I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.
I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.
I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be setup as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting.
A new OSCP style lab involving 2 vulnerable machines, themed after the cyberpunk classic Neuromancer - a must read for any cyber-security enthusiast. This lab makes use of pivoting and post exploitation, which I've found other OSCP prep labs seem to lack. The goal is the get root on both machines. All you need is default Kali Linux.
I'd rate this as Intermediate. No buffer overflows or exploit development - any necessary password cracking can be done with small wordlists. It's much more related to an OSCP box vs a CTF. I've tested it quite a bit, but if you see any issues or need a nudge PM me here.
Virtual Box Lab setup instructions are included in the zip download, but here's a quick brief:
Straylight - simulates a public facing server with 2 NICS. Cap this first, then pivot to the final machine. Neuromancer - is within a non-public network with 1 NIC. Your Kali box should ONLY be on the same virtual network as Straylight.
This virtual machine is having intermediate to medium difficulty level.
One need to break into VM using web application and from there escalate privileges to gain root access.
Gaining low or root privilege shell can be done in two ways (for both)
Description: This boot2root is an Ubuntu Based virtual machine and has been tested using VirtualBox. The network interface of the virtual machine will take it's IP settings from DHCP.
Your goal is to capture the flag on /root.
Description: I have decided to create vulnerable machines that replicate the vulnerabilities and difficulties I’ve personally encountered during my last year (2017) of penetration testing.
Some of the vulnerabilities require the “Think out of the box (fun)” mentality and some are just plain annoyance difficulties that require some form of automation to ease the testing.
GeminiInc v2 has been created that replicate a few issues that I’ve encountered which was really interesting and fun to tackle, I hope it will be fun for you guys as well.
Adding a little made-up background story to make it more interesting…
Introduction: Gemini Inc has contacted you to perform a penetration testing on one of their internal system. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.
Tweet me your writeup @ https://twitter.com/sec_9emin1
File size: 2239959453
SHA 1: 5f210dd9a52a701bab262a9def88009b1ca46300
Format: Virtual Machine (VMWare)
Operating System: Debian
DHCP Service : Enabled
IP Address: Automatically Assigned
More information can be obtained from my blog post on this vulnerable machine: https://scriptkidd1e.wordpress.com/
Intended solution will be provided some time after this has been published: https://scriptkidd1e.wordpress.com/geminiinc-v2-virtual-machine-walkthrough/
The VM has been tested on the following platform and is working:
Mac OSX VMWare Fusion
Windows 10 VMWare Player
Windows 10 VMWare Workstation
It should work with any virtual machine player as well. It will be able to obtain an I.P Address with DHCP so no additional configuration is required. Simply import the downloaded VM and you are good to go.
The links below are community submitted 'solutions' showing hints/nudges or possibly a complete walkthrough* of how they solved the puzzle.
Please note, there could be (many) more methods of completing this, they just haven't, either been discovered, or submitted. If you know something that isn't listed, please submit it or get in touch and we would be glad to add it.
* This is a spoiler. It could possibly show you a way of completely solving it.
Here you can download the mentioned files using various methods.
We have listed the original source, from the author's page. However, after time these links 'break', for example: either the files are moved, they have reached their maximum bandwidth limit, or, their hosting/domain has expired.
For these reasons, we have been in touch with each author asking for permission to mirror the files. If the author has agreed, we have created mirrors. These are untouched copies of the listed files. (You can check for yourself via the MD5 & SHA1 checksums which are individually displayed on their entry page. See how here).
We also offer the download via BitTorrent. We prefer that people use BitTorrent, however, we do understand that it is not as straight forward as clicking on a direct link.
To make sure everyone using VulnHub has the best experience possible using the site, we have had to
limit the amount of simultaneous direct download files to two files, with a max speed of 3mb
This is because the average file size is currently about 700mb, which causes our bandwidth to be high (couple of terabytes each month!). As this is a privately funded project, we believe we have chosen the best hosting provider for the limited budget.
If would you like to be able to download a mass, and at quicker speed, please use torrents as these will be seeded 24/7. For a guide on how to setup and use torrents, see here.
If you're the owner of a listed file or believe that we are unlawfully distributing files without permission, please get in touch here.