Skip to content

appleweiping/seed-labs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SEED Labs — Hands-on Security Education

Working, verified solutions to a representative subset of the Syracuse SEED Labs spanning software, cryptography, network, and web security — an independent, educational implementation, part of a csdiy.wiki full-catalog build.

status labs language license

Educational scope (read me first)

This repository is authorized self-study of a public university security course. Every exploit here targets the course's own intentionally vulnerable programs / lab sandboxes, run entirely inside an isolated local WSL2 environment (private 10.9.0.0/24 network namespaces, lab-local files, a localhost-only web app). Nothing here targets real third-party systems, and there is no malware, botnet/C2, DoS, or detection-evasion tooling. The memory -corruption labs deliberately disable modern defenses (-fno-stack-protector, -z execstack, ASLR off) only inside the sandbox so the classic techniques can be studied. Use this material to learn how attacks work and how to defend against them.

Overview

The SEED project (Syracuse University, Prof. Wenliang Du) offers 40+ hands-on security labs. The full set ships as a large Ubuntu VM with multi-container topologies (Elgg/phpBB web apps, VPN, Mitnick multi-host, etc.). This repo implements a genuinely representative, substantial subset that runs offline on a Windows host via WSL2 Ubuntu, and captures real output from each attack. Labs that fundamentally require the full SEED VM or a vulnerable kernel are called out as documented partials below.

Results (measured on Windows 11 + WSL2 Ubuntu 24.04, kernel 6.18, gcc 13.3, Python 3.12, CPU-only)

Software security (32-bit sandbox: -m32 -fno-stack-protector -z execstack, ASLR off via setarch -R)

Lab What it does Result (measured)
buffer-overflow Stack smash of a setuid-root binary, shellcode setuid(0)+execve Unprivileged seed gets uid=0(root) shell
return-to-libc Defeat non-executable stack via system("/bin/sh") Shell spawned through libc (NX bypassed)
format-string %n arbitrary write + stack leak target flipped 0x112233440xdeadbeef
race-condition TOCTOU access()/fopen() symlink race Injected UID-0 account into a root-owned file (won in ~2 tries)
dirty-cow CVE-2016-5195 PoC Partial — kernel 6.18 patched, file unchanged (see below)

Cryptography (from-scratch Python)

Lab What it does Result (measured)
secret-key-encryption AES ECB vs CBC leakage; break a substitution cipher ECB 12288 duplicate blocks vs CBC 0; substitution recovered 98.5% (988/1003 chars)
hash-length-extension Forge SHA256(key‖msg) MAC with no key Forged MAC verifies against the real key
rsa Keygen/enc/dec/sign from scratch; factoring attack 512-bit roundtrip + sign/verify OK; 63-bit modulus factored → plaintext recovered
padding-oracle CBC PKCS#7 padding-oracle decryption Full plaintext recovered, no key used

Network (scapy over network-namespace 10.9.0.0/24 segment)

Lab What it does Result (measured)
packet-sniffing-spoofing Passive ICMP sniff (hub) + forged-source ICMP Captured victim↔server ICMP; spoofed request reached server
arp-cache-poisoning Continuous ARP flood → MITM Victim cache maps server → attacker MAC; redirected traffic captured
tcp-attacks TCP RST injection with exact seq Live connection RESET (server + client both observe)
dns-spoofing Race the resolver, forge an A record Victim resolves to attacker's 6.6.6.6 (beats real 1.2.3.4)
firewall Stateful iptables/netfilter policy Victim ICMP + TCP/8080 allowed; attacker ICMP + TCP/9999 blocked

Web (local vulnerable Flask app on 127.0.0.1)

Lab What it does Result (measured)
sql-injection Auth bypass + UNION exfiltration on /login Logged in as admin with no password; dumped all credentials
xss Reflected + stored XSS Raw <script> served unescaped; safe endpoint escapes it
csrf Forged state-changing POST Victim email changed to attacker@evil.com; token endpoint returns 403

Sample captured evidence (software-security/buffer-overflow/results/run.log):

### ROOT SHELL SPAWNED ###
uid=0(root) gid=1002(seed) groups=1002(seed)

and the ECB-vs-CBC image leakage (crypto/secret-key-encryption/results/): original.bmp, encrypted_ecb.bmp (structure still visible), encrypted_cbc.bmp (noise).

Implemented labs

  • Software — buffer-overflow, return-to-libc, format-string, race-condition · dirty-cow (documented partial)
  • Crypto — secret-key-encryption, hash-length-extension, rsa, padding-oracle
  • Network — packet-sniffing-spoofing, arp-cache-poisoning, tcp-attacks, dns-spoofing, firewall
  • Web — sql-injection, xss, csrf

16 labs verified end-to-end + 1 documented partial, covering all four SEED categories.

Project structure

seed-labs/
├── software-security/      # C memory-safety & OS labs (WSL2, 32-bit)
│   ├── buffer-overflow/  return-to-libc/  format-string/  race-condition/  dirty-cow/
├── crypto/                 # from-scratch Python crypto attacks
│   ├── secret-key-encryption/  hash-length-extension/  rsa/  padding-oracle/
├── network/                # scapy attacks over network namespaces
│   ├── common/topo.sh    # shared bridge + 3-host 10.9.0.0/24 topology
│   ├── packet-sniffing-spoofing/  arp-cache-poisoning/  tcp-attacks/  dns-spoofing/  firewall/
├── web/                    # local vulnerable Flask app + attacks
│   ├── webapp/app.py     # intentionally vulnerable app (SQLi/XSS/CSRF)
│   ├── sql-injection/  xss/  csrf/
└── each lab: source + run.sh + results/run.log (captured real output)

How to run

All labs run inside WSL2 Ubuntu (Linux is required for gcc -m32, setuid, network namespaces, scapy, and iptables). One-time setup:

# inside WSL2 Ubuntu, as root (the default WSL user)
sudo apt-get install -y gcc-multilib gdb libpcap-dev iproute2 iptables
python3 -m venv ~/seed-venv
~/seed-venv/bin/pip install -r requirements.txt   # scapy flask pycryptodome requests

# run any lab (each is self-contained and prints its own evidence):
bash software-security/buffer-overflow/run.sh
bash crypto/rsa/run.sh
bash network/arp-cache-poisoning/run.sh
bash web/sql-injection/run.sh
# ... or everything:
bash scripts/run_all.sh

Each run.sh relocates its build off the Windows drive (drvfs cannot hold setuid bits), compiles/launches the target, performs the attack, and writes a log to that lab's results/ directory.

Verification

Every result above is the actual output of running the lab, saved under each lab's results/run.log. Highlights:

  • buffer-overflow / race-condition — real privilege escalation: an unprivileged user obtains a root shell / writes a root-owned file.
  • crypto — the from-scratch SHA-256 is cross-checked against hashlib; the padding-oracle and RSA-factoring attacks recover the exact original secrets.
  • network — captured packet lines show the sniffed/redirected/forged frames (source IPs, MAC addresses, sequence numbers) for each attack.
  • web — HTTP responses show the auth bypass, the unescaped <script>, and the CSRF'd state change, each with a safe-endpoint contrast.

Documented partials

  • dirty-cow (CVE-2016-5195) — the PoC compiles and runs, but the WSL2 kernel (6.18) is patched, so the root-owned file is not modified; run.log captures the "PATCHED: file unchanged" outcome. Requires a vulnerable kernel (< 4.8.3), which is out of scope for a modern host.
  • Full SEED-VM / multi-container labs — the exact SEED web apps (Elgg, phpBB), the VPN, Mitnick multi-host TCP hijack, and Meltdown/Spectre labs need the complete SEED Ubuntu VM or specific hardware. The web labs here use a representative local Flask app that reproduces the same SQLi/XSS/CSRF classes; the network attacks use isolated namespaces instead of separate VMs.

Environment notes (WSL2 adaptations)

  • Global ASLR can't be turned off on the WSL2 kernel, so the memory labs disable it per process with setarch -R (equivalent effect).
  • Docker/WSL2 sets the bridge FORWARD policy to DROP and routes bridged frames through iptables; network/common/topo.sh sets net.bridge.bridge-nf-call-iptables=0 for the lab segment and restores it on teardown.

Tech stack

C (32-bit, gcc 13.3), Python 3.12 (scapy, pycryptodome, Flask, requests), bash, gdb, iproute2 network namespaces, iptables/netfilter — all on WSL2 Ubuntu 24.04.

Key ideas / what I learned

  • How stack layout, saved return addresses, shellcode, and NX/ASLR/canary defenses interact — and how ret2libc and format strings sidestep them.
  • Why textbook crypto fails: ECB structure leakage, Merkle–Damgård length extension, CBC padding oracles, and small-modulus RSA factoring.
  • Layer-2/3 trust assumptions: ARP has no authentication, TCP trusts sequence numbers, DNS trusts the first matching answer — and how a stateful firewall re-imposes policy.
  • The web trinity: injection (SQLi), output encoding (XSS), and request provenance (CSRF), each with its concrete defense.

Credits & license

Based on the SEED Labs by Prof. Wenliang Du, Syracuse University (https://seedsecuritylabs.org/). This repository is an independent educational reimplementation; all original lab designs and specifications belong to their authors. Original code here is released under the MIT License and is intended solely for authorized, ethical security education.

About

Working, verified solutions to a representative subset of Syracuse SEED Labs across software, crypto, network, and web security (WSL2, real captured evidence). Educational.

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors