The tower of hell is a privilege escalation script builder. The goal is to generate an special environment to play with privilege escalation.
Idea comes from a discussion with a friend, when we're building our first CTF :
- What if we built a script that generates randomly a privilege escalation over "n" levels ?
- We can add multiples type of exploits and shuffle them at build-time.
$ ./main.py -h
usage: main.py [-h] [-c CHALLENGE_DIR] [-s SIZE] [-p PASSWORD] [-o OUT] [-l]
optional arguments:
-h, --help show this help message and exit
-c CHALLENGE_DIR, --challenge-dir CHALLENGE_DIR
Challenge directory Default value : "challs"
-s SIZE, --size SIZE Tower of hell heigth Default value : 10
-p PASSWORD, --password PASSWORD
Default password for level_1 Default value : level_1
-o OUT, --out OUT Out file Default value : stdout
-l, --list List all available challenges
The main script main.py
takes 2 arguments :
- The challenge directory
- default value : "
challs
"
- default value : "
- The number of level to build
- default value :
10
- default value :
Each first level subdirectory of the challenge directory are used as a challenge type. As you may expect, we want to build a privilege escalation environment using multiple kind of flaws.
Current subdirectories / challenges types are :
- sudo
- exploit
- path
Let's speak about how the challenge is deployed.
Let's work in a challenge directory.
The needed files in a challenges are :
deploy.sh
: The shell script to deploy the challenge. The challenge level is passed with the environment variableLEVEL
. Do not insert the shebang..state.ready
: Mark the challenge as ready
Here's an example of deploy.sh
script:
if [ -n "${LEVEL}" ]; then
actual_user=${LEVEL}
next_user=$((LEVEL+1))
BINARY=$(which python3)
if [ -n "${BINARY}" ]; then
apt-get install -y python3
BINARY=$(which python3)
fi
cat > "/etc/sudoers.d/level_${actual_user}_to_${next_user}" << EOF
level_${actual_user} ALL = (level_${next_user}) NOPASSWD:${BINARY}
EOF
fi