All files

Helguera · Jul 17, 2023 · 2267763 · 2267763
1 parent 2614963
commit 2267763
Show file tree

Hide file tree

Showing 18 changed files with 989 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1 +1,72 @@
-# TFM-UNIR-2023
+Linux machine with modern vulnerabilities
+===========================================
+
+Master's thesis in Computer Security
+---------------------------------------------------------------
+
+International University of la Rioja, Julio 2023
+-------------------------------------------------
+
+* * *
+
+Author: Javier Helguera López    
+Director: Tomás Miguel Sureda Riera
+
+* * *
+
+Several modern vulnerabilities have been included in this virtual machine that can be exploited to access its contents.
+
+Objective:  
+A secret code has been hidden somewhere in the machine.
+
+Important:  
+The machine is designed to be installed in a controlled environment and never on a server in production!
+
+* * *
+
+Links:  
+[GitHub Repo](https://github.com/Helguera/TFM-UNIR-2023)  
+[[email protected]](mailto:[email protected])   
+[Download OVF](https://drive.google.com/drive/folders/1liYZuvP7PbvPD16lFcSXC7A9DyhTBKm8?usp=sharing)    
+[Thesis](https://drive.google.com/file/d/1OUHQN3V8YniVpPoH9R4LVw5j6of-bDDy/view?usp=drive_link)
+
+* * *
+
+<br>
+
+
+Sistema Linux con vulnerabilidades modernas
+===========================================
+
+Trabajo de fin de Máster Universitario en Seguridad Informática
+---------------------------------------------------------------
+
+Universidad Internacional de la Rioja, Julio 2023
+-------------------------------------------------
+
+* * *
+
+Autor: Javier Helguera López    
+Director: Tomás Miguel Sureda Riera
+
+* * *
+
+En esta máquina virtual se han incluido varias vulnerabilidades modernas que pueden ser explotadas para acceder a su contenido.
+
+Objetivo:  
+Se ha escondido un código secreto en algún lugar de la máquina.
+
+Importante:  
+La máquina está diseñada para ser instalada en un entorno controlado y nunca en un servidor en producción!
+
+* * *
+
+Enlaces:  
+[Repositorio en GitHub](https://github.com/Helguera/TFM-UNIR-2023)  
+[[email protected]](mailto:[email protected])   
+[Decargar OVF](https://drive.google.com/drive/folders/1liYZuvP7PbvPD16lFcSXC7A9DyhTBKm8?usp=sharing)    
+[Memoria](https://drive.google.com/file/d/1OUHQN3V8YniVpPoH9R4LVw5j6of-bDDy/view?usp=drive_link)
+
+* * *
+
+
diff --git a/SSTI/ssti3.py b/SSTI/ssti3.py
@@ -0,0 +1,78 @@
+from flask import Flask, request, render_template, redirect, render_template_string, session
+
+app = Flask(__name__)
+app.secret_key = 'mysecretkey'
+
+@app.route("/", methods=["GET"])
+def home():
+    global logged_in
+    if request.method == "GET":
+        username = request.args.get('username')
+        password = request.args.get('password')
+
+        if not username:
+            return render_template("login.html", error_message=None)
+        if username == "admin" and password == "admin123*":
+            session['logged_in'] = True
+            return render_template("change_username.html")
+        else:
+            error_message = "Credenciales inválidas. Por favor, intente nuevamente."
+            return render_template("login.html", error_message=error_message)
+
+    return render_template("login.html")
+
+@app.route("/main")
+def main():
+    return "Bienvenido! Has iniciado sesión correctamente."
+
+@app.route("/update_username", methods=["GET"])
+def update_username():
+    if not session.get('logged_in'):
+        return redirect("/")
+    new_username = request.args.get('new_username')
+    message = "Nombre de usuario actualizado exitosamente a: " + new_username
+
+    return_code = """
+    <!-- change_username.html -->
+    <!DOCTYPE html>
+    <html>
+    <head>
+        <title>Cambiar nombre de usuario</title>
+        <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
+        <style>
+            body {
+                margin-top: 50px;
+            }
+        </style>
+    </head>
+    <body>
+        <div class="container">
+            <div class="row justify-content-center">
+                <div class="col-md-6">
+                    <h1 class="text-center mb-4">Cambiar nombre de usuario</h1>
+
+                        <div class="alert alert-success">""" + message + """</div>
+
+                    <form method="GET" action="/update_username">
+                        <div class="form-group">
+                            <label for="new_username">Nuevo nombre de usuario:</label>
+                            <input type="text" class="form-control" id="new_username" name="new_username">
+                        </div>
+
+                        <button type="submit" class="btn btn-primary">Actualizar nombre de usuario</button>
+                    </form>
+                </div>
+            </div>
+        </div>
+
+        <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"></script>
+        <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js"></script>
+        <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js"></script>
+    </body>
+    </html>
+    """
+
+    return render_template_string(return_code)
+
+if __name__ == "__main__":
+    app.run(host='0.0.0.0', port=5000)
diff --git a/SSTI/templates/change_username.html b/SSTI/templates/change_username.html
@@ -0,0 +1,39 @@
+<!-- change_username.html -->
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Cambiar nombre de usuario</title>
+    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
+    <style>
+        body {
+            margin-top: 50px;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="row justify-content-center">
+            <div class="col-md-6">
+                <h1 class="text-center mb-4">Cambiar nombre de usuario</h1>
+
+                {% if message %}
+                    <div class="alert alert-success">{{ message }}</div>
+                {% endif %}
+
+                <form method="GET" action="/update_username">
+                    <div class="form-group">
+                        <label for="new_username">Nuevo nombre de usuario:</label>
+                        <input type="text" class="form-control" id="new_username" name="new_username">
+                    </div>
+
+                    <button type="submit" class="btn btn-primary">Actualizar nombre de usuario</button>
+                </form>
+            </div>
+        </div>
+    </div>
+
+    <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js"></script>
+    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js"></script>
+</body>
+</html>
diff --git a/SSTI/templates/login.html b/SSTI/templates/login.html
@@ -0,0 +1,40 @@
+<!-- login.html -->
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Iniciar sesión</title>
+    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css">
+    <style>
+        body {
+            margin-top: 50px;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="row justify-content-center">
+            <div class="col-md-6">
+                <h1 class="text-center mb-4">Iniciar sesión</h1>
+
+                {% if error_message %}
+                    <div class="alert alert-danger">{{ error_message }}</div>
+                {% endif %}
+
+                <form method="GET" action="/">
+                    <div class="form-group">
+                        <label for="username">Usuario:</label>
+                        <input type="text" class="form-control" id="username" name="username">
+                    </div>
+
+                    <div class="form-group">
+                        <label for="password">Contraseña:</label>
+                        <input type="password" class="form-control" id="password" name="password">
+                    </div>
+
+                    <button type="submit" class="btn btn-primary">Conectarse</button>
+                </form>
+            </div>
+        </div>
+    </div>
+
+    <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"></script
diff --git a/log4j-vuln-app/build.gradle b/log4j-vuln-app/build.gradle
@@ -0,0 +1,42 @@
+plugins {
+  id "war"
+  id "org.gretty" version "3.0.5"
+  id "com.github.johnrengelman.shadow" version "7.1.2"
+  id "java"
+}
+
+sourceCompatibility = "1.8"
+targetCompatibility = "1.8"
+
+repositories {
+  mavenCentral()
+}
+
+dependencies {
+  implementation 'org.apache.logging.log4j:log4j-core:2.14.1'
+  if (project.gradle.startParameter.taskNames.first().contains("shadow")) {
+    implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:8.5.75'
+  }
+}
+
+gretty {
+  contextPath = ''
+  servletContainer = 'tomcat85'
+}
+
+sourceSets {
+  main {
+    java {
+      srcDir 'src'
+      if (!project.gradle.startParameter.taskNames.first().contains("shadow")) {
+        exclude '**/launch/**'
+      }
+    }
+  }
+}
+
+jar {
+  manifest {
+    attributes('Main-Class': 'launch.Main')
+  }
+}
diff --git a/log4j-vuln-app/gradle/wrapper/gradle-wrapper.jar b/log4j-vuln-app/gradle/wrapper/gradle-wrapper.jar
diff --git a/log4j-vuln-app/gradle/wrapper/gradle-wrapper.properties b/log4j-vuln-app/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.3.1-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists