-- S1.100

SCENARIO

The scenario for this LiveCD is that a CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities (using nessus). To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn't believe the company is insecure, he has contracted you to look at only one server - a old system that only has a web-based list of the company's contact information.

The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.

CONFIGURATION

PenTest Lab Disk 1.100: This LiveCD is configured with an IP address of 192.168.1.100 - no additional configuration is necessary.

Pentest Machine:

Your second system will use the BackTrack (v.2) LiveCD as provided by remote-exploit.org. A copy of the LiveCD can be downloaded from remote-exploit.org. This disk is configured to obtain an IP address through DHCP - thus no additional configuration is required. All tools necessary to exploit Disk 1.100 can be found on the BackTrack Disk. No additional installations will be necessary.

Router Configuration:

The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the following values: + DHCP Server: active + Pool Starting Addr.: 192.168.1.2

LAN TCP/IP: + IP Address: 192.168.1.1 + IP Subnet Mask: 255.255.255.0

-- S1.110

SCENARIO

The scenario for this LiveCD is that a CEO of a small company has tasked you to do more extensive penetration testing of systems within his company. The network administrator has reconfigured systems within his network to meet tougher security requirements and expects you to fail any further penetration attempts. This system is an ftp server used by the network administrator team to create / reload systems on the company intranet. No classified or sensitive information should reside on this server. Through discussion with the administrator, you found out that this server had been used in the past to maintain customer information, but has been sanitized (as opposed to re-built).

Prove to the network administrator that proper system configuration is not the only thing critical in securing a server.

CONFIGURATION

PenTest Lab Disk 1.110:

This LiveCD is configured with an IP address of 192.168.1.110 - no additional configuration is necessary.

Pentest Machine:

Your second system will use the BackTrack (v.2) LiveCD as provided by remote-exploit.org. A copy of the LiveCD can be downloaded from remote-exploit.org. This disk is configured to obtain an IP address through DHCP - thus no additional configuration is required. All tools necessary to exploit Disk 1.110 can be found on the BackTrack Disk. No additional installations will be necessary.

Router Configuration:

The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the following values: + DHCP Server: active + Pool Starting Addr.: 192.168.1.2

LAN TCP/IP: + IP Address: 192.168.1.1 + IP Subnet Mask: 255.255.255.0

Damn Vulnerable Linux (DVL) E605 (1.3):

Added many many vulnerabilities. Added much exercise material including sources. Now included the HoneyNet Project and WebGoat.

• 0000070: [Reverse Code Engineering] Add Boomerang Decompiler
• 0000082: [Application Development] Free Pascal Compiler
• 0000136: [Tools] Add Valgrind 3.2.0 + Valkyrie
• 0000135: [Application Development] Add SmallBasic 0.9.7
• 0000134: [Application Development] Add Dr. Scheme
• 0000133: [Application Development] Add SWI Prolog
• 0000131: [Application Development] Add GCC-g77
• 0000127: [Web Exploitation] Add Cyphor
• 0000109: [Shellcode / Exploitation] Add atari800 Local Root Exploit
• 0000120: [Shellcode / Exploitation] Add phpBB 2.0.13 (admin_styles.php) Remote Command Execution Exploit
• 0000125: [Web Exploitation] Add Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit
• 0000126: [Web Exploitation] Add Joomla <=1.0.7 (feed) Denial of Service Exploit
• 0000123: [Web Exploitation] Add PHPNuke 7.8
• 0000124: [Application Development] Add PHP-Nuke 7.4 POST Method Admin Variable Privilege Escalation
• 0000122: [Shellcode / Exploitation] Add linux-ftpd-ssl 0.17 (MKD/CWD) Remote Root Exploit
• 0000110: [Shellcode / Exploitation] Add Aeon 0.2a Local Linux Exploit
• 0000108: [Shellcode / Exploitation] Add SoX Local Buffer Overflow Exploit
• 0000111: [Shellcode / Exploitation] Add sash <= 3.7 Local Buffer Overflow Exploit
• 0000104: [Shellcode / Exploitation] Add splitvt < 1.6.5 Local Exploit
• 0000121: [Web Exploitation] Add e107 <= 0.6172 (resetcore.php) Remote SQL Injection Exploit
• 0000102: [Shellcode / Exploitation] Add ProFTPD <= 1.3.0a (mod_ctrls support) Local Buffer Overflow PoC
• 0000016: [Reverse Code Engineering] Fenris should be added
• 0000067: [Reverse Code Engineering] Add ELFIO
• 0000084: [Application Development] Add FakeAP
• 0000083: [Application Development] Add BestCrypt
• 0000085: [Application Development] Add FindDDOS
• 0000078: [Tools] Add QTParted
• 0000094: [Shellcode / Exploitation] Add Minicom 1.81
• 0000096: [Shellcode / Exploitation] Add Nestea \"Off By One\" attack
• 0000099: [Web Exploitation] Add PhpBB 2.0.12 Session Handling Authentication Bypass
• 0000100: [Web Exploitation] Add WordPress 1.5.1.1 SQL Injection
• 0000101: [Web Exploitation] Add Nabopoll 1.2 Remote File Inclusion, Remote Configuration Disclosure
• 0000093: [Application Development] Add HLA Compiler Construction Kit
• 0000092: [Application Development] Add YASM Assembler
• 0000091: [Application Development] Add FASM
• 0000090: [Application Development] Add SciLab
• 0000081: [Application Development] Add GSL GNU Scientific Library
• 0000080: [Application Development] Add FreeBasic
• 0000079: [Application Development] Add BlueFish Editor
• 0000033: [Application Development] RHIDE should be added
• 0000089: [Application Development] Add C++6 libs
• 0000088: [Application Development] Add LibGC
• 0000087: [Application Development] Add BOOST Library
• 0000076: [Application Development] Remove JRE and add JDK 1.5
• 0000075: [Application Development] Add QEMU
• 0000074: [Application Development] Add Scite Editor
• 0000073: [Peneration Testing] Add OWASP's WebGoat

DVL Strychnine + E605 is final! I just remastered the ISO and we land at 1050 MB size which fits perfectly on a 2 GB USB stick (and gives us more free space to add additional stuff). I will upload the ISO today and inform the mirrors. Finally after all this installation part I can play myself with it :)

--S2.100

SCENARIO

The scenario for this LiveCD is that you have been given an assignment to test a company's 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency previous (or current) staff2

CONFIGURATIO

PenTest Lab Disk 2.100: This LiveCD is configured with an IP address of 192.168.2.100 - no additional configuration is necessary.

Pentest Machine:

Your second system will use the BackTrack (v.2) LiveCD as provided by remote-exploit.org. A copy of the LiveCD can be downloaded from remote-exploit.org. This disk is configured to obtain an IP address through DHCP - thus no additional configuration is required. All tools necessary to exploit Disk 2.100 can be found on the BackTrack Disk. No additional installations will be necessary.

Router Configuration:

The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the following values:

• DHCP Server: active
• Pool Starting Addr.: 192.168.2.2

LAN TCP/IP: + IP Address: 192.168.2.1 + IP Subnet Mask: 255.255.255.0

Some of you may have noticed this new pWnOS forum section. I created pWnOS as a virtual machine and Grendel was nice enough to let me post about it here. Here's a bit of information on pWnOS.

It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine.

Sorry...no scenario/storyline with this one. I wasn't really planning to release it like this, so maybe for version 2.0 I'll be more creative. :) I'm anxious to get feedback so let me know how it goes or if you have questions. Thanks and good luck!

Where to get the current Hackerdemia PenTest Tool Tutorial disk: http://heorot.net/instruction/tutorials/iso/hackerdemia-1.1.0.iso

The MD5 Hash Values of Each Disk: 09e960360714df7879679dee72ce5733 ==> hackerdemia-1.1.0.iso

How to start the disk: Boot the LiveCD on a system within your pentest lab, which needs to be configured to be in the 192.168.xxx.xxx range. Connect to http://192.168.1.123 using a web browser (preferably in BackTrack or your favorite pentest platform)

You will be presented with a web page, which is your tutorials. All hands-on examples were created with the Hackerdemia disk as the target, so your results should exactly match those found in the tutorials.

Where to get the BackTrack disk: http://remote-exploit.org/backtrack_download.html

Network configuration: The LiveCD configures itself to an IP address of 192.168.1.123 by default. If you want to change it, simply log in as: username: root password: toor

...and change the ifconfig information (If you don't know what I'm talking about, go to: http://en.wikipedia.org/wiki/Ifconfig)

A flexible web app showing vulnerabilities such as cross site scripting, sql injections, and session management issues. Helpful to IT auditors honing web security skills and setting up 'capture the flag'.

Holynix is a Linux distribution that was deliberately built to have security holes for the purposes of penetration testing. If you're having trouble, or there are any problems, it can be discussed here.

It's been a while since the last Kioptrix VM challenge. Life keeps getting the way of these things you know.

After the seeing the number of downloads for the last two, and the numerous videos showing ways to beat these challenges. I felt that 1.2 (or just level 3) needed to come out. Thank you to all that downloaded and played the first two. And thank you to the ones that took the time to produce video solutions of them. Greatly appreciated.

As with the other two, this challenge is geared towards the beginner. It is however different. Added a few more steps and a new skill set is required. Still being the realm of the beginner I must add. The same as the others, there’s more then one way to “pwn” this one. There’s easy and not so easy. Remember… the sense of “easy” or “difficult” is always relative to ones own skill level. I never said these things were exceptionally hard or difficult, but we all need to start somewhere. And let me tell you, making these vulnerable VMs is not as easy as it looks…

Important thing with this challenge. Once you find the IP (DHCP Client) edit your hosts file and point it to kioptrix3.com

Under Windows, you would edit C:\Windows\System32\drivers\etc\hosts to look something like this:

# localhost name resolution is handled within DNS itself.
#   127.0.0.1 localhost
#   ::1 localhost127.0.0.1 static3.cdn.ubi.com
192.168.1.102 kioptrix3.com

Under Linux that would be /etc/hosts

There’s a web application involved, so to have everything nice and properly displayed you really need to this.

Hope you enjoy Kioptrix VM Level 1.2 challenge.

452 Megs

MD5 Hash : d324ffadd8e3efc1f96447eec51901f2

Have fun

About

Protostar introduces the following in a friendly way:

• Network programming
• Byte order
• Handling sockets
• Stack overflows
• Format strings
• Heap overflows The above is introduced in a simple way, starting with simple memory corruption and modification, function redirection, and finally executing custom shellcode.

In order to make this as easy as possible to introduce Address Space Layout Randomisation and Non-Executable memory has been disabled.

Getting started

Once the virtual machine has booted, you are able to log in as the "user" account with the password "user" (without the quotes).

The levels to be exploited can be found in the /opt/protostar/bin directory.

For debugging the final levels, you can log in as root with password "godmode" (without the quotes)

Core files

README! The /proc/sys/kernel/core_pattern is set to /tmp/core.%s.%e.%p. This means that instead of the general ./core file you get, it will be in a different directory and different file name.

Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:

1. It’s possible to get root remotely [ Edit: sorry not what I meant ]

1a. It’s possible to remotely compromise the machine

1. Stays within the target audience of this site

2. Must be “realistic” (well kinda…)

3. Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven’t done in a while.

I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.

Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.

I’d would love to code some small custom application for people to exploit. But I’m an administrator not a coder. It would take too much time to learn/code such an application. Not saying I’ll never try doing one, but I wouldn’t hold my breath. If someone wants more difficult challenges, I’m sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec’s PWB course. *shameless plug

-- A few things I must say. I made this image using a new platform. Hoping everything works but I can’t test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn’t go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don’t be surprised if it takes a little moment for this one to boot up. It’s trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it’s not a major issue. If you plan on running this on vmFusion, you may need to convert the imagine to suit your fusion version.

-- Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to “Legacy Network Adapter”. I’ve test the file and this one seems to run fine for me… If you’re having problems, or it’s not working for any reason email comms[=]kioptrix.com

Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.

Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys

So I hope you enjoy this one.

The Kioptrix Team

Configuration

The network is configured to obtain an IP address via DHCP by default. Although if you want to further configure the virtual machine you can login as user root and password toor. The apache web server is configured to run on port 8880.

Mission

The challenge includes an image hosting web service that has various design vulnerabilities. You must enumerate the various web service features and find an exploitable vulnerability in order to read system hidden files. The web application is 100% custom so do not try to search google for relative PoC exploit code.

FINAL GOAL: Reveal the hidden message for a date arrange that Bob sent to Alice.