
Untitled

a guest
Nov 22nd, 2019
  1. #!/usr/bin/env bash
  2. echo "============================================"
  3. echo "Initial setup..."
  4. echo "============================================"
  5. set -e
  6. set -o pipefail
  7. export DEBIAN_FRONTEND=noninteractive
  8.  
  9. apt-get -y update
  10. apt-get -y upgrade
  11. apt-get install -y -q vsftpd ftp sudo wordpress curl default-mysql-server apache2
  12. echo "root:6n4nC-j_@Txb6k*A" | /usr/sbin/chpasswd
  13. echo "baldur:mjolnir" | /usr/sbin/chpasswd
  14.  
  15. # FTP
  16. echo "============================================"
  17. echo "Setting up FTP..."
  18. echo "============================================"
  19. mkdir -p /home/baldur/Uploads
  20. touch /home/baldur/Uploads/todo.txt
  21. echo "list of things i need to do for the new blog:" > /home/baldur/Uploads/todo.txt
  22. echo "- laura told me there was a vulnerability and i might get hacked? haha as if anyone is going to hack a blog about nordic mythology" >> /home/baldur/Uploads/todo.txt
  23. echo "- get snorri sturluson biography from library, write review" >> /home/baldur/Uploads/todo.txt
  24. echo "- find some cool nordic mythology fan theories to write about" >> /home/baldur/Uploads/todo.txt
  25. echo "- the nordic name for the world tree might not have been the most creative name for the blog. might try and think of a new one" >> /home/baldur/Uploads/todo.txt
  26. sed -i "s/anonymous_enable=NO/anonymous_enable=YES/g" /etc/vsftpd.conf
  27. sed -i "s/local_enable=YES/local_enable=NO/g" /etc/vsftpd.conf
  28. sed -i "/^local_root=/d" /etc/vsftpd.conf
  29. # make sure that this does not add any trailing spaces
  30. echo "chroot_local_user=YES" >> /etc/vsftpd.conf
  31. echo "anon_root=/home/baldur/Uploads" >> /etc/vsftpd.conf
  32. systemctl restart vsftpd
  33. echo "FTP successfully set up!"
  34.  
  35. # WORDPRESS
  36. echo "============================================"
  37. echo "Setting up Wordpress..."
  38. echo "============================================"
  39. curl https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar -o /tmp/wp-cli.phar
  40. chmod +x /tmp/wp-cli.phar
  41. mv /tmp/wp-cli.phar /usr/local/bin/wp
  42. /usr/local/bin/wp cli update
  43. mkdir -p /var/www/yggdrasil
  44. chmod 777 /var/www/yggdrasil
  45. su baldur -c 'wp core download --path=/var/www/yggdrasil'
  46. mysql -u root -p6n4nC-j_@Txb6k*A -e "CREATE USER wordpress@localhost;"
  47. mysql -u root -p6n4nC-j_@Txb6k*A -e "SET PASSWORD FOR wordpress@localhost= PASSWORD('JXakuf5DzA3q7nnj');"
  48. mysql -u root -p6n4nC-j_@Txb6k*A -e "CREATE DATABASE wordpress character set utf8 collate utf8_bin;"
  49. mysql -u root -p6n4nC-j_@Txb6k*A -e "GRANT ALL PRIVILEGES ON wordpress.* TO wordpress@localhost IDENTIFIED BY 'JXakuf5DzA3q7nnj';"
  50. mysql -u root -p6n4nC-j_@Txb6k*A -e "FLUSH PRIVILEGES;"
  51. sed -i 's/DocumentRoot \/var\/www\/html/DocumentRoot \/var\/www/g' /etc/apache2/sites-enabled/000-default.conf
  52. sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/g" /etc/apache2/apache2.conf
  53. sudo -u baldur -i -- wp config create --dbname=wordpress --dbuser=wordpress --dbpass=JXakuf5DzA3q7nnj --path=/var/www/yggdrasil
  54. sudo -u baldur -i -- wp core install --title=Yggdrasil --admin_user=wordpress --admin_password=JXakuf5DzA3q7nnj --admin_email=wordpress@freya.com --url='http://10.250.4.125/yggdrasil' --path=/var/www/yggdrasil
  55. sudo -u baldur -i -- wp option update home 'http://10.250.4.125/yggdrasil' --path=/var/www/yggdrasil
  56. sudo -u baldur -i -- wp theme activate twentyseventeen --path=/var/www/yggdrasil
  57.  
  58. # irgendwie 'norse ipsum' mit einbinden(oder nicht, nicht so wichtig)
  59. # wp post create --post_type=post --post_title="Norse Ipsum" --post_status=publish
  60.  
  61. # VULNERABLE PLUGIN
  62. wp plugin install social-warfare --version=3.5.1 --activate --path=/var/www/yggdrasil --allow-root
  63.  
  64. # diesen teil am ende des wp setups lassen
  65. chown -R www-data:www-data /var/www/yggdrasil
  66. chmod 774 /var/www/yggdrasil
  67. mysql_secure_installation <<EOF
  68. n
  69. y
  70. y
  71. y
  72. y
  73. EOF
  74. /etc/init.d/apache2 restart
  75.  
  76. # WWW-DATA TO BALDUR
  77. echo "============================================"
  78. echo "Set up PrivEsc from www-data to baldur..."
  79. echo "============================================"
  80. chmod 644 /etc/shadow
  81.  
  82. # POST EXPLOIT
  83. echo "============================================"
  84. echo "Set up cronjob for Post-Exploit..."
  85. echo "============================================"
  86. mkdir -p /opt/freya
  87. touch /opt/freya/log.py
  88. touch /opt/freya/script.sh
  89. echo "echo \"Do something...\"" > /opt/freya/script.sh
  90. printf '#!/usr/bin/python\n\n' > /opt/freya/log.py
  91. printf 'import os\nimport socket\n\n' >> /opt/freya/log.py
  92. printf '# TODO actually add in socket functionality\n' >> /opt/freya/log.py
  93. printf 's = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\n' >> /opt/freya/log.py
  94. printf 'os.system("./script.sh")\n' >> /opt/freya/log.py
  95. chmod +x /opt/freya/log.py
  96. chmod +x /opt/freya/script.sh
  97. chmod 666 /usr/lib/python2.7/socket.py
  98. # some false flags
  99. chmod 666 /usr/lib/python2.7/abc.py
  100. chmod 666 /usr/lib/python2.7/ast.py
  101. chmod 666 /usr/lib/python2.7/base64.py
  102. chmod 666 /usr/lib/python2.7/bdb.py
  103. chmod 666 /usr/lib/python2.7/code.py
  104. chmod 666 /usr/lib/python2.7/dis.py
  105. chmod 666 /usr/lib/python2.7/fileinput.py
  106. chmod 666 /usr/lib/python2.7/glob.py
  107. chmod 666 /usr/lib/python2.7/hmac.py
  108. chmod 666 /usr/lib/python2.7/htmllib.py
  109. chmod 666 /usr/lib/python2.7/io.py
  110. chmod 666 /usr/lib/python2.7/mimify.py
  111. chmod 666 /usr/lib/python2.7/pipes.py
  112. chmod 666 /usr/lib/python2.7/popen2.py
  113. chmod 666 /usr/lib/python2.7/random.py
  114. TEMPFILE=$(mktemp)
  115. echo "*/1 * * * * /opt/freya/log.py" >> ${TEMPFILE}
  116. crontab ${TEMPFILE}
  117. rm ${TEMPFILE}
  118.  
  119. echo "Freya has successfully been set up!"