deadwood-sec 0.1.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- deadwood_sec-0.1.0/.github/workflows/ci.yml +25 -0
- deadwood_sec-0.1.0/.github/workflows/release.yml +30 -0
- deadwood_sec-0.1.0/.gitignore +7 -0
- deadwood_sec-0.1.0/CHANGELOG.md +16 -0
- deadwood_sec-0.1.0/LICENSE +21 -0
- deadwood_sec-0.1.0/PKG-INFO +116 -0
- deadwood_sec-0.1.0/README.md +93 -0
- deadwood_sec-0.1.0/pyproject.toml +42 -0
- deadwood_sec-0.1.0/src/deadwood/__init__.py +10 -0
- deadwood_sec-0.1.0/src/deadwood/__main__.py +4 -0
- deadwood_sec-0.1.0/src/deadwood/cli.py +138 -0
- deadwood_sec-0.1.0/src/deadwood/data.py +127 -0
- deadwood_sec-0.1.0/src/deadwood/flags.py +42 -0
- deadwood_sec-0.1.0/src/deadwood/level.py +82 -0
- deadwood_sec-0.1.0/src/deadwood/levels/__init__.py +9 -0
- deadwood_sec-0.1.0/src/deadwood/levels/l01_first_blood.py +65 -0
- deadwood_sec-0.1.0/src/deadwood/levels/l02_whispers.py +70 -0
- deadwood_sec-0.1.0/src/deadwood/levels/l03_the_telegraph.py +61 -0
- deadwood_sec-0.1.0/src/deadwood/levels/l04_back_door.py +58 -0
- deadwood_sec-0.1.0/src/deadwood/progress.py +35 -0
- deadwood_sec-0.1.0/src/deadwood/server.py +109 -0
- deadwood_sec-0.1.0/src/deadwood/ui.py +41 -0
- deadwood_sec-0.1.0/src/deadwood/web.py +106 -0
- deadwood_sec-0.1.0/tests/test_flags.py +19 -0
- deadwood_sec-0.1.0/tests/test_levels.py +58 -0
- deadwood_sec-0.1.0/tests/test_progress.py +13 -0
- deadwood_sec-0.1.0/tests/test_server.py +28 -0
- deadwood_sec-0.1.0/tests/test_world.py +37 -0
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
name: CI
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
push:
|
|
5
|
+
branches: [main]
|
|
6
|
+
pull_request:
|
|
7
|
+
branches: [main]
|
|
8
|
+
|
|
9
|
+
jobs:
|
|
10
|
+
test:
|
|
11
|
+
runs-on: ubuntu-latest
|
|
12
|
+
strategy:
|
|
13
|
+
fail-fast: false
|
|
14
|
+
matrix:
|
|
15
|
+
python-version: ["3.10", "3.11", "3.12"]
|
|
16
|
+
steps:
|
|
17
|
+
- uses: actions/checkout@v5
|
|
18
|
+
- name: Set up Python ${{ matrix.python-version }}
|
|
19
|
+
uses: actions/setup-python@v6
|
|
20
|
+
with:
|
|
21
|
+
python-version: ${{ matrix.python-version }}
|
|
22
|
+
- name: Install
|
|
23
|
+
run: pip install -e ".[dev]"
|
|
24
|
+
- name: Test
|
|
25
|
+
run: pytest -q
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
name: release
|
|
2
|
+
|
|
3
|
+
on:
|
|
4
|
+
push:
|
|
5
|
+
tags: ["v*"]
|
|
6
|
+
|
|
7
|
+
permissions:
|
|
8
|
+
contents: write
|
|
9
|
+
id-token: write # lets PyPI Trusted Publishing mint a short-lived token (no secrets stored)
|
|
10
|
+
|
|
11
|
+
jobs:
|
|
12
|
+
release:
|
|
13
|
+
runs-on: ubuntu-latest
|
|
14
|
+
environment: pypi # must match the environment set on the PyPI trusted publisher
|
|
15
|
+
steps:
|
|
16
|
+
- uses: actions/checkout@v5
|
|
17
|
+
- uses: actions/setup-python@v6
|
|
18
|
+
with:
|
|
19
|
+
python-version: "3.12"
|
|
20
|
+
- name: Build sdist and wheel
|
|
21
|
+
run: |
|
|
22
|
+
python -m pip install --upgrade build
|
|
23
|
+
python -m build
|
|
24
|
+
- name: Publish GitHub release
|
|
25
|
+
uses: softprops/action-gh-release@v3
|
|
26
|
+
with:
|
|
27
|
+
generate_release_notes: true
|
|
28
|
+
files: dist/*
|
|
29
|
+
- name: Publish to PyPI
|
|
30
|
+
uses: pypa/gh-action-pypi-publish@release/v1
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to this project are documented here. The format is loosely
|
|
4
|
+
based on [Keep a Changelog](https://keepachangelog.com/).
|
|
5
|
+
|
|
6
|
+
## [0.1.0]
|
|
7
|
+
|
|
8
|
+
### Added
|
|
9
|
+
- The range: a dependency-free, leveled web-security target that runs on
|
|
10
|
+
localhost only, with a town-map UI, per-level briefings, **progressive hints**,
|
|
11
|
+
a **view-the-vulnerable-source / how-to-fix** reveal, per-install flags
|
|
12
|
+
(`DEADWOOD{...}`) and a local scoreboard.
|
|
13
|
+
- A realistic seeded world — the fictional *Deadwood Telegraph & Trust Co.*
|
|
14
|
+
(employees, customers, accounts, transactions, telegrams).
|
|
15
|
+
- CLI: `serve`, `levels`, `learn <slug>`, `flag <slug> <value>`, `reset`.
|
|
16
|
+
- **Level 1 — First Blood**: in-band UNION SQL injection in the staff directory.
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Gustavo Almeida
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
@@ -0,0 +1,116 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: deadwood-sec
|
|
3
|
+
Version: 0.1.0
|
|
4
|
+
Summary: A self-hosted web-security range, leveled tutorial-to-impossible — the practice town for wraith and hickok.
|
|
5
|
+
Project-URL: Homepage, https://github.com/gusta-ve/deadwood
|
|
6
|
+
Project-URL: Source, https://github.com/gusta-ve/deadwood
|
|
7
|
+
Project-URL: Changelog, https://github.com/gusta-ve/deadwood/blob/main/CHANGELOG.md
|
|
8
|
+
Author: gusta-ve
|
|
9
|
+
License-Expression: MIT
|
|
10
|
+
License-File: LICENSE
|
|
11
|
+
Keywords: appsec,command-injection,ctf,education,lab,pentest,range,security,sql-injection,training,vulnerable
|
|
12
|
+
Classifier: Development Status :: 3 - Alpha
|
|
13
|
+
Classifier: Environment :: Web Environment
|
|
14
|
+
Classifier: Intended Audience :: Information Technology
|
|
15
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
16
|
+
Classifier: Programming Language :: Python :: 3 :: Only
|
|
17
|
+
Classifier: Topic :: Education
|
|
18
|
+
Classifier: Topic :: Security
|
|
19
|
+
Requires-Python: >=3.10
|
|
20
|
+
Provides-Extra: dev
|
|
21
|
+
Requires-Dist: pytest; extra == 'dev'
|
|
22
|
+
Description-Content-Type: text/markdown
|
|
23
|
+
|
|
24
|
+
# deadwood
|
|
25
|
+
|
|
26
|
+
A self-hosted **web-security range** that doubles as a tutorial — graded levels
|
|
27
|
+
from the first trivial injection to the deliberately near-impossible. It's the
|
|
28
|
+
practice town for the dead man's hand: scout each room with
|
|
29
|
+
[**wraith**](https://github.com/gusta-ve/wraith), take it with
|
|
30
|
+
[**hickok**](https://github.com/gusta-ve/hickok), capture the flag, then read the
|
|
31
|
+
vulnerable source and the fix.
|
|
32
|
+
|
|
33
|
+
Dependency-free (stdlib + SQLite). Runs on **127.0.0.1 only**.
|
|
34
|
+
|
|
35
|
+
[](https://pypi.org/project/deadwood-sec/)
|
|
36
|
+

|
|
37
|
+

|
|
38
|
+
|
|
39
|
+
> ⚠️ **deadwood is intentionally vulnerable, by design.** It refuses to bind
|
|
40
|
+
> anything but loopback unless you force it. Never expose it to a network, a VM
|
|
41
|
+
> bridge, or the internet. Attack only this app, on your own machine.
|
|
42
|
+
|
|
43
|
+
- [Install](#install)
|
|
44
|
+
- [Run it](#run-it)
|
|
45
|
+
- [How a level works](#how-a-level-works)
|
|
46
|
+
- [The levels](#the-levels)
|
|
47
|
+
- [Pairing with wraith & hickok](#pairing-with-wraith--hickok)
|
|
48
|
+
|
|
49
|
+
## Install
|
|
50
|
+
|
|
51
|
+
```bash
|
|
52
|
+
pipx install deadwood-sec # gives you the `deadwood` command
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
Or from a clone: `pip install -e .` — or run it with no install:
|
|
56
|
+
`PYTHONPATH=src python3 -m deadwood`.
|
|
57
|
+
|
|
58
|
+
## Run it
|
|
59
|
+
|
|
60
|
+
```bash
|
|
61
|
+
deadwood serve # http://127.0.0.1:8666 (the town map)
|
|
62
|
+
deadwood levels # list the rooms and your progress
|
|
63
|
+
deadwood learn first-blood # a level's briefing: objective, hints, source, the fix
|
|
64
|
+
deadwood flag first-blood 'DEADWOOD{...}' # submit a captured flag
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
Open the map in a browser, pick a room, and point your tools at the app URL it
|
|
68
|
+
gives you (e.g. `http://127.0.0.1:8666/l/first-blood/app?id=1`).
|
|
69
|
+
|
|
70
|
+
## How a level works
|
|
71
|
+
|
|
72
|
+
Every room is the same shape, easy to the hard:
|
|
73
|
+
|
|
74
|
+
- a **realistic app** (the fictional *Deadwood Telegraph & Trust Co.* — employees,
|
|
75
|
+
customers, accounts, telegrams) with one real flaw;
|
|
76
|
+
- a **flag** to capture (`DEADWOOD{...}`, unique to your install);
|
|
77
|
+
- **progressive hints** — reveal them one at a time, only if you want them;
|
|
78
|
+
- the **vulnerable source** and **how to fix it**, once you ask (spoilers).
|
|
79
|
+
|
|
80
|
+
Play blind for the CTF, or lean on the hints and `learn` for the tutorial. Your
|
|
81
|
+
captures are tracked locally.
|
|
82
|
+
|
|
83
|
+
## The levels
|
|
84
|
+
|
|
85
|
+
Tutorial → impossible. Each maps to a technique you can practise by hand or drive
|
|
86
|
+
with hickok/wraith:
|
|
87
|
+
|
|
88
|
+
| # | Room | Tier | Vector |
|
|
89
|
+
|---|------|------|--------|
|
|
90
|
+
| 1 | First Blood | Tutorial | SQL injection — UNION (in-band) |
|
|
91
|
+
| 2 | Whispers | Easy | SQL injection — boolean-blind |
|
|
92
|
+
| 3 | The Telegraph | Medium | SQL injection — time-based blind |
|
|
93
|
+
| 4 | Back Door | Medium | OS command injection → shell |
|
|
94
|
+
|
|
95
|
+
*(more rooms land as the range grows — auth bypass, filtered/WAF'd injection,
|
|
96
|
+
SSTI, and the Vault.)*
|
|
97
|
+
|
|
98
|
+
## Pairing with wraith & hickok
|
|
99
|
+
|
|
100
|
+
deadwood is the range the tools grew up on. A typical run:
|
|
101
|
+
|
|
102
|
+
```bash
|
|
103
|
+
deadwood serve & # the town
|
|
104
|
+
hickok sql -u 'http://127.0.0.1:8666/l/first-blood/app?id=1' -p id --dump secrets
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
When a tool can't take a room, that's a bug to fix in the tool; when a room is
|
|
108
|
+
too easy, that's a room to harden. They sharpen each other.
|
|
109
|
+
|
|
110
|
+
## License
|
|
111
|
+
|
|
112
|
+
MIT.
|
|
113
|
+
|
|
114
|
+
---
|
|
115
|
+
|
|
116
|
+
*Deadwood, 1876 — where the dead man's hand was dealt.*
|
|
@@ -0,0 +1,93 @@
|
|
|
1
|
+
# deadwood
|
|
2
|
+
|
|
3
|
+
A self-hosted **web-security range** that doubles as a tutorial — graded levels
|
|
4
|
+
from the first trivial injection to the deliberately near-impossible. It's the
|
|
5
|
+
practice town for the dead man's hand: scout each room with
|
|
6
|
+
[**wraith**](https://github.com/gusta-ve/wraith), take it with
|
|
7
|
+
[**hickok**](https://github.com/gusta-ve/hickok), capture the flag, then read the
|
|
8
|
+
vulnerable source and the fix.
|
|
9
|
+
|
|
10
|
+
Dependency-free (stdlib + SQLite). Runs on **127.0.0.1 only**.
|
|
11
|
+
|
|
12
|
+
[](https://pypi.org/project/deadwood-sec/)
|
|
13
|
+

|
|
14
|
+

|
|
15
|
+
|
|
16
|
+
> ⚠️ **deadwood is intentionally vulnerable, by design.** It refuses to bind
|
|
17
|
+
> anything but loopback unless you force it. Never expose it to a network, a VM
|
|
18
|
+
> bridge, or the internet. Attack only this app, on your own machine.
|
|
19
|
+
|
|
20
|
+
- [Install](#install)
|
|
21
|
+
- [Run it](#run-it)
|
|
22
|
+
- [How a level works](#how-a-level-works)
|
|
23
|
+
- [The levels](#the-levels)
|
|
24
|
+
- [Pairing with wraith & hickok](#pairing-with-wraith--hickok)
|
|
25
|
+
|
|
26
|
+
## Install
|
|
27
|
+
|
|
28
|
+
```bash
|
|
29
|
+
pipx install deadwood-sec # gives you the `deadwood` command
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
Or from a clone: `pip install -e .` — or run it with no install:
|
|
33
|
+
`PYTHONPATH=src python3 -m deadwood`.
|
|
34
|
+
|
|
35
|
+
## Run it
|
|
36
|
+
|
|
37
|
+
```bash
|
|
38
|
+
deadwood serve # http://127.0.0.1:8666 (the town map)
|
|
39
|
+
deadwood levels # list the rooms and your progress
|
|
40
|
+
deadwood learn first-blood # a level's briefing: objective, hints, source, the fix
|
|
41
|
+
deadwood flag first-blood 'DEADWOOD{...}' # submit a captured flag
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
Open the map in a browser, pick a room, and point your tools at the app URL it
|
|
45
|
+
gives you (e.g. `http://127.0.0.1:8666/l/first-blood/app?id=1`).
|
|
46
|
+
|
|
47
|
+
## How a level works
|
|
48
|
+
|
|
49
|
+
Every room is the same shape, easy to the hard:
|
|
50
|
+
|
|
51
|
+
- a **realistic app** (the fictional *Deadwood Telegraph & Trust Co.* — employees,
|
|
52
|
+
customers, accounts, telegrams) with one real flaw;
|
|
53
|
+
- a **flag** to capture (`DEADWOOD{...}`, unique to your install);
|
|
54
|
+
- **progressive hints** — reveal them one at a time, only if you want them;
|
|
55
|
+
- the **vulnerable source** and **how to fix it**, once you ask (spoilers).
|
|
56
|
+
|
|
57
|
+
Play blind for the CTF, or lean on the hints and `learn` for the tutorial. Your
|
|
58
|
+
captures are tracked locally.
|
|
59
|
+
|
|
60
|
+
## The levels
|
|
61
|
+
|
|
62
|
+
Tutorial → impossible. Each maps to a technique you can practise by hand or drive
|
|
63
|
+
with hickok/wraith:
|
|
64
|
+
|
|
65
|
+
| # | Room | Tier | Vector |
|
|
66
|
+
|---|------|------|--------|
|
|
67
|
+
| 1 | First Blood | Tutorial | SQL injection — UNION (in-band) |
|
|
68
|
+
| 2 | Whispers | Easy | SQL injection — boolean-blind |
|
|
69
|
+
| 3 | The Telegraph | Medium | SQL injection — time-based blind |
|
|
70
|
+
| 4 | Back Door | Medium | OS command injection → shell |
|
|
71
|
+
|
|
72
|
+
*(more rooms land as the range grows — auth bypass, filtered/WAF'd injection,
|
|
73
|
+
SSTI, and the Vault.)*
|
|
74
|
+
|
|
75
|
+
## Pairing with wraith & hickok
|
|
76
|
+
|
|
77
|
+
deadwood is the range the tools grew up on. A typical run:
|
|
78
|
+
|
|
79
|
+
```bash
|
|
80
|
+
deadwood serve & # the town
|
|
81
|
+
hickok sql -u 'http://127.0.0.1:8666/l/first-blood/app?id=1' -p id --dump secrets
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
When a tool can't take a room, that's a bug to fix in the tool; when a room is
|
|
85
|
+
too easy, that's a room to harden. They sharpen each other.
|
|
86
|
+
|
|
87
|
+
## License
|
|
88
|
+
|
|
89
|
+
MIT.
|
|
90
|
+
|
|
91
|
+
---
|
|
92
|
+
|
|
93
|
+
*Deadwood, 1876 — where the dead man's hand was dealt.*
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
[build-system]
|
|
2
|
+
requires = ["hatchling"]
|
|
3
|
+
build-backend = "hatchling.build"
|
|
4
|
+
|
|
5
|
+
[project]
|
|
6
|
+
name = "deadwood-sec"
|
|
7
|
+
dynamic = ["version"]
|
|
8
|
+
description = "A self-hosted web-security range, leveled tutorial-to-impossible — the practice town for wraith and hickok."
|
|
9
|
+
readme = "README.md"
|
|
10
|
+
requires-python = ">=3.10"
|
|
11
|
+
license = "MIT"
|
|
12
|
+
authors = [{ name = "gusta-ve" }]
|
|
13
|
+
keywords = [
|
|
14
|
+
"security", "ctf", "training", "education", "pentest", "appsec",
|
|
15
|
+
"sql-injection", "command-injection", "vulnerable", "range", "lab",
|
|
16
|
+
]
|
|
17
|
+
classifiers = [
|
|
18
|
+
"Development Status :: 3 - Alpha",
|
|
19
|
+
"Environment :: Web Environment",
|
|
20
|
+
"Intended Audience :: Information Technology",
|
|
21
|
+
"License :: OSI Approved :: MIT License",
|
|
22
|
+
"Programming Language :: Python :: 3 :: Only",
|
|
23
|
+
"Topic :: Security",
|
|
24
|
+
"Topic :: Education",
|
|
25
|
+
]
|
|
26
|
+
|
|
27
|
+
[project.optional-dependencies]
|
|
28
|
+
dev = ["pytest"]
|
|
29
|
+
|
|
30
|
+
[project.scripts]
|
|
31
|
+
deadwood = "deadwood.cli:main"
|
|
32
|
+
|
|
33
|
+
[project.urls]
|
|
34
|
+
Homepage = "https://github.com/gusta-ve/deadwood"
|
|
35
|
+
Source = "https://github.com/gusta-ve/deadwood"
|
|
36
|
+
Changelog = "https://github.com/gusta-ve/deadwood/blob/main/CHANGELOG.md"
|
|
37
|
+
|
|
38
|
+
[tool.hatch.version]
|
|
39
|
+
path = "src/deadwood/__init__.py"
|
|
40
|
+
|
|
41
|
+
[tool.hatch.build.targets.wheel]
|
|
42
|
+
packages = ["src/deadwood"]
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
"""deadwood — a self-hosted web-security range, leveled tutorial-to-impossible.
|
|
2
|
+
|
|
3
|
+
The practice town for the dead man's hand: bring wraith to scout it and hickok to
|
|
4
|
+
take it. Every saloon and back room is a level — a real-looking flaw with a flag,
|
|
5
|
+
a lesson, and the source laid bare once you've earned it.
|
|
6
|
+
|
|
7
|
+
Intentionally vulnerable. Runs on 127.0.0.1 only. Never expose it.
|
|
8
|
+
"""
|
|
9
|
+
|
|
10
|
+
__version__ = "0.1.0"
|
|
@@ -0,0 +1,138 @@
|
|
|
1
|
+
"""deadwood command line — run the range, browse and learn the levels, grade flags."""
|
|
2
|
+
|
|
3
|
+
from __future__ import annotations
|
|
4
|
+
|
|
5
|
+
import argparse
|
|
6
|
+
import sys
|
|
7
|
+
|
|
8
|
+
import deadwood.levels # noqa: F401 (importing registers every level)
|
|
9
|
+
from deadwood import __version__, flags, progress, server
|
|
10
|
+
from deadwood.level import all_levels, by_slug
|
|
11
|
+
|
|
12
|
+
_BANNER = r"""
|
|
13
|
+
___ _ _
|
|
14
|
+
/ _ \___ __ _ __| |_ _____ (_)__/ /
|
|
15
|
+
/ // / -_) _` |/ _` \ \ /\ / / _ \ / / _ /
|
|
16
|
+
/____/\__/\__,_|\__,_/\_\/\_/\___//_/\_,_/ a vulnerable range · tutorial → impossible
|
|
17
|
+
"""
|
|
18
|
+
|
|
19
|
+
|
|
20
|
+
def _print_banner():
|
|
21
|
+
print(_BANNER.rstrip("\n"))
|
|
22
|
+
print(f" v{__version__} · the practice town for wraith & hickok\n")
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
def cmd_serve(args):
|
|
26
|
+
_print_banner()
|
|
27
|
+
sv = progress.solved()
|
|
28
|
+
print(f" map http://{args.host}:{args.port}/")
|
|
29
|
+
print(f" levels {len(all_levels())} loaded · {len(sv)} taken")
|
|
30
|
+
print(f" warning intentionally vulnerable — keep it on localhost, never expose it")
|
|
31
|
+
print("\n Ctrl-C to stop the range.\n")
|
|
32
|
+
try:
|
|
33
|
+
server.serve(args.host, args.port, allow_unsafe=args.unsafe)
|
|
34
|
+
except PermissionError as exc:
|
|
35
|
+
print(f" [-] {exc}", file=sys.stderr)
|
|
36
|
+
raise SystemExit(2)
|
|
37
|
+
except OSError as exc:
|
|
38
|
+
print(f" [-] cannot bind {args.host}:{args.port} — {exc}", file=sys.stderr)
|
|
39
|
+
raise SystemExit(2)
|
|
40
|
+
except KeyboardInterrupt:
|
|
41
|
+
print("\n range closed.")
|
|
42
|
+
|
|
43
|
+
|
|
44
|
+
def cmd_levels(args):
|
|
45
|
+
sv = progress.solved()
|
|
46
|
+
print()
|
|
47
|
+
for lv in all_levels():
|
|
48
|
+
mark = "✓" if lv.slug in sv else " "
|
|
49
|
+
print(f" [{mark}] {lv.num:02d} {lv.title:<18} {lv.tier:<11} {lv.category}")
|
|
50
|
+
print(f" {lv.slug:<18} {lv.brief}")
|
|
51
|
+
print(f"\n {len(sv)}/{len(all_levels())} taken · learn a level with `deadwood learn <slug>`\n")
|
|
52
|
+
|
|
53
|
+
|
|
54
|
+
def cmd_learn(args):
|
|
55
|
+
lv = by_slug(args.slug)
|
|
56
|
+
if lv is None:
|
|
57
|
+
print(f" no level '{args.slug}'. see `deadwood levels`.", file=sys.stderr)
|
|
58
|
+
raise SystemExit(2)
|
|
59
|
+
bar = "─" * 60
|
|
60
|
+
print(f"\n {lv.num:02d} · {lv.title} [{lv.tier}] {lv.category}\n {bar}")
|
|
61
|
+
print(f" objective\n {lv.objective}\n")
|
|
62
|
+
print(" hints")
|
|
63
|
+
for i, h in enumerate(lv.hints, 1):
|
|
64
|
+
print(f" {i}. {h}")
|
|
65
|
+
print(f"\n the vulnerable source\n{_indent(lv.source)}")
|
|
66
|
+
print(f"\n how to fix it\n {lv.remediation}")
|
|
67
|
+
print(f"\n capture the flag, then: deadwood flag {lv.slug} 'DEADWOOD{{...}}'\n")
|
|
68
|
+
|
|
69
|
+
|
|
70
|
+
def _indent(text, pad=" | "):
|
|
71
|
+
return "\n".join(pad + ln for ln in text.splitlines())
|
|
72
|
+
|
|
73
|
+
|
|
74
|
+
def cmd_flag(args):
|
|
75
|
+
lv = by_slug(args.slug)
|
|
76
|
+
if lv is None:
|
|
77
|
+
print(f" no level '{args.slug}'.", file=sys.stderr)
|
|
78
|
+
raise SystemExit(2)
|
|
79
|
+
if flags.check(lv.slug, args.value):
|
|
80
|
+
progress.mark(lv.slug)
|
|
81
|
+
print(f" ✓ {lv.title} — taken. that's the hand.")
|
|
82
|
+
else:
|
|
83
|
+
print(" ✗ not it. keep working the room.")
|
|
84
|
+
raise SystemExit(1)
|
|
85
|
+
|
|
86
|
+
|
|
87
|
+
def cmd_reset(args):
|
|
88
|
+
progress.reset()
|
|
89
|
+
print(" progress reset — every room is open again.")
|
|
90
|
+
|
|
91
|
+
|
|
92
|
+
def build_parser() -> argparse.ArgumentParser:
|
|
93
|
+
p = argparse.ArgumentParser(prog="deadwood",
|
|
94
|
+
description="A self-hosted, leveled web-security range "
|
|
95
|
+
"(tutorial → impossible). Intentionally vulnerable; "
|
|
96
|
+
"runs on localhost only.")
|
|
97
|
+
p.add_argument("--version", action="version", version=f"deadwood {__version__}")
|
|
98
|
+
sub = p.add_subparsers(dest="command", metavar="<command>")
|
|
99
|
+
|
|
100
|
+
s = sub.add_parser("serve", help="run the range")
|
|
101
|
+
s.add_argument("-H", "--host", default="127.0.0.1", help="bind host (default: 127.0.0.1)")
|
|
102
|
+
s.add_argument("-p", "--port", type=int, default=8666, help="bind port (default: 8666)")
|
|
103
|
+
s.add_argument("--unsafe", action="store_true",
|
|
104
|
+
help="allow binding a non-loopback host (dangerous — it's vulnerable)")
|
|
105
|
+
s.set_defaults(func=cmd_serve)
|
|
106
|
+
|
|
107
|
+
ls = sub.add_parser("levels", help="list the levels and your progress")
|
|
108
|
+
ls.set_defaults(func=cmd_levels)
|
|
109
|
+
|
|
110
|
+
lr = sub.add_parser("learn", help="the briefing for a level (objective, hints, source, fix)")
|
|
111
|
+
lr.add_argument("slug")
|
|
112
|
+
lr.set_defaults(func=cmd_learn)
|
|
113
|
+
|
|
114
|
+
fl = sub.add_parser("flag", help="submit a captured flag")
|
|
115
|
+
fl.add_argument("slug")
|
|
116
|
+
fl.add_argument("value")
|
|
117
|
+
fl.set_defaults(func=cmd_flag)
|
|
118
|
+
|
|
119
|
+
rs = sub.add_parser("reset", help="clear your captured-flag progress")
|
|
120
|
+
rs.set_defaults(func=cmd_reset)
|
|
121
|
+
return p
|
|
122
|
+
|
|
123
|
+
|
|
124
|
+
def main(argv=None):
|
|
125
|
+
argv = sys.argv[1:] if argv is None else list(argv)
|
|
126
|
+
args = build_parser().parse_args(argv)
|
|
127
|
+
if not getattr(args, "func", None):
|
|
128
|
+
_print_banner()
|
|
129
|
+
print(" deadwood serve run the range (http://127.0.0.1:8666)")
|
|
130
|
+
print(" deadwood levels list the levels")
|
|
131
|
+
print(" deadwood learn <slug> a level's briefing + how to fix it")
|
|
132
|
+
print(" deadwood flag <slug> ... submit a captured flag\n")
|
|
133
|
+
return
|
|
134
|
+
args.func(args)
|
|
135
|
+
|
|
136
|
+
|
|
137
|
+
if __name__ == "__main__":
|
|
138
|
+
main()
|
|
@@ -0,0 +1,127 @@
|
|
|
1
|
+
"""The world: a believable frontier company seeded into SQLite.
|
|
2
|
+
|
|
3
|
+
Deadwood Telegraph & Trust Co. — a bank and telegraph office. Employees, customers,
|
|
4
|
+
accounts, transactions and internal telegrams, all generated by a small seeded
|
|
5
|
+
faker (stdlib only) so the data looks real and is the same every time. Levels read
|
|
6
|
+
from this shared world and seed their own secrets on top.
|
|
7
|
+
"""
|
|
8
|
+
|
|
9
|
+
from __future__ import annotations
|
|
10
|
+
|
|
11
|
+
import hashlib
|
|
12
|
+
import random
|
|
13
|
+
import sqlite3
|
|
14
|
+
import time as _time
|
|
15
|
+
|
|
16
|
+
_FIRST = [
|
|
17
|
+
"Wyatt", "Martha", "Calamity", "Seth", "Al", "Sol", "Jane", "Charlie", "Doc",
|
|
18
|
+
"Ellis", "Nora", "Sage", "Hattie", "Cyrus", "Mabel", "Otis", "Pearl", "Gus",
|
|
19
|
+
"Ada", "Levi", "Ruth", "Silas", "Della", "Amos", "Iris", "Roy", "Etta", "Hank",
|
|
20
|
+
"Cora", "Jeb", "Lula", "Virgil", "Tess", "Boone", "Winnie", "Clay", "Goldie",
|
|
21
|
+
]
|
|
22
|
+
_LAST = [
|
|
23
|
+
"Earp", "Bullock", "Hickok", "Canary", "Swearengen", "Star", "Utter", "Holliday",
|
|
24
|
+
"Tilghman", "Masterson", "Garrett", "Cody", "Oakley", "Ringo", "Younger", "Dalton",
|
|
25
|
+
"Plummer", "Slade", "Boot", "Hardin", "Doolin", "Starr", "Bass", "Reeves",
|
|
26
|
+
]
|
|
27
|
+
_TOWNS = [
|
|
28
|
+
"Deadwood", "Tombstone", "Dodge City", "Abilene", "Cheyenne", "Laramie", "Yuma",
|
|
29
|
+
"Silverton", "Leadville", "Virginia City", "Bisbee", "Tascosa",
|
|
30
|
+
]
|
|
31
|
+
_ROLES = [
|
|
32
|
+
"Teller", "Head Teller", "Clerk", "Telegraph Operator", "Bookkeeper", "Vault Manager",
|
|
33
|
+
"Loan Officer", "Branch Manager", "Stagecoach Agent", "Auditor",
|
|
34
|
+
]
|
|
35
|
+
_MEMOS = [
|
|
36
|
+
"deposit, gold dust", "withdrawal, cash", "wire transfer", "loan repayment",
|
|
37
|
+
"stagecoach freight", "saloon takings", "claim payout", "cattle sale",
|
|
38
|
+
"telegraph fee", "vault audit adjustment",
|
|
39
|
+
]
|
|
40
|
+
_DOMAIN = "deadwood-trust.example"
|
|
41
|
+
|
|
42
|
+
|
|
43
|
+
def _slugify(name: str) -> str:
|
|
44
|
+
return name.lower().replace(" ", "")
|
|
45
|
+
|
|
46
|
+
|
|
47
|
+
def _sleep(n):
|
|
48
|
+
"""A SQLite `sleep()` — real engines have one natively; SQLite doesn't, so the
|
|
49
|
+
time-based level (The Telegraph) needs it provided. Capped, so an injection
|
|
50
|
+
can't hang the range."""
|
|
51
|
+
try:
|
|
52
|
+
_time.sleep(min(float(n), 5))
|
|
53
|
+
except (TypeError, ValueError):
|
|
54
|
+
pass
|
|
55
|
+
return 0
|
|
56
|
+
|
|
57
|
+
|
|
58
|
+
def build(db: sqlite3.Connection, seed: int = 1876) -> None:
|
|
59
|
+
"""(Re)build the company world into `db`. Deterministic for a given seed."""
|
|
60
|
+
db.create_function("sleep", 1, _sleep)
|
|
61
|
+
rng = random.Random(seed)
|
|
62
|
+
db.executescript("""
|
|
63
|
+
DROP TABLE IF EXISTS employees;
|
|
64
|
+
DROP TABLE IF EXISTS customers;
|
|
65
|
+
DROP TABLE IF EXISTS accounts;
|
|
66
|
+
DROP TABLE IF EXISTS transactions;
|
|
67
|
+
DROP TABLE IF EXISTS telegrams;
|
|
68
|
+
DROP TABLE IF EXISTS secrets;
|
|
69
|
+
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, role TEXT, town TEXT,
|
|
70
|
+
username TEXT, pw_md5 TEXT, email TEXT);
|
|
71
|
+
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, town TEXT, email TEXT, joined TEXT);
|
|
72
|
+
CREATE TABLE accounts (id INTEGER PRIMARY KEY, customer_id INTEGER, number TEXT,
|
|
73
|
+
kind TEXT, balance INTEGER);
|
|
74
|
+
CREATE TABLE transactions (id INTEGER PRIMARY KEY, account_id INTEGER, day TEXT,
|
|
75
|
+
amount INTEGER, memo TEXT);
|
|
76
|
+
CREATE TABLE telegrams (id INTEGER PRIMARY KEY, sender TEXT, recipient TEXT,
|
|
77
|
+
subject TEXT, body TEXT);
|
|
78
|
+
CREATE TABLE secrets (id INTEGER PRIMARY KEY, label TEXT, value TEXT);
|
|
79
|
+
""")
|
|
80
|
+
|
|
81
|
+
def person():
|
|
82
|
+
return f"{rng.choice(_FIRST)} {rng.choice(_LAST)}"
|
|
83
|
+
|
|
84
|
+
# employees — note the weak MD5 password hashes (a lesson for later levels)
|
|
85
|
+
employees = []
|
|
86
|
+
used = set()
|
|
87
|
+
for i in range(1, 19):
|
|
88
|
+
name = person()
|
|
89
|
+
user = _slugify(name)
|
|
90
|
+
while user in used:
|
|
91
|
+
name = person()
|
|
92
|
+
user = _slugify(name)
|
|
93
|
+
used.add(user)
|
|
94
|
+
pw = rng.choice(["summer76", "letmein", "goldrush", "deadwood", "trotter",
|
|
95
|
+
"marshal", "blackhills", "aceshigh", "wagon", "telegraph"])
|
|
96
|
+
employees.append((i, name, rng.choice(_ROLES), rng.choice(_TOWNS), user,
|
|
97
|
+
hashlib.md5(pw.encode()).hexdigest(), f"{user}@{_DOMAIN}"))
|
|
98
|
+
db.executemany("INSERT INTO employees VALUES (?,?,?,?,?,?,?)", employees)
|
|
99
|
+
|
|
100
|
+
# customers + their accounts + a ledger of transactions
|
|
101
|
+
acc_id = tx_id = 0
|
|
102
|
+
for cid in range(1, 41):
|
|
103
|
+
name = person()
|
|
104
|
+
town = rng.choice(_TOWNS)
|
|
105
|
+
db.execute("INSERT INTO customers VALUES (?,?,?,?,?)",
|
|
106
|
+
(cid, name, town, f"{_slugify(name)}@mail.example",
|
|
107
|
+
f"187{rng.randint(2, 9)}-{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}"))
|
|
108
|
+
for _ in range(rng.randint(1, 2)):
|
|
109
|
+
acc_id += 1
|
|
110
|
+
kind = rng.choice(["checking", "savings", "gold deposit"])
|
|
111
|
+
bal = rng.randint(20, 9000) * (100 if kind == "gold deposit" else 1)
|
|
112
|
+
db.execute("INSERT INTO accounts VALUES (?,?,?,?,?)",
|
|
113
|
+
(acc_id, cid, f"DW-{rng.randint(10000, 99999)}", kind, bal))
|
|
114
|
+
for _ in range(rng.randint(2, 6)):
|
|
115
|
+
tx_id += 1
|
|
116
|
+
db.execute("INSERT INTO transactions VALUES (?,?,?,?,?)",
|
|
117
|
+
(tx_id, acc_id, f"187{rng.randint(2, 9)}-{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}",
|
|
118
|
+
rng.randint(-2000, 5000), rng.choice(_MEMOS)))
|
|
119
|
+
|
|
120
|
+
# a few internal telegrams for colour (and a place to hide things)
|
|
121
|
+
for i in range(1, 9):
|
|
122
|
+
db.execute("INSERT INTO telegrams VALUES (?,?,?,?,?)",
|
|
123
|
+
(i, person(), person(), rng.choice(
|
|
124
|
+
["VAULT COMBINATION CHANGED", "SHIPMENT DELAYED", "AUDIT NEXT WEEK",
|
|
125
|
+
"NEW TELLER STARTS MONDAY", "WIRE CONFIRMED", "CLOSE EARLY FRIDAY"]),
|
|
126
|
+
"STOP. " + rng.choice(_MEMOS).upper() + ". STOP."))
|
|
127
|
+
db.commit()
|