_______  _______  ______    _______  ___   _______  _______  _______  __    _  _______  _______ 
|       ||       ||    _ |  |       ||   | |       ||       ||       ||  |  | ||       ||       |
|    _  ||    ___||   | ||  |  _____||   | |  _____||_     _||    ___||   |_| ||       ||    ___|
|   |_| ||   |___ |   |_||_ | |_____ |   | | |_____   |   |  |   |___ |       ||       ||   |___ 
|    ___||    ___||    __  ||_____  ||   | |_____  |  |   |  |    ___||  _    ||      _||    ___|
|   |    |   |___ |   |  | | _____| ||   |  _____| |  |   |  |   |___ | | |   ||     |_ |   |___ 
|___|    |_______||___|  |_||_______||___| |_______|  |___|  |_______||_|  |__||_______||_______|

         "the fact of continuing in an opinion or course of action in spite of 
      difficulty or opposition"

                                                   by sagi- & superkojiman


By using this virtual machine, you agree that in no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of or in connection with the use of this software.

TL;DR - You are about to load up a virtual machine with vulnerabilities created by hackers. If something bad happens, it's not our fault.


Persistence aims to provide you with challenging obstacles that block your path to victory. It is perhaps best described by quotes made by some famous people:

"A little more persistence, a little more effort, and what seemed hopeless failure may turn to glorious success." - Calvin Coolidge

"Energy and persistence conquer all things." - Benjamin Franklin

"Persistence and resilience only come from having been given the chance to work though difficult problems." - Gever Tulley


Get a root shell and read the contents of /root/flag.txt to complete the challenge!


The virtual machine will get an IP address via DHCP, and it has been tested on the following hypervisors:

VMware Fusion 6 VMware Player 6 VMware Workstation 10 VirtualBox 4.3


Thanks @VulnHub for kindly hosting this challenge, and thanks to @recrudesce for testing it and providing valuable feedback!

         ,' ``',
        '  (o)(o)
       `       > ;
       ',     . ...-'"""""`'.
     .'`',`''''`________:   ":
   (`'. '.;  |           ;/\;\;
  (`',.',.;  |               |
 (,'` .`.,'  |               |
 (,.',.','   |               |
(,.',.-`_____|               |
    __\_ _\_ |               |

Welcome to The Owl Nest Owls are lovely but hates you :) and maybe after this one, you will hate them too.

Notes from the author: I hope you will enjoy this game, i spent a fairly high amount of effort to build this, in an attempt to make the game funny, and provide an avarage amount of frustration to the players :) Even if the machine was tested, maybe there are shortcuts to reach the flag.. hopefully not :)

Expect some curve balls :)

Special thanks goes to Barrebas for testing the VM


Morning Catch is a VMware virtual machine, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks and post-exploitation.

On this virtual machine, you will find: a website for a fictitious seafood company, self-contained email infrastructure to receive phishes, and two desktop environments. One desktop environment is a vulnerable Linux client-side attack surface. The other is a vulnerable Windows client-side attack surface.

Morning Catch uses a bleeding edge version of WINE to run a few vulnerable Windows applications AND experiment with post-exploitation tools in a fun and freely re-distributable environment.

Login Screen

Your use of Morning Catch starts with the login screen.

Boyd Jenius is the Systems Administrator and his password is ‘password’. Login as Boyd to get to the vulnerable Linux desktop.

Richard Bourne is Morning Catch’s CEO and his password is also ‘password’. Login as Richard to get to the vulnerable Windows desktop.

You can also RDP into the Morning Catch environment.

Windows Desktop

Richard’s desktop includes the Windows’ versions of Firefox, Thunderbird, Java, and putty. Open up Thunderbird to check Richard’s email.

You can send a phish to him too. This VM includes a mail server to receive email for users at the morningcatch.ph domain. Open up a terminal and find out the IP address of the VM. Make sure you relay messages through this server. Use [email protected] as the address.

Are you looking for some attacks to try? Here are a few staples:

Spin up a malicious Java Applet and visit it as Richard. The Firefox add-on attack exploit in the Metasploit Framework is a great candidate. Or, generate an executable with your payload and run it as Richard. I’m sure he won’t mind. Morning Catch’s WINE environment runs post-exploitation payloads, to include Windows Meterpreter and Beacon, without too much trouble.

Linux Desktop

Boyd’s desktop is the vulnerable Linux attack surface. Boyd has the Linux versions of Firefox, Java, and Thunderbird. Boyd also has an SSH key for the Metasploitable 2 virtual machine. Try to ssh to Metasploitable 2 as root and see what happens.


Morning Catch also includes RoundCube webmail for all of its users. Use this as a target to clone and harvest passwords from.

Hopes and Dreams

Morning Catch isn’t a replacement for a vulnerable Windows lab. It’s a safe and freely redistributable target to experiment with phishing and client-side attacks. It’s my hope that this environment will help more people experiment with and understand these attacks better.

Are you in Las Vegas for BlackHat USA or DEF CON? Stop by the Black Hat Arsenal on Wednesday at 10am for a demo of this new environment and a Morning Catch sticker. I’m also giving away DVDs with a revised Cobalt Strike pen testing lab that uses Morning Catch. Find me at the Cobalt Strike kiosk in the Innovation City portion of the Black Hat USA Exhibitor Hall. I will also give away these DVDs at the Cobalt Strike table in the DEF CON vendor area.

Tr0ll: 1

Maleus 14 Aug 2014

Tr0ll was inspired by the constant trolling of the machines within the OSCP labs.

The goal is simple, gain root and get Proof.txt from the /root directory.

Not for the easily frustrated! Fair warning, there be trolls ahead!

Difficulty: Beginner ; Type: boot2root

Special thanks to @OS_Eagle11 and @superkojiman for suffering through the testing all the way to root!

The machine should pull an IP using DHCP, if you have any problems, contact me for a password to get it to working.

Feedback is always appreciated!


Freenode - Maleus

MD5SUM (Tr0ll.rar): 318fe0b1c0dd4fa0a8dca43edace8b20

Flick: 1

Leonjza 8 Aug 2014
 .o88o. oooo   o8o            oooo
 888 `" `888   `"'            `888
o888oo   888  oooo   .ooooo.   888  oooo
 888     888  `888  d88' `"Y8  888 .8P'
 888     888   888  888        888888.
 888     888   888  888   .o8  888 `88b.
o888o   o888o o888o `Y8bod8P' o888o o888o

Welcome to the flick boot2root!

- Where is the flag?
- What do you need to flick to find it?

Completing "flick" will require some sound
thinking, good enumeration skills & time! The
objective is to find and read the flag that
lives /root/

As a bonus, can you get root command execution?

Shoutout to @barrebas & @TheColonial for testing
it out first :)

$ sha1sum flick.ova
0e65f5a1f2b560d10115796c1adfb03548583db2  flick.ova

Good Luck!




This exercise covers the exploitation of a session injection in the Play framework

What you will learn?

  • Session injection
  • Play framework
  • Play's cookies

xerxes: 2.0.1

Bas 4 Aug 2014
____   ___  ____  ___  __ ____   ___  ____     ____     ____
`MM(   )P' 6MMMMb `MM 6MM `MM(   )P' 6MMMMb   6MMMMb\  6MMMMb
 `MM` ,P  6M'  `Mb MM69 "  `MM` ,P  6M'  `Mb MM'    ` MM'  `Mb
  `MM,P   MM    MM MM'      `MM,P   MM    MM YM.           ,MM
   `MM.   MMMMMMMM MM        `MM.   MMMMMMMM  YMMMMb      ,MM'
   d`MM.  MM       MM        d`MM.  MM            `Mb   ,M'
  d' `MM. YM    d9 MM       d' `MM. YM    d9 L    ,MM ,M'
_d_  _)MM_ YMMMM9 _MM_    _d_  _)MM_ YMMMM9  MYMMMM9  MMMMMMMM


                Before you lies the mainframe of XERXES.
                Compromise the subsystems and gain access to /root/flag.txt

                                XERXES wishes you
                                 a pleasant stay.


                Shoutout & Thanks
                Many thanks to
                        TheColonial (@TheColonial) & rasta_mouse (@_RastaMouse)
                for testing!

                File information

                md5   : 724d4be6ecd126d4591f487d1710f7af
                sha1  : 7978e6dde9e589c5ea90561502b297a8e08147a4

Welcome to SkyTower:1

This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the "flag".

You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. Most of all, your logical thinking and methodical approach to penetration testing will come into play to allow you to successfully attack this system. Try different variations and approaches. You will most likely find that automated tools will not assist you.

We encourage you to try it our for yourself first, give yourself plenty of time and then only revert to the Walkthroughs below.


Telspace Systems


Hell: 1

Peleus 7 Jul 2014

Welcome to the challenge.

This VM is designed to try and entertain the more advanced information security enthusiast. This doesn't exclude beginners however and I'm sure that a few of you could meet the challenge. There is no 'one' focus on the machine, a range of skills such as web exploitation, password cracking, exploit development, binary examination and most of all logical thinking is required to crack the box in the intended way - but who knows there might be some short cuts!

A few of the skills needed can be seen in some posts on http://netsec.ws. Otherwise enjoy the experience - remember that although vulnerabilities might not jump out at you straight away you may need to try some variations on the normal to get past the protections in place!

Feel free to discuss the experience on the #vulnhub irc channel on irc.freenode.net. If you want any hints feel free to PM my nick on there (Peleus). You won't get any, but I'll feel all warm and fuzzy inside knowing you're suffering.


CySCA2014-in-a-Box is a Virtual Machine that contains most of the challenges faced by players during CySCA2014. It allows players to complete challenges in their own time, to learn and develop their cyber security skills. The VM includes a static version of the scoring panel with all challenges, required files and flags.

To use CySCA2014 in a box virtual machines, players will need to have either Oracle VirtualBox or VMWare Player installed on their machines. Additionally we recommend players have at least 4GB of RAM. If you have less RAM, you can reduce the amount of RAM available to the VM down to 512MB, however it may adversely affect the speed of some of the challenges.

CAUTION The VM contains software that is deliberately vulnerable. We advise that you do not attach it to a critical network. Consider using your virtualisation softwares host-only network functionality.