echo "============================================"

1. echo "============================================"
2. echo "Initial setup..."
3. echo "============================================"
4. set -e
5. set -o pipefail
6. export DEBIAN_FRONTEND=noninteractive
7.  
8. echo "============================================"
9. echo "Adding user 'baldur'..."
10. echo "============================================"
11. adduser --gecos "" 'baldur' <<END
12. mjolnir
13. mjolnir
14. END
15.  
16. # FTP
17. echo "============================================"
18. echo "Setting up FTP..."
19. echo "============================================"
20. apt install vsftpd ftp -y
21. mkdir /home/baldur/Uploads
22. touch /home/baldur/Uploads/todo.txt
23. echo "list of things i need to do for the new blog:" > /home/baldur/Uploads/todo.txt
24. echo "- laura told me there was a vulnerability and i might get hacked? haha as if anyone is going to hack a blog about nordic mythology" >> /home/baldur/Uploads/todo.txt
25. echo "- get snorri sturluson biography from library, write review" >> /home/baldur/Uploads/todo.txt
26. echo "- find some cool nordic mythology fan theories to write about" >> /home/baldur/Uploads/todo.txt
27. echo "- the nordic name for the world tree might not have been the most creative name for the blog. might try and think of a new one" >> /home/baldur/Uploads/todo.txt
28. sed -i "s/anonymous_enable=NO/anonymous_enable=YES/g" /etc/vsftpd.conf
29. sed -i "s/local_enable=YES/local_enable=NO/g" /etc/vsftpd.conf
30. sed -i "/^local_root=/d" /etc/vsftpd.conf
31. echo "chroot_local_user=YES" >> /etc/vsftpd.conf
32. echo "anon_root=/home/baldur/Uploads" >> /etc/vsftpd.conf
33. systemctl restart vsftpd
34. echo "FTP successfully set up!"
35.  
36. # WORDPRESS
37. # TODO: passwrter updaten
38. echo "============================================"
39. echo "Setting up Wordpress..."
40. echo "============================================"
41. apt install wordpress curl default-mysql-server apache2 -y
42. curl https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /tmp/wp-cli.phar
43. chmod +x /tmp/wp-cli.phar
44. mv /tmp/wp-cli.phar /usr/local/bin/wp
45. wp cli update
46. mkdir /var/www/yggdrasil
47. chmod 777 /var/www/yggdrasil
48. su baldur -c 'wp core download --path=/var/www/yggdrasil'
49. mysql -u root - proot-e "CREATE USER wordpress@localhost;"
50. mysql -u root - proot -e "SET PASSWORD FOR wordpress@localhost= PASSWORD('L$yk*uV$=a#CH^3*');"
51. mysql -u root - proot -e "CREATE DATABASE wordpress character set utf8 collate utf8_bin;"
52. mysql -u root - proot -e "GRANT ALL PRIVILEGES ON wordpress.* TO wordpress@localhost IDENTIFIED BY 'wordpress';"
53. mysql -u root - proot -e "FLUSH PRIVILEGES;"
54. sed -i 's/DocumentRoot \/var\/www\/html/DocumentRoot \/var\/www/g' /etc/apache2/sites-enabled/000-default.conf
55. sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/g" /etc/apache2/apache2.conf
56. sudo -u baldur -i -- wp config create --dbname= wordpress --dbuser= wordpress --dbpass= wordpress --path=/var/www/yggdrasil
57. sudo -u baldur -i -- wp core install --title=Yggdrasil --admin_user=wordpress --admin_password=wordpress --admin_email=wordpress@freya.com --url='http://10.250.4.125/yggdrasil' --path=/var/www/yggdrasil
58. sudo -u baldur -i -- wp option update home 'http://10.250.4.125/yggdrasil'
59. sudo -u baldur -i -- wp theme activate twentyseventeen
60.  
61. # irgendwie 'norse ipsum' mit einbinden(oder nicht, nicht so wichtig)
62. # wp post create --post_type=post --post_title="Norse Ipsum" --post_status=publish
63.  
64. # VULNERABLE PLUGIN
65. wp plugin install social-warfare --version=3.5.1 --activate --allow-root
66.  
67. # diesen teil am ende des wp setups lassen
68. chown -R www-data:www-data /var/www/yggdrasil
69. chmod 774 /var/www/yggdrasil
70. mysql_secure_installation <<-EOF
71. n
72. y
73. yls -
74. y
75. y
76. EOF
77. /etc/init.d/apache2 restart
78.  
79. # WWW-DATA TO BALDUR
80. echo "============================================"
81. echo "Set up PrivEsc from www-data to baldur..."
82. echo "============================================"
83. chmod 644 /etc/shadow
84. echo "root:6n4nC-j_@Txb6k*A" | /usr/sbin/chpasswd
85. echo "admin:CYv$!8tVU-6Y=%qH" | /usr/sbin/chpasswd
86. echo "user:Y%AMQgL2-#E4fxQW" | /usr/sbin/chpasswd
87.  
88. # POST EXPLOIT
89. echo "============================================"
90. echo "Set up cronjob for Post-Exploit..."
91. echo "============================================"
92. mkdir /opt/freya
93. touch /opt/freya/log.py
94. touch /opt/freya/script.sh
95. echo "echo \"Do something...\"" > /opt/freya/script.sh
96. printf '#!/usr/bin/python\n\n' > /opt/freya/log.py
97. printf 'import os\nimport socket\n\n' >> /opt/freya/log.py
98. printf '# TODO actually add in socket functionality\n' >> /opt/freya/log.py
99. printf 's = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\n' >> /opt/freya/log.py
100. printf 'os.system("./script.sh")\n' >> /opt/freya/log.py
101. chmod +x /opt/freya/log.py
102. chmod +x /opt/freya/script.sh
103. chmod 666 /usr/lib/python2.7/socket.py
104. TEMPFILE=$(mktemp)
105. echo "*/1 * * * * /opt/freya/log.py" >> ${TEMPFILE}
106. crontab ${TEMPFILE}
107. rm ${TEMPFILE}