pull in a patched kernel and silently remove the vulnerability you are building the box around.
34 |
35 |
36 |
37 | Here you can install some services straight away to save time; you can also install them later.
38 |
39 | I am selecting OpenSSH server so we can SSH into the box, LAMP server (Linux, Apache, MySQL and PHP) for the web server, and Samba for file sharing.
40 |
41 |
42 |
43 | Now that the OS is installed, set a password for root with `sudo -i passwd root` so you can `su` to root. Note that this alone does not let root log in over SSH; that is controlled by `PermitRootLogin` in `/etc/ssh/sshd_config`.
44 |
45 |
46 |
47 | ## 3. Configuration
48 |
49 | Now you want some tools installed on the box. First update the package index so apt can fetch packages:
50 |
51 | `apt update`
52 |
53 | Since we will exploit this box with the Dirty COW exploit, which is written in C, we need a compiler, so install `gcc` with `apt install gcc`. Two caveats: Ubuntu 14.04 is end of life, so if `apt update` fails with 404 errors, point `/etc/apt/sources.list` at `http://old-releases.ubuntu.com/ubuntu/` instead of the regular mirrors; and never run `apt upgrade` or `apt dist-upgrade` on this box, because a newer kernel package would patch the exact bug you want to keep.
54 |
55 |
56 |
57 |
58 |
59 | We now have all the tools we need to exploit this box. To place flags, generate a value (for example by piping some input into `md5sum`), store it in a file, and set the file's ownership and permissions so that only the intended user can read it. Don't derive the flag from a guessable phrase: the md5 of a short string can be recovered offline with a wordlist, which lets a player skip the intended path. Put each flag where reading it requires the step you want to reward, e.g. a user flag in the foothold user's home directory and the root flag in `/root`.
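To make the flag step concrete, here is an added example (my own, not from the original write-up) of placing flags from a shell: the flag value still comes from `md5sum` as described, but seeded from `/dev/urandom` rather than a typed phrase, and the file is written readable by its owner only. The paths `/home/player/user.txt` and `/root/root.txt` and the user name `player` in the usage comment are assumptions; `chown` only happens when the function runs as root.

```sh
#!/bin/sh
# Added example, not part of the original write-up.

# make_flag PATH [OWNER]: write a random 32-hex-char flag to PATH with mode 0400
# and print it so you can record it for the CTF platform. The value is the md5sum
# (GNU coreutils assumed) of 32 random bytes, so it cannot be recovered by
# hashing a wordlist the way the md5 of a typed phrase could.
make_flag() {
  path=$1
  owner=${2:-}
  flag=$(head -c 32 /dev/urandom | md5sum | cut -d ' ' -f 1)
  # Restrictive umask while writing so the file is never world-readable, even briefly
  (umask 077 && printf '%s\n' "$flag" > "$path")
  chmod 0400 "$path"
  # Only root can hand the file to another user; skip silently otherwise
  if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
    chown "$owner:$owner" "$path"
  fi
  printf '%s\n' "$flag"
}

# flag_mode PATH: the permission string as ls prints it, e.g. "-r--------"
flag_mode() {
  ls -ld "$1" | cut -c 1-10
}

# check_flag PATH: succeed only if PATH holds a 32-hex-char flag readable by its owner alone
check_flag() {
  [ "$(flag_mode "$1")" = "-r--------" ] || return 1
  printf '%s' "$(cat "$1")" | grep -Eq '^[0-9a-f]{32}$'
}

# Typical placement on the box (user "player" is assumed); run as root:
#   make_flag /home/player/user.txt player
#   make_flag /root/root.txt root
#   check_flag /root/root.txt && echo "root flag ok"
```

Run `check_flag` on every flag after the last `chown`/`chmod` pass, since a later `chmod -R` on a home directory is an easy way to make a flag world-readable again.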
60 |
61 |
62 |
63 |
64 |
65 | Remember to take a snapshot of your box, so that if you break something at any point you can revert instead of reinstalling everything from scratch.
66 |
67 | Before we set up the other services and the foothold, let's test that the privilege escalation exploit actually works. Download the exploit source from the same site where you found it, copy it onto the machine (for example with `scp`, now that SSH is installed), compile it with `gcc`, and run it as an unprivileged user.
68 |
69 |
70 |
71 |
72 |
73 | We escalated our privileges to root through this exploit, so it worked as expected. Remember to delete the compiled binary and its source afterwards (or revert to the snapshot), otherwise the player finds a ready-made exploit sitting on the box.
74 |
75 | ### 3.1 Configure FTP
76 | If you want an FTP server on your box, install `vsftpd` (`apt install vsftpd`):
77 |
78 |
79 |
80 | Make a backup of the vsftpd configuration file:
81 |
82 | `cp /etc/vsftpd.conf /etc/vsftpd.conf.orig` (prefix with `sudo` if you are not root)
83 |
84 |
85 |
86 | Make sure to enable this option (`anonymous_enable=YES`) if you want the anonymous user to be able to log in to FTP, and add two more directives:
87 |
88 |
89 |
90 | The first one (`anon_root`) tells vsftpd where the root directory for anonymous users is, and the other (`no_anon_password`) stops it from prompting the `anonymous` user for a password.
91 |
92 | Create the folder for FTP at the path you set in the vsftpd configuration and change its owner to `nobody:nogroup`. Don't make this directory writable: vsftpd refuses to let anonymous users into a writable anonymous root.
93 |
94 |
95 |
96 | Now add a file to the `ftp` folder that you want the anonymous user to read. If you want to change the default FTP port, add `listen_port=XX` to the configuration, where `XX` is the port number you choose (remember to allow that port in the firewall too, and bear in mind that a version scan will still identify the service from its banner).
97 |
98 |
99 |
100 | Here I added a file to check that when we log in as `anonymous` we land in the `/var/ftp` directory.
101 |
102 | We also need to allow FTP traffic through `ufw`, which denies incoming connections by default once it is enabled (`ufw allow 21/tcp`, or the port you chose). If a client can log in but directory listings hang, passive mode is the usual cause: pin `pasv_min_port`/`pasv_max_port` to a small range in `vsftpd.conf` and allow that range as well.
103 |
104 |
105 |
106 | Now to start the FTP service just type
107 | ```
108 | sudo service vsftpd start
109 | ```
110 |
111 | or, if you are running as root,
112 |
113 | ```
114 | service vsftpd start
115 | ```
116 |
117 |
118 |
119 | Now let's try connecting to the FTP service from the host (on the box itself, `netstat -tlnp` shows whether vsftpd is listening on the port you configured):
120 |
121 |
122 |
123 | As you can see we can retrieve the file that is in the `/var/ftp` directory. There is a lot more you can play around with, but this is the basic idea of how to set up an FTP server.
124 |
125 | That's pretty much all the configuration I'll do with FTP; now let's move on to configuring the HTTP server.
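As an added example (mine, not from the write-up), here is the anonymous read-only vsftpd setup the section above describes, written and then checked from a shell. `write_anon_ftp_conf` writes a minimal standalone `vsftpd.conf` (so keep the backup made earlier) to the path you give it, and `ftp_conf_check` reads a config back and fails if anonymous access is not set up as intended or if anonymous upload was accidentally left on. The port 2121 and the passive range 40000-40010 are assumptions you can change.

```sh
#!/bin/sh
# Added example, not from the original page.

# write_anon_ftp_conf FILE PORT: minimal anonymous, read-only vsftpd configuration
write_anon_ftp_conf() {
  cat > "$1" <<EOF
listen=YES
listen_port=$2
# Anonymous users allowed, no password prompt, confined to anon_root
anonymous_enable=YES
no_anon_password=YES
anon_root=/var/ftp
# System accounts stay out of FTP and nothing is writable
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
# Pin the passive data-port range so it can be allowed in ufw next to the listen port
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40010
EOF
}

# ftp_setting FILE KEY: value of KEY (last occurrence wins, comments ignored), empty if unset
ftp_setting() {
  grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d '=' -f 2-
}

# ftp_conf_check FILE: print one line per problem found; return 1 if there were any
ftp_conf_check() {
  f=$1
  rc=0
  [ "$(ftp_setting "$f" anonymous_enable)" = "YES" ] || { echo "anonymous_enable is not YES"; rc=1; }
  [ -n "$(ftp_setting "$f" anon_root)" ] || { echo "anon_root is unset"; rc=1; }
  [ "$(ftp_setting "$f" no_anon_password)" = "YES" ] || { echo "anonymous login will prompt for a password"; rc=1; }
  # Anonymous upload needs both write_enable and anon_upload_enable turned on
  if [ "$(ftp_setting "$f" write_enable)" = "YES" ] && [ "$(ftp_setting "$f" anon_upload_enable)" = "YES" ]; then
    echo "anonymous upload is enabled"; rc=1
  fi
  return $rc
}

# On the box, as root, after backing up the original config:
#   write_anon_ftp_conf /etc/vsftpd.conf 2121
#   ftp_conf_check /etc/vsftpd.conf && service vsftpd restart
#   ufw allow 2121/tcp && ufw allow 40000:40010/tcp
```

The check is deliberately strict about upload: an anonymous-writable FTP root is a different (and much easier) box than the one this write-up builds, so it should only ever be on when it is part of the intended path.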
126 |
127 | ### 3.2 Configure Apache HTTP server
128 |
129 | Since we already installed Apache when we chose the LAMP server option, all we have to do is allow HTTP traffic (port 80) through `ufw` (Uncomplicated Firewall):
130 |
131 | ```
132 | ufw allow http
133 | ```
134 |
135 | Or
136 |
137 | ```
138 | ufw allow 80/tcp
139 | ```
140 |
141 |
142 |
143 | By default there is an `index.html` page in the directory `/var/www/html`.
144 |
145 |
146 |
147 |
148 |
149 | Now let's check that PHP runs in web pages and make sure PHP is installed (it should be, as part of LAMP). The usual test is a file in the webroot containing `<?php phpinfo(); ?>`; remove it again afterwards, since it leaks version and configuration details you may not want to hand out.
150 |
151 |
152 |
153 |
154 |
155 | An important thing to take care of is that the web server files must belong to user and group `www-data`:`www-data`, not `root`:`root`, since Apache runs as `www-data`. To see the current ownership, list the directory:
156 |
157 |
158 |
159 | Now let's change the ownership (`chown -R www-data:www-data /var/www/html`):
160 |
161 |
162 |
163 | Here `-R` recursively changes the ownership of every file within the directory.
164 |
165 | In order to create a page vulnerable to RCE we need something like this:
166 |
167 |
168 |
169 | The first line is just a simple HTML heading telling the player that there is a parameter named `cmd`; the next line is the *bad code* that gives command execution, because the parameter is passed straight into PHP's `system()` function, which runs it as a shell command. The command runs as the `www-data` user, which is why the privilege escalation step is still needed afterwards.
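Here is an added example (my own, not the page's code) that ties the last three steps together from a shell: it writes the intentionally vulnerable page the paragraph describes (as `rce.php`, a name I chose), counts files in the webroot that are not owned by `www-data`, and builds a properly percent-encoded URL for testing the `cmd` parameter, since a raw `;` or space in the query string is not sent correctly by every client. The host `10.0.0.5` in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original page.

# write_rce_page FILE: the deliberately vulnerable page described in the text.
# Input from the cmd parameter goes straight into system(); that is the bug.
write_rce_page() {
  cat > "$1" <<'EOF'
<h1>Pass a command in the cmd parameter</h1>
<?php
// INTENTIONALLY VULNERABLE: unsanitised user input reaches the shell
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
EOF
}

# files_not_owned_by DIR USER: number of regular files under DIR whose owner is not USER
files_not_owned_by() {
  find "$1" -type f -exec ls -ld {} \; | awk -v o="$2" '$3 != o' | wc -l | tr -d ' '
}

# urlencode STRING: percent-encode every byte except RFC 3986 unreserved characters
urlencode() {
  printf '%s' "$1" | od -An -v -tx1 | tr -s ' \n' '\n\n' | while IFS= read -r hx; do
    [ -z "$hx" ] && continue
    dec=$((0x$hx))
    if { [ "$dec" -ge 48 ] && [ "$dec" -le 57 ]; } ||
       { [ "$dec" -ge 65 ] && [ "$dec" -le 90 ]; } ||
       { [ "$dec" -ge 97 ] && [ "$dec" -le 122 ]; } ||
       [ "$dec" -eq 45 ] || [ "$dec" -eq 46 ] || [ "$dec" -eq 95 ] || [ "$dec" -eq 126 ]; then
      # unreserved byte: emit the character itself via its octal escape
      printf "\\$(printf '%03o' "$dec")"
    else
      printf '%%%s' "$(printf '%s' "$hx" | tr 'a-f' 'A-F')"
    fi
  done
}

# rce_url BASE COMMAND: URL that runs COMMAND through the cmd parameter
rce_url() {
  printf '%s?cmd=%s\n' "$1" "$(urlencode "$2")"
}

# On the box, as root (paths assumed):
#   write_rce_page /var/www/html/rce.php
#   chown -R www-data:www-data /var/www/html
#   files_not_owned_by /var/www/html www-data    # should print 0
# From the attacking machine:
#   curl "$(rce_url http://10.0.0.5/rce.php 'id; cat /etc/passwd')"
```

The `curl` call should come back with `uid=33(www-data)`; if it shows root, Apache is running as the wrong user and the box gives away the privilege escalation for free.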
170 |
171 |
172 |
173 | ### 3.3 Configure SSH
174 |
175 | For SSH we need OpenSSH server, but that was installed at the beginning so we don't need to do it again. We can check the installed version, e.g. with `dpkg -l openssh-server`:
176 |
177 |
178 |
179 | As we did with FTP and HTTP, we just need to allow SSH traffic as well (`ufw allow ssh` or `ufw allow 22/tcp`):
180 |
181 |
182 |
183 |
184 |
185 | Make sure to test it from your host system: on Windows use `PuTTY`, on Linux type `ssh username@ip`. If it does not connect, you probably still need to allow SSH traffic as shown above.
186 |
187 | This uses password-based authentication. You could disable it and only allow public-key authentication (`PasswordAuthentication no` in `/etc/ssh/sshd_config`), but for now let's keep it password based.
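Since FTP, HTTP and SSH each got their own `ufw allow` rule, and the LAMP task also installs MySQL, it is worth confirming before export that only the services you intend are reachable. This added example (not from the original page) parses the output of `ufw status` and reports any allowed TCP port that is not on your intended list; the sample status text is constructed here so the script runs offline, and it includes a 3306/tcp rule to show the kind of accidental exposure the check is for.

```sh
#!/bin/sh
# Added example, not from the original page.

# Constructed sample of `ufw status` output; on the box use: status=$(ufw status)
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
21/tcp                     ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
21/tcp (v6)                ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
3306/tcp (v6)              ALLOW       Anywhere (v6)'

# allowed_tcp_ports STATUS_TEXT: space-separated, numerically sorted list of allowed
# TCP ports. The "(v6)" rows have "(v6)" in column 2, so they drop out of the filter.
allowed_tcp_ports() {
  printf '%s\n' "$1" |
    awk '$2 == "ALLOW" && $1 ~ /^[0-9]+\/tcp$/ { print $1 }' |
    sort -n -u | paste -s -d ' ' -
}

# unexpected_ports STATUS_TEXT "INTENDED LIST": allowed ports missing from the intended list
unexpected_ports() {
  intended=" $2 "
  for p in $(allowed_tcp_ports "$1"); do
    case "$intended" in
      *" $p "*) ;;
      *) printf '%s\n' "$p" ;;
    esac
  done
}

# firewall_ok STATUS_TEXT "INTENDED LIST": succeed only when nothing unexpected is allowed
firewall_ok() {
  [ -z "$(unexpected_ports "$1" "$2")" ]
}

# Usage on the box:
#   firewall_ok "$(ufw status)" "21/tcp 22/tcp 80/tcp" || echo "unintended ports are open"
```

Run the same kind of comparison against an `nmap` scan from the host as well: `ufw` only tells you what the firewall permits, while the scan tells you what is actually listening behind it.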
188 |
189 | One last thing, optional but useful: when this machine is booted from the OVA, it helps to modify the `motd` so the console shows the IP address the machine got, and players don't have to scan for it. To do that, go to the `/etc/update-motd.d` directory, remove the executable bit from the existing scripts (`chmod a-x /etc/update-motd.d/*`), and add your own script:
190 |
191 |
192 |
193 |
194 |
195 |
196 |
197 | To stop bash from keeping a history file, make `.bash_history` a symlink to `/dev/null` (the command is `ln`, not `symlink`). Do this for root and for any account the player will land in, since each user has their own history file:
198 |
199 | ```
200 | ln -sf /dev/null ~/.bash_history
201 | ```
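The motd and history steps above, as an added example (my own script, not the page's). `install_ip_motd` disables the stock scripts in an `update-motd.d` directory and drops in a banner script that prints the address of the first non-loopback IPv4 interface; `ip_from_addr_output` is the parsing the banner uses, split out so it can be tested on the constructed `ip -4 -o addr` output below. `disable_history` is the `/dev/null` symlink trick for a given home directory. The script name `00-ctf-banner` and the user `player` are my choices.

```sh
#!/bin/sh
# Added example, not from the original page.

# ip_from_addr_output TEXT: first non-loopback IPv4 address in `ip -4 -o addr` output
ip_from_addr_output() {
  printf '%s\n' "$1" | awk '$2 != "lo" && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# install_ip_motd DIR: turn off every existing motd script in DIR and add our banner
install_ip_motd() {
  dir=$1
  # Ubuntu runs each executable in /etc/update-motd.d at login; clearing the
  # x bit silences the stock help text and package-update counts
  for s in "$dir"/*; do
    [ -f "$s" ] && chmod a-x "$s"
  done
  cat > "$dir/00-ctf-banner" <<'EOF'
#!/bin/sh
# Show the address the box received so players don't have to guess it
addr=$(ip -4 -o addr | awk '$2 != "lo" && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }')
printf '\n  Vulnerable box is up. IP address: %s\n\n' "${addr:-not assigned yet}"
EOF
  chmod 0755 "$dir/00-ctf-banner"
}

# disable_history HOME_DIR: bash writes its history to /dev/null instead of a file
disable_history() {
  ln -sf /dev/null "$1/.bash_history"
}

# Constructed sample of `ip -4 -o addr` output for testing the parser
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.56.101/24 brd 192.168.56.255 scope global eth0\       valid_lft forever preferred_lft forever'

# On the box, as root:
#   install_ip_motd /etc/update-motd.d
#   disable_history /root; disable_history /home/player
```

The symlink only stops bash from writing the file at logout; the commands you typed while building the box are still in the running session's memory, so log out once after creating the link and before exporting.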
202 |
203 | ## 4. Exporting the VM to an OVA format
204 |
205 | Now that you have tested that the machine works as intended, and that the enumeration scripts you run against it show what you want them to show (although I haven't shown running them), export it to an OVA so you can upload and submit it, and players can download and import it into their VirtualBox or VMware. Before you export: remove the compiled exploit and its source from the test run (or revert to the clean snapshot and redo only the configuration), log out so the shell histories are gone, and confirm the flags still have their restrictive permissions.
206 |
207 | Go to `File > Export Appliance` (or, from the command line, `VBoxManage export "Ubuntu 14.04 Server" -o box.ova`).
208 |
209 |
210 | Then select your vulnerable machine; in my case it is `Ubuntu 14.04 Server`.
211 |
212 |
213 |
214 |
215 |
216 | There are many more things we could have done: a web application in Flask or Django, a Node.js server, NFS shares, or some rabbit holes. All of that depends on your own idea for the vulnerable machine; this was a very basic machine, and I hope you learned something from it.
217 |
218 | ## References
219 | https://linuxconfig.org/how-to-change-welcome-message-motd-on-ubuntu-18-04-server
220 |
221 | https://websiteforstudents.com/setup-apahce2-with-php-support-on-ubuntu-servers/
222 |
223 | https://phoenixnap.com/kb/install-ftp-server-on-ubuntu-vsftpd
224 |
225 | https://www.exploit-db.com/exploits/37292
226 |
227 | https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04
228 |
--------------------------------------------------------------------------------