#!/usr/bin/env bashecho "============================================"echo "

1. #!/usr/bin/env bash
2. echo "============================================"
3. echo "Initial setup..."
4. echo "============================================"
5. set -e
6. set -o pipefail
7. export DEBIAN_FRONTEND=noninteractive
8.  
9. apt-get -y update
10. apt-get -y upgrade
11. apt-get install -y -q vsftpd ftp sudo wordpress curl default-mysql-server apache2
12. echo "root:6n4nC-j_@Txb6k*A" | /usr/sbin/chpasswd
13. echo "baldur:mjolnir" | /usr/sbin/chpasswd
14.  
15. echo "============================================"
16. echo "Setting up FTP..."
17. echo "============================================"
18. mkdir -p /home/baldur/Uploads
19. touch /home/baldur/Uploads/todo.txt
20. echo "list of things i need to do for the new blog:" > /home/baldur/Uploads/todo.txt
21. echo "- laura told me there was a vulnerability and i might get hacked? haha as if anyone is going to hack a blog about nordic mythology" >> /home/baldur/Uploads/todo.txt
22. echo "- get snorri sturluson biography from library, write review" >> /home/baldur/Uploads/todo.txt
23. echo "- find some cool nordic mythology fan theories to write about" >> /home/baldur/Uploads/todo.txt
24. echo "- the nordic name for the world tree might not have been the most creative name for the blog. might try and think of a new one" >> /home/baldur/Uploads/todo.txt
25. sed -i "s/anonymous_enable=NO/anonymous_enable=YES/g" /etc/vsftpd.conf
26. sed -i "s/local_enable=YES/local_enable=NO/g" /etc/vsftpd.conf
27. sed -i "/^local_root=/d" /etc/vsftpd.conf
28. # make sure that this does not add any trailing spaces
29. echo "chroot_local_user=YES" >> /etc/vsftpd.conf
30. echo "anon_root=/home/baldur/Uploads" >> /etc/vsftpd.conf
31. systemctl restart vsftpd
32. echo "FTP successfully set up!"
33.  
34. echo "============================================"
35. echo "Setting up Wordpress..."
36. echo "============================================"
37. curl https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /tmp/wp-cli.phar
38. chmod +x /tmp/wp-cli.phar
39. mv /tmp/wp-cli.phar /usr/local/bin/wp
40. /usr/local/bin/wp cli update
41. mkdir -p /var/www/yggdrasil
42. chmod 777 /var/www/yggdrasil
43. su baldur -c 'wp core download --path=/var/www/yggdrasil'
44. mysql -u root -p6n4nC-j_@Txb6k*A -e "CREATE USER wordpress@localhost;"
45. mysql -u root -p6n4nC-j_@Txb6k*A -e "SET PASSWORD FOR wordpress@localhost= PASSWORD('JXakuf5DzA3q7nnj');"
46. mysql -u root -p6n4nC-j_@Txb6k*A -e "CREATE DATABASE wordpress character set utf8 collate utf8_bin;"
47. mysql -u root -p6n4nC-j_@Txb6k*A -e "GRANT ALL PRIVILEGES ON wordpress.* TO wordpress@localhost IDENTIFIED BY 'JXakuf5DzA3q7nnj';"
48. mysql -u root -p6n4nC-j_@Txb6k*A -e "FLUSH PRIVILEGES;"
49. sed -i 's/DocumentRoot \/var\/www\/html/DocumentRoot \/var\/www/g' /etc/apache2/sites-enabled/000-default.conf
50. sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/g" /etc/apache2/apache2.conf
51. sudo -u baldur -i -- wp config create --dbname=wordpress --dbuser=wordpress --dbpass=JXakuf5DzA3q7nnj --path=/var/www/yggdrasil
52. IP=$(ip a|grep 'inet'|grep -v '127.0.0.1'|cut -d: -f2|awk '{print $2}'|cut -d/ -f1|tr -d '[:space:]')
53. sudo -u baldur -i -- wp core install --title=Yggdrasil --admin_user=wordpress --admin_password=JXakuf5DzA3q7nnj --admin_email=wordpress@freya.com --url="http://${IP}/yggdrasil" --path=/var/www/yggdrasil
54. sudo -u baldur -i -- wp option update home "http://${IP}/yggdrasil" --path=/var/www/yggdrasil
55. sudo -u baldur -i -- wp theme activate twentyseventeen --path=/var/www/yggdrasil
56.  
57. # irgendwie 'norse ipsum' mit einbinden(oder nicht, nicht so wichtig)
58. # wp post create --post_type=post --post_title="Norse Ipsum" --post_status=publish
59.  
60. # VULNERABLE PLUGIN
61. wp plugin install social-warfare --version=3.5.1 --activate --path=/var/www/yggdrasil --allow-root
62.  
63. # diesen teil am ende des wp setups lassen
64. chown -R www-data:www-data /var/www/yggdrasil
65. chmod 774 /var/www/yggdrasil
66. mysql_secure_installation <<EOF
67. n
68. y
69. y
70. y
71. y
72. EOF
73. /etc/init.d/apache2 restart
74.  
75. # WWW-DATA TO BALDUR
76. echo "============================================"
77. echo "Set up PrivEsc from www-data to baldur..."
78. echo "============================================"
79. chmod 644 /etc/shadow
80.  
81. # POST EXPLOIT
82. echo "============================================"
83. echo "Set up cronjob for Post-Exploit..."
84. echo "============================================"
85. mkdir -p /opt/freya
86. touch /opt/freya/log.py
87. touch /opt/freya/script.sh
88. echo "echo \"Do something...\"" > /opt/freya/script.sh
89. printf '#!/usr/bin/python\n\n' > /opt/freya/log.py
90. printf 'import os\nimport socket\n\n' >> /opt/freya/log.py
91. printf '# TODO actually add in socket functionality\n' >> /opt/freya/log.py
92. printf 's = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\n' >> /opt/freya/log.py
93. printf 'os.system("./script.sh")\n' >> /opt/freya/log.py
94. chmod +x /opt/freya/log.py
95. chmod +x /opt/freya/script.sh
96. chmod 666 /usr/lib/python2.7/socket.py
97. # some false flags
98. chmod 666 /usr/lib/python2.7/abc.py
99. chmod 666 /usr/lib/python2.7/ast.py
100. chmod 666 /usr/lib/python2.7/base64.py
101. chmod 666 /usr/lib/python2.7/bdb.py
102. chmod 666 /usr/lib/python2.7/code.py
103. chmod 666 /usr/lib/python2.7/dis.py
104. chmod 666 /usr/lib/python2.7/fileinput.py
105. chmod 666 /usr/lib/python2.7/glob.py
106. chmod 666 /usr/lib/python2.7/hmac.py
107. chmod 666 /usr/lib/python2.7/htmllib.py
108. chmod 666 /usr/lib/python2.7/io.py
109. chmod 666 /usr/lib/python2.7/mimify.py
110. chmod 666 /usr/lib/python2.7/pipes.py
111. chmod 666 /usr/lib/python2.7/popen2.py
112. chmod 666 /usr/lib/python2.7/random.py
113. TEMPFILE=$(mktemp)
114. echo "*/1 * * * * /opt/freya/log.py" >> ${TEMPFILE}
115. crontab ${TEMPFILE}
116. rm ${TEMPFILE}
117.  
118. echo "Freya has successfully been set up!"