This vulnerable-by-design box depicts a hacking company known as H.A.S.T.E, or Hackers Attack Specific Targets Expeditiously, capable of bringing down any domains on their hit list.

I would like to classify this challenge with medium difficulty, requiring some trial and error before a successful takeover can be attained.

This exercise covers the exploitation of the Struts S2-052 vulnerability

C0m80 Boot2Root

https://3mrgnc3.ninja/2017/09/c0m80/

About

This is my third public Boot2Root, This one is intended to be quite difficult compared to the last two.

But again, that being said, it will depend on you how hard it is :D

The theme with this one is all about 'enumeration, enumeration, enumeration', lateral thinking, and how to "combine" vulnerabilities in order to exploit a system.

Important Note

Once you have an IP insert it into your attack system /etc/hosts like this:

[dhcp-ip-address] C0m80.ctf

This VM will probably be different to other challenges you may have come across. With C0m80 You will be required to log in locally in the VirtualBox console window at some point. This, I know, may 'rile' some of the purists out there that say you should be able to compromise a boot2root fully remotely over a network. I agree to that in principle, and in this case I had intended to allow vnc or xrdp access. Alas, due to compatibility problems I had to make a compromise in this area in order to get the challenge published sooner rather than later.

It should be obvious at what point you need to log in. So when that time comes just pretend you are using remote desktop. ;D

Sorry, I hope you can forgive me.

Difficulty Rating

[Difficult] but depends on you really

Goal

There is only one goal here. Become God on the system and read the root flag.

I Hope You Enjoy It.

Download Link

https://3mrgnc3.ninja/files/C0m80_3mrgnc3_v1.0.ova

Details

• File: C0m80_3mrgnc3-v1.0.ova
• OS: WondawsXP ;D
• VM Type: VirtualBox
• IP Address: DHCP
• Size: 2.7 GB

Walkthroughs

Please leave feedback and comments below. Including any info on walkthroughs anyone wishes to publish, or bugs people find in the VM Image.

Alternatively email me at 3mrgnc3 at techie dot com

Many times while conducting a pentest, I need to script something up to make my life easier or to quickly test an attack idea or vector. Recently I came across an interesting command injection vector on a web application sitting on a client's internet-facing estate. There was a page, running in Java, that allowed me to type arbitrary commands into a form, and have it execute them. While developer-provided webshells are always nice, there were a few caveats. The page was expecting directory listing style output, which was then parsed and reformatted. If the output didn't match this parsing, no output to me. Additionally, there was no egress. ICMP, and all TCP/UDP ports including DNS were blocked outbound.

I was still able to leverage the command injection to compromise not just the server, but the entire infrastructure it was running on. After the dust settled, the critical report was made, and the vulnerability was closed, I thought the entire attack path was kind of fun, and decided to share how I went about it. Since I enjoy being a free man and only occasionally visit prisons, I've created a simple boot2root style VM that has a similar set of vulnerabilities to use in a walkthrough.

It is based on a real world scenario I faced while testing for a client's site. Dedicated to Aunty g0rmint who is fed up of this government (g0rmint).

Does anyone need to know about that Aunty to root the CTF? No

The CTF is tested on Vmware and working well as expected.

Difficulty level to get limited shell: Intermediate or advanced

Difficulty level for privilege escalation: No idea

Give me feed back @nomanriffat

Introduction

I'm really interesting about security, love to learn new technologies and play CTF sometime. I’ve been enjoying creating hacking challenges for the security community. This is my first Challenge of boot2root, I was created some web challenge and solved others.I hope you will get some knowledges about my challenge. Thanks u Laiwon . I love you.

Difficulty

Difficulty level to get limited shell: Intermediate or advanced

Difficulty level for privilege escalation: Depend on You.

Goal

You will be required to break into target server,exploit and root the machine, and retrieve the flag. The flag will contain more information about my private info..

Hints

This challenge is not for beginners. There is a relevant file on this machine that plays an important role in the challenge, do not waste your time trying to de-obfuscate the file, If you got big stuck, Try with Password start with "sec*" with nice wordlist. Ok.. Try Harder!..

• Homeless.zip (507MB) https://mega.nz/#!5aIB1IJZ!7N2HfO_HL_134-DMcbXKvVtG4aaakR_JMsc-T7Jtsjc

~Happy Hacking!...

Name: Gemini Inc v1

Date release: 2018-01-09

Author: 9emin1

Series: Gemini Inc

Description:

I have decided to create vulnerable machines that replicate the vulnerabilities and difficulties I’ve personally encountered during my last year (2017) of penetration testing.

Some of the vulnerabilities require the “Think out of the box (fun)” mentality and some are just plain annoyance difficulties that require some form of automation to ease the testing.

GeminiInc v1 has been created that replicate an issue that I’ve encountered which was really interesting and fun to tackle, I hope it will be fun for you guys as well.

Adding a little made-up background story to make it more interesting...

Introduction:

Gemini Inc has contacted you to perform a penetration testing on one of their internal system. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.

Tweet me your writeup @ https://twitter.com/sec_9emin1

File Information:

Filename: Gemini-Pentest-v1.zip

File size: 3283684247

SHA 1: 47ca8fb27b9a4b59aa6c85b8b1fe4df564c19a1e

Virtual Machine:

Format: Virtual Machine (VMWare)

Operating System: Debian

Networking:

DHCP Service : Enabled

IP Address: Automatically Assigned

More information can be obtained from my blog post on this vulnerable machine: https://scriptkidd1e.wordpress.com/

Intended solution will be provided some time after this has been published: https://scriptkidd1e.wordpress.com/geminiinc-v1-vm-walkthrough/

The VM has been tested on the following platform and is working:

• Mac OSX VMWare Fusion
• Windows 10 VMWare Player
• Windows 10 VMWare Workstation

It should work with any virtual machine player as well. It will be able to obtain an I.P Address with DHCP so no additional configuration is required. Simply import the downloaded VM and you are good to go.

THE ARM IoT EXPLOIT LABORATORY - Damn Vulnerable ARM Router (DVAR)

DVAR is an emulated Linux based ARM router running a vulnerable web server that you can sharpen your ARM stack overflow skills with.

DVAR runs in the tinysploitARM VMWare VM under a fully emulated QEMU ARM router image.

Simply extract the ZIP file and launch the VM via tinysploitARM.vmx. After starting up, the VM's IP address and default URL shall be displayed on the console. Using your host computer's browser, navigate to the URL and follow the instructions and clues. The virtual network adapter is set to NAT mode.

Your goal is to write a working stack overflow exploit for the web server running on the DVAR tinysploitARM target.

SHA256: 1f2bdd9ae4e44443dbb4bf9062300f1991c47f609426a1d679b8dcd17abb384c

DVAR started as an optional preparatory exercise for the ARM IoT Exploit Lab.

UPCOMING ARM IoT EXPLOIT LABORATORY TRAINING

RECON Brussels 2018 (4 day) January 29-Feb 1 https://recon.cx/2018/brussels/training/trainingexploitlab.html

Offensivecon Berlin 2018 (4 day) February 12-15 https://www.offensivecon.org/trainings/2018/the-arm-iot-exploit-laboratory-saumil-shah.html

Cansecwest Vancouver 2018 (4 day) March 10-13 https://cansecwest.com/dojos/2018/exploitlab.html

SyScan360 Singapore 2018 (4 day) March 18-21 https://www.coseinc.com/syscan360/index.php/syscan360/details/SYS1842#regBox

Helpful material

If you are new to the world of ARM exploitation, I highly recommend Azeria's excellent tutorials on ARM Assembly, ARM Shellcode and the basics of ARM exploitation.

https://azeria-labs.com/ Twitter: @Fox0x01

And these are three general purpose concepts oriented tutorials that every systems enthusiast must know:

Operating Systems - A Primer: http://www.slideshare.net/saumilshah/operating-systems-a-primer

How Functions Work: http://www.slideshare.net/saumilshah/how-functions-work-7776073

Introduction to Debuggers: http://www.slideshare.net/saumilshah/introduction-to-debuggers

EXPLOIT LABORATORY BLOG:

http://blog.exploitlab.net/

Saumil Shah @therealsaumil

Name: Gemini Inc v2

Date release: 2018-07-10

Author: 9emin1

Series: Gemini Inc

Description: I have decided to create vulnerable machines that replicate the vulnerabilities and difficulties I’ve personally encountered during my last year (2017) of penetration testing.

Some of the vulnerabilities require the “Think out of the box (fun)” mentality and some are just plain annoyance difficulties that require some form of automation to ease the testing.

GeminiInc v2 has been created that replicate a few issues that I’ve encountered which was really interesting and fun to tackle, I hope it will be fun for you guys as well.

Adding a little made-up background story to make it more interesting…

Introduction: Gemini Inc has contacted you to perform a penetration testing on one of their internal system. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.

Tweet me your writeup @ https://twitter.com/sec_9emin1

File Information:

• Filename: Gemini-Pentest-v2.zip
• File size: 2239959453
• SHA 1: 5f210dd9a52a701bab262a9def88009b1ca46300

Virtual Machine:

• Format: Virtual Machine (VMWare)
• Operating System: Debian

Networking:

• DHCP Service : Enabled
• IP Address: Automatically Assigned

More information can be obtained from my blog post on this vulnerable machine: https://scriptkidd1e.wordpress.com/

Intended solution will be provided some time after this has been published: https://scriptkidd1e.wordpress.com/geminiinc-v2-virtual-machine-walkthrough/

The VM has been tested on the following platform and is working:

• Mac OSX VMWare Fusion
• Windows 10 VMWare Player
• Windows 10 VMWare Workstation

It should work with any virtual machine player as well. It will be able to obtain an I.P Address with DHCP so no additional configuration is required. Simply import the downloaded VM and you are good to go.

I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.

I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.

I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be setup as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting.