64Base Boot2Root

This is my very first public Boot2Root, It’s intended to be more of a fun game than a serious hacking challenge. Hopefully anyone interested enough to give it a try will enjoy the story with this one.

It is based on the StarWars storyline and is designed to Troll you in a fun way.

Just be warned, it’s littered with more than a few “Red Herrings” ;D

Difficulty Rating

[BEGINNER - INTERMEDIATE]

Capture The Flags

There are 6 flags to collect. Each in the format of flag1{ZXhhbXBsZSBmbGFnCg==} Beat the Empire and steal the plans for the Death Star before its too late.

I Hope You Enjoy It.

This is my first boot2root machine. It's begginer-intermediate level.

It's been tested in VBox and VMware and seems to work without issues in both.

A tip, anything can be a vector, really think things through here based on how the machine works. Make a wrong move though and some stuff gets moved around and makes the machine more difficult!

This is part one in a two part series. I was inspired by several vms I found on vulnhub and added a bit of a twist to the machine.

Good luck and I hope you guys enjoy!

This is my first CTF/Vulnerable VM ever. I created it both for educational purposes and so people can have a little fun testing their skills in a legal, pentest lab environment.

Some notes before you download!

• Try to use a Host-Only Adapter. This is an intentionally vulnerable machine and leaving it open on your network can have bad results.
• It should work with Vmware flawlessly. I've tested it with vbox and had one other friend test it on Vbox as well so I think it should work just fine on anything else.

This is a Boot2Root machine. The goal is for you to attempt to attempt to gain root privileges in the VM. Do not try to get the root flag through a recovery iso etc, this is essentially cheating! The idea is to get through by pretending this machine is being attacked over a network with no physical access.

I themed this machine to make it feel a bit more realistic. You are breaking into a fictional characters server (named Wallaby) and trying to gain root without him noticing, or else the difficulty level will increase if you make the wrong move! Good luck and I hope you guys enjoy!

Third in a multi-part series, Breach 3.0 is a slightly longer boot2root/CTF challenge which attempts to showcase a few real-world scenarios/vulnerabilities, with plenty of twists and trolls along the way.

Difficulty: Intermediate, requires some creative thinking and persistence more so than advanced exploitation.

The VM is configured to grab a lease via DHCP.

A few things:

1) This is the culmination of the series, keep your notes close from the previous 2 challenges, they may come in handy. 2) Remember that recon is an iterative process. Make sure you leave no stone unturned. 3) The VM uses KVM and QEMU for virtualization. It is not necessary to root every host to progress. 4) There are 3 flags throughout, once you reach a flag you have achieved that intended level of access and can move on. These 3 flags are your objectives and it will be clear once you have found each and when it is time to move on.

Shout-out to knightmare for many rounds of testing and assistance with the final configuration as well as g0blin, Rand0mByteZ, mr_h4sh and vdbaan for testing and providing valuable feedback. As always, thanks to g0tmi1k for hosting and maintaining Vulnhub.

If you run into any issues you can find me on Twitter: https://twitter.com/mrb3n813 or on IRC in #vulnhub.

Looking forward to the write-ups!

Enjoy and happy hunting!

SHA1: EBB2123E65106F161479F3067C68CFA143CA98D3

Welcome to another boot2root / CTF this one is called Analougepond. The VM is set to grab a DHCP lease on boot. I've tried to mix things up a little on this one, and have used the feedback from #vulnhub to make this VM a little more challenging (I hope).

Since you're not a Teuchter, I'll offer some hints to you:

Remember TCP is not the only protocol on the Internet My challenges are never finished with root. I make you work for the flags. The intended route is NOT to use forensics or 0-days, I will not complain either way.

To consider this VM complete, you need to have obtained:

• Troll Flag: where you normally look for them
• Flag 1: You have it when you book Jennifer tickets to Paris on Pan Am.
• Flag 2: It will include a final challenge to confirm you hit the jackpot.
• Have root everywhere (this will make sense once you're in the VM)
• User passwords
• 2 VNC passwords

Best of luck! If you get stuck, eat some EXTRABACON

NB: Please allow 5-10 minutes or so from powering on the VM for background tasks to run before proceeding to attack.

Changelog

• v0.1b - Initial Version
• v01.c - Fixes for flags based on feedback from mrB3n
• v0.1d - Fixes based on shortcut to intended route
• v0.2a - Fixes and clean up of disks for smaller OVA export
• v0.2b - Small edit to remove copy of flag in wrong folder

SHA1SUM: D75AA2405E2DFB30C1470358EFD0767A10CF1EB1 analoguepond-0.2b.ova

Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF.

A special thank you to g0tmi1k for hosting all these challenges and offering advice. A tip of the hat to mrb3n for his recent assistence.

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

Welcome to

  ___           _            ___          _
 |   \ ___ _ _ | |_____ _  _|   \ ___  __| |_____ _ _
 | |) / _ \ ' \| / / -_) || | |) / _ \/ _| / / -_) '_|
 |___/\___/_||_|_\_\___|\_, |___/\___/\__|_\_\___|_|
                        |__/
                             Made with <3 v.1.0 - 2017

This is my first boot2root - CTF VM. I hope you enjoy it. if you run into any issue you can find me on Twitter: @dhn_ or feel free to write me a mail to:

• Email: [email protected]
• GPG key: 0x2641123C
• GPG fingerprint: 4E3444A11BB780F84B58E8ABA8DD99472641123C

Level: I think the level of this boot2root challange is hard or intermediate.

Try harder!: If you are confused or frustrated don't forget that enumeration is the key!

Thanks: Special thanks to @1nternaut for the awesome CTF VM name!

Feedback: This is my first boot2root - CTF VM, please give me feedback on how to improve!

Tested: This VM was tested with:

• VMware Workstation 12 Pro
• VMware Workstation 12 Player
• VMware vSphere Hypervisor (ESXi) 6.5

Networking: DHCP service: Enabled

IP address: Automatically assign

SHA-1:

77439cb457a03d554bec78303dc42e5d3074ff85  DonkeyDocker-disk1.vmdk
d3193cca484f7f1b36c20116f49e9025bf60889c  DonkeyDocker.mf
7013d6a7c151332c99c0e96d34b812e0e7ce3d57  DonkeyDocker.ovf

Looking forward to the write-ups!

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

iQIcBAEBCgAGBQJY2snaAAoJEKjdmUcmQRI8fG0QAK9eCaBggC4+aRD2SrY5ZFtI
/5Lyi8fdGCrtIDhLIoAoM/HHX68GH6pPzWt2VesW1zCM0pnO+hAaQSzl5+C4e39g
IYIUx9WMojxrrDgvvZ0NxosYMTFyyXCudCpGZXo2fjW3xnZ9v1n/Yid0H23gXKyo
gLzMEVuCh4/Bh1YNx5Jc6X03rZg6nhWEaLzShDOsUu0d4bYD6ZL7Cnr1W7HFmoEn
oV3OOOEj79VG2EeIc4nNzyVnp1I+C3BjngAV0w6bQdepbWZvy/pyzdk8HEB4Xc56
MkKidbVx9oTh38tro//VzDCTwfGHyt+V3RhXpIQvvFOboG/CpvQFxMpSIn25tGNY
2rADxHJ40KG85MWey4lP2jzpbJDH5LYYMIej8w8iz1+DN9czXSRDVVdY3aAGaghe
NaWwqdktT0j0j2/6w2kiRR60LOaRK+u1rNckm6qBrlEQ+M3Pv7yD4A9rR8K4FVF8
2PyRrtltI8RkucJP0JjHWtl4Sry4dPA5EDtuUWQIO5mYjeJlQ9yg7TPGne4/hWSx
Gibj9XfiwwvpZ9qTJu2W91rt3P+xm6ic2QVCJ8oNRgwi0jGP4nhryg4I1yyaRpeR
ANbof9vxkEct1fuDODgXTIwQ1uGtG2X3khHiKxt5wcymCZ1v8CwQ0+vyiK/sbOsS
TyJq5lfMNJWrdsMNowNm
=Oo5M
-----END PGP SIGNATURE-----

D0Not5top Boot2Root

This is my second public Boot2Root, It’s intended to be a little more difficult that the last one I made. That being said, it will depend on you how hard it is :D It's filled with a few little things to make the player smile.

Again there are a few “Red Herrings”, and enumeration is key.

DIFFICULTY ?????

CAPTURE THE FLAGS
There are 7 flags to collect, designed to get progressively more difficult to obtain

DETAILS

• File: D0Not5top_3mrgnc3_v1.2.ova
• OS: ?????
• VM Type: VirtualBox
• IP Address: DHCP
• Size: 700 MB

SUPPORT Any support issues can be directed to [email protected]

+---------------------------------------------------------+
|                     Name: Moria                         |
|                       IP: Through DHCP                  |
|               Difficulty: Not easy!                     |
|                     Goal: Get root                      |
+---------------------------------------------------------+
|                                                         |
| DESCRIPTION:                                            |
| Moria is NOT a beginner-oriented Boot2Root VM, it will  |
| require good enum skills and a lot of persistence.      |
|                                                         |
| VM has been tested on both VMware and VirtualBox, and   |
| gets its IP through DHCP, make sure you're on the same  |
| network.                                                |
|                                                         |
| Special thanks to @seriousblank for helping me create it|
| and @johnm and @cola for helping me test it.            |
|                                                         |
|     Link: dropbox.com/s/r3btdcmwjigk62d/Moria1.1.rar    |
|     Size: 1.56GB                                        |
|      MD5: 2789bca41a7b8f5cc48e92c635eb83cb              |
|     SHA1: e3bddd4133320ae42ff65aec41b9f6516d33bb89      |
|                                                         |
| CONTACT:                                                |
| You can find me on NetSecFocus slack, twitter at        |
| @abatchy17 or occasionally on #vulnhub for questions.   |
|                                                         |
| PS: No Lord of The Rings knowledge is required ;)       |
|                                                         |
| -Abatchy                                                |
+---------------------------------------------------------+

Dolev

One of the VMs used in the online CTF hosted back in September 2016 by Defcon Toronto, slightly modified to suit boot2root challenges.

Difficulty: Easy

Information: Overall 7 flags to collect, id 0 is the final step.

Details:

• File: Galahad.zip (ovf)
• Date: September 2016
• VM Type: Tested on VMware Workstation
• Notes: If the VM was able to obtain a DHCP you will likely see the IP in the VM login prompt.
• Networking: DHCP
• Checksum[SHA256]: c42839feadc8077380e167af9639cfcf9ebe3ffed083c98aee1e7d453022af5d

For any issues you can shoot an email to: dolev at dc416.com or DM me @dolevfarhi

Hacker House are community sponsors at this year’s BSides London 2017 and, to celebrate, we have an exploit challenge for you. A key date in the UK security scene, it offers an alternative technical conference for the hackers and tech geeks to share war stories and learn. We are providing a challenge lab designed especially for the conference that attendees can sink disassemblers into. If you aren’t at the event, you can also hack along at home, but remember that prizes for solutions can only be claimed at our stand during the event! The challenge is provided in ISO format which you can boot in VirtualBox or any similar virtualisation software, heck you can even run it on an ATM if you like, but this is unsupported. If you solve our little brain teasing conundrums and beat the system to get root, the first three successful solutions presented to us at our stand can claim one of our awesome hoodies, check them out in our shop! This challenge is open to individuals, but if you do decide to team up, then let us know as only one prize can be claimed per solution. We are also giving several t-shirts away during the raffle so make sure you get your tickets!

Our challenge will test your elite hacking skills and requires web application, reverse engineering, cryptography and exploit abilities. It shouldn’t take the competent skilled hacker too much time, but if you do struggle then watch our social media feeds during the event for some tips to this adventure. You should run the challenge in Host-Only networking mode and on successful boot you will be presented with a console, similar to the one shown at the end of this post. You should solve the challenge from a network perspective, only solutions using this route will be accepted for prizes (unless they are really cool!).

The goal of the challenge is to hack the ISO, level up your skills and get root, come and show us how you did it if you want to claim your prize! If you are struggling with the configuration of our challenge, you can check out our training course free module, which details steps for configuring a similar lab. You can find details and upcoming dates of our training here.

Happy hacking and remember sharing is caring so post (tweet us @myhackerhouse!) or email a solution and let us know about it after the event. We will share links to the best of them on this blog! May the force be with you, young padawan, and remember that hacking isn’t just a skill – it’s a survival trade.

Zico's Shop: A Boot2Root Machine intended to simulate a real world cenario

Disclaimer:

By using this virtual machine, you agree that in no event will I be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of or in connection with the use of this software.

TL;DR - You are about to load up a virtual machine with vulnerabilities. If something bad happens, it's not my fault.

Level: Intermediate

Goal: Get root and read the flag file

Description:

Zico is trying to build his website but is having some trouble in choosing what CMS to use. After some tries on a few popular ones, he decided to build his own. Was that a good idea?

Hint: Enumerate, enumerate, and enumerate!

Thanks to: VulnHub

Author: Rafael (@rafasantos5)

Bulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? Why don't you find out? :)

This is a standard Boot-to-Root. Your only goal is to get into the root directory and see the congratulatory message, how you do it is up to you!

Difficulty: Beginner/Intermediate, if you get stuck, try to figure out all the different ways you can interact with the system. That's my only hint ;)

Made by Nick Frichette (frichetten.com) Twitter: @frichette_n

I'd highly recommend running this on Virtualbox, I had some issues getting it to work in VMware. Additionally DHCP is enabled so you shouldn't have any troubles getting it onto your network. It defaults to bridged mode, but feel free to change that if you like.

Name: LazySysAdmin 1.0

Author: Togie Mcdogie

Twitter: @TogieMcdogie

[Description]

Difficulty: Beginner - Intermediate

Boot2root created out of frustration from failing my first OSCP exam attempt.

Aimed at:

      > Teaching newcomers the basics of Linux enumeration
      > Myself, I suck with Linux and wanted to learn more about each service whilst creating a playground for others to learn

Special thanks to @RobertWinkel @dooktwit for hosting LazySysAdmin at Sectalks Brisbane BNE0x18

[Lore]

LazySysadmin - The story of a lonely and lazy sysadmin who cries himself to sleep

[Tested with]

• Virtualbox
• Vnware Workstation player

[Preffered setup]

Host only networking

[Hints]

• Enumeration is key
• Try Harder
• Look in front of you
• Tweet @togiemcdogie if you need more hints

[Other]

• What could you of done to speed up the enumeration process?
• Are there any obvious things that you missed, which you shouldnt of missed?
• Did you learn anything interesting?
• What have you added to your enumeration process to prevent you from wasting time?

[Checksum]

• Name: Lazysysadmin.zip
• Size: 501925265 bytes (478 MB)
• SHA256: DBAC88A2E76FD5A6693A2890030DD3BE0DC2C09F30B43A79BE8AB7A23B708EF5