Underc0de Weekend is a weekly challenge we (underc0de) are running. The goal is to be the first to solve it and earn points and prizes (http://underc0de.org/underweekend.php).
The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll, but the time required to solve it is approximately the same, and make no mistake, trolls are still present! :)
Difficulty is beginner++ to intermediate.
The VM should pull a valid IP from DHCP. This VM has been verified to work on VMware Workstation 5, VMware Player 5, VMware Fusion, and VirtualBox. VirtualBox users may need to enable the additional network card for it to pull a valid IP address.
Special thanks to @Eagle11, @superkojiman and @leonjza for suffering through the testing and the members of #overflowsec on freenode for giving me ideas.
If you have issues with the machine, feel free to contact me at @Maleus21 or maleus
Author: Rasta Mouse
Testers: Barrebas & OJ
Notes to the Player
As part of the challenge, Kvasir utilises LXC to provide kernel isolation. When the host VM boots, it can take a little time before the containers become available.
It is therefore advised to wait 30-60 seconds after the login prompt is presented, before attacking the VM.
A few other pointers:
Pretty much thought of a pretty neat idea I hadn't seen done before with a VM, and I wanted to turn it into reality!
Your job is to escalate to root, and find the flag.
Since I've gotten a few PM's, remember: There is a difference between "Port Unreachable" and "Host Unreachable". DHCP is not broken ;)
Gotta give a huge shoutout to c0ne for helping to create the binary challenge, and rasta_mouse and recrudesce for testing :)
Also, gotta thank barrebas who was able to find a way to make things easier... but of course that is fixed with this update! ;)
MD5 -- 3b6839a28b4be64bd71598aa374ef4a6 knock-knock-1-1.ova
SHA1 -- 0ec29d8baad9997fc250bda65a307e0f674e4180 knock-knock-1-1.ova
Feel free to hit me up in #vulnhub on freenode -- zer0w1re
Quickly created an exercise for CVE-2014-6271:
Persistence
"the fact of continuing in an opinion or course of action in spite of difficulty or opposition"
by sagi- & superkojiman
By using this virtual machine, you agree that in no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of or in connection with the use of this software.
TL;DR - You are about to load up a virtual machine with vulnerabilities created by hackers. If something bad happens, it's not our fault.
Persistence aims to provide you with challenging obstacles that block your path to victory. It is perhaps best described by quotes made by some famous people:
"A little more persistence, a little more effort, and what seemed hopeless failure may turn to glorious success." - Calvin Coolidge
"Energy and persistence conquer all things." - Benjamin Franklin
"Persistence and resilience only come from having been given the chance to work through difficult problems." - Gever Tulley
Get a root shell and read the contents of /root/flag.txt to complete the challenge!
The virtual machine will get an IP address via DHCP, and it has been tested on the following hypervisors:
VMware Fusion 6, VMware Player 6, VMware Workstation 10, VirtualBox 4.3
Thanks @VulnHub for kindly hosting this challenge, and thanks to @recrudesce for testing it and providing valuable feedback!
Welcome to The Owl Nest
Owls are lovely but they hate you :) and maybe after this one, you will hate them too.
Notes from the author: I hope you will enjoy this game. I spent a fairly high amount of effort to build this, in an attempt to make the game funny and provide an average amount of frustration to the players :) Even though the machine was tested, maybe there are shortcuts to reach the flag... hopefully not :)
Expect some curve balls :)
Special thanks goes to Barrebas for testing the VM
Morning Catch is a VMware virtual machine, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks and post-exploitation.
On this virtual machine, you will find: a website for a fictitious seafood company, self-contained email infrastructure to receive phishes, and two desktop environments. One desktop environment is a vulnerable Linux client-side attack surface. The other is a vulnerable Windows client-side attack surface.
Morning Catch uses a bleeding-edge version of WINE to run a few vulnerable Windows applications AND experiment with post-exploitation tools in a fun and freely redistributable environment.
Your use of Morning Catch starts with the login screen.
Boyd Jenius is the Systems Administrator and his password is ‘password’. Login as Boyd to get to the vulnerable Linux desktop.
Richard Bourne is Morning Catch’s CEO and his password is also ‘password’. Login as Richard to get to the vulnerable Windows desktop.
You can also RDP into the Morning Catch environment.
Richard’s desktop includes the Windows versions of Firefox, Thunderbird, Java, and PuTTY. Open up Thunderbird to check Richard’s email.
You can send a phish to him too. This VM includes a mail server to receive email for users at the morningcatch.ph domain. Open up a terminal and find out the IP address of the VM. Make sure you relay messages through this server. Use [email protected] as the address.
Are you looking for some attacks to try? Here are a few staples:
Spin up a malicious Java Applet and visit it as Richard. The Firefox add-on attack exploit in the Metasploit Framework is a great candidate. Or, generate an executable with your payload and run it as Richard. I’m sure he won’t mind. Morning Catch’s WINE environment runs post-exploitation payloads, to include Windows Meterpreter and Beacon, without too much trouble.
Boyd’s desktop is the vulnerable Linux attack surface. Boyd has the Linux versions of Firefox, Java, and Thunderbird. Boyd also has an SSH key for the Metasploitable 2 virtual machine. Try to ssh to Metasploitable 2 as root and see what happens.
Morning Catch also includes RoundCube webmail for all of its users. Use this as a target to clone and harvest passwords from.
Morning Catch isn’t a replacement for a vulnerable Windows lab. It’s a safe and freely redistributable target to experiment with phishing and client-side attacks. It’s my hope that this environment will help more people experiment with and understand these attacks better.
Are you in Las Vegas for BlackHat USA or DEF CON? Stop by the Black Hat Arsenal on Wednesday at 10am for a demo of this new environment and a Morning Catch sticker. I’m also giving away DVDs with a revised Cobalt Strike pen testing lab that uses Morning Catch. Find me at the Cobalt Strike kiosk in the Innovation City portion of the Black Hat USA Exhibitor Hall. I will also give away these DVDs at the Cobalt Strike table in the DEF CON vendor area.
Tr0ll was inspired by the constant trolling of the machines within the OSCP labs.
The goal is simple, gain root and get Proof.txt from the /root directory.
Not for the easily frustrated! Fair warning, there be trolls ahead!
Difficulty: Beginner; Type: boot2root
Special thanks to @OS_Eagle11 and @superkojiman for suffering through the testing all the way to root!
The machine should pull an IP using DHCP; if you have any problems, contact me for a password to get it working.
Feedback is always appreciated!
MD5SUM (Tr0ll.rar): 318fe0b1c0dd4fa0a8dca43edace8b20
flick
Welcome to the flick boot2root!
- Where is the flag?
- What do you need to flick to find it?
Completing "flick" will require some sound thinking, good enumeration skills & time! The objective is to find and read the flag that lives in /root/. As a bonus, can you get root command execution?
Shoutout to @barrebas & @TheColonial for testing it out first :)
$ sha1sum flick.ova
0e65f5a1f2b560d10115796c1adfb03548583db2 flick.ova
Good Luck! @leonjza