Instructions

The boot2root is a Debian virtual machine and has been fully tested using VMWare Workstation 12. The network interface of the virtual machine will take it's IP settings from DHCP.

Level

Beginner to Intermediate.

Description

Cyberry are eagerly anticipating the release of their new "Berrypedia" website, a life-long project which offers knowledge and insight into all things Berry!

Challenge

The challenge is to get root. Rooting this box will require a wide variety of skills and techniques, and you may find that there is more than one way to achieve this. Whilst the boot2root itself can technically be completed offline, you will almost certainly require some form of internet access (Search engine) at your disposal to move forward past some of the challenges. If you get completely stuck please tweet us @cyberrysec for a hint.

We really look forward to reading the walkthroughs on vulnhub of how you achieved root :-)

Difficulty: Beginner/Intermediate

About: This is the VM used in the online qualifications phase of the CTF-USF 2017 (Capture the Flag - Suceava University) contest which addresses to universities students. The VM was created by Oana Stoian (@gusu_oana) and Teodor Lupan (@theologu) from Safetech Innovations, the technical partner of the contest.

Instructions: The CTF is a virtual machine and has been tested in Virtual Box. The network interface of the virtual machine will take it's IP settings from DHCP.

Flags: There are 5 flags that should be discovered in form of: Country_name Flag: [md5 hash]. In CTF platform of the CTF-USV competition there was a hint available for each flag, but accessing it would imply a penalty. If you need any of those hints to solve the challenge, send me a message on Twitter @gusu_oana and I will be glad to help. The countries that should be tracked for flags are: Croatia, France, Italy, Laos, Phillippines

Name: Gemini Inc v1

Date release: 2018-01-09

Author: 9emin1

Series: Gemini Inc

Description:

I have decided to create vulnerable machines that replicate the vulnerabilities and difficulties I’ve personally encountered during my last year (2017) of penetration testing.

Some of the vulnerabilities require the “Think out of the box (fun)” mentality and some are just plain annoyance difficulties that require some form of automation to ease the testing.

GeminiInc v1 has been created that replicate an issue that I’ve encountered which was really interesting and fun to tackle, I hope it will be fun for you guys as well.

Adding a little made-up background story to make it more interesting...

Introduction:

Gemini Inc has contacted you to perform a penetration testing on one of their internal system. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.

Tweet me your writeup @ https://twitter.com/sec_9emin1

File Information:

Filename: Gemini-Pentest-v1.zip

File size: 3283684247

SHA 1: 47ca8fb27b9a4b59aa6c85b8b1fe4df564c19a1e

Virtual Machine:

Format: Virtual Machine (VMWare)

Operating System: Debian

Networking:

DHCP Service : Enabled

IP Address: Automatically Assigned

More information can be obtained from my blog post on this vulnerable machine: https://scriptkidd1e.wordpress.com/

Intended solution will be provided some time after this has been published: https://scriptkidd1e.wordpress.com/geminiinc-v1-vm-walkthrough/

The VM has been tested on the following platform and is working:

• Mac OSX VMWare Fusion
• Windows 10 VMWare Player
• Windows 10 VMWare Workstation

It should work with any virtual machine player as well. It will be able to obtain an I.P Address with DHCP so no additional configuration is required. Simply import the downloaded VM and you are good to go.

THE ARM IoT EXPLOIT LABORATORY - Damn Vulnerable ARM Router (DVAR)

DVAR is an emulated Linux based ARM router running a vulnerable web server that you can sharpen your ARM stack overflow skills with.

DVAR runs in the tinysploitARM VMWare VM under a fully emulated QEMU ARM router image.

Simply extract the ZIP file and launch the VM via tinysploitARM.vmx. After starting up, the VM's IP address and default URL shall be displayed on the console. Using your host computer's browser, navigate to the URL and follow the instructions and clues. The virtual network adapter is set to NAT mode.

Your goal is to write a working stack overflow exploit for the web server running on the DVAR tinysploitARM target.

SHA256: 1f2bdd9ae4e44443dbb4bf9062300f1991c47f609426a1d679b8dcd17abb384c

DVAR started as an optional preparatory exercise for the ARM IoT Exploit Lab.

UPCOMING ARM IoT EXPLOIT LABORATORY TRAINING

RECON Brussels 2018 (4 day) January 29-Feb 1 https://recon.cx/2018/brussels/training/trainingexploitlab.html

Offensivecon Berlin 2018 (4 day) February 12-15 https://www.offensivecon.org/trainings/2018/the-arm-iot-exploit-laboratory-saumil-shah.html

Cansecwest Vancouver 2018 (4 day) March 10-13 https://cansecwest.com/dojos/2018/exploitlab.html

SyScan360 Singapore 2018 (4 day) March 18-21 https://www.coseinc.com/syscan360/index.php/syscan360/details/SYS1842#regBox

Helpful material

If you are new to the world of ARM exploitation, I highly recommend Azeria's excellent tutorials on ARM Assembly, ARM Shellcode and the basics of ARM exploitation.

https://azeria-labs.com/ Twitter: @Fox0x01

And these are three general purpose concepts oriented tutorials that every systems enthusiast must know:

Operating Systems - A Primer: http://www.slideshare.net/saumilshah/operating-systems-a-primer

How Functions Work: http://www.slideshare.net/saumilshah/how-functions-work-7776073

Introduction to Debuggers: http://www.slideshare.net/saumilshah/introduction-to-debuggers

EXPLOIT LABORATORY BLOG:

http://blog.exploitlab.net/

Saumil Shah @therealsaumil

You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in /root directory).

Difficulty to get a low privileged shell: Beginner/Intermediate

Difficulty to get privilege escalation: Beginner/Intermediate

About: This is a vulnerable Ubuntu box giving you somewhat of a real world scenario and reminds me of the OSCP labs.

If you need any hints, pointers or have questions feel free to email me: specterinthewires at gmail dot com

Virtual Machine: VMware Workstation

Difficulty:

Beginner

Description:

Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live...

Instructions:

This is a boot2root Ubuntu based virtual machine. It was tested on VMware Fusion and VMware Workstation12 using DHCP settings for its network interface. It was designed to model some of the earlier machines I encountered during my OSCP labs also with a few minor curve-balls but nothing too fancy. Stick to your classic hacking methodology and enumerate all the things!

Your goal is to remotely attack the VM and find all 4 flags eventually leading you to full root access. Don't forget to #tryharder

Example: flag1(AB0BFD73DAAEC7912DCDCA1BA0BA3D05). Do not waste time decrypting the hash in the flag as it has no value in the challenge other than an identifier.

Contact

Hit me up if you enjoy this VM! Twitter: @securekomodo Email: hackerbryan@protonmail.com

It was a part of HackTheBox platform.

VM Name:

BlackMarket

VM Description:

BlackMarket VM presented at Brisbane SecTalks BNE0x1B (28th Session) which is focused on students and other InfoSec Professional. This VM has total 6 flag and one r00t flag. Each Flag leads to another Flag and flag format is flag{blahblah}.

Shoutout to @RobertWinkel and @dooktwit for hosting at SecTalk Brisbane

If you get stuck in rabbit hole and need hints hit me up on twitter. Have fun!

VM Difficulty Level:

Beginner/Intermediate

What will you learn?

Learn about how to enumerate your target and join dots in order to pwn this VM.

VM Tested:

VMware Player VirtualBox

Networking:

DHCP Enabled

Author:

AcEb0mb3R Twitter: @Acebomber911

Box Info: Tested on VirtualBox using DHCP Host-only & Bridged Adapter types.

File Type: OVA

Background:

Pinky is creating his very own website! He has began setting up services and some simple web applications

Description:

A realistic Boot2Root box. Gain access to the system and read the root.txt.

Difficulty to get user: Easy/Intermediate

Difficulty to get root: Easy/Intermediate

If you need a hint or have a question contact me on twitter: @Pink_P4nther

VM Name: JIS-CTF : VulnUpload

Difficulty: Beginner

Description: There are five flags on this machine. Try to find them. It takes 1.5 hour on average to find all flags.

Difficulty: Beginner/Intermediate

Bob is my first CTF VM that I have ever made so be easy on me if it's not perfect.

The Milburg Highschool Server has just been attacked, the IT staff have taken down their windows server and are now setting up a linux server running Debian. Could there a few weak points in the new unfinished server?

Your Goal is to get the flag in /

Hints: Remember to look for hidden info/files

Description: A realistic Boot2Root. Gain access to the system and read the /root/root.txt

Note: Only works in VMware

Network: Bridged/DHCP

Questions: Tweeeeeeter @Pink_P4nther

File: OVF

Difficulty to get entry: easy/intermediate

Difficulty to get root: intermediate/hard

Note From VulnHub: Wordpress will not render correctly. You will need to alter your host file with the IP shown on the console: echo 192.168.x.x pinkydb | sudo tee -a /etc/hosts

Boot2root challenges aim to create a safe environment where you can perform real-world penetration testing on an (intentionally) vulnerable target.

This workshop will provide you with a custom-made VM where the goal is to obtain root level access on it.

This is a great chance for people who want to get into pentesting but don’t know where to start. *

If this sounds intimidating, don’t worry! During the workshop, we’ll be discussing various methodologies, common pitfalls and useful tools at every step of our pentest.

Requirements:

• Laptop capable of running two VMs and has a USB port.
• At least 20GB of free space.
• VirtualBox pre-installed.
• Kali VM
• Some familiarity with CLI.

Trollcave is a vulnerable VM, in the tradition of Vulnhub and infosec wargames in general. You start with a virtual machine which you know nothing about – no usernames, no passwords, just what you can see on the network. In this instance, you'll see a simple community blogging website with a bunch of users. From this initial point, you enumerate the machine's running services and general characteristics and devise ways to gain complete control over it by finding and exploiting vulnerabilities and misconfigurations.

Your first goal is to abuse the services on the machine to gain unauthorised shell access. Your ultimate goal is to read a text file in the root user's home directory root/flag.txt).

This VM is designed to be holistic and fairly down to earth. I wanted to simulate a real attack on a real website rather than just presenting a puzzle box of disparate elements, and I wanted to avoid the more esoteric vulnerable VMisms, like when you have to do signal processing on an MP3 you found to discover a port-knocking sequence. Of course there are always tradeoffs between what's realistic and what's optimally fun/challenging, but I've tried to keep the challenges grounded.

Because this is a VM that you're downloading, importing and booting, one way to achieve this goal would be to mount the VM's hard disk. I haven't encrypted the disk or done anything to prevent this, so if you want to take that route, go ahead. I'm also not offering a prize or anything for completing this VM, so know that it will be entirely pointless.

Because this is a VM running a real operating system with real services, there may be ways to get to root that I did not intend. Ideally, this should be part of the fun, but if they make the box entirely trivial I'd like to know about and fix them – within reason. As of this release, I've installed all the updates available for Ubuntu Server 16.04 LTS, but I cannot and will not attempt to patch this VM against every new Linux kernel exploit that comes out in the future. So there's a hint – you don't have to use a kernel exploit to root this box.

What you will need is a good HTTP intercepting proxy – I recommend Burpsuite– and a couple of network tools like nmap and nc. You'll also need some virtualisation software – VirtualBox will be easiest for most people, but KVM and VMWare should also be able to import the .ova file after a bit of fiddling. Once you've imported the VM, put it on the same network as your attacking system (preferably don't give it internet access) and start hacking!

You can grab the .ova file here (929MB) (updated 2018-03-19). Let me know what you think.

If you want to keep your hacking studies, please try out this machine!

Jarbas 1.0 – A tribute to a nostalgic Brazilian search engine in the end of 90’s.

Objective: Get root shell!

Name : Android4

OS : Android v4.4

Description : This is my Second booT2Root CTF VM..I hope you enjoy it. if you run into any issue you can find me on Twitter: @touhidshaikh22

Flag : /data/root/ (in this Directory)

Level: Beginner.

Contact: Touhid M.Shaikh aka Agent22 touhidshaikh22@gmaill.com<- Feel Free to write mail

Website: http://www.touhidshaikh.com

Try harder!: If you are confused or frustrated don't forget that enumeration is the key!

Feedback: This is my Second boot2root - CTF VM. please give me feedback ( touhidshaikh22@gmail.com )

Tested:
This VM was tested with: Virtual Box 5.X

Walkthrough : https://www.youtube.com/channel/UC7lxfIwNnSIE7ei9O2K8ZKw (Walkthrough playlist)

Networking:
DHCP service: Enabled IP address: Automatically assign

Name: Gemini Inc v2

Date release: 2018-07-10

Author: 9emin1

Series: Gemini Inc

Description: I have decided to create vulnerable machines that replicate the vulnerabilities and difficulties I’ve personally encountered during my last year (2017) of penetration testing.

Some of the vulnerabilities require the “Think out of the box (fun)” mentality and some are just plain annoyance difficulties that require some form of automation to ease the testing.

GeminiInc v2 has been created that replicate a few issues that I’ve encountered which was really interesting and fun to tackle, I hope it will be fun for you guys as well.

Adding a little made-up background story to make it more interesting…

Introduction: Gemini Inc has contacted you to perform a penetration testing on one of their internal system. This system has a web application that is meant for employees to export their profile to a PDF. Identify any vulnerabilities possible with the goal of complete system compromise with root privilege. To demonstrate the level of access obtained, please provide the content of flag.txt located in the root directory as proof.

Tweet me your writeup @ https://twitter.com/sec_9emin1

File Information:

• Filename: Gemini-Pentest-v2.zip
• File size: 2239959453
• SHA 1: 5f210dd9a52a701bab262a9def88009b1ca46300

Virtual Machine:

• Format: Virtual Machine (VMWare)
• Operating System: Debian

Networking:

• DHCP Service : Enabled
• IP Address: Automatically Assigned

More information can be obtained from my blog post on this vulnerable machine: https://scriptkidd1e.wordpress.com/

Intended solution will be provided some time after this has been published: https://scriptkidd1e.wordpress.com/geminiinc-v2-virtual-machine-walkthrough/

The VM has been tested on the following platform and is working:

• Mac OSX VMWare Fusion
• Windows 10 VMWare Player
• Windows 10 VMWare Workstation

It should work with any virtual machine player as well. It will be able to obtain an I.P Address with DHCP so no additional configuration is required. Simply import the downloaded VM and you are good to go.

Name: MinUv1

Date Release: 2018-07-10

Author: 8bitsec

Description: This boot2root is an Ubuntu Based virtual machine and has been tested using VirtualBox. The network interface of the virtual machine will take it's IP settings from DHCP. Your goal is to capture the flag on /root.

Note: Tested on VirtualBox

Network: Host-Only/DHCP (should work on bridged)

File: OVA

Difficulty: easy/intermediate

Filename: MinUv1.ova.7z

File Size: 540MB

MD5: cc3d58173a8e9ed3f7606c8d12140a68

SHA1: 8409ceb3cd959085c0249eb676af2f384da85466

Format: Virtual Machine (Virtualbox - OVA)

Operating System: Linux

DHCP service: Enabled

IP address: Automatically assign

I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.

I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.

I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be setup as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting.

N/A