
Untitled

a guest
Nov 22nd, 2019
  # Initial setup: strict error handling, non-interactive package installs and
  # the passwords of the two login accounts.
  #
  # Both passwords are hardcoded in a publicly posted script, so they only make
  # sense on a throwaway lab host. baldur's password is a short dictionary word;
  # together with the world-readable /etc/shadow step later in this script it is
  # presumably the intended weak credential of the exercise.
  printf '%s\n' \
    "============================================" \
    "Initial setup..." \
    "============================================"
  # Abort on the first failing command, including a failure inside a pipeline.
  set -e -o pipefail
  # Keeps apt/debconf from stopping at interactive prompts.
  export DEBIAN_FRONTEND=noninteractive
  # chpasswd reads "user:password" pairs on stdin; the here-string supplies the
  # same single line (with trailing newline) that echo would.
  /usr/sbin/chpasswd <<< 'root:6n4nC-j_@Txb6k*A'
  /usr/sbin/chpasswd <<< 'baldur:mjolnir'

  # FTP
  # Installs vsftpd and publishes /home/baldur/Uploads to anonymous clients.
  # Anonymous login is switched on and local-user login switched off, so the
  # todo.txt written below is readable without credentials. On a production
  # host anonymous_enable=YES is a setting a configuration audit should flag.
  printf '%s\n' \
    "============================================" \
    "Setting up FTP..." \
    "============================================"
  apt install vsftpd ftp -y
  mkdir -p /home/baldur/Uploads
  # Write the whole note in one redirect; the file is created (or truncated)
  # by the redirect itself.
  printf '%s\n' \
    "list of things i need to do for the new blog:" \
    "- laura told me there was a vulnerability and i might get hacked? haha as if anyone is going to hack a blog about nordic mythology" \
    "- get snorri sturluson biography from library, write review" \
    "- find some cool nordic mythology fan theories to write about" \
    "- the nordic name for the world tree might not have been the most creative name for the blog. might try and think of a new one" \
    > /home/baldur/Uploads/todo.txt
  # One pass over vsftpd.conf: enable anonymous login, disable local login and
  # drop any existing local_root line.
  sed -i \
    -e "s/anonymous_enable=NO/anonymous_enable=YES/g" \
    -e "s/local_enable=YES/local_enable=NO/g" \
    -e "/^local_root=/d" \
    /etc/vsftpd.conf
  # Appended settings: chroot local users and root anonymous sessions at the
  # Uploads directory.
  printf '%s\n' \
    "chroot_local_user=YES" \
    "anon_root=/home/baldur/Uploads" \
    >> /etc/vsftpd.conf
  systemctl restart vsftpd
  printf '%s\n' "FTP successfully set up!"

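  # WORDPRESS
  # Installs Apache, MySQL and WordPress, then creates the "Yggdrasil" site
  # with WP-CLI.
  #
  # Review notes:
  #  - wp-cli.phar is downloaded and installed as a root-owned executable with
  #    no checksum or signature verification; check it against the checksum the
  #    project publishes before trusting it outside a disposable lab.
  #  - The same hardcoded password is used for the database user and the
  #    WordPress admin, and it is passed on command lines, where it is visible
  #    in process listings. It is kept in one variable here so it appears once.
  #  - DocumentRoot is moved up to /var/www, so everything under /var/www is
  #    served, not only the yggdrasil directory.
  echo "============================================"
  echo "Setting up Wordpress..."
  echo "============================================"
  wp_path=/var/www/yggdrasil
  site_url='http://10.250.4.125/yggdrasil'
  db_pass='JXakuf5DzA3q7nnj'

  apt install wordpress curl default-mysql-server apache2 -y
  # -f makes curl fail on an HTTP error instead of saving the error page as the
  # phar; writing straight to the destination avoids a predictable /tmp name.
  curl -fsSL https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /usr/local/bin/wp
  chmod +x /usr/local/bin/wp
  /usr/local/bin/wp cli update
  mkdir -p "${wp_path}"
  # World-writable only so that baldur can populate the directory; ownership
  # and mode are tightened at the end of the WordPress setup.
  chmod 777 "${wp_path}"
  su baldur -c "wp core download --path=${wp_path}"

  # The original invocations read "- proot-e" / "- proot -e", which mysql
  # cannot parse; the password must follow -p directly and -e must be a
  # separate option. NOTE(review): assumes the MySQL root password is "root"
  # or that root authenticates via the local socket -- confirm.
  mysql -u root -proot -e "CREATE USER wordpress@localhost;"
  mysql -u root -proot -e "SET PASSWORD FOR wordpress@localhost= PASSWORD('${db_pass}');"
  mysql -u root -proot -e "CREATE DATABASE wordpress character set utf8 collate utf8_bin;"
  mysql -u root -proot -e "GRANT ALL PRIVILEGES ON wordpress.* TO wordpress@localhost IDENTIFIED BY '${db_pass}';"
  mysql -u root -proot -e "FLUSH PRIVILEGES;"

  sed -i 's/DocumentRoot \/var\/www\/html/DocumentRoot \/var\/www/g' /etc/apache2/sites-enabled/000-default.conf
  # Turns off automatic directory listings in the default Options line.
  sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/g" /etc/apache2/apache2.conf

  sudo -u baldur -i -- wp config create --dbname=wordpress --dbuser=wordpress --dbpass="${db_pass}" --path="${wp_path}"
  sudo -u baldur -i -- wp core install --title=Yggdrasil --admin_user=wordpress --admin_password="${db_pass}" --admin_email=wordpress@freya.com --url="${site_url}" --path="${wp_path}"
  sudo -u baldur -i -- wp option update home "${site_url}" --path="${wp_path}"
  sudo -u baldur -i -- wp theme activate twentyseventeen --path="${wp_path}"
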
  # VULNERABLE PLUGIN
  # The version pin is deliberate: the author labels this release vulnerable,
  # and the plugin is activated immediately. Updating the plugin removes the
  # intended weakness. --allow-root is needed because this call runs as root
  # rather than as baldur.
  wp plugin install social-warfare \
    --version=3.5.1 \
    --activate \
    --path=/var/www/yggdrasil \
    --allow-root

  # Keep this part at the end of the WP setup.
  # Hands the site tree to the web server account and replaces the temporary
  # world-writable mode on the top-level directory (774: owner and group full
  # access, others read-only).
  chown -R www-data:www-data /var/www/yggdrasil
  chmod 774 /var/www/yggdrasil
  # Five answers, one per line, for the interactive prompts of
  # mysql_secure_installation. NOTE(review): which prompt each answer lands on
  # depends on the installed version -- confirm against the target image.
  printf '%s\n' n y y y y | mysql_secure_installation
  /etc/init.d/apache2 restart

  # WWW-DATA TO BALDUR
  printf '%s\n' \
    "============================================" \
    "Set up PrivEsc from www-data to baldur..." \
    "============================================"
  # Deliberate lab weakness: mode 644 makes /etc/shadow readable by every local
  # account, so all password hashes are exposed to unprivileged users. A
  # permission audit of /etc/shadow is the check that catches this on a real
  # host.
  chmod 644 /etc/shadow

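  # POST EXPLOIT
  # Creates /opt/freya/log.py and /opt/freya/script.sh, schedules log.py every
  # minute through cron, and makes a set of Python 2.7 standard-library modules
  # world-writable.
  #
  # Review notes:
  #  - log.py imports socket, and socket.py is made world-writable below. A
  #    module that any local user can edit and that a scheduled job imports is
  #    the deliberate weakness of this stage; the other modules are labelled
  #    "false flags" by the author. World-writable files under
  #    /usr/lib/python2.7 are what a file-permission or integrity audit should
  #    report.
  #  - The crontab is installed for the account running this script
  #    (presumably root, since the script also sets root's password) and
  #    replaces that account's existing crontab.
  #  - NOTE(review): log.py calls "./script.sh" by relative path; cron does not
  #    start jobs in /opt/freya, so that call will probably not find the file.
  echo "============================================"
  echo "Set up cronjob for Post-Exploit..."
  echo "============================================"
  mkdir -p /opt/freya
  # The redirects create the files, so no separate touch is needed.
  printf '%s\n' 'echo "Do something..."' > /opt/freya/script.sh
  printf '%s\n' \
    '#!/usr/bin/python' \
    '' \
    'import os' \
    'import socket' \
    '' \
    '# TODO actually add in socket functionality' \
    's = socket.socket(socket.AF_INET, socket.SOCK_STREAM)' \
    '' \
    'os.system("./script.sh")' \
    > /opt/freya/log.py
  chmod +x /opt/freya/log.py /opt/freya/script.sh
  chmod 666 /usr/lib/python2.7/socket.py
  # some false flags
  for module in abc ast base64 bdb code dis fileinput glob hmac htmllib io \
    mimify pipes popen2 random; do
    chmod 666 "/usr/lib/python2.7/${module}.py"
  done
  # Feed the single cron entry on stdin instead of going through an unquoted
  # temp-file variable; nothing is left behind if crontab fails under set -e.
  echo "*/1 * * * * /opt/freya/log.py" | crontab -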