Single
single series all timeline

Kevgir

by canyoupwn.me

Multi Vulnerable Virtual Machine

For Educational Purposes

Kevgir has designed by canyoupwnme team for training, hacking practices and exploiting. Kevgir has lots of vulnerable services and web applications for testing. We are happy to announced that.

Have fun!

Default username:pass => user:resu

  • Bruteforce Attacks
  • Web Application Vulnerabilities
  • Hacking with Redis
  • Hacking with Tomcat, Jenkins
  • Hacking with Misconfigurations
  • Hacking with CMS Exploits
  • Local Privilege Escalation
  • And other vulnerabilities.
more...
Kevgir: 1
15 Feb 2016
 by 
CanYouPwn.Me
ellipsis 
         _         _            _        _   _        _            _
        /\ \      /\ \         /\ \     /\_\/\_\ _   /\ \         /\ \
       /  \ \    /  \ \        \ \ \   / / / / //\_\/  \ \       /  \ \
      / /\ \ \  / /\ \ \       /\ \_\ /\ \/ \ \/ / / /\ \ \     / /\ \ \
     / / /\ \_\/ / /\ \_\     / /\/_//  \____\__/ / / /\ \_\   / / /\ \_\
    / / /_/ / / / /_/ / /    / / /  / /\/________/ /_/_ \/_/  / / /_/ / /
   / / /__\/ / / /__\/ /    / / /  / / /\/_// / / /____/\    / / /__\/ /
  / / /_____/ / /_____/    / / /  / / /    / / / /\____\/   / / /_____/
 / / /     / / /\ \ \  ___/ / /__/ / /    / / / / /______  / / /\ \ \
/ / /     / / /  \ \ \/\__\/_/___\/_/    / / / / /_______\/ / /  \ \ \
\/_/      \/_/    \_\/\/_________/       \/_/\/__________/\/_/    \_\/

Installation

1) Run the OVA in a VM and connect to the webserver 2) Have Fun!

Made by

couchsofa

Thanks to

morbidick einball sarah

I would probably have never finished', this project without you guys ;)',

mostley

For hinting me to Erik Österberg's Terminal.js

0xBEEF

For providing fuel in the form of fudge and premium grilled goods

More information: http://wiki.fablab-karlsruhe.de/doku.php?id=projekte:primer

Motivation

A friend wanted to get into some simple exploits. I suggested starting out with web security, she was all for it. But when I started browsing vulnhub and the likes I couldn't find anything like I had in mind. So I wrote my own.

Concept

This is a story based challenge written in a style heavily inspired by Neil Stephensons Snow Crash and William Gibsons Sprawl Trilogy. Each chapter is unlocked by solving the puzzle. From hardcoded clear text javascript password checks, SQL-injections and cracking hashes to a simulated terminal. You only need to start the VM, a webserver will come up and you can connect with your browser. In fact you never have to leave the browser.

Goal

Teach some basic well known techniques and attacks. Spark some curiosity, make the user look at the source code and try to figure out what's going on behind the scenes. The main goal is to give a nice welcoming intro to the scene and hopefully also teach something about ethics and responsibility.

Change log

v1.0.1 - 2016-01-15: https://twitter.com/CouchSofa/status/688129147848138752 v1.0.0 - 2015-10-27: https://twitter.com/CouchSofa/status/659148660152909824

more...
PRIMER: 1.0.1
15 Jan 2016
 by 
Arne Rick
ellipsis

About:

Name: Fristileaks 1.3
Author: Ar0xA
Series: Fristileaks
Style: Enumeration/Follow the breadcrumbs
Goal: get root (uid 0) and read the flag file
Tester(s): dqi, barrebas
Difficulty: Basic

Description:

A small VM made for a Dutch informal hacker meetup called Fristileaks. Meant to be broken in a few hours without requiring debuggers, reverse engineering, etc..
more...
FristiLeaks: 1.3
14 Dec 2015
 by 
Ar0xA
ellipsis

NETinVM

A tool for teaching and learning about systems, networks and security

Authors: Carlos Perez & David Perez Date: 2016-11-03

Introduction

NETinVM is a VMware virtual machine image that provides the user with a complete computer network. For this reason, NETinVM can be used for learning about operating systems, computer networks and system and network security.

In addition, since NETinVM is a VMware image, it can be used for demonstrations (i.e. in classrooms) that can be reproduced by students either in a laboratory or on their own laptop and thus, at home, at the library... For these reasons we present NETinVM as an educational tool.

Description of NETinVM

NETinVM is a VMware virtual machine image that contains, ready to run, a series of User-mode Linux (UML) virtual machines. When started, the UML virtual machines create a whole computer network; hence the name NETinVM, an acronym for NETwork in Virtual Machine. This virtual network has been called 'example.net' and has fully qualified domain names defined for the systems: 'base.example.net', 'fw.example.net', etc.

All of the virtual machines use the Linux operating system. The VMware virtual machine is called 'base' and it runs openSUSE 13.2. User-mode Linux machines use Debian 6.0 and they have different names depending on their network location, because they are grouped into three different subnets: corporate, perimeter and external. The subnetworks are named 'int' (for internal network), 'dmz' (for DMZ or demilitarized zone, usually used as a synonym for perimeter network) and 'ext' (for external network).

One of the UML machines, 'fw', interconnects the three networks ('int, 'dmz' and 'ext'), allowing for communication and packet filtering. The rest of the UML machines have only one network interface, connected to the network they are named after:

int<X> + UMLs connected to the internal network. can take values from 'a' to 'f', both inclusive. These machines only offer SSH service by default.

dmz<X> + UMLs connected to the perimeter network (DMZ). They are supposed to be bastion nodes. Two preconfigured bastion nodes are provided, each one with its appropriate alias: + 'dmza' is aliased as 'www.example.net' and it offers HTTP and HTTPS services. + 'dmzb' is aliased as 'ftp.example.net' and it offers FTP.

ext<X> + UMLs connected to the external network (ie: Internet). Because a picture paints a thousand words, or so they say, the following figure shows NETinVM with all of the virtual machines running inside.

General view of NETinVM in VMware. The document example-net.pdf offers a detailed view.

All of the elements referenced before are shown in the image with their IP and ethernet addresses. The following rules have been used for assigning addresses:

  • IP addresses are of the form 10.5.., where is either 0 ('ext'), 1 ('dmz') or 2 ('int'), and is either 10 for 'exta', 'dmza' or 'inta', 11 for 'b' and so on up to 15 for 'f'.
  • Network masks are 24 bits (255.255.255.0).
  • Ethernet addresses are CA:FE:00:00:0:0, where is either 0, 1 or 2 (following the same domain rule as IP addressing) and is either a, b, c, d, e or f.
  • The interfaces of 'fw' use 254 for IP and FE for ethernet.
  • The interfaces of 'base' use 1 for IP and 01 for ethernet.

In addition to the computers and networks already described, the figure also shows the real computer where NETinVM runs ('REAL COMPUTER') and VMware Player's typical network interface ('vmnet8'), which optionally interconnects NETinVM's networks with the external word.

When they boot, all UML virtual machines get their network configuration from 'base', which provides DHCP and DNS services to the three NETinVM networks through its interfaces 'tap0', 'tap1' and 'tap2'.

Routing works as follows:

  • The default gateway for the internal and perimeter networks (machines 'int' and 'dmz') is 'fw' (more specifically, the IP address of 'fw' in the corresponding internal or perimeter subnet).
  • The default gateway for 'fw' is 'base' (its external network address). 'base' (its external network address) is also the default gateway for machines in the external network ('ext'), but they are configured to use 'fw' (external network address) as the gateway for accessing machines in the perimeter and internal networks.
  • 'fw' applies NAT (SNAT, Masquerading) to all network traffic coming into it from the internal and perimeter networks and going out through its interface in the external network. So, these packets get to the external network with a source IP address of 10.5.0.254 (fw's IP address in the external network)
  • Thus, IP traffic exchanged among the three networks goes through 'fw', while traffic going out from NETinVM to the external world goes through 'fw' if (and only if) it comes from the internal or perimeter networks. All traffic going to the real world (outside NETinVM) exits through 'base' which, as 'fw' does, applies IP forwarding and NAT to this outgoing traffic.

Communication between 'base' and any UML machine, in both directions, is direct, without going through 'fw'. (When the communication is started from a UML machine, the IP address of the interface of 'base' in the corresponding network must be used.) This configuration permits access from 'base' to all UML machines using SSH independently of the packet filtering configuration at 'fw'.

As an additional consideration, please note that the SNAT configuration in 'fw' described above is necessary for responses to outgoing connections to the Internet originating from the internal or perimeter networks to come back through 'fw'. Otherwise they would be routed directly from 'base' to the UML machine through 'tap1' or 'tap2' without traversing 'fw'.

more...
NETinVM: November 3, 2016
3 Nov 2016
 by 
Carlos Perez & David Perez
ellipsis 
Title: The Wall
File: thewall.ova
md5sum: a5e6ebde160239bce605cca8e1cf207d
Size: 299.4MB
Hypervisor: Created with VMWare Fusion.  Tested with vmware (fusion) and virtualbox.
Author:  @xerubus
Test Bunnies:  Rasta Mouse and TheColonial
Difficulty: Intermediate

This boot2root box is exclusive to VulnHub. If you have a crack at the challenge, please consider supporting VulnHub for the great work they do for our offsec community.

Description

In 1965, one of the most influential bands of our times was formed.. Pink Floyd. This boot2root box has been created to celebrate 50 years of Pink Floyd's contribution to the music industry, with each challenge giving the attacker an introduction to each member of the Floyd.

You challenge is simple... set your controls for the heart of the sun, get root, and grab the flag! Rock on!

Notes

  • DHCP (Automatically assigned)
  • IMPORTANT: The vm IS working as intended if you receive a successful DHCP lease as seen in the boot up sequence.
  • 'thewall' vm must be on the same subnet as the attacking machine AND the attacking machine should ideally be a vm on the same network as 'thewall'. If you choose to use a physical box as the attacking machine, 'thewall' must exist on the same network via a bridged interface.
more...
The Wall: 1
27 Nov 2015
 by 
Xerubus
ellipsis

I created this machine to help others learn some basic CTF hacking strategies and some tools. I aimed this machine to be very similar in difficulty to those I was breaking on the OSCP.

This is a boot-to-root machine will not require any guest interaction.

There are two designed methods for privilege escalation.

  • 23/09/2015 == v1.0.1
  • 22/09/2015 == v1.0

If you are having issues with VirtualBox, try the following:

  • Downloaded LordOfTheRoot_1.0.1.ova (confirmed file hash)
  • Downloaded and installed VMWare ovftool.
  • Converted the OVA to OVF using ovftool.

  • Modified the OVF using text editor, and did the following:

    replaced all references to "ElementName" with "Caption" replaced the single reference to "vmware.sata.ahci" with "AHCI"

  • Saved the OVF. +Deleted the .mf (Manifest) file. If you don't you get an error when importing, saying the SHA doesn't match for the OVF (I also tried modifying the hash, but no luck).

  • Try import the OVF file, and it should work fine.

Source: https://twitter.com/dooktwit/status/646840273482330112

more...
Lord Of The Root: 1.0.1
23 Sep 2015
 by 
KookSec
ellipsis

The Challenge:

You are looking for two flags. Using discovered pointers in various elements of the running web application you can deduce the first flag (a downloadable file) which is required to find the second flag (a text file). Look, read and maybe even listen. You will need to use basic web application recon skills as well as some forensics to find both flags.

Level: Intermediate

Description:

The virtual machine comes in an OVA format, and is a generic 32 bit CentOS Linux build with a single available service (HTTP) where the challenge resides. Feel free to enable bridged networking to have the VM automatically be assigned a DHCP address. This VM has been tested in VMware Workstation 12 Player (choose "Retry" if needed), and VirtualBox 4.3.

SHA1: f60f497f3f8fda0d0aeccfc84dad8e19ad164f55 Challenge.ova

Twitter: @SpyderSec

more...
SpyderSec: Challenge
4 Sep 2015
 by 
SpyderSec
ellipsis

Codename: NB0x01

Download: ly0n.me/nullbyte/NullByte.ova.zip

Objetcive: Get to /root/proof.txt and follow the instructions.

Level: Basic to intermediate.

Description: Boot2root, box will get IP from dhcp, works fine with virtualbox&vmware.

Hints: Use your lateral thinking skills, maybe you’ll need to write some code.

more...
NullByte: 1
1 Aug 2015
 by 
ly0n
ellipsis

Darknet has a bit of everything, a sauce with a touch of makeup and frustration that I hope will lead hours of fun for migraines and who dares to conquer his chambers.

As the target gets used will read the file contents /root/flag.txt obviously once climbed the privileges necessary to accomplish the task.

The image can be mounted with VirtualBox . The machine has DHCP active list so once automatically assign an IP network, the next step will be to identify the target and discover the / the service / s to start the game. Good luck !. If you want to send in pdf format solucionarios can do so at the following address: s3csignal [at] gmail [dot] com

more...
Darknet: 1.0
2 May 2015
 by 
q3rv0
ellipsis

Our resident ROP ninja barrebas recently gave the team a bootcamp on Return Oriented Programming. The presentation was followed by a demo walkthrough on writing a ROP exploit on a vulnerable application. Since the presentation was well received, he’s decided to make the slides available to everyone. You can view them at https://speakerdeck.com/barrebas/rop-primer.

We hope you enjoy it!

Username: root
Password: toor

Username: level0
Password: warmup

ROP Primer
----------

This VM is meant as a small introduction to 32-bit return-oriented-programming on Linux. It contains three vulnerable binaries, that must be exploited using ROP.

The machine is built and tested in VirtualBox 4.3.20. It's an Ubuntu 32 bit VM, with ASLR disabled. Useful tools like gdb-peda are installed. A description of the levels, including instructions, can be found on the webserver.

A big shout-out to my team mates of the Vulnhub CTF Team!

@barrebas, March 2015 & June 2015

rop-primer-v0.2.ova:
---------------
MD5:  840c75497f54578497a6e44df2f96047
SHA1: 2cb14d78fd1ff7b5a7895447969fde8ca9c06ef3
more...
ROP Primer: 0.2
13 Jun 2015
 by 
Bas
ellipsis 
Sokar

Filename:  sokar.ova
MD5:  75f5c48e65fa81dc81ef3b58b7ee6bab
SHA1:  5f4aca536898bf962bfcfd2aaccb66fda1ab790a
Author:  Rasta Mouse
Testers:  Barrebas & TheColonial

=====
Notes
=====
DHCP (Automatically Assigned)

    Special note to VMWare users - you must manually set the
    NIC MAC address to 08:00:27:F2:40:DB

Get root, then the flag!
more...
Sokar: 1
30 Jan 2015
 by 
Rasta Mouse
ellipsis
  • Objective: gain shell access for each level. Then reach root.
  • Note: figure out what the blips are, where they are, and how to decode each one.
more...
The Frequency: 1
7 Jan 2015
 by 
strata
ellipsis
This website uses 'cookies' to give you the best, most relevant experience. Using this website means you're happy with this. You can find out more about the cookies used by clicking this link (or by clicking the 'Privacy Policy' link at the top of any page).