cliffe · cliffe · Dec 8, 2025 · Nov 10, 2025 · Nov 10, 2025
diff --git a/modules/vulnerabilities/unix/ctf/pwn/relative_path_suid_hardlinks/manifests/account.pp b/modules/vulnerabilities/unix/ctf/pwn/relative_path_suid_hardlinks/manifests/account.pp
@@ -1,12 +1,32 @@
 define relative_path_suid_hardlinks::account($username, $password, $strings_to_leak, $leaked_filenames) {
-  ::accounts::user { $username:
+  # Create matching group first
+  group { $username:
+    ensure => present,
+  }
+
+  # Create user account
+  user { $username:
+    ensure     => present,
     shell      => '/bin/bash',
     password   => pw_hash($password, 'SHA-512', 'mysalt'),
     managehome => true,
-    home_mode  => '0755',
+    home       => "/home/${username}",
+    gid        => $username,
+    require    => Group[$username],
+  }
+
+  # Ensure home directory has correct permissions for the exploit to work
+  # The attacker needs to be able to traverse into the directory to create hardlinks
+  file { "/home/${username}":
+    ensure  => directory,
+    mode    => '0755',
+    owner   => $username,
+    group   => $username,
+    require => User[$username],
   }
 
   # Leak strings in a text file in the users home directory
+  # Hardlinks can still be created with fs.protected_hardlinks=0
   ::secgen_functions::leak_files { "$username-file-leak":
     storage_directory => "/home/$username/",
     leaked_filenames  => $leaked_filenames,
@@ -32,8 +52,23 @@
   }
 
   # overwrite any existing content (exists on Debian Buster)
-  file { '/etc/sysctl.d/protect-links.conf':
-    content => "fs.protected_hardlinks = 0",
+  # Debian 12 requires additional settings for the hardlink exploit to work:
+  # - fs.protected_hardlinks = 0: Disables hardlink protections (necessary but not sufficient)
+  # - fs.protected_regular = 0: Allows creating hardlinks to files in world-writable sticky directories
+  # - fs.protected_fifos = 0: Additional protection that may interfere
+  if !defined(File['/etc/sysctl.d/protect-links.conf']) {
+    file { '/etc/sysctl.d/protect-links.conf':
+      content => "fs.protected_hardlinks = 0\nfs.protected_symlinks = 0\nfs.protected_regular = 0\nfs.protected_fifos = 0\n",
+      notify  => Exec['reload-sysctl-hardlinks'],
+    }
+  }
+
+  # Apply the sysctl settings immediately for Debian 12
+  if !defined(Exec['reload-sysctl-hardlinks']) {
+    exec { 'reload-sysctl-hardlinks':
+      command     => '/sbin/sysctl -p /etc/sysctl.d/protect-links.conf',
+      refreshonly => true,
+    }
   }
 
-}
+}
diff --git a/scenarios/ctf/access_can_roll.xml b/scenarios/ctf/access_can_roll.xml
@@ -6,6 +6,7 @@
 
   <name>Access can roll</name>
   <author>Z. Cliffe Schreuders</author>
+  <author>Rosie Fletcher</author>
   <description>
 There are two problem solving access control challenges on the server. Look at the home directories and the .c files.
 
@@ -17,7 +18,7 @@ Your password on both systems is: tiaspbiqe2r
   </description>
 
   <type>ctf-lab</type>
-  <type>hackerbot-lab</type>
+  <!--<type>hackerbot-lab</type>-->
   <type>lab-sheet</type>
   <difficulty>intermediate</difficulty>
 
@@ -49,7 +50,7 @@ Your password on both systems is: tiaspbiqe2r
       <!-- 1 server -->
       <value>172.16.0.3</value>
       <!-- 2 hackerbot_server -->
-      <value>172.16.0.4</value>
+      <!--<value>172.16.0.4</value>-->
     </input>
 
     <!-- generate some usernames to use -->
@@ -176,7 +177,7 @@ int main()
     <utility module_path=".*/handy_cli_tools"/>
     <utility module_path=".*/gcc"/>
 
-    <utility module_path=".*/iceweasel">
+    <!-- <utility module_path=".*/iceweasel">
       <input into="accounts">
         <datastore>user_accounts_desktop</datastore>
       </input>
@@ -195,7 +196,7 @@ int main()
       <input into="accounts">
         <datastore access="0">user_accounts_desktop</datastore>
       </input>
-    </utility>
+    </utility> -->
 
     <vulnerability module_path=".*/ssh_root_login">
       <input into="root_password">
@@ -271,6 +272,7 @@ int main()
     </utility>
 
     <utility module_path=".*/handy_cli_tools"/>
+    <utility module_path=".*/gcc"/>
 
     <vulnerability module_path=".*/ssh_root_login">
       <input into="root_password">
@@ -280,7 +282,7 @@ int main()
 
     <vulnerability module_path=".*/relative_path_suid_hardlinks"/>
     <vulnerability module_path=".*/two_shell_calls"/>
-    <vulnerability module_path=".*/ssh_leaked_keys"/>
+    <!-- <vulnerability module_path=".*/ssh_leaked_keys"/> -->
 
 
     <network type="private_network">