Title: The Wall
File: thewall.ova
md5sum: a5e6ebde160239bce605cca8e1cf207d
Size: 299.4MB
Hypervisor: Created with VMWare Fusion.  Tested with vmware (fusion) and virtualbox.
Author:  @xerubus
Test Bunnies:  Rasta Mouse and TheColonial
Difficulty: Intermediate

This boot2root box is exclusive to VulnHub. If you have a crack at the challenge, please consider supporting VulnHub for the great work they do for our offsec community.


In 1965, one of the most influential bands of our times was formed.. Pink Floyd. This boot2root box has been created to celebrate 50 years of Pink Floyd's contribution to the music industry, with each challenge giving the attacker an introduction to each member of the Floyd.

You challenge is simple... set your controls for the heart of the sun, get root, and grab the flag! Rock on!


  • DHCP (Automatically assigned)
  • IMPORTANT: The vm IS working as intended if you receive a successful DHCP lease as seen in the boot up sequence.
  • 'thewall' vm must be on the same subnet as the attacking machine AND the attacking machine should ideally be a vm on the same network as 'thewall'. If you choose to use a physical box as the attacking machine, 'thewall' must exist on the same network via a bridged interface.
 /   _____/|  |   ____   ____ ______ ___.__.
 \_____  \ |  | _/ __ \_/ __ \\____ <   |  |
 /        \|  |_\  ___/\  ___/|  |_> >___  |
/_______  /|____/\___  >\___  >   __// ____| ·VM·
        \/           \/     \/|__|   \/

|  cReaTeD....: sagi- (@s4gi_)      |  DaTe......: 2015-10-02           |
|  oS.........: Linux               |  oBJecTiVe.: Get /root/flag.txt   |
|                                   |  GReeTZ....: @nanomebia           |
|                                   |  TeSTeRs...: @barrebas            |
|                                   |              Christopher Panayi   |
|  VM HiSToRY:                                                          |
|  v1.0 - Public release @ ZaCon VI "Capture the Flag (and in between)" |
|  V0.1 - Private release @ SecTalks Perth                              |
\______   \__|_____   ____  
 |     ___/  \____ \_/ __ \ 
 |    |   |  |  |_> >  ___/ 
 |____|   |__|   __/ \___  >
             |__|        \/  ·VM· (MiNi CHaLLeNGe BuiLT FoR ZaCoN Vi)

|  cReaTeD....: sagi- (@s4gi_)      |  DaTe......: 2015-10-02           |
|  oS.........: Linux               |  oBJecTiVe.: Get /root/flag.txt   |
|                                   |  GReeTZ....: @zac0n               |
|                                   |  TeSTeRs...: @leonjza             |
|                                   |              @barrebas            |

I created this machine to help others learn some basic CTF hacking strategies and some tools. I aimed this machine to be very similar in difficulty to those I was breaking on the OSCP.

This is a boot-to-root machine will not require any guest interaction.

There are two designed methods for privilege escalation.

  • 23/09/2015 == v1.0.1
  • 22/09/2015 == v1.0

If you are having issues with VirtualBox, try the following:

  • Downloaded LordOfTheRoot_1.0.1.ova (confirmed file hash)
  • Downloaded and installed VMWare ovftool.
  • Converted the OVA to OVF using ovftool.
  • Modified the OVF using text editor, and did the following:

    replaced all references to "ElementName" with "Caption" replaced the single reference to "vmware.sata.ahci" with "AHCI"

  • Saved the OVF. +Deleted the .mf (Manifest) file. If you don't you get an error when importing, saying the SHA doesn't match for the OVF (I also tried modifying the hash, but no luck).

  • Try import the OVF file, and it should work fine.

Source: https://twitter.com/dooktwit/status/646840273482330112

The Challenge:

You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.

Level: Intermediate


The virtual machine comes in an OVA format, and is a generic 32 bit CentOS Linux build with a single available service (HTTP) where the challenge resides. Feel free to enable bridged networking to have the VM automatically be assigned a DHCP address. This VM has been tested in VMware Workstation 12 Player (choose "Retry" if needed), and VirtualBox 4.3.

SHA1: f60f497f3f8fda0d0aeccfc84dad8e19ad164f55 Challenge.ova

Twitter: @SpyderSec


The named of the Virtual machine is "Acid-Reloaded". This Virtual Machine contains both network logics and web logics. I have added new concept here and let's see how many of you think more logically. :-)

You need to extract the rar and run the vmx using VMplayer . The machine has DHCP active list so once automatically assign an IP network, the next step will be to identify the target and discover the / the service / s to start the game.


Escalate the privileges to root user and capture the flag. Once any one able to beat the box then shoot me a mail

Flick: 2

Leonjza 20 Aug 2015
 _____  _      ____   __  __  _      ____  ____
|     || |    |    | /  ]|  |/ ]    |    ||    |
|   __|| |     |  | /  / |  ' /      |  |  |  |
|  |_  | |___  |  |/  /  |    \      |  |  |  |
|   _] |     | |  /   \_ |     \     |  |  |  |
|  |   |     | |  \     ||  .  |     |  |  |  |
|__|   |_____||____\____||__|\_|    |____||____|
                                    by: @leonjza


Your challenge, should you choose to accept, is to gain root access on the server! The employees over at Flick Inc. have been hard at work prepping the release of their server checker app. Amidst all the chaos, they finally have a version ready for testing before it goes live.

You have been given a pre-production build of the Android .apk that will soon appear on the Play Store, together with a VM sample of the server that they want to deploy to their cloud hosting provider.

The .apk may be installed on a phone (though I wont be offended if you don't trust me ;]) or run in an android emulator such as the Android Studio (https://developer.android.com/sdk/index.html).

Good Luck!

$ shasum * e74061c5348fef33d00f5f4f2aee9e921c591129 flick-check-dist.apk e6fbcd5aab5ed95c54d02855fdfbad74587f3db7 flickII-dist.ova

Note: Vmware will complain about the OVF specification. Just click retry on the import and everything should be ok!


@barrebas for testing and patience
@s4gi_ for testing and the inspiration

Welcome to the world of Acid.

Fairy tails uses secret keys to open the magical doors.


The named of the Virtual machine is "Acid Server". This Virtual Machine is completely web based. I have added little new concept here and hope people will enjoy solving this.You need to extract the rar and run the vmx using VMplayer . The machine has DHCP active list so once automatically assign an IP network, the next step will be to identify the target and discover the / the service / s to start the game.


Escalate the privileges to root and capture the flag. Once anyone able to beat the machine then please let me know.

Twitter: https://twitter.com/m_avinash143

LinkedIn: https://in.linkedin.com/pub/avinash-thapa/101/406/4b5


The Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:

  • learning about web application security
  • testing manual assessment techniques
  • testing automated tools
  • testing source code analysis tools
  • observing web attacks
  • testing WAFs and similar code technologies

all the while saving people interested in doing either learning or testing the pain of having to compile, configure, and catalog all of the things normally involved in doing this process from scratch.

Source: http://owasp.com/index.php/OWASP_Broken_Web_Applications_Project

Release notes for the Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost and commercial VMware products.

More information about the project can be found at http://www.owaspbwa.org/.

The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip Archive. BOTH FILES CONTAIN THE EXACT SAME VM! We recommend that you download the .7z archive if possible to save bandwidth (and time). 7-zip is available for Windows, Mac, Linux, and other Operating Systems.

!!! This VM has many serious security issues. We strongly recommend that you run it only on the "host only" or "NAT" network in the virtual machine settings !!!

Version 1.2 - 2015-08-03

  • Updated Mutillidae
  • Other miscellaneous, minor updates

Version 1.2rc1 - 2015-06-24

  • Updated Mutillidae and WAVSEP
  • Removed IP address restrictions on Mutillidae
  • Added script to rebuild WAVSEP
  • Added bWAPP application and script to automatically update bWAPP
  • Added OWASP Security Shepherd application and supporting scripts.
  • Likely updated other applications

Version 1.1.1 - 2013-09-27

  • Updated Mutillidae and transitioned to use its new Git repository
  • Fixed issue with Tomcat not starting in some circumstances

Version 1.1 - 2013-07-30

  • Updated Mutillidae, Cyclone, and WAVSEP
  • Updated OWASP Bricks and configured it to pull from SVN
  • Fixed ModSecurity CRS blocking and rebuilt ModSecurity to include Lua support
  • Increased VM's RAM allocation to 1Gb
  • Set Tomcat to run as root (to allow some traversal issues tested by WAVSEP)
  • Updated landing page for OWASP 1-Liner to reflect that the application is not fully functional

Version 1.1beta1 - 2013-07-10

  • Added new applications: OWASP 1-liner, OWASP RailsGoat, OWASP Bricks, SpiderLabs "Magical Code Injection Rainbow", Cyclone
  • Updated Mutillidae (name, version, and to use new SVN repository)
  • Updated DVWA to new Git repository
  • Added SSL support to web server
  • Updated ModSecurity and updated Core Rule Set to current in Git
  • Known issues:
  • ModSecurity CRS blocking does not work
  • OWASP 1-liner application appears to have functional issues (it was heavily modified to run on the VM through Apache)
  • Other new applications have not been fully tested
  • User Guide has not been updated

Version 1.0 - 2012-07-24

  • Added new application: WIVET (http://code.google.com/p/wivet/)
  • Updated WAVSEP, Mutillidae, Vicnum
  • Created new category for "Applications for Testing Tools", containing OWASP ZAP WAVE, WIVET, and WAVSEP
  • Major update to User Guide at http://code.google.com/p/owaspbwa/wiki/UserGuide. Removed some other project Wiki pages that were incorporated into User Guide.
  • More improvements to index.html

Version 1.0rc2 - 2012-07-14

  • Added new application: WAVSEP (http://code.google.com/p/wavsep/)
  • Updated WebGoat.NET, WebGoat (Java), and other applications from source repositories. Updated Mutillidae.
  • Removed links to OWASP ESAPI SwingSet (non-Interactive). That application has been deprecated and replaced by the SwingSet Interactive.
  • Changed version numbers in index.html to better indicate applications that are updated from public SVN or GIT repositories.
  • Layout improvements to index.html file (layout could still use some work).
  • Fixed bugs in Yazd (may have been present in 1.0rc1 or before)
  • Changes MySQL configuration to store database and table names as lower case (facilitates use of software written on Windows that may not strictly adhere to one case for identifiers)

Version 1.0rc1 - 2012-04-04

  • Added new applications:
  • Added OWASP WebGoat.NET (https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET)
  • Added OWASP ESAPI SwingSet (https://www.owasp.org/index.php/ESAPI_Swingset)
  • Added OWASP ESAPI SwingSet Interactive (https://www.owasp.org/index.php/ESAPI_Swingset)
  • Added Jotto (from OWASP Vicnum project - http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project)
  • Updated applications: Mutillidae, WebGoat (Java), ModSecurity, ModSecurity Core Rule Set, BodgeIt, OWASP ZAP WAVE, Damn Vulnerable Web Application, WackoPicko
  • Added owaspbwa-*-rebuild.sh scripts to build and deploy applications from source (WebGoat, Yazd, CSRFGuard Test Apps, SwingSet Apps)
  • Added owaspbwa-update-*.sh scripts to automatically pull updates from source repositories (OWASP BWA only and for all applications)
  • Cleaned up installations of WebGoat and Yazd
  • Fixed issue with PHP configuration to allow Remote File Include (RFI) vulnerabilities.
  • Created User Guide at http://code.google.com/p/owaspbwa/wiki/UserGuide (not yet complete).

Version 0.94 - 2011-07-24

  • No changes from 0.94rc3.

Version 0.94rc3 - 2011-07-14

  • More fixes to hackxor applications (thanks again to Albino Wax).

Version 0.94rc2 - 2011-07-13

  • Fixes to hackxor applications (thanks to Albino Wax for fixes).

Version 0.94rc1 - 2011-07-11

  • Added a number of new applications, including Gruyere, Hackxor, WackoPicko, BodgeIt, TikiWiki, Joomla, Gallery2, WebCalendar, AWStats, and ZAP-Wave (thanks to Mike Cyr for lots of work in this area).
  • New and improved "home" page in the VM (thanks again to Mike Cyr).

Version 0.93rc1 - 2011-01-19

  • Rebuilt OrangeHRM database to fix login issue (thanks to Dave van Stein for reporting this)
  • Configured mod_proxy on Apache web server to reverse proxy applications running on Tomcat web server. Disabled direct access to Tomcat server
  • Installed ModSecurity to 2.5.13 from source (needed by Core Rule Set)
  • Configured the ModSecurity Core Rule Set. It is disabled by default, but can be enabled through the use of new shell scripts in /usr/local/bin
  • Adjusted Samba shares to follow symlinks
  • Removed some miscellaneous old / duplicate files
  • Attempted to fix phpBB issues, but was unsuccessful. That application is broken for this release and marked as such in the index.html file (thanks to Dave van Stein for reporting this issue)

Version 0.92rc2 - 2010-11-15

  • Fixed bug with MySQL databases not starting properly (thanks to Tom Neaves for reporting this)

Version 0.92rc1 - 2010-11-10

  • Developed method for tracking known issues in the applications at http://sourceforge.net/apps/trac/owaspbwa/report/1.
  • Updated base OS to Ubuntu 10.04 LTS
  • Updated DVWA to SVN version > 1.07
  • Updated Mutillidae to version 1.5
  • Updated WebGoat to SVN version > 5.3
  • Added and configured three "real" applications suggested by Matt Tesauro:
  • Added application: GetBoo version 1.04 (http://sourceforge.net/projects/getboo/files/)
  • Added application: GTD-PHP version 0.7 (http://sourceforge.net/projects/gtd-php/files/)
  • Added application: OrangeHRM version 2.4.2 (http://www.orangehrm.com/)
  • Fixed bug in DVWA database permissions that was preventing stored XSS from working (thanks to Owen Wright for reporting this)

Version 0.91rc1 - 2010-03-24

  • Updated OWASP Vicnum to version 1.4 (http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project)
  • Added application: Ghost (http://webdevelopmentsolutions.org/)
  • Added application: Peruggia version 1.2 (http://peruggia.sourceforge.net/)
  • Added application: OWASP AppSensor Demo (http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project)
  • Fixed bug where VM would sometimes not get an address from DHCP on boot
  • Fixed bug where PHP magic quotes were enabled for some applications, preventing SQL Injection
  • Changed password for some applications to match standard users named 'admin' and 'user' with the password the same as the username
  • Moved databases, applications that run on Apache web server, some configuration files, and some applications that run on Tomcat web server into SVN with symlinks to the SVN directory in the normal file system.
  • Fixed bug in where permissions on /var/www/dvwa were not set properly (thanks to Dale Castle for reporting this)

Version 0.9 - 2009-11-11

  • Initial Release

NullByte: 1

ly0n 1 Aug 2015

Codename: NB0x01

Download: ly0n.me/nullbyte/NullByte.ova.zip

Objetcive: Get to /root/proof.txt and follow the instructions.

Level: Basic to intermediate.

Description: Boot2root, box will get IP from dhcp, works fine with virtualbox&vmware.

Hints: Use your lateral thinking skills, maybe you’ll need to write some code.