Welcome to The Pentester’s 64-Bit AppSec Primer and challenge.

Here at The Pentesters, we have a passion for application security and all that goes with it. We think that application security is an extremely important part of the field of information security and have, “made it our business” so to speak to provide a means of education into modern-day application security. With modern computing becoming more and more advanced, and the requirements for understanding the functionality and security behind said computing becoming equally as challenging to understand, we figured that perhaps giving a set of challenges dedicated to learning the mere basics of 64 bit appsec would be beneficial to the security community.

The 64-Bit AppSec Primer consists of 16 challenges, increasingly more difficult than the previous one, dedicated to learning the basics of 64 bit binary exploitation and reverse engineering. The x64 instruction set, as you would expect, has many new instructions, registers, and calling conventions in comparison to the traditional x86 instruction set. Our goal, with this challenge, is to get you inside a debugger with intentionally vulnerable binaries, and get you looking at the inner-workings of a 64 bit binary. Alongside the increasing complexity of the instruction set, is an equally complexity of exploitation, which as a penetration tester and security engineer, will prove useful to understand.

The challenges consist of varying vulnerabilities and anti-debugger tricks in binaries, such as:

• Stack-based Buffer Overflows
• Format String Vulnerabilities
• Heap-based Buffer Overflows
• Detection of tracing
• Insecure validation of credentials
• and more… don’t want to give you all the good details eh?

As a bonus, we would like to contribute back to the security community. We are donating the VM to Vulnhub, for all to have, and we are also offering prizes to three people who gives us the most robust and complete write-up for the challenges. In order to qualify for the prizes, you must post your write-up on either your personal blog, or website (your choice), and post a link to http://thepentesters.net/challenge/ along with your username. If you are unable to solve all of the challenges, that is okay, we will still accept your write-up for judging, we still want to see what you completed and how you did it. Here are the prizes:

• 1st Place gets $150.00
• 2nd Place gets $75.00
• 3rd Place gets $25.00

The challenge ends on August 31st, 2016. All write-ups must be submitted by then, whoever has written the best write-up with the most detailed explanations wins. The judging will be done by our pentesting team.

Also, I would like to note a couple rules for the reverse engineering challenges.

• The challenge must be solved without attacking the encryption of the flag. Spoiler, I used a basic XOR encryption for most of them so they do not show up in strings. So, that is off-limits. The goal is to break the logic of the application.
• Some challenges have several ways of solving and we would like to see how you did it. My C coding skills are most certainly not expertise, but I feel as if this will prove to be a good exercise for many in regards to exploit development and reverse engineering.
• All else is fair game!

Note: ASLR must be disabled, log in as level17:madpwnage, and run “echo 0 > /proc/sys/kernel/randomize_va_space”. Also, challenge 3, is only a DoS challenge. This is the beta, so there are still glitches. If you find any, please contact me at [email protected] with your discovery.

There are a couple challenges that don’t have “flags” but you will know when you have solved those, please note your findings and take screen-shots of them as well. As for the VM, you are to ssh in as user n00b and password n00b where you will find gdb-peda installed for you to make your life easier. The VM gets its IP through DHCP and is set to host-only adapter in VMware, so it should work for you straight out of the box so to speak. That is all I have for you and I hope you enjoy.

Welcome to another boot2root / CTF this one is called Violator. The VM is set to grab a DHCP lease on boot. As with my previous VMs, there is a theme, and you will need to snag the flag in order to complete the challenge.

A word of warning: The VM has a small HDD so you can brute force, but please set the disk to non persistent so you can always revert.

Some hints for you:

• Vince Clarke can help you with the Fast Fashion.
• The challenge isn't over with root. The flag is something special.
• I have put a few trolls in, but only to sport with you.

SHA1SUM: 47F68241E95E189126E94A38CB4AD461DD58EE88 violator.ova

Many thanks to BenR and GKNSB for testing this CTF.

Special thanks and shout-outs go to BenR, Rasta_Mouse and g0tmi1k for helping me to learn a lot creating these challenges.

Title: The Necromancer

File: necromancer.ova

md5sum: 6c4cbb7776acac8c3fba27a0c4c8c98f

sha1sum: 712d4cfc19199dea92792e64a43ae7ac59b1dd05

Size: 345MB

Hypervisor: Created with VirtualBox 5.0.20. Tested with virtualbox and vmware player.

Author: @xerubus

Test Bunnies: @dooktwit and @RobertWinkel

Difficulty: Beginner

Description

The Necromancer boot2root box was created for a recent SecTalks Brisbane CTF competition.

There are 11 flags to collect on your way to solving the challenging, and the difficulty level is considered as beginner.

The end goal is simple... destroy The Necromancer!

Notes

• DHCP (Automatically assigned)
• IMPORTANT: The vm IS working as intended if you receive a successful DHCP lease as seen in the boot up sequence.
• The Necromancer VM MUST be on the same subnet as the attacking machine. Ideally both the boot2root VM and the attacking machine should be on the same HostOnly network. If you choose to use a physical box as the attacking machine, the boot2root VM must exist on the same network via a bridged interface.

6Days Lab

Boot2root machine for educational purposes

Our first boot2root machine, execute /flag to complete the game.

Try your skills against an environment protected by IDS and sandboxes!

“Our product Rashomon IPS is so good, even we use it!” they claim.

Hope you enjoy.

v1.0 - 2016-07-12

v1.1 - 2016-07-25

Description

=================

HOLY SCHNIKES! Tommy Boy needs your help!

The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.

Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. - who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!

You'll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business :-(

Objective

=================

The primary objective is to restore a backup copy of the homepage to Callahan Auto's server. However, to consider the box fully pwned, you'll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.

Other info

=================

• Size: 1.3GB
• Hypervisor: Created with VMWare Fusion 8.1.1.
• Difficulty: ?

Special thanks to

=================

• Rand0mbytez for testing about 10 versions of this frickin' thing to get the bugs worked out.
• RobertWinkel for additional detailed testing and suggestions for tweaking the VM for a better overall experience.

Description

Wellcome to "PwnLab: init", my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read de flag.

Can contact me at: [email protected] or on Twitter: @Chronicoder

• Difficulty: Low
• Flag: /root/flag.txt

File Information

• Filename: pwnlab_init.ova
• File size: 784 MB
• MD5: CE8AB26DE76E5883E67D6DE04C0F6E43
• SHA1: 575F19216A3FA3E377EFE69D5BF715913F294A3B

Virtual Machine

• Format: Virtual Machine (Virtualbox - OVA)
• Operating System: Debian

Networking

• DHCP service: Enabled
• IP address: Automatically assign

Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way.

The VM is configured with a static IP (192.168.110.151) so you'll need to configure your host only adaptor to this subnet. Sorry! Last one with a static IP ;)

A hint: Imagine this as a production environment during a busy work day.

Shout-out to knightmare for many rounds of testing and assistance with the final configuration as well as rastamouse, twosevenzero and g0blin for testing and providing valuable feedback. As always, thanks to g0tmi1k for hosting and maintaining #vulnhub.

VirtualBox users: if the screen goes black on boot once past the grub screen make sure to go to settings ---> general, and make sure it says Type: Linux Version: Debian 64bit

If you run into any issues, you can find me on Twitter: https://twitter.com/mrb3n813 or on IRC in #vulnhub.

Looking forward to the write-ups, especially any unintended paths to local/root.

Happy hunting!

SHA1:D8F33A9234E107CA745A8BEC853448408AD4773F

Note: v2.1 fixes a few issues.

IMPORTANT NOTE: do not use host-only mode, as issues have been discovered. Set the Billy Madison VM to "auto-detect" to get a regular DHCP address off your network.

Plot: Help Billy Madison stop Eric from taking over Madison Hotels!

Sneaky Eric Gordon has installed malware on Billy's computer right before the two of them are set to face off in an academic decathlon. Unless Billy can regain control of his machine and decrypt his 12th grade final project, he will not graduate from high school. Plus, it means Eric wins, and he takes over as head of Madison Hotels!

Objective: The primary objective of the VM is to figure out how Eric took over the machine and then undo his changes so you can recover Billy's 12th grade final project. You will probably need to root the box to complete this objective.

Download:

• BillyMadison1dot0.zip - https://dl.dropboxusercontent.com/u/5473387/BillyMadison1dot0.zip
• MD5 = afcb926608d6d7b2471e4de6c367afb4
• SHA1 = 4933ca408fcb2e88e6388fe4ea321f758b133d72

Other Information:

• Size: 1.68GB
• Hypervisor: Created with VMWare ESXi 6.0.0
• Difficulty: Beginner/Moderate

Special Thanks To:

• @rand0mbytez and @mrb3n813 for their tenacious help in beta testing, ironing out the bugs, suggesting better ways to do things, battling trolls and just generally being awesome.
• @g0tmi1k, @_RastaMouse and the VulnHub crew for hosting VMs, encouraging VM creators/testers and being a tremendous resource to the infosec community.
• @ReverseBrain for helping and testing with Vbox
• My wife. She rules.

Graceful’s VulnVM is web application running on a virtual machine, it’s designed to simulate a simple eCommerce style website which is purposely vulnerable to a number of well know security issues commonly seen in web applications. This is really a pre-release preview of the project but it’s certainly functional as it stands, but I’m planning on doing a lot of work on this in the near future.

The plan is ultimately to have the application vulnerable to a large number of issues with a selection of different filters at different difficulties that way the as testers become better at detecting and exploiting issues the application can get hardened against common exploitation methods to allow the testers a wider ranger of experiences.

The first filters have now been implemented! The application now supports “levels” where Level 1 includes no real filtration of user input and Level 2 includes a simple filter for each vulnerable function.

Currently it’s vulnerable to:

• SQL Injection (Error-based)
• SQL Injection (Blind)
• Reflected Cross-Site Scripting
• Stored Cross-Site Scripting
• Insecure Direct-Object Reference
• Username Enumeration
• Path Traversal
• Exposed phpinfo()
• Exposed Administrative Interface
• Weak Admin Credentials

Extracting the Virtual Machine

Install p7zip to unzip *.7z files on Fedora:

sudo dnf install p7zip

Install p7zip to unzip *.7z files on Debian and Ubuntu:

sudo apt-get install p7zip

Extract the archive:

7z x Seattle-0.0.3.7z

Then you can simply start up the virtual machine using Virtual Box! The root user account has a password of PASSWORD

Welcome to "IMF", my first Boot2Root virtual machine. IMF is a intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.

Difficulty: Beginner/Moderate

Can contact me at: geckom at redteamr dot com or on Twitter: @g3ck0m

Welcome to another boot2root / CTF this one is called Teuchter. The VM is set to grab a DHCP lease on boot. As with my previous VMs, there is a theme, and you will need to snag the flag in order to complete the challenge. Less hochmagandy and more studying is needed for this one!

A word of warning: The VM has a small HDD so please set the disk to non persistent so you can always revert. You may need to set the MAC to 00:0C:29:65:D0:A0 too.

Hints for you:

• This VM is designed to be a bit of a joke/troll so a translator might be useful.
• The challenge isn't over with root. I've done my usual flag shenanigans.
• A bit of info security research and knowing your target helps here.
• http://www.jackiestewart.co.uk/jokes/weegie%20windies%202000.htm

SHA1SUM: b5a89761b0a0ee9f0c5e1089b2fde9649ba76b3f Teuchter_0.3.ova