Codename: NB0x01

Download: ly0n.me/nullbyte/NullByte.ova.zip

Objetcive: Get to /root/proof.txt and follow the instructions.

Level: Basic to intermediate.

Description: Boot2root, box will get IP from dhcp, works fine with virtualbox&vmware.

Hints: Use your lateral thinking skills, maybe you’ll need to write some code.

The Challenge:

You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.

Level: Intermediate

Description:

The virtual machine comes in an OVA format, and is a generic 32 bit CentOS Linux build with a single available service (HTTP) where the challenge resides. Feel free to enable bridged networking to have the VM automatically be assigned a DHCP address. This VM has been tested in VMware Workstation 12 Player (choose "Retry" if needed), and VirtualBox 4.3.

SHA1: f60f497f3f8fda0d0aeccfc84dad8e19ad164f55 Challenge.ova

Twitter: @SpyderSec

I created this machine to help others learn some basic CTF hacking strategies and some tools. I aimed this machine to be very similar in difficulty to those I was breaking on the OSCP.

This is a boot-to-root machine will not require any guest interaction.

There are two designed methods for privilege escalation.

• 23/09/2015 == v1.0.1
• 22/09/2015 == v1.0

If you are having issues with VirtualBox, try the following:

• Downloaded LordOfTheRoot_1.0.1.ova (confirmed file hash)
• Downloaded and installed VMWare ovftool.
• Converted the OVA to OVF using ovftool.

• Modified the OVF using text editor, and did the following:

  replaced all references to "ElementName" with "Caption" replaced the single reference to "vmware.sata.ahci" with "AHCI"

• Saved the OVF. +Deleted the .mf (Manifest) file. If you don't you get an error when importing, saying the SHA doesn't match for the OVF (I also tried modifying the hash, but no luck).

• Try import the OVF file, and it should work fine.

Source: https://twitter.com/dooktwit/status/646840273482330112

Simple CTF

Simple CTF is a boot2root that focuses on the basics of web based hacking. Once you load the VM, treat it as a machine you can see on the network, i.e. you don't have physical access to this machine. Therefore, tricks like editing the VM's BIOS or Grub configuration are not allowed. Only remote attacks are permitted. /root/flag.txt is your ultimate goal.

I suggest you use VirtualBox or VMWare Player with a Host Only adapter. The VM will assign itself an IP address through DHCP.

Location

https://www.dropbox.com/s/9spf5m9l87zjlps/Simple.ova?dl=0 [File size: 600MB]

Hints

1. Get a user shell by uploading a reverse shell and executing it.
2. A proxy may help you to upload the file you want, rather than the file that the server expects.
3. There are 3 known privesc exploits that work. Some people have had trouble executing one of them unless it was over a reverse shell using a netcat listener.

Contact @RobertWinkel for more hints.

About:

Name: Fristileaks 1.3
Author: Ar0xA
Series: Fristileaks
Style: Enumeration/Follow the breadcrumbs
Goal: get root (uid 0) and read the flag file
Tester(s): dqi, barrebas
Difficulty: Basic

Description:

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..

         _         _            _        _   _        _            _
        /\ \      /\ \         /\ \     /\_\/\_\ _   /\ \         /\ \
       /  \ \    /  \ \        \ \ \   / / / / //\_\/  \ \       /  \ \
      / /\ \ \  / /\ \ \       /\ \_\ /\ \/ \ \/ / / /\ \ \     / /\ \ \
     / / /\ \_\/ / /\ \_\     / /\/_//  \____\__/ / / /\ \_\   / / /\ \_\
    / / /_/ / / / /_/ / /    / / /  / /\/________/ /_/_ \/_/  / / /_/ / /
   / / /__\/ / / /__\/ /    / / /  / / /\/_// / / /____/\    / / /__\/ /
  / / /_____/ / /_____/    / / /  / / /    / / / /\____\/   / / /_____/
 / / /     / / /\ \ \  ___/ / /__/ / /    / / / / /______  / / /\ \ \
/ / /     / / /  \ \ \/\__\/_/___\/_/    / / / / /_______\/ / /  \ \ \
\/_/      \/_/    \_\/\/_________/       \/_/\/__________/\/_/    \_\/

Installation

1) Run the OVA in a VM and connect to the webserver 2) Have Fun!

Made by

couchsofa

Thanks to

morbidick einball sarah

I would probably have never finished', this project without you guys ;)',

mostley

For hinting me to Erik Österberg's Terminal.js

0xBEEF

For providing fuel in the form of fudge and premium grilled goods

More information: http://wiki.fablab-karlsruhe.de/doku.php?id=projekte:primer

Motivation

A friend wanted to get into some simple exploits. I suggested starting out with web security, she was all for it. But when I started browsing vulnhub and the likes I couldn't find anything like I had in mind. So I wrote my own.

Concept

This is a story based challenge written in a style heavily inspired by Neil Stephensons Snow Crash and William Gibsons Sprawl Trilogy. Each chapter is unlocked by solving the puzzle. From hardcoded clear text javascript password checks, SQL-injections and cracking hashes to a simulated terminal. You only need to start the VM, a webserver will come up and you can connect with your browser. In fact you never have to leave the browser.

Goal

Teach some basic well known techniques and attacks. Spark some curiosity, make the user look at the source code and try to figure out what's going on behind the scenes. The main goal is to give a nice welcoming intro to the scene and hopefully also teach something about ethics and responsibility.

Change log

v1.0.1 - 2016-01-15: https://twitter.com/CouchSofa/status/688129147848138752 v1.0.0 - 2015-10-27: https://twitter.com/CouchSofa/status/659148660152909824

SmashTheTux v1.0.1

by canyoupwn.me

Introduction to Application Vulnerabilities

For Educational Purposes

SmashTheTux is a new VM made by canyoupwn.me for those who wants to take a step into the world of binary exploitation. This VM consists of 9 challenges, each introducing a different type of vulnerability. SmashTheTux covers basic exploitation of the following weaknesses:

• Stack Overflow Vulnerability
• Off-by-One Vulnerability
• Integer Overflow
• Format String Vulnerability
• Race Conditions
• File Access Weaknesses
• Heap Overflow Vulnerability

Credentials => tux:tux, root:1N33dP0w3r

Have fun!

History

• SmashTheTux v1.0.1 (01/04/2016)

• Fixed 0x02 file permissions

• SmashTheTux v1.0.1 (18/03/2016)

• First Public Release

Welcome to 1989!

And welcome to Germany!

This VM is inspired by a book! There should be plenty of hints which one it is, if you havent read it.

This is a simple VM, so dont fear any advanced exploitation, reverse engineering or other advanced techniques!

Just a solid and simple advanced persistent threat (admins) ;)

So the level is clearly: beginner (as intended).

For some it may teach a solid (old) new Privesc technique that together with the above mentioned book inspired me to this VM.

I made the effort to throw some very basic story/polish into it.

Also if everythin runs smoothly the VM should show its IP adress in the Login screen on the console!

-No, I dont consider finding the VM in your own network a real challenge ;)-

If you should encounter any problems or want to drop me a line use #milet and @teh_warriar on twitter or chat me up in #vulnhub!

Hope you enjoy this VM!

Gonna enjoy reading some writeups and hope you might find other ways then the intended ones!

Best Regards

Warrior

Welcome to The Pentester’s 64-Bit AppSec Primer and challenge.

Here at The Pentesters, we have a passion for application security and all that goes with it. We think that application security is an extremely important part of the field of information security and have, “made it our business” so to speak to provide a means of education into modern-day application security. With modern computing becoming more and more advanced, and the requirements for understanding the functionality and security behind said computing becoming equally as challenging to understand, we figured that perhaps giving a set of challenges dedicated to learning the mere basics of 64 bit appsec would be beneficial to the security community.

The 64-Bit AppSec Primer consists of 16 challenges, increasingly more difficult than the previous one, dedicated to learning the basics of 64 bit binary exploitation and reverse engineering. The x64 instruction set, as you would expect, has many new instructions, registers, and calling conventions in comparison to the traditional x86 instruction set. Our goal, with this challenge, is to get you inside a debugger with intentionally vulnerable binaries, and get you looking at the inner-workings of a 64 bit binary. Alongside the increasing complexity of the instruction set, is an equally complexity of exploitation, which as a penetration tester and security engineer, will prove useful to understand.

The challenges consist of varying vulnerabilities and anti-debugger tricks in binaries, such as:

• Stack-based Buffer Overflows
• Format String Vulnerabilities
• Heap-based Buffer Overflows
• Detection of tracing
• Insecure validation of credentials
• and more… don’t want to give you all the good details eh?

As a bonus, we would like to contribute back to the security community. We are donating the VM to Vulnhub, for all to have, and we are also offering prizes to three people who gives us the most robust and complete write-up for the challenges. In order to qualify for the prizes, you must post your write-up on either your personal blog, or website (your choice), and post a link to http://thepentesters.net/challenge/ along with your username. If you are unable to solve all of the challenges, that is okay, we will still accept your write-up for judging, we still want to see what you completed and how you did it. Here are the prizes:

• 1st Place gets $150.00
• 2nd Place gets $75.00
• 3rd Place gets $25.00

The challenge ends on August 31st, 2016. All write-ups must be submitted by then, whoever has written the best write-up with the most detailed explanations wins. The judging will be done by our pentesting team.

Also, I would like to note a couple rules for the reverse engineering challenges.

• The challenge must be solved without attacking the encryption of the flag. Spoiler, I used a basic XOR encryption for most of them so they do not show up in strings. So, that is off-limits. The goal is to break the logic of the application.
• Some challenges have several ways of solving and we would like to see how you did it. My C coding skills are most certainly not expertise, but I feel as if this will prove to be a good exercise for many in regards to exploit development and reverse engineering.
• All else is fair game!

Note: ASLR must be disabled, log in as level17:madpwnage, and run “echo 0 > /proc/sys/kernel/randomize_va_space”. Also, challenge 3, is only a DoS challenge. This is the beta, so there are still glitches. If you find any, please contact me at [email protected] with your discovery.

There are a couple challenges that don’t have “flags” but you will know when you have solved those, please note your findings and take screen-shots of them as well. As for the VM, you are to ssh in as user n00b and password n00b where you will find gdb-peda installed for you to make your life easier. The VM gets its IP through DHCP and is set to host-only adapter in VMware, so it should work for you straight out of the box so to speak. That is all I have for you and I hope you enjoy.

Name: LazySysAdmin 1.0

Author: Togie Mcdogie

Twitter: @TogieMcdogie

[Description]

Difficulty: Beginner - Intermediate

Boot2root created out of frustration from failing my first OSCP exam attempt.

Aimed at:

      > Teaching newcomers the basics of Linux enumeration
      > Myself, I suck with Linux and wanted to learn more about each service whilst creating a playground for others to learn

Special thanks to @RobertWinkel @dooktwit for hosting LazySysAdmin at Sectalks Brisbane BNE0x18

[Lore]

LazySysadmin - The story of a lonely and lazy sysadmin who cries himself to sleep

[Tested with]

• Virtualbox
• Vnware Workstation player

[Preffered setup]

Host only networking

[Hints]

• Enumeration is key
• Try Harder
• Look in front of you
• Tweet @togiemcdogie if you need more hints

[Other]

• What could you of done to speed up the enumeration process?
• Are there any obvious things that you missed, which you shouldnt of missed?
• Did you learn anything interesting?
• What have you added to your enumeration process to prevent you from wasting time?

[Checksum]

• Name: Lazysysadmin.zip
• Size: 501925265 bytes (478 MB)
• SHA256: DBAC88A2E76FD5A6693A2890030DD3BE0DC2C09F30B43A79BE8AB7A23B708EF5

This is a small boot2root VM I created for my university’s cyber security group. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. I did all of my testing for this VM on VirtualBox, so that’s the recommended platform. I have been informed that it also works with VMware, but I haven’t tested this personally.

This VM is specifically intended for newcomers to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right.

Your goal is to remotely attack the VM and gain root privileges. Once you’ve finished, try to find other vectors you might have missed! If you enjoyed the VM or have questions, feel free to contact me at: [email protected]

If you finished the VM, please also consider posting a writeup! Writeups help you internalize what you worked on and help anyone else who might be struggling or wants to see someone else’s process. I look forward to reading them!