Related vulnerability
Title:
Ubuntu overlayfs component privilege escalation vulnerability
(CVE-2015-1328)
Description: Ubuntu is a GNU/Linux operating system, aimed primarily at desktop use, developed jointly by the UK company Canonical and the Ubuntu Foundation. The overlayfs component of the linux package, versions 3.19.0 through 21.21, in Ubuntu 15.04 and earlier contains a local privilege escalation vulnerability, caused by the file system failing to check file permissions correctly. A local attacker can exploit this vulnerability to obtain administrator privileges on the system and take full control of the affected computer.
Description
Custom vulnerable VM (Ubuntu 14.04) designed for teaching multi-stage penetration testing. Features 10 interconnected challenges across Forensics, Web Exploitation (SQLi, XSS), Cryptography, and Kernel Exploitation (OverlayFS/CVE-2015-1328) to achieve full root compromise.
Introduction
# RootQuest CTF Box — Multi-Stage Exploitation VM 💀
**Kalaichelvan Thieveshkar (CB013248)** · Staffordshire University · **COMP50003 - Cyber Security II**
---
## Overview
**RootQuest** is a purpose-built CTF virtual machine that contains a *10-stage*, sequential attack path spanning **5 security domains**. Each challenge produces output required for the next step — players must chain together web, crypto, network, and local exploits to reach full root compromise.
> **Warning / Intended use:** This VM is for educational, defensive, and authorized CTF use only. Do **not** deploy on production networks. Use inside an isolated lab.
---
## Project Links
| Resource | URL / Filename |
|---|---|
| CTF VM Image (OVA / VHD / VMware — zipped) | `RootQuest--Thieveshkar_CB013248.vmx` — [Download VM (zipped)](https://drive.google.com/file/d/1q-Ky1rF-6Bv0NTNyxYVWE9yT4AT5szfR/view?usp=sharing) |
| Technical Report (Design & Risk Analysis) | [Technical Report (PDF)](https://drive.google.com/file/d/1zsOs__cPM4ebu9hnzfR57mjg7FsYMAfP/view?usp=sharing) |
| Exploit Walkthrough (Step‑by‑Step Guide) | [Medium walkthrough](https://medium.com/@thieveshkar/rootquest-hacking-the-thieveshkar-box-from-forensic-challenge-to-kernel-root-7426b92ebbac) |
| License | `./LICENSE` |
---
## Project Goal 🎯
Design and implement a complex, 10-challenge Capture The Flag (CTF) virtual machine (**RootQuest**) that forces players to navigate a sequential attack path across **5 security domains** to achieve full root compromise.
---
## Architecture & Technology ⚙️
- **Base OS:** Ubuntu 14.04.1 LTS (targeted for the final Kernel exploit).
- **Services:** Apache `2.4.7`, PHP `5`, MySQL `5.5`, OpenSSH `6.6.1p1` (custom port `2222`), Custom Python TCP Service (port `8888`).
- **Exploitation Pipeline:** Challenges are interconnected, requiring the output of one step (e.g., XSS flag) as the input for the next (e.g., TCP service passphrase).
---
## Key Challenge Domains 🧩
| Domain | Difficulty | Exploit Technique |
|---|---:|---|
| Forensics | Medium / High | Corrupted PNG header repair (hex editing), Brainf**ck code extraction from PCAP |
| Web Exploitation | Medium / High | SQL Injection bypass (SHA1 hashing) → Session token extraction via XSS |
| Cryptography | Medium / High | AES-256 SSH key decryption using ROT13 + Base64 decoded passphrase; multi-layered 5-step cipher reversal |
| Privilege Escalation | Medium / High | SUID binary execution (`simple_suid`) to pivot user account; Kernel exploit (OverlayFS, CVE-2015-1328) for final root access |
| Network | Medium | Custom TCP service interaction using C2 flag as required secret code |
---
## Challenge Structure Summary
- **Initial Access:** Fix corrupted PNG image (hex edit) to reveal hidden web page.
- **Web Pivot:** Bypass SHA1-hashed login via SQL injection to reach forum page.
- **C2 Acquisition:** Execute XSS payload on forum to steal session token from hidden page.
- **Network Access:** Use XSS token as secret code to interact with custom TCP service.
- **SSH Prep:** Decode passphrase (ROT13 + Base64) from page source to decrypt player's AES-256 encrypted SSH private key.
- **User Shell:** SSH in as `player1`.
- **Pivot Shell:** Exploit custom SUID binary to escalate to `developer` user.
- **Root:** Compile and execute the vulnerable Linux Kernel (OverlayFS) exploit (CVE-2015-1328) to gain full root privileges.
---
## Files in the VM Archive
The provided zipped archive contains:
- `RootQuest--Thieveshkar_CB013248.vmx` — VMware configuration (double-click to open in VMware).
- Associated virtual disk files (`*.vmdk`) and any supporting files required by the VM.
- `README.md` (this file).
- `license_ctf_rootquest.md`.
- `report/` — Technical Report (Design & Risk Analysis) PDF included.
- `walkthrough/` — additional walkthrough resources (high-level walkthrough also on Medium).
**Download (VM archive / Drive):**
[Download RootQuest VM (zipped)](https://drive.google.com/file/d/1q-Ky1rF-6Bv0NTNyxYVWE9yT4AT5szfR/view?usp=sharing)
---
## How to open the VM (quick instructions)
### Windows / macOS (VMware Workstation / VMware Player / VMware Fusion)
1. Download the zipped archive from the Drive link above.
2. Extract/unzip the archive to a folder (right-click → *Extract all...* or use your archive tool).
3. Locate `RootQuest--Thieveshkar_CB013248.vmx`.
4. Double-click `RootQuest--Thieveshkar_CB013248.vmx` — VMware should open the VM automatically.
   - OR open VMware → **File → Open** → select `RootQuest--Thieveshkar_CB013248.vmx`.
5. Confirm the VM network adapter is set to **NAT** or **Host-only** (recommended for isolation).
6. Power on the VM. Snapshot before destructive steps.
### Linux (VMware Workstation / Player)
```bash
# Example unzip + open steps (adjust to your GUI / VMware setup)
unzip RootQuest--Thieveshkar_CB013248.zip -d rootquest_vm
# Then open VMware and File → Open → rootquest_vm/RootQuest--Thieveshkar_CB013248.vmx
```
File snapshot
[4.0K] /data/pocs/d192e32bf961fdfcadd8a8b5bb0c179647a1f650
├── [1.6K] LICENSE
└── [4.9K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the content through the original source first.
2. If the source has become unavailable or cannot be accessed, please send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.