Sokar Competition
Sokar

Filename:  sokar.ova
MD5:  75f5c48e65fa81dc81ef3b58b7ee6bab
SHA1:  5f4aca536898bf962bfcfd2aaccb66fda1ab790a
Author:  Rasta Mouse
Testers:  Barrebas & TheColonial

=====
Notes
=====
DHCP (Automatically Assigned)

    Special note to VMWare users - you must manually set the
    NIC MAC address to 08:00:27:F2:40:DB

Get root, then the flag!
  • Objective: gain shell access for each level. Then reach root.
  • Note: figure out what the blips are, where they are, and how to decode each one.
-=Pandora's Box =-
               ___
             (((((\\
              6_6 ((,
          __ -\_ __\--.
       ,-',\\` '//,\_  \
      |.----&----. \ `. \
      (__,___,__(_  \   |
  _____|        | |__`--'____
       |________|,'        hjw

Filename: pandoras_b0x.ova
MD5: bf3eb20ca837edccc7edbf627e095bbd
SHA1: 52652bb5f886f1253ff43a21536bc4fe09bdd201
Author: c0ne
Testers: Barrebas / Jelle
Difficulty: Medium

About:
Pandora's box is a Boot2Root VM focused on binary exploitation and 
reverse engineering. You have to complete all levels to r00t the box. 
Some levels come with a readme file which you should read.

Usage:
Import, boot and wait 60 seconds for everything to start up before 
scanning it.

Shootout:
Major thanks to Barrebas and Jelle for testing the VM and challenges 
and the feedback.


c0ne
  • Objective: gain shell access and root the box.
  • Hardness: intermediate-> advanced.
  • Note: The box doesn't respond to ping, so be sure to check the DHCP lease.

Pegasus: 1

Knapsy 16 Dec 2014

Pegasus

         .-.
   %%%%,/   :-.
   % `%%%, /   `\   _,
   |' )`%%|      '-' /            Filename:   pegasus.ova
   \_/\  %%%/`-.___.'             MD5:        5046e330ff42e9adee0a42b63694cbfe
    __/  %%%"--"""-.%,            SHA1:       f18b7437ca3c96f76a2e1b06f569186b63567dd5
  /`__|  %%         \%%           Difficulty: Intermediate
  \\  \   /   |     /'%,          Author:     Knaps
   \]  | /----'.   < `%,          Tester:     Mulitia
       ||       `>> >
       ||       ///`
       /(      //(

Welcome to my first boot2root VM! Inspired by various CTF events I took part in and by couple cool concepts I learnt in the last couple months.

Rules of engagement are simple - find a way in, escalate your privileges all the way up to the root and get the flag!

As with all VMs like this, think outside the box, don't jump to conclusions too early and "read between the lines" :)

The VM has been tested on VMWare and VirtualBox, just import it, ensure the network is set as "Host Only" and run it. It should pick up the IP address automatically.

Enjoy! :)

Underdist: 3

q3rv0 29 Nov 2014

Underc0de Weekend is a weekly challenge we (underc0de) are doing. The goal is to be the first to resolve it, to earn points and prizes (http://underc0de.org/underweekend.php).

Enjoy

----------------
bee-box - README
----------------

bee-box is a custom Linux VM pre-installed with bWAPP.

With bee-box you have the opportunity to explore all bWAPP vulnerabilities!
bee-box gives you several ways to hack and deface the bWAPP website.
It's even possible to hack the bee-box to get root access...

This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. 
IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC GAMES and bWAPP projects on our blog.

We offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location!
More info: http://goo.gl/ASuPa1 (pdf)

Enjoy!

Cheers

Malik Mesellem
Twitter: @MME_IT

-----------------------
bee-box - Release notes
-----------------------

v1.6
****

Release date: 2/11/2014

bWAPP version: 2.2

New features:

- Vulnerable Drupal installation (Drupageddon)

Bug fixes: /

Modifications: /


v1.5
****

Release date: 27/09/2014

bWAPP version: 2.1

New features:

- CGI support (Shellshock ready)

Bug fixes: /

Modifications: /


v1.4
****

Release date: 12/05/2014

bWAPP version: 2.0

New features:

- Lighttpd web server installed, running on port TCP/9080 and TCP/9443
- PHP SQLite module installed
- SQLiteManager 1.2.4 installed
- Vulnerable bWAPP movie network service (BOF)

Bug fixes: /

Modifications: /


v1.3
****

Release date: 19/04/2014

bWAPP version: 1.9+

New features:

- Nginx web server installed, running on port TCP/8080 and TCP/8443
- Nginx web server configured with a vulnerable OpenSSL version (heartbleed vulnerability)
- Insecure distcc (a fast, free distributed C/C++ compiler)
- Insecure NTP configuration
- Insecure SNMP configuration
- Insecure VNC configuration

Bug fixes:

- bWAPP update script checks for Internet connectivity

Modifications: /


v1.2
****

Release date: 22/12/2013

bWAPP version: 1.8

New features:

- Apache modules enabled: rewrite, include, headers, dav, action
- Apache server-status directive enabled
- Insecure anonymous FTP configuration
- Insecure WebDAV configuration
- Server-Side Includes configuration
- Vulnerable PHP CGI configuration

Bug fixes: /

Modifications:

- MySQL listening on 0.0.0.0
- New bWAPP update script


v1.1
****

Release date: 12/09/2013

bWAPP version: 1.5

New features:

- bWAPP update script

Bug fixes: /

Modifications: /


v1.0
****

Release date: 15/07/2013

bWAPP version: 1.4

New features: /

Bug fixes: /

Modifications: /

-----------------
bee-box - INSTALL
-----------------

bee-box is a custom Linux VM pre-installed with bWAPP.

With bee-box you have the opportunity to explore all bWAPP vulnerabilities!
bee-box gives you several ways to hack and deface the bWAPP website.
It's even possible to hack the bee-box to get root access...


Requirements
////////////

*/ Windows, Linux or Mac OS
*/ VMware Player, Workstation, Fusion or Oracle VirtualBox


Installation steps
//////////////////

No! I will not explain how to install VMware or VirtualBox...

*/ Extract the compressed file.

*/ Double click on the VM configuration file (bee-box.vmx), or import the VM into the VMware software.

*/ Start the VM. It will login automatically.

*/ Check the IP address of the VM.

*/ Go to the bWAPP login page. If you browse the bWAPP root directory you will be redirected.

    example: http://[IP]/bWAPP/
    example: http://[IP]/bWAPP/login.php

*/ Login with the default bWAPP credentials, or make a new user.

    default credentials: bee/bug

*/ You are ready to explore and exploit the bee!


Notes
/////

*/ Linux credentials:

    bee/bug
    root/bug

*/ MySQL credentials:

    root/bug

*/ Modify the Postfix settings (relayhost,...) to your environment.

    config file: /etc/postfix/main.cf

*/ bee-box gives you several ways to deface the bWAPP website.
   It's even possible to hack the bee-box to get root access...

   Have fun!

*/ Take a snapshot of the VM before hacking the bee-box.
   There is also a backup of the bWAPP website (/var/www/bWAPP_BAK).

*/ To reinstall the bWAPP database, delete the database with phpmyadmin (http://[IP]/phpmyadmin/).
   Afterwards, browse to the following page: https://[IP]/bWAPP/install.php

*/ Don't upgrade the Linux operating system, you will lose all fun :)


This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. 
IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC GAMES and bWAPP projects on our blog.

We offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location!
More info: http://goo.gl/ASuPa1 (pdf)

Enjoy!

Cheers

Malik Mesellem
Twitter: @MME_IT

Tr0ll: 2

Maleus 24 Oct 2014

The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :)

Difficulty is beginner++ to intermediate.

The VM should pull a valid IP from DHCP. This VM has been verified to work on VMware workstation 5, VMware player 5, VMware Fusion, and Virtual box. Virtual box users may need to enable the additional network card for it to pull a valid IP address.

Special thanks to @Eagle11, @superkojiman and @leonjza for suffering through the testing and the members of #overflowsec on freenode for giving me ideas.

If you have issues with the machine, feel free to contact me at @Maleus21 or maleus overflowsecurity.com.

-Maleus

www.overflowsecurity.com


Kvasir 1


Filename: kvasir1.ova

MD5: e987e8bbe319db072246ab749912ea91

SHA1: 029a59188cd3375fa50a5115db561f8a8ef69d4a

Author: Rasta Mouse

Testers: Barrebas & OJ


Notes to the Player


As part of the challenge, Kvasir utilises LXC to provide kernel isolation. When the host VM boots, it takes can take a little bit of time before the containers become available.

It is therefore advised to wait 30-60 seconds after the login prompt is presented, before attacking the VM.

A few other pointers:

  • Not every LXC is ‘rootable’
  • No SSH brute-forcing is required
 ____  __.                     __              ____  __.                     __      ____ 
|    |/ _| ____   ____   ____ |  | __         |    |/ _| ____   ____   ____ |  | __ /_   |
|      <  /    \ /  _ \_/ ___\|  |/ /  ______ |      <  /    \ /  _ \_/ ___\|  |/ /  |   |
|    |  \|   |  (  <_> )  \___|    <  /_____/ |    |  \|   |  (  <_> )  \___|    <   |   |
|____|__ \___|  /\____/ \___  >__|_ \         |____|__ \___|  /\____/ \___  >__|_ \  |___|
        \/    \/            \/     \/                 \/    \/            \/     \/

Pretty much thought of a pretty neat idea I hadn't seen done before with a VM, and I wanted to turn it into reality!

Your job is to escalate to root, and find the flag.

Since I've gotten a few PM's, remember: There is a difference between "Port Unreachable" and "Host Unreachable". DHCP is not broken ;)

Gotta give a huge shoutout to c0ne for helping to creating the binary challenge, and rasta_mouse and recrudesce for testing :)

Also, gotta thank barrebas who was able to find a way to make things easier... but of course that is fixed with this update! ;)

MD5 -- 3b6839a28b4be64bd71598aa374ef4a6 knock-knock-1-1.ova

SHA1 -- 0ec29d8baad9997fc250bda65a307e0f674e4180 knock-knock-1-1.ova

Feel free to hit me up in #vulnhub on freenode -- zer0w1re