I recently came across a project on GitHub titled SecGen. The project appears to be a research project by Dr Z. Cliffe Schreuders and aims to create a platform from which vulnerable operating systems and CTFs can be automatically generated. The idea seemed great, so I thought I would give it a go.

SecGen is essentially a Ruby script that takes advantage of Vagrant and Puppet to generate random vulnerable VMs inside VirtualBox.

Installation

Installation was easy enough. I decided to use an Ubuntu VM, as Ubuntu was recommended in the GitHub ReadMe. Simply install Vagrant (again, to keep it simple I used the exact version and commands from the ReadMe), install the dependencies and clone the repository to your machine.

Running the script

I decided I wanted to start with a basic vulnerable machine. There are multiple scenarios you can use, but the default scenario gives you a remotely exploitable vulnerability to give you user access and a local exploit to give you root. The default scenario also generates flags for you to find.

Simply running:

 ruby secgen.rb run 

will execute the default scenario.

The first time you run the script, it will download the base Linux OS for you. I initially ran into multiple errors trying to generate my first VM. Each time I ran the script I would get different errors, which made this extremely difficult to debug. It wasn’t until I was browsing the installation process for Metasploitable 3 that I noticed it recommended 4GB RAM for Vagrant. I then went back to my Ubuntu VM, increased the RAM and CPUs (it was previously running on 1 CPU and 1GB RAM) and this seemed to solve my issues. To give it the full test, I generated two VMs.

First VM

Playing my first VM, like any other, I quickly picked up the IP address with netdiscover and ran an Nmap scan. My Nmap scan pulled up ports 22, 80 and 111. I browse to the website and see that it looks to be a personal web page with a contact page with random individuals’ contact information (this is all randomly generated by SecGen). I run nikto and DirBuster and find nothing significant. I continue to hunt around for another hour and find nothing. Getting worried, I give in and look at the flag_hints.xml file that SecGen generates. It tells me the exploit involves GitList; however, I have never seen any reference to GitList at all and I cannot access the URL it gives in the flag hint. I decide to log into the vulnerable VM using the default user name and password - ‘root’ and ‘puppet’. I navigate to /var/www/ and see an index.html and the folder GitList; however, I still cannot access it. There is also a folder titled ‘parameterised_website’; inside this folder are the files I have been able to access externally. It seems something has gone wrong in creating the VM and the website I am meant to access is not accessible. I decide that I could fix this, but since I now know how to do the VM I decide I will give the second VM a try.

Second VM

My Nmap scan finds the same ports, 22, 80 and 111. However, when I browse to the website I am presented with a wiki of some sort. This looked good and I play around with the wiki and see that I can upload files and create accounts. I decide to do a quick Google and find out that it is MoinMoin Wiki and that there is a Metasploit module for version 1.9.5. A quick look at the wiki’s source code reveals a few references to ‘195’ in filenames, so I assume that this is the way in. I fire up Metasploit and point it at the wiki. First time firing doesn’t work and I discover that I need to create an account and enter those credentials into Metasploit; however, I also need to point Metasploit to a page that I have edit rights on. Once this is done Metasploit gives me a shell as www-data.

I load up my trusty LinEnum.sh script and have a look around. I immediately note I have gcc installed and the box is running kernel 3.2.0, so Dirty COW is a go for privilege escalation. I copy over the exploit, compile and run, and I have root access. I browse to root’s home directory and there is a file titled ‘top_secret_information’ and inside is my flag.

I decide to browse the flag_hints.xml for this VM to confirm that I followed the right exploit path. I was correct for the user-level access; however, it turned out that the intended path for root was exploiting chkrootkit 0.49. I grew concerned as the kernel may be used across all generated VMs as it’s part of the base image. This was confirmed with my first VM also running kernel 3.2.0. Therefore every VM will be exploitable by Dirty COW (sure, I can ignore it, but it is so tempting).

Thoughts

I looked through the source code for SecGen and discovered that there are only two local privilege escalation methods, chkrootkit 0.49 and SUID for nmap. Combine this with Dirty COW and there is a total of three, so it will be limited in what you can do for privilege escalation. However, as I thought about it, this project isn’t really for me. The project is best for people who are teaching Cyber Security to students and want to quickly generate a number of different VMs to allow their students to hack their way through. Using something like Metasploitable 2 is pointless as there are too many options and it is too easy. SecGen provides a clear path that is to be followed and means that students will need to conduct a little research to make their way through (e.g. I had never heard of MoinMoin Wiki prior to using SecGen). Using SecGen, a teacher can quickly generate 3 or 4 VMs, have flags ready to be confirmed for points/marks and allow their students to go for it.

I hope the project continues to grow with more vulnerabilities and more scenarios added to it. If you are looking for something that is a change of pace from VulnHub VMs then perhaps SecGen isn’t the right tool for you. However, if you need to have a bank of simple beginner-friendly VMs for a class, look into SecGen as it might be the perfect fit for your needs.