____  __.                     __              ____  __.                     __      ____
|    |/ _| ____   ____   ____ |  | __         |    |/ _| ____   ____   ____ |  | __ /_   |
|      <  /    \ /  _ \_/ ___\|  |/ /  ______ |      <  /    \ /  _ \_/ ___\|  |/ /  |   |
|    |  \|   |  (  <_> )  \___|    <  /_____/ |    |  \|   |  (  <_> )  \___|    <   |   |
|____|__ \___|  /\____/ \___  >__|_ \         |____|__ \___|  /\____/ \___  >__|_ \  |___|
        \/    \/            \/     \/                 \/    \/            \/     \/

Pretty much thought of a pretty neat idea I hadn't seen done before with a VM, and I wanted to turn it into reality!

Your job is to escalate to root, and find the flag.

Since I've gotten a few PM's, remember: There is a difference between "Port Unreachable" and "Host Unreachable". DHCP is not broken ;)

Gotta give a huge shoutout to c0ne for helping to creating the binary challenge, and rasta_mouse and recrudesce for testing :)

Also, gotta thank barrebas who was able to find a way to make things easier... but of course that is fixed with this update! ;)

MD5 -- 3b6839a28b4be64bd71598aa374ef4a6 knock-knock-1-1.ova

SHA1 -- 0ec29d8baad9997fc250bda65a307e0f674e4180 knock-knock-1-1.ova

Feel free to hit me up in #vulnhub on freenode -- zer0w1re

Kvasir 1

Filename: kvasir1.ova

MD5: e987e8bbe319db072246ab749912ea91

SHA1: 029a59188cd3375fa50a5115db561f8a8ef69d4a

Author: Rasta Mouse

Testers: Barrebas & OJ

Notes to the Player

As part of the challenge, Kvasir utilises LXC to provide kernel isolation. When the host VM boots, it takes can take a little bit of time before the containers become available.

It is therefore advised to wait 30-60 seconds after the login prompt is presented, before attacking the VM.

A few other pointers:

• Not every LXC is ‘rootable’
• No SSH brute-forcing is required

The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :)

Difficulty is beginner++ to intermediate.

The VM should pull a valid IP from DHCP. This VM has been verified to work on VMware workstation 5, VMware player 5, VMware Fusion, and Virtual box. Virtual box users may need to enable the additional network card for it to pull a valid IP address.

Special thanks to @Eagle11, @superkojiman and @leonjza for suffering through the testing and the members of #overflowsec on freenode for giving me ideas.

If you have issues with the machine, feel free to contact me at @Maleus21 or maleus overflowsecurity.com.

-Maleus

www.overflowsecurity.com

----------------
bee-box - README
----------------

bee-box is a custom Linux VM pre-installed with bWAPP.

With bee-box you have the opportunity to explore all bWAPP vulnerabilities!
bee-box gives you several ways to hack and deface the bWAPP website.
It's even possible to hack the bee-box to get root access...

This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education.
IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC GAMES and bWAPP projects on our blog.

We offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location!
More info: http://goo.gl/ASuPa1 (pdf)

Enjoy!

Cheers

Malik Mesellem
Twitter: @MME_IT

-----------------------
bee-box - Release notes
-----------------------

v1.6
****

Release date: 2/11/2014

bWAPP version: 2.2

New features:

- Vulnerable Drupal installation (Drupageddon)

Bug fixes: /

Modifications: /


v1.5
****

Release date: 27/09/2014

bWAPP version: 2.1

New features:

- CGI support (Shellshock ready)

Bug fixes: /

Modifications: /


v1.4
****

Release date: 12/05/2014

bWAPP version: 2.0

New features:

- Lighttpd web server installed, running on port TCP/9080 and TCP/9443
- PHP SQLite module installed
- SQLiteManager 1.2.4 installed
- Vulnerable bWAPP movie network service (BOF)

Bug fixes: /

Modifications: /


v1.3
****

Release date: 19/04/2014

bWAPP version: 1.9+

New features:

- Nginx web server installed, running on port TCP/8080 and TCP/8443
- Nginx web server configured with a vulnerable OpenSSL version (heartbleed vulnerability)
- Insecure distcc (a fast, free distributed C/C++ compiler)
- Insecure NTP configuration
- Insecure SNMP configuration
- Insecure VNC configuration

Bug fixes:

- bWAPP update script checks for Internet connectivity

Modifications: /


v1.2
****

Release date: 22/12/2013

bWAPP version: 1.8

New features:

- Apache modules enabled: rewrite, include, headers, dav, action
- Apache server-status directive enabled
- Insecure anonymous FTP configuration
- Insecure WebDAV configuration
- Server-Side Includes configuration
- Vulnerable PHP CGI configuration

Bug fixes: /

Modifications:

- MySQL listening on 0.0.0.0
- New bWAPP update script


v1.1
****

Release date: 12/09/2013

bWAPP version: 1.5

New features:

- bWAPP update script

Bug fixes: /

Modifications: /


v1.0
****

Release date: 15/07/2013

bWAPP version: 1.4

New features: /

Bug fixes: /

Modifications: /

-----------------
bee-box - INSTALL
-----------------

bee-box is a custom Linux VM pre-installed with bWAPP.

With bee-box you have the opportunity to explore all bWAPP vulnerabilities!
bee-box gives you several ways to hack and deface the bWAPP website.
It's even possible to hack the bee-box to get root access...


Requirements
////////////

*/ Windows, Linux or Mac OS
*/ VMware Player, Workstation, Fusion or Oracle VirtualBox


Installation steps
//////////////////

No! I will not explain how to install VMware or VirtualBox...

*/ Extract the compressed file.

*/ Double click on the VM configuration file (bee-box.vmx), or import the VM into the VMware software.

*/ Start the VM. It will login automatically.

*/ Check the IP address of the VM.

*/ Go to the bWAPP login page. If you browse the bWAPP root directory you will be redirected.

    example: http://[IP]/bWAPP/
    example: http://[IP]/bWAPP/login.php

*/ Login with the default bWAPP credentials, or make a new user.

    default credentials: bee/bug

*/ You are ready to explore and exploit the bee!


Notes
/////

*/ Linux credentials:

    bee/bug
    root/bug

*/ MySQL credentials:

    root/bug

*/ Modify the Postfix settings (relayhost,...) to your environment.

    config file: /etc/postfix/main.cf

*/ bee-box gives you several ways to deface the bWAPP website.
   It's even possible to hack the bee-box to get root access...

   Have fun!

*/ Take a snapshot of the VM before hacking the bee-box.
   There is also a backup of the bWAPP website (/var/www/bWAPP_BAK).

*/ To reinstall the bWAPP database, delete the database with phpmyadmin (http://[IP]/phpmyadmin/).
   Afterwards, browse to the following page: https://[IP]/bWAPP/install.php

*/ Don't upgrade the Linux operating system, you will lose all fun :)


This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education.
IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC GAMES and bWAPP projects on our blog.

We offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location!
More info: http://goo.gl/ASuPa1 (pdf)

Enjoy!

Cheers

Malik Mesellem
Twitter: @MME_IT

Underc0de Weekend is a weekly challenge we (underc0de) are doing. The goal is to be the first to resolve it, to earn points and prizes (http://underc0de.org/underweekend.php).

Enjoy

Pegasus

         .-.
   %%%%,/   :-.
   % `%%%, /   `\   _,
   |' )`%%|      '-' /            Filename:   pegasus.ova
   \_/\  %%%/`-.___.'             MD5:        5046e330ff42e9adee0a42b63694cbfe
    __/  %%%"--"""-.%,            SHA1:       f18b7437ca3c96f76a2e1b06f569186b63567dd5
  /`__|  %%         \%%           Difficulty: Intermediate
  \\  \   /   |     /'%,          Author:     Knaps
   \]  | /----'.   < `%,          Tester:     Mulitia
       ||       `>> >
       ||       ///`
       /(      //(

Welcome to my first boot2root VM! Inspired by various CTF events I took part in and by couple cool concepts I learnt in the last couple months.

Rules of engagement are simple - find a way in, escalate your privileges all the way up to the root and get the flag!

As with all VMs like this, think outside the box, don't jump to conclusions too early and "read between the lines" :)

The VM has been tested on VMWare and VirtualBox, just import it, ensure the network is set as "Host Only" and run it. It should pick up the IP address automatically.

Enjoy! :)

• Objective: gain shell access and root the box.
• Hardness: intermediate-> advanced.
• Note: The box doesn't respond to ping, so be sure to check the DHCP lease.

-=Pandora's Box =-
               ___
             (((((\\
              6_6 ((,
          __ -\_ __\--.
       ,-',\\` '//,\_  \
      |.----&----. \ `. \
      (__,___,__(_  \   |
  _____|        | |__`--'____
       |________|,'        hjw

Filename: pandoras_b0x.ova
MD5: bf3eb20ca837edccc7edbf627e095bbd
SHA1: 52652bb5f886f1253ff43a21536bc4fe09bdd201
Author: c0ne
Testers: Barrebas / Jelle
Difficulty: Medium

About:
Pandora's box is a Boot2Root VM focused on binary exploitation and
reverse engineering. You have to complete all levels to r00t the box.
Some levels come with a readme file which you should read.

Usage:
Import, boot and wait 60 seconds for everything to start up before
scanning it.

Shootout:
Major thanks to Barrebas and Jelle for testing the VM and challenges
and the feedback.


c0ne

• Objective: gain shell access for each level. Then reach root.
• Note: figure out what the blips are, where they are, and how to decode each one.

Sokar

Filename:  sokar.ova
MD5:  75f5c48e65fa81dc81ef3b58b7ee6bab
SHA1:  5f4aca536898bf962bfcfd2aaccb66fda1ab790a
Author:  Rasta Mouse
Testers:  Barrebas & TheColonial

=====
Notes
=====
DHCP (Automatically Assigned)

    Special note to VMWare users - you must manually set the
    NIC MAC address to 08:00:27:F2:40:DB

Get root, then the flag!

The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. If you can find the secret, send me an email for verification. :)

There are a couple of different ways that you can go with this one. Good luck!

Simply download and import the OVA file into virtualbox!

ZORZ is another VM that will challenge your webapp skills. There are 3 separate challenges (web pages) on this machine. It should be pretty straight forward. I have explained as much as I can in the readme file:

Welcome to the ZorZ VM Challenge

This machine will probably test your web app skills once again. There are 3 different pages that should be focused on (you will see!) If you solve one or all three pages, please send me an email and quick write up on how you solved each challenge. Your goal is to successfully upload a webshell or malicious file to the server. If you can execute system commands on this box, thats good enough!!! I hope you have fun!

admin@top-hat-sec.com

Our resident ROP ninja barrebas recently gave the team a bootcamp on Return Oriented Programming. The presentation was followed by a demo walkthrough on writing a ROP exploit on a vulnerable application. Since the presentation was well received, he’s decided to make the slides available to everyone. You can view them at https://speakerdeck.com/barrebas/rop-primer.

We hope you enjoy it!

New VM challenge that should be fun for people trying to get into packet analysis!

There are several steps to this box. I created it with virtualbox. The VM is built on:

Ubuntu 14.04 32 bit

If you beat the box then please shoot me an email! Have fun guys!

P.S. I got the word "Fart Knocker" from watching beavis and butthead back in the day. Otherwise you kids might not understand :)

This exercise covers the exploitation of a session injection in the Play framework. This issue can be used to tamper with the content of the session while bypassing the signing mechanism

Darknet has a bit of everything, a sauce with a touch of makeup and frustration that I hope will lead hours of fun for migraines and who dares to conquer his chambers.

As the target gets used will read the file contents /root/flag.txt obviously once climbed the privileges necessary to accomplish the task.

The image can be mounted with VirtualBox . The machine has DHCP active list so once automatically assign an IP network, the next step will be to identify the target and discover the / the service / s to start the game. Good luck !. If you want to send in pdf format solucionarios can do so at the following address: s3csignal [at] gmail [dot] com

Welcome to the challenge.

This VM is designed to try and entertain the more advanced information security enthusiast. This doesn't exclude beginners however and I'm sure that a few of you could meet the challenge. There is no 'one' focus on the machine, a range of skills such as web exploitation, password cracking, exploit development, binary examination and most of all logical thinking is required to crack the box in the intended way - but who knows there might be some short cuts!

A few of the skills needed can be seen in some posts on http://netsec.ws. Otherwise enjoy the experience - remember that although vulnerabilities might not jump out at you straight away you may need to try some variations on the normal to get past the protections in place!

Feel free to discuss the experience on the #vulnhub irc channel on irc.freenode.net. If you want any hints feel free to PM my nick on there (Peleus). You won't get any, but I'll feel all warm and fuzzy inside knowing you're suffering.

Enjoy.

Difficulty

Beginner

Details

This exercise covers the exploitation of a session injection in the Play framework

What you will learn?

• Session injection
• Play framework
• Play's cookies

____   ___  ____  ___  __ ____   ___  ____     ____     ____
`MM(   )P' 6MMMMb `MM 6MM `MM(   )P' 6MMMMb   6MMMMb\  6MMMMb
 `MM` ,P  6M'  `Mb MM69 "  `MM` ,P  6M'  `Mb MM'    ` MM'  `Mb
  `MM,P   MM    MM MM'      `MM,P   MM    MM YM.           ,MM
   `MM.   MMMMMMMM MM        `MM.   MMMMMMMM  YMMMMb      ,MM'
   d`MM.  MM       MM        d`MM.  MM            `Mb   ,M'
  d' `MM. YM    d9 MM       d' `MM. YM    d9 L    ,MM ,M'
_d_  _)MM_ YMMMM9 _MM_    _d_  _)MM_ YMMMM9  MYMMMM9  MMMMMMMM



                Welcome.

                Before you lies the mainframe of XERXES.
                Compromise the subsystems and gain access to /root/flag.txt

                                XERXES wishes you
                                 a pleasant stay.



                @barrebas


                Shoutout & Thanks
                -----------------
                Many thanks to
                        TheColonial (@TheColonial) & rasta_mouse (@_RastaMouse)
                for testing!


                File information
                ----------------
                xerxes2.vmdk:

                md5   : 724d4be6ecd126d4591f487d1710f7af
                sha1  : 7978e6dde9e589c5ea90561502b297a8e08147a4

Morning Catch is a VMware virtual machine, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks and post-exploitation.

On this virtual machine, you will find: a website for a fictitious seafood company, self-contained email infrastructure to receive phishes, and two desktop environments. One desktop environment is a vulnerable Linux client-side attack surface. The other is a vulnerable Windows client-side attack surface.

Morning Catch uses a bleeding edge version of WINE to run a few vulnerable Windows applications AND experiment with post-exploitation tools in a fun and freely re-distributable environment.

Login Screen

Your use of Morning Catch starts with the login screen.

Boyd Jenius is the Systems Administrator and his password is ‘password’. Login as Boyd to get to the vulnerable Linux desktop.

Richard Bourne is Morning Catch’s CEO and his password is also ‘password’. Login as Richard to get to the vulnerable Windows desktop.

You can also RDP into the Morning Catch environment.

Windows Desktop

Richard’s desktop includes the Windows’ versions of Firefox, Thunderbird, Java, and putty. Open up Thunderbird to check Richard’s email.

You can send a phish to him too. This VM includes a mail server to receive email for users at the morningcatch.ph domain. Open up a terminal and find out the IP address of the VM. Make sure you relay messages through this server. Use [email protected] as the address.

Are you looking for some attacks to try? Here are a few staples:

Spin up a malicious Java Applet and visit it as Richard. The Firefox add-on attack exploit in the Metasploit Framework is a great candidate. Or, generate an executable with your payload and run it as Richard. I’m sure he won’t mind. Morning Catch’s WINE environment runs post-exploitation payloads, to include Windows Meterpreter and Beacon, without too much trouble.

Linux Desktop

Boyd’s desktop is the vulnerable Linux attack surface. Boyd has the Linux versions of Firefox, Java, and Thunderbird. Boyd also has an SSH key for the Metasploitable 2 virtual machine. Try to ssh to Metasploitable 2 as root and see what happens.

Webmail

Morning Catch also includes RoundCube webmail for all of its users. Use this as a target to clone and harvest passwords from.

Hopes and Dreams

Morning Catch isn’t a replacement for a vulnerable Windows lab. It’s a safe and freely redistributable target to experiment with phishing and client-side attacks. It’s my hope that this environment will help more people experiment with and understand these attacks better.

Are you in Las Vegas for BlackHat USA or DEF CON? Stop by the Black Hat Arsenal on Wednesday at 10am for a demo of this new environment and a Morning Catch sticker. I’m also giving away DVDs with a revised Cobalt Strike pen testing lab that uses Morning Catch. Find me at the Cobalt Strike kiosk in the Innovation City portion of the Black Hat USA Exhibitor Hall. I will also give away these DVDs at the Cobalt Strike table in the DEF CON vendor area.