writeup

VulnOS: 2


Your assignment is to pentest a company website, get root of the system and read the final flag.

BNE0x03 - Simple

Simple CTF

Simple CTF is a boot2root that focuses on the basics of web based hacking. /root/flag.txt is your ultimate goal.

Hints

  • Get a user shell by uploading a reverse shell and executing it.
  • A proxy may help you to upload the file you want, rather than the file that the server expects.
  • There are 3 known privesc exploits that work. Some people have had trouble executing one of them unless it was over a reverse shell using a netcat listener.

BNE0x02 - Fuku

Fuku CTF

Fuku (pronounced “far queue”) CTF is designed to fuck with people.

There are a few flag.txt files to grab. The final one is in the /root/ directory. However, the ultimate goal is to get a root shell.

Scenario

“Bull was pissed when you broke into his Minotaur box. He has taken precautions with another website that he is hosting, implementing IDS, whitelisting, and obfuscation techniques. He is now taunting hackers to try and hack him, believing himself to be safe. It is up to you to put him in his place.”

Hints

Some scripting will probably be needed to find a useful port. If the machine seems to go down after a while, it probably hasn’t. This CTF isn’t called Fuku for nothing!

BNE0x00 - Minotaur

Minotaur CTF

Minotaur is a boot2root CTF. There are a few flag.txt files around to grab. /root/flag.txt is your ultimate goal.

Hints

  • This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.
  • One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.

The Wall: 1

In 1965, one of the most influential bands of our times was formed.. Pink Floyd. This boot2root box has been created to celebrate 50 years of Pink Floyd’s contribution to the music industry, with each challenge giving the attacker an introduction to each member of the Floyd.

Your challenge is simple… set your controls for the heart of the sun, get root, and grab the flag! Rock on!

/dev/random: Pipe

Pipe was a VM created by Sagi- for ZaCon. It’s quite a short VM, presumably to fit comfortably in a con session - but it’s fun nonetheless!

Brainpan: 3 - Part 1

As with the rest of the series, the focus of brainpan3 is on binary exploitation. The challenges in this VM are certainly a step-up in terms of difficulty compared to brainpan’s 1 & 2, and require you to bypass many common protection mechanisms. On-and-off, it took me about 2 months to solve :s

Flick II: The Flickening

After the success of Flick: I, @leonjza decided that VulnHub needed a fresh dose of pain and suffering. Flick: II is a vulnerable machine with a mobile twist - it requires the attacker to wrestle with a custom Android application to breach the VM. I was more than complimentary about it on Twitter - it’s definitely worth checking out.

NullByte 0x01

NullByte is a hacking challenge created by ly0n, pitched at a beginner-intermediate level. The objective is to grab the flag.

ROP Primer: Level 0

This VM is meant as a small introduction to 32-bit return-oriented-programming on Linux. It contains three vulnerable binaries, that must be exploited using ROP. There are three levels in total (0 to 2).

The Darkside of Darknet

It was coming up to the date of my SANS GWAPT exam when Darknet landed, which meant I couldn’t spend much time on it. Since passing that exam, Darknet became my new evening activity.

TopHatSec: ZorZ

This VM contains 3 web application challenges, which focus on file upload and filter bypass.

TopHatSec: Freshly

The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file.

Pandora's Box: 1 - Level 1

After completing Level 0, I echo’d my public key into authorized_keys to allow for easy access. So the first thing to do is check out level1’s home directory.

Underdist: 3

Underdist: 3 was a weekend challenge being run by the Underc0de group. I didn’t take part in the event, but the VM found its way onto VulnHub. On a quiet Saturday evening, I thought I’d give it a go (because that’s how rock-n-roll I am).

Pegasus: 1

Pegasus 1 is the first VM written by Knapsy, which he describes as being pitched at ‘intermediate’ difficulty. It’s certainly a tricky VM, which I tore my hair out solving!

Persistence: 1

Sagi- (the father of the /dev/random series) and superkojiman (the mastermind behind the brainpan series) have teamed up to create a new vulnerable virtual machine! The content of the creation was filled with a mixture of what they have seen in their day jobs, and dreaming up evil and cunning ideas. The end result is a mischievous challenge, which was crying out to headline VulnHub’s next competition.

Tr0ll: 1

Tr0ll is a boot2root, from Maleus. It was inspired by the constant trolling of the machines within the OSCP labs. The goal is simple, gain root and get Proof.txt from the /root directory. Not for the easily frustrated! Fair warning, there be trolls ahead!

Xerxes: 2

Before you lies the mainframe of XERXES. Compromise the subsystems and gain access to /root/flag.txt. Xerxes2 is the next installment of barrebas’ xerxes series of boot2roots. This time around I had the pleasure of testing the VM before its public release, which I must say was an honour.

Flick: 1

Completing “flick” will require some sound thinking, good enumeration skills & time!

The objective is to find and read the flag that lives in /root/. As a bonus, can you get root command execution?

Good Luck! @leonjza

Hell: 1 - Part 1

Hell is the latest installment of evil hosted on VulnHub, and is the devil child of Peleus. To say it’s a difficult and lengthy challenge will not prepare you for the torture…

This VM is designed to try and entertain the more advanced information security enthusiast. This doesn’t exclude beginners however and I’m sure that a few of you could meet the challenge. There is no ‘one’ focus on the machine, a range of skills such as web exploitation, password cracking, exploit development, binary examination and most of all logical thinking is required to crack the box in the intended way - but who knows there might be some short cuts!

Hell: 1 - Part 2

Bazza

With this private key, I was able to SSH in as another user, Bazza. Within his home directory are two binary files with some interesting permissions.

SkyTower: 1

SkyTower is a boot2root challenge hosted at VulnHub. The goal is to reach /root/flag.txt.

The Infernal: Hades - Part 1

Hades is a new boot2root challenge pitched at the advanced hobbyist. Solving this challenge will require skills in reverse engineering, exploit development and understanding of computer architecture. The aim of this challenge is to incrementally increase access to the box until you can escalate to root. The /root/flag.txt file is the final goal.

Let’s mosey…

Brainpan: 2 - Part 1

Following the popularity of Brainpan 1, Brainpan 2 was released as a competition on VulnHub. I didn’t take part, but since the VM remains on VulnHub, I had a go at it retrospectively. The goal is to gain root access and obtain /root/flag.txt.

Brainpan: 1 - Part 1

Brainpan is a brilliant series of VMs created by superkojiman - the goal is to gain root access. These challenges are quite long and involved as they’re not strictly at beginner level :), so I’ve split the solution into multiple parts.

SecOS 1

SecOS is a series of vulnerable VMs created by PaulSec - launched as part of his talk at BSides London 2014 (which I attended) and focused around CSRF vulnerabilities. Paul is also the author of the CSRF Toolkit, which can be used to attack the SecOS VMs.

Scream - Method 1 (Short/Easy)

Scream is a vulnerable VM running Windows XP SP2, created with the Scream VulnInjector from VulnHub.

Whilst doing this challenge, I found two methods of gaining SYSTEM. The first was very straight-forward and rather short, which is why I also chose to publish the longer / harder method.

Xerxes: 1

Xerxes is a great VM challenge, created by barrebas. It’s quite a devilish challenge, I found - especially getting the initial foothold. The goal is to obtain root and access the flag.

Kioptrix 2014

After a 2 year (hiatus?) since the last Kioptrix VM challenge, loneferret has released Kioptrix 2014. This is still an ‘entry level’ challenge, though it does have some interesting spins typical of loneferret’s style of VM challenges. The goal of the challenge is to obtain the flag.

De-ICE S1.140

This is a walkthrough of how I completed the De-ICE S1.140 challenge. The final goal for this challenge is undocumented.

Kioptrix Level 1.2

This is a walkthrough of how I completed the Kioptrix Level 1.2. The goal of this challenge is to collect the flag.

Kioptrix Level 1.3

This is a walkthrough of how I completed the Kioptrix Level 1.3 challenge. The goal is to find the flag.

Kioptrix Level 1.1

This is a walkthrough of how I completed Kioptrix Level 1.2. The goal of the challenge is to obtain the flag.

Kioptrix Level 1

This is a walkthrough of how I completed Kioptrix Level 1. The goal is to obtain the flag.

De-ICE S2.100

This is how I solved the De-ICE S2.100 challenge. The goal is to obtain salary information for the team of employees.

De-ICE S1.120

This is a walkthrough of how I completed the De-ICE S1.230 challenge. The goal is to access various internal documents.

De-ICE S1.100

This is a walkthrough of how I completed the De-ICE S1.100 challenge. The end goal is to obtain the CEO’s salary information.
