From 2540aa1a7301b8c769b50f599429b8d724f9c8b0 Mon Sep 17 00:00:00 2001 From: alixxhiscock Date: Sat, 6 Dec 2025 16:53:30 +0000 Subject: [PATCH 1/4] Update Apache Druid installation process and scenario configuration for Debian 12 --- .../apache_druid_rce/manifests/install.pp | 39 +++++++++++++------ .../templates/druid.service.erb | 3 ++ scenarios/ctf/eventful_data.xml | 2 +- 3 files changed, 31 insertions(+), 13 deletions(-) diff --git a/modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp b/modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp index 87b4ff67f..e0da3a8cb 100644 --- a/modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp +++ b/modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp @@ -16,21 +16,36 @@ home => $user_home, managehome => true, } - - # This generates a repo file so we can get packages from debian stretch - file { '/etc/apt/sources.list.d/stretch.list': - ensure => file, - source => "puppet:///modules/${modulename}/stretch.list" + # Force APT to use IPv4 only + file { '/etc/apt/apt.conf.d/99force-ipv4': + ensure => file, + content => "Acquire::ForceIPv4 \"true\";\n", + } + -> exec { 'download-jdk8': + cwd => '/tmp', + command => 'wget -O jdk8.tar.gz https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u432-b06/OpenJDK8U-jdk_x64_linux_hotspot_8u432b06.tar.gz', + creates => '/tmp/jdk8.tar.gz', + timeout => 300, + } + -> exec { 'extract-jdk8': + cwd => '/tmp', + command => 'tar -xzf jdk8.tar.gz', + creates => '/tmp/jdk8u432-b06', + } + -> exec { 'mkdir-jvm': + cwd => '/tmp', + command => 'sudo mkdir /usr/lib/jvm;', } - -> exec { 'update-packages': - command => 'apt update' + -> exec { 'install-jdk8': + cwd => '/tmp', + command => 'mv jdk8u432-b06 /usr/lib/jvm/java-8-openjdk', + creates => '/usr/lib/jvm/java-8-openjdk', } - -> package { 'install-jdk8': - ensure => 'installed', - name => 'openjdk-8-jdk', + -> file { '/etc/profile.d/java8.sh': + ensure => file, + content => "export JAVA_HOME=/usr/lib/jvm/java-8-openjdk\nexport PATH=\$JAVA_HOME/bin:\$PATH\n", + mode => '0644', } - # openjdk8 is required. Since we are buster, we need the repos within stretch for this - #ensure_packages(['openjdk-8-jdk'], { ensure => 'installed'}) $releasename = "${modulename}.tar.gz" $currentsource = ["${releasename}.partaa", diff --git a/modules/vulnerabilities/unix/http/apache_druid_rce/templates/druid.service.erb b/modules/vulnerabilities/unix/http/apache_druid_rce/templates/druid.service.erb index 63b067cd5..c605c43d0 100644 --- a/modules/vulnerabilities/unix/http/apache_druid_rce/templates/druid.service.erb +++ b/modules/vulnerabilities/unix/http/apache_druid_rce/templates/druid.service.erb @@ -9,6 +9,9 @@ WorkingDirectory=/usr/local/apache-druid/ ExecStart=/usr/local/apache-druid/bin/start-nano-quickstart Restart=always RestartSec=1 +Environment="JAVA_HOME=/usr/lib/jvm/java-8-openjdk" +Environment="PATH=/usr/lib/jvm/java-8-openjdk/bin:/usr/bin:/bin" +Environment="DRUID_SKIP_JAVA_CHECK=1" [Install] WantedBy=multi-user.target \ No newline at end of file diff --git a/scenarios/ctf/eventful_data.xml b/scenarios/ctf/eventful_data.xml index 0b7fe5f21..b01b6e116 100644 --- a/scenarios/ctf/eventful_data.xml +++ b/scenarios/ctf/eventful_data.xml @@ -91,7 +91,7 @@ server - + From a6df9ae1903d4ab8a76d7a3ae9720038e5f06421 Mon Sep 17 00:00:00 2001 From: alixxhiscock Date: Tue, 9 Dec 2025 16:09:40 +0000 Subject: [PATCH 2/4] changed to leak both flags without pre leak --- scenarios/ctf/eventful_data.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scenarios/ctf/eventful_data.xml b/scenarios/ctf/eventful_data.xml index b01b6e116..97a92799c 100644 --- a/scenarios/ctf/eventful_data.xml +++ b/scenarios/ctf/eventful_data.xml @@ -97,7 +97,7 @@ - + From 0932606ef839b8561fb7267b520aebff2f87f2d0 Mon Sep 17 00:00:00 2001 From: alixxhiscock Date: Tue, 9 Dec 2025 17:01:29 +0000 Subject: [PATCH 3/4] changed to leak encoded flag through privesc --- scenarios/ctf/eventful_data.xml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/scenarios/ctf/eventful_data.xml b/scenarios/ctf/eventful_data.xml index 97a92799c..237707586 100644 --- a/scenarios/ctf/eventful_data.xml +++ b/scenarios/ctf/eventful_data.xml @@ -97,7 +97,10 @@ - + + + + @@ -106,8 +109,6 @@ - - IP_addresses From 9dff91facaeb97a1093174ff73f56d166f774394 Mon Sep 17 00:00:00 2001 From: alixthegreat Date: Wed, 10 Dec 2025 14:28:31 +0000 Subject: [PATCH 4/4] removed redundant lines --- .../unix/http/apache_druid_rce/manifests/install.pp | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp b/modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp index e0da3a8cb..8a6fc7571 100644 --- a/modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp +++ b/modules/vulnerabilities/unix/http/apache_druid_rce/manifests/install.pp @@ -16,12 +16,7 @@ home => $user_home, managehome => true, } - # Force APT to use IPv4 only - file { '/etc/apt/apt.conf.d/99force-ipv4': - ensure => file, - content => "Acquire::ForceIPv4 \"true\";\n", - } - -> exec { 'download-jdk8': + exec { 'download-jdk8': cwd => '/tmp', command => 'wget -O jdk8.tar.gz https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u432-b06/OpenJDK8U-jdk_x64_linux_hotspot_8u432b06.tar.gz', creates => '/tmp/jdk8.tar.gz',