The idea behind VulnVPN is to exploit the VPN service to gain access to the sever and ‘internal’ services. Once you have an internal client address there are a number of ways of gaining root (some easier than others).

Client VPN Configuration

I have created/uploaded the relevant files which can be obtained from the compressed file here. You’ll need to configure Openswan/xl2tpd on your system, if you’re using an Ubuntu based Linux variant you can follow the below steps – please note that I’ve used Backtrack 5r3 for all client testing (mentioned as I know it works well):

  1. apt-get install openswan xl2tpd ppp

  2. Copy the downloaded client files into the following locations:

    /etc/ipsec.conf

    /etc/ipsec.secrets

    /etc/ppp/options.l2tpd.client

    /etc/xl2tpd/xl2tpd.conf

  3. VulnVPN is located at 192.168.0.10 and the client configuration files state that the client IP address is 192.168.0.11. If you want your client to have a different address ensure you change the relevant settings in /etc/ipsec.conf.

  4. To establish a VPN connection run the following command: ipsec auto –up vpn (that’s two hyphens before up, they get lost in the post formatting). If you’re viewing the logs you should see something along the lines of ‘IPsec SA established’.

  5. If the connection succeeds (remember you’ll need to obtain the PSK before this is possible) you can run the ‘start-vpn.sh’ script (included with client config files download) or run the following command to initialise the PPP adaptor: echo “c vpn” > /var/run/xl2tpd/l2tp-control

  6. Run ip list or ifconfig and you should see that a new PPP adapter has been created and assigned an IP address (this may not be instant, give it a few seconds). If the adaptor fails to come up run the script/command again – I’ve come across this issue a few times.

Note: If you change your configuration/IP settings etc you’ll need to reload the relevant configuration files i.e. /etc/init.d/ipsec restart and/or /etc/init.d/xl2tpd restart

Troubleshooting

I realise that VPN’s can be very troublesome (setting this challenge up was bad enough), so I have allowed access to auth and ufw logs. These should help highlight issues you may be experiencing and can be found at http://192.168.0.10:81 (note port 81). Please note that hacking this page and associated scripts are not part of the challenge, rather they have been provided for assistance.

A useful config reference can also be found here: https://wiki.archlinux.org/index.php/L2TP/IPsec_VPN_client_setup

Download Information

Architecture: x86 Format: VMware (vmx & vmdk) compatibility with version 4 onwards RAM: 1GB Network: NAT – Static IP 192.168.0.10 (no G/W or DNS configured) Extracted size: 1.57GB Compressed (download size): 368MB – 7zip format – 7zip can be obtained from here Download VulnVPN from -HERE-

MD5 Hash of VulnVPN.7z: 9568aa4c94bf0b5809cb0a282fffa5c2

Download Client files from -HERE-

MD5 Hash of client.7z: e598887f2e4b18cd415ea747606644f6

As per usual, I shall add a related solutions post shortly. Until then, enjoy

Source: http://www.rebootuser.com/?p=1307

VulnVoIP is based on a relatively old AsteriskNOW distribution and has a number of weaknesses. The aim is to locate VoIP users, crack their passwords and gain access to the Support account voicemail.

Just to keep things interesting this particular disto also suffers from a known exploit from which it is relatively easy to gain a root shell. Once you've found the easy way, can you get root using a different method?

I've created these basic VoIP hacking training exercises as I found very limited resources online. Hopefully VulnVoIP will help others learn the basic fundamentals of VoIP hacking in a safe environment.

  • Architecture: x86
  • Format: VMware (vmx & vmdk) compatibility with version 4 onwards
  • RAM: 512MB
  • Network: NAT
  • Extracted size: 1.68GB
  • Compressed (download size): 552MB - 7zip format - 7zip can be obtained from here
  • MD5 Hash of VulnVoIP.7z: 1411bc06403307d5ca2ecae47181972a

Source: http://www.rebootuser.com/?p=1069

Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well at the time of release anyway!)

The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012. The details are as follows:

  • Architecture: x86
  • Format: VMware (vmx & vmdk) compatibility with version 4 onwards
  • RAM: 512MB
  • Network: NAT
  • Extracted size: 820MB
  • Compressed (download size): 194MB – 7zip format – 7zip can be obtained from here
  • MD5 Hash of Vulnix.7z: 0bf19d11836f72d22f30bf52cd585757

  • Download Vulnix from HERE -

The goal; boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish – excluding the actual hacking of the vmdk

Free free to contact me with any questions/comments using the comments section below.

Enjoy!

Source: http://www.rebootuser.com/?p=933