-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

Welcome to

  ___           _            ___          _
 |   \ ___ _ _ | |_____ _  _|   \ ___  __| |_____ _ _
 | |) / _ \ ' \| / / -_) || | |) / _ \/ _| / / -_) '_|
 |___/\___/_||_|_\_\___|\_, |___/\___/\__|_\_\___|_|
                        |__/
                             Made with <3 v.1.0 - 2017

This is my first boot2root - CTF VM. I hope you enjoy it. if you run into any issue you can find me on Twitter: @dhn_ or feel free to write me a mail to:

• Email: [email protected]
• GPG key: 0x2641123C
• GPG fingerprint: 4E3444A11BB780F84B58E8ABA8DD99472641123C

Level: I think the level of this boot2root challange is hard or intermediate.

Try harder!: If you are confused or frustrated don't forget that enumeration is the key!

Thanks: Special thanks to @1nternaut for the awesome CTF VM name!

Feedback: This is my first boot2root - CTF VM, please give me feedback on how to improve!

Tested: This VM was tested with:

• VMware Workstation 12 Pro
• VMware Workstation 12 Player
• VMware vSphere Hypervisor (ESXi) 6.5

Networking: DHCP service: Enabled

IP address: Automatically assign

SHA-1:

77439cb457a03d554bec78303dc42e5d3074ff85  DonkeyDocker-disk1.vmdk
d3193cca484f7f1b36c20116f49e9025bf60889c  DonkeyDocker.mf
7013d6a7c151332c99c0e96d34b812e0e7ce3d57  DonkeyDocker.ovf

Looking forward to the write-ups!

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

iQIcBAEBCgAGBQJY2snaAAoJEKjdmUcmQRI8fG0QAK9eCaBggC4+aRD2SrY5ZFtI
/5Lyi8fdGCrtIDhLIoAoM/HHX68GH6pPzWt2VesW1zCM0pnO+hAaQSzl5+C4e39g
IYIUx9WMojxrrDgvvZ0NxosYMTFyyXCudCpGZXo2fjW3xnZ9v1n/Yid0H23gXKyo
gLzMEVuCh4/Bh1YNx5Jc6X03rZg6nhWEaLzShDOsUu0d4bYD6ZL7Cnr1W7HFmoEn
oV3OOOEj79VG2EeIc4nNzyVnp1I+C3BjngAV0w6bQdepbWZvy/pyzdk8HEB4Xc56
MkKidbVx9oTh38tro//VzDCTwfGHyt+V3RhXpIQvvFOboG/CpvQFxMpSIn25tGNY
2rADxHJ40KG85MWey4lP2jzpbJDH5LYYMIej8w8iz1+DN9czXSRDVVdY3aAGaghe
NaWwqdktT0j0j2/6w2kiRR60LOaRK+u1rNckm6qBrlEQ+M3Pv7yD4A9rR8K4FVF8
2PyRrtltI8RkucJP0JjHWtl4Sry4dPA5EDtuUWQIO5mYjeJlQ9yg7TPGne4/hWSx
Gibj9XfiwwvpZ9qTJu2W91rt3P+xm6ic2QVCJ8oNRgwi0jGP4nhryg4I1yyaRpeR
ANbof9vxkEct1fuDODgXTIwQ1uGtG2X3khHiKxt5wcymCZ1v8CwQ0+vyiK/sbOsS
TyJq5lfMNJWrdsMNowNm
=Oo5M
-----END PGP SIGNATURE-----

+---------------------------------------------------------+
|                     Name: Moria                         |
|                       IP: Through DHCP                  |
|               Difficulty: Not easy!                     |
|                     Goal: Get root                      |
+---------------------------------------------------------+
|                                                         |
| DESCRIPTION:                                            |
| Moria is NOT a beginner-oriented Boot2Root VM, it will  |
| require good enum skills and a lot of persistence.      |
|                                                         |
| VM has been tested on both VMware and VirtualBox, and   |
| gets its IP through DHCP, make sure you're on the same  |
| network.                                                |
|                                                         |
| Special thanks to @seriousblank for helping me create it|
| and @johnm and @cola for helping me test it.            |
|                                                         |
|     Link: dropbox.com/s/r3btdcmwjigk62d/Moria1.1.rar    |
|     Size: 1.56GB                                        |
|      MD5: 2789bca41a7b8f5cc48e92c635eb83cb              |
|     SHA1: e3bddd4133320ae42ff65aec41b9f6516d33bb89      |
|                                                         |
| CONTACT:                                                |
| You can find me on NetSecFocus slack, twitter at        |
| @abatchy17 or occasionally on #vulnhub for questions.   |
|                                                         |
| PS: No Lord of The Rings knowledge is required ;)       |
|                                                         |
| -Abatchy                                                |
+---------------------------------------------------------+

Dolev

One of the VMs used in the online CTF hosted back in September 2016 by Defcon Toronto, slightly modified to suit boot2root challenges.

Difficulty: Easy

Information: Overall 7 flags to collect, id 0 is the final step.

Details:

• File: Galahad.zip (ovf)
• Date: September 2016
• VM Type: Tested on VMware Workstation
• Notes: If the VM was able to obtain a DHCP you will likely see the IP in the VM login prompt.
• Networking: DHCP
• Checksum[SHA256]: c42839feadc8077380e167af9639cfcf9ebe3ffed083c98aee1e7d453022af5d

For any issues you can shoot an email to: dolev at dc416.com or DM me @dolevfarhi

Name: LazySysAdmin 1.0

Author: Togie Mcdogie

Twitter: @TogieMcdogie

[Description]

Difficulty: Beginner - Intermediate

Boot2root created out of frustration from failing my first OSCP exam attempt.

Aimed at:

      > Teaching newcomers the basics of Linux enumeration
      > Myself, I suck with Linux and wanted to learn more about each service whilst creating a playground for others to learn

Special thanks to @RobertWinkel @dooktwit for hosting LazySysAdmin at Sectalks Brisbane BNE0x18

[Lore]

LazySysadmin - The story of a lonely and lazy sysadmin who cries himself to sleep

[Tested with]

• Virtualbox
• Vnware Workstation player

[Preffered setup]

Host only networking

[Hints]

• Enumeration is key
• Try Harder
• Look in front of you
• Tweet @togiemcdogie if you need more hints

[Other]

• What could you of done to speed up the enumeration process?
• Are there any obvious things that you missed, which you shouldnt of missed?
• Did you learn anything interesting?
• What have you added to your enumeration process to prevent you from wasting time?

[Checksum]

• Name: Lazysysadmin.zip
• Size: 501925265 bytes (478 MB)
• SHA256: DBAC88A2E76FD5A6693A2890030DD3BE0DC2C09F30B43A79BE8AB7A23B708EF5

Many times while conducting a pentest, I need to script something up to make my life easier or to quickly test an attack idea or vector. Recently I came across an interesting command injection vector on a web application sitting on a client's internet-facing estate. There was a page, running in Java, that allowed me to type arbitrary commands into a form, and have it execute them. While developer-provided webshells are always nice, there were a few caveats. The page was expecting directory listing style output, which was then parsed and reformatted. If the output didn't match this parsing, no output to me. Additionally, there was no egress. ICMP, and all TCP/UDP ports including DNS were blocked outbound.

I was still able to leverage the command injection to compromise not just the server, but the entire infrastructure it was running on. After the dust settled, the critical report was made, and the vulnerability was closed, I thought the entire attack path was kind of fun, and decided to share how I went about it. Since I enjoy being a free man and only occasionally visit prisons, I've created a simple boot2root style VM that has a similar set of vulnerabilities to use in a walkthrough.

Introduction

Lately, I’ve been enjoying creating hacking challenges for the security community. This new challenge encapsulates a company, entitled – The Ether, who has proclaimed an elixir that considerably alters human welfare. The CDC has become suspicious of this group due to the nature of the product they are developing.

The Goal

The goal is to find out what The Ether is up to. You will be required to break into their server, root the machine, and retrieve the flag. The flag will contain more information about The Ether’s ominous operations regarding this medicine.

Any Hints?

This challenge is not for beginners. There is a relevant file on this machine that plays an important role in the challenge, do not waste your time trying to de-obfuscate the file, I say this to keep you on track. This challenge is designed test you on multiple areas and it’s not for the feint of heart!

Last Words

Whatever you do, do not give up! Exhaust all of your options! Looking forward to have OSCPs take this challenge. As always, good luck, have fun, God bless, and may the s0urce be with you.

THE ARM IoT EXPLOIT LABORATORY - Damn Vulnerable ARM Router (DVAR)

DVAR is an emulated Linux based ARM router running a vulnerable web server that you can sharpen your ARM stack overflow skills with.

DVAR runs in the tinysploitARM VMWare VM under a fully emulated QEMU ARM router image.

Simply extract the ZIP file and launch the VM via tinysploitARM.vmx. After starting up, the VM's IP address and default URL shall be displayed on the console. Using your host computer's browser, navigate to the URL and follow the instructions and clues. The virtual network adapter is set to NAT mode.

Your goal is to write a working stack overflow exploit for the web server running on the DVAR tinysploitARM target.

SHA256: 1f2bdd9ae4e44443dbb4bf9062300f1991c47f609426a1d679b8dcd17abb384c

DVAR started as an optional preparatory exercise for the ARM IoT Exploit Lab.

UPCOMING ARM IoT EXPLOIT LABORATORY TRAINING

RECON Brussels 2018 (4 day) January 29-Feb 1 https://recon.cx/2018/brussels/training/trainingexploitlab.html

Offensivecon Berlin 2018 (4 day) February 12-15 https://www.offensivecon.org/trainings/2018/the-arm-iot-exploit-laboratory-saumil-shah.html

Cansecwest Vancouver 2018 (4 day) March 10-13 https://cansecwest.com/dojos/2018/exploitlab.html

SyScan360 Singapore 2018 (4 day) March 18-21 https://www.coseinc.com/syscan360/index.php/syscan360/details/SYS1842#regBox

Helpful material

If you are new to the world of ARM exploitation, I highly recommend Azeria's excellent tutorials on ARM Assembly, ARM Shellcode and the basics of ARM exploitation.

https://azeria-labs.com/ Twitter: @Fox0x01

And these are three general purpose concepts oriented tutorials that every systems enthusiast must know:

Operating Systems - A Primer: http://www.slideshare.net/saumilshah/operating-systems-a-primer

How Functions Work: http://www.slideshare.net/saumilshah/how-functions-work-7776073

Introduction to Debuggers: http://www.slideshare.net/saumilshah/introduction-to-debuggers

EXPLOIT LABORATORY BLOG:

http://blog.exploitlab.net/

Saumil Shah @therealsaumil

Difficulty:

Beginner

Description:

Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live...

Instructions:

This is a boot2root Ubuntu based virtual machine. It was tested on VMware Fusion and VMware Workstation12 using DHCP settings for its network interface. It was designed to model some of the earlier machines I encountered during my OSCP labs also with a few minor curve-balls but nothing too fancy. Stick to your classic hacking methodology and enumerate all the things!

Your goal is to remotely attack the VM and find all 4 flags eventually leading you to full root access. Don't forget to #tryharder

Example: flag1(AB0BFD73DAAEC7912DCDCA1BA0BA3D05). Do not waste time decrypting the hash in the flag as it has no value in the challenge other than an identifier.

Contact

Hit me up if you enjoy this VM! Twitter: @securekomodo Email: [email protected]

You've received intelligence of a new Villain investing heavily into Space and Laser Technologies. Although the Villian is unknown we know the motives are ominous and apocalyptic.

Hack into the Moonraker system and discover who's behind these menacing plans once and for all. Find and destroy the Villain before it's too late!

-- Difficulty: Challenging

-- Flag is /root/flag.txt

-- Tested on VMware

-- DCHP enabled

-- No extra tools besides what's on Kali by default

-- Learning Objectives: Client-side Attacks, NoSQL, RESTful, NodeJS, Linux Enumeration and Google-fu.

Thanks to /u/limbernie on Reddit for testing!

Good luck and have fun!

Description

DC-1 is a purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

It was designed to be a challenge for beginners, but just how easy it is will depend on your skills and knowledge, and your ability to learn.

To successfully complete this challenge, you will require Linux skills, familiarity with the Linux command line and experience with basic penetration testing tools, such as the tools that can be found on Kali Linux, or Parrot Security OS.

There are multiple ways of gaining root, however, I have included some flags which contain clues for beginners.

There are five flags in total, but the ultimate goal is to find and read the flag in root's home directory. You don't even need to be root to do this, however, you will require root privileges.

Depending on your skill level, you may be able to skip finding most of these flags and go straight for root.

Beginners may encounter challenges that they have never come across previously, but a Google search should be all that is required to obtain the information required to complete this challenge.

Technical Information

DC-1 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs.

While I haven't tested it within a VMware environment, it should also work.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.

Important

While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

Contact

This is the first vulnerable lab challenge that I've created, so feel free to let me know what you think of it.

I can be contacted via Twitter - @DCAU7

Description

Much like DC-1, DC-2 is another purposely built vulnerable lab for the purpose of gaining experience in the world of penetration testing.

As with the original DC-1, it's designed with beginners in mind.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

Just like with DC-1, there are five flags including the final flag.

And again, just like with DC-1, the flags are important for beginners, but not so important for those who have experience.

In short, the only flag that really counts, is the final flag.

For beginners, Google is your friend. Well, apart from all the privacy concerns etc etc.

I haven't explored all the ways to achieve root, as I scrapped the previous version I had been working on, and started completely fresh apart from the base OS install.

Technical Information

DC-2 is a VirtualBox VM built on Debian 32 bit, so there should be no issues running it on most PCs.

While I haven't tested it within a VMware environment, it should also work.

It is currently configured for Bridged Networking, however, this can be changed to suit your requirements. Networking is configured for DHCP.

Installation is simple - download it, unzip it, and then import it into VirtualBox and away you go.

Please note that you will need to set the hosts file on your pentesting device to something like:

192.168.0.145 dc-2

Obviously, replace 192.168.0.145 with the actual IP address of DC-2.

It will make life a whole lot simpler (and a certain CMS may not work without it).

If you're not sure how to do this, instructions are here.

Important

While there should be no problems using this VM, by downloading it, you accept full responsibility for any unintentional damage that this VM may cause.

In saying that, there shouldn't be any problems, but I feel the need to throw this out there just in case.

Contact

This is the second vulnerable lab challenge that I've created, so feel free to let me know what you think of it.

I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7