The Challenge:

You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.

Level: Intermediate

Description:

The virtual machine comes in an OVA format, and is a generic 32 bit CentOS Linux build with a single available service (HTTP) where the challenge resides. Feel free to enable bridged networking to have the VM automatically be assigned a DHCP address. This VM has been tested in VMware Workstation 12 Player (choose "Retry" if needed), and VirtualBox 4.3.

SHA1: f60f497f3f8fda0d0aeccfc84dad8e19ad164f55 Challenge.ova

Twitter: @SpyderSec

SETUP

The name of the virtual machine is "Acid-Reloaded". This virtual machine contains both network logic and web logic. I have added a new concept here; let's see how many of you think more logically. :-)

You need to extract the RAR archive and run the VMX file using VMware Player. The machine has DHCP enabled, so once it is automatically assigned an IP address on the network, the next step will be to identify the target and discover the service(s) to start the game.

GOAL

Escalate privileges to the root user and capture the flag. Once anyone is able to beat the box, shoot me a mail.

NullByte: 1

ly0n 1 Aug 2015

Codename: NB0x01

Download: ly0n.me/nullbyte/NullByte.ova.zip

Objective: Get to /root/proof.txt and follow the instructions.

Level: Basic to intermediate.

Description: Boot2root; the box will get an IP from DHCP and works fine with VirtualBox and VMware.

Hints: Use your lateral thinking skills, maybe you’ll need to write some code.

Welcome to the world of Acid.

Fairy tales use secret keys to open the magical doors.

SETUP

The name of the virtual machine is "Acid Server". This virtual machine is completely web based. I have added a little new concept here and hope people will enjoy solving it. You need to extract the RAR archive and run the VMX file using VMware Player. The machine has DHCP enabled, so once it is automatically assigned an IP address on the network, the next step will be to identify the target and discover the service(s) to start the game.

GOAL

Escalate privileges to root and capture the flag. Once anyone is able to beat the machine, please let me know.


Twitter: https://twitter.com/m_avinash143

LinkedIn: https://in.linkedin.com/pub/avinash-thapa/101/406/4b5

__________.__               
\______   \__|_____   ____  
 |     ___/  \____ \_/ __ \ 
 |    |   |  |  |_> >  ___/ 
 |____|   |__|   __/ \___  >
             |__|        \/  ·VM· (MiNi CHaLLeNGe BuiLT FoR ZaCoN Vi)

+-----------------------------------------------------------------------+
|  cReaTeD....: sagi- (@s4gi_)      |  DaTe......: 2015-10-02           |
|  oS.........: Linux               |  oBJecTiVe.: Get /root/flag.txt   |
|                                   |  GReeTZ....: @zac0n               |
|                                   |  TeSTeRs...: @leonjza             |
|                                   |              @barrebas            |
+-----------------------------------------------------------------------+
  _________.__                              
 /   _____/|  |   ____   ____ ______ ___.__.
 \_____  \ |  | _/ __ \_/ __ \\____ <   |  |
 /        \|  |_\  ___/\  ___/|  |_> >___  |
/_______  /|____/\___  >\___  >   __// ____| ·VM·
        \/           \/     \/|__|   \/

+-----------------------------------------------------------------------+
|  cReaTeD....: sagi- (@s4gi_)      |  DaTe......: 2015-10-02           |
|  oS.........: Linux               |  oBJecTiVe.: Get /root/flag.txt   |
|                                   |  GReeTZ....: @nanomebia           |
|                                   |  TeSTeRs...: @barrebas            |
|                                   |              Christopher Panayi   |
+-----------------------------------------------------------------------+
|  VM HiSToRY:                                                          |
|  v1.0 - Public release @ ZaCon VI "Capture the Flag (and in between)" |
|  V0.1 - Private release @ SecTalks Perth                              |
+-----------------------------------------------------------------------+

Flick: 2

Leonjza 20 Aug 2015
 _____  _      ____   __  __  _      ____  ____
|     || |    |    | /  ]|  |/ ]    |    ||    |
|   __|| |     |  | /  / |  ' /      |  |  |  |
|  |_  | |___  |  |/  /  |    \      |  |  |  |
|   _] |     | |  /   \_ |     \     |  |  |  |
|  |   |     | |  \     ||  .  |     |  |  |  |
|__|   |_____||____\____||__|\_|    |____||____|
                                    by: @leonjza

Welcome!

Your challenge, should you choose to accept, is to gain root access on the server! The employees over at Flick Inc. have been hard at work prepping the release of their server checker app. Amidst all the chaos, they finally have a version ready for testing before it goes live.

You have been given a pre-production build of the Android .apk that will soon appear on the Play Store, together with a VM sample of the server that they want to deploy to their cloud hosting provider.

The .apk may be installed on a phone (though I won't be offended if you don't trust me ;]) or run in an Android emulator such as the one included with Android Studio (https://developer.android.com/sdk/index.html).

Good Luck!

$ shasum *
e74061c5348fef33d00f5f4f2aee9e921c591129  flick-check-dist.apk
e6fbcd5aab5ed95c54d02855fdfbad74587f3db7  flickII-dist.ova

Note: VMware will complain about the OVF specification. Just click Retry on the import and everything should be OK!

Shouts:

@barrebas for testing and patience
@s4gi_ for testing and the inspiration

  __ )    _ \      \    _ _|   \  |   _ \    \      \  |     _ _| _ _| _ _| 
  __ \   |   |    _ \     |     \ |  |   |  _ \      \ |       |    |    |  
  |   |  __ <    ___ \    |   |\  |  ___/  ___ \   |\  |       |    |    |  
 ____/  _| \_\ _/    _\ ___| _| \_| _|   _/    _\ _| \_|     ___| ___| ___|

                                                            by superkojiman
                                                            techorganic.com

DISCLAIMER

By using this virtual machine, you agree that in no event will I be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of or in connection with the use of this software.

TL;DR: If something bad happens, it's not my fault.

SETUP

Brainpan 3 has been tested and found to work with VMware Player, VMware Fusion, and Virtual Box.

Check to make sure Brainpan_III.ova has the following checksums so you know your download is intact:

MD5 : 170e0d8b26ab721587537fcde69087a0

SHA1: ed9ae53c556a1ce6988b3a54621dd6469c8b8aa5

Import Brainpan_III.ova into your preferred hypervisor and configure the network settings to your needs. It will get an IP address via DHCP, but it's recommended you run it within a NAT network or one visible only to the host OS, since it is vulnerable to attacks.

GOAL

Get root and get the flag.

TESTERS

  • barrebas : https://twitter.com/barrebas
  • Swappage : https://twitter.com/Swappage

Darknet has a bit of everything: a sauce with a touch of makeup and frustration that I hope will lead to hours of fun (and migraines) for whoever dares to conquer its chambers.

As usual, the target is to read the contents of the file /root/flag.txt, obviously once you have climbed to the privileges necessary to accomplish the task.

The image can be mounted with VirtualBox. The machine has DHCP enabled, so once it is automatically assigned an IP address on the network, the next step will be to identify the target and discover the service(s) to start the game. Good luck! If you want to send in walkthroughs in PDF format, you can do so at the following address: s3csignal [at] gmail [dot] com

This exercise covers the exploitation of a session injection in the Play framework. This issue can be used to tamper with the content of the session while bypassing the signing mechanism.