This exercise covers the exploitation of a session injection in the Play framework
What will you learn?
- Session injection
- Play framework
- Play's cookies
Welcome to the challenge.
This VM is designed to try and entertain the more advanced information security enthusiast. This doesn't exclude beginners however and I'm sure that a few of you could meet the challenge. There is no 'one' focus on the machine, a range of skills such as web exploitation, password cracking, exploit development, binary examination and most of all logical thinking is required to crack the box in the intended way - but who knows there might be some short cuts!
A few of the skills needed can be seen in some posts on http://netsec.ws. Otherwise enjoy the experience - remember that although vulnerabilities might not jump out at you straight away you may need to try some variations on the normal to get past the protections in place!
Feel free to discuss the experience on the #vulnhub irc channel on irc.freenode.net. If you want any hints feel free to PM my nick on there (Peleus). You won't get any, but I'll feel all warm and fuzzy inside knowing you're suffering.
Welcome to SkyTower:1
This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the "flag".
You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. Most of all, your logical thinking and methodical approach to penetration testing will come into play to allow you to successfully attack this system. Try different variations and approaches. You will most likely find that automated tools will not assist you.
We encourage you to try it out for yourself first, give yourself plenty of time and then only revert to the Walkthroughs below.
Infernal: Hades v1.0.1.
Hades is a new boot2root challenge pitched at the advanced hobbyist. Solving this challenge will require skills in reverse engineering, sploit development and sound computer architecture understanding. If you've never heard of an opaque predicate, you're going to have a hard time of it!
I strongly suggest you don't start this the week before exams, important meetings, deadlines of any sort, marriages, etc.
The aim of this challenge is for you to incrementally increase your access to the box until you can escalate to root. The /root/flag.txt contains, amongst other things, a public PGP key which you can use to demonstrate victory - the private key has been given to the VulnHub.com admins.
By using this virtual machine, you agree that in no event will I be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of or in connection with the use of this software. If something bad happens, it's not my fault. Use at your own risk!
I always enjoy creating and releasing vulnerable virtual machines so readers can get a first-hand feel of attacking these command and control panels without doing anything illegal. The objective of this vulnerable virtual machine is to get a root shell. The root credentials (for network configuration purposes) are root:password. These credentials are not part of a solution and it is intended that the vulnerable virtual machine be attacked remotely. You can download the LoBOTomy vulnerable virtual machine here.
CySCA2014-in-a-Box is a Virtual Machine that contains most of the challenges faced by players during CySCA2014. It allows players to complete challenges in their own time, to learn and develop their cyber security skills. The VM includes a static version of the scoring panel with all challenges, required files and flags.
To use CySCA2014 in a box virtual machines, players will need to have either Oracle VirtualBox or VMWare Player installed on their machines. Additionally we recommend players have at least 4GB of RAM. If you have less RAM, you can reduce the amount of RAM available to the VM down to 512MB, however it may adversely affect the speed of some of the challenges.
CAUTION: The VM contains software that is deliberately vulnerable. We advise that you do not attach it to a critical network. Consider using your virtualisation software's host-only network functionality.
bee-box - README
////////////////

bee-box is a custom Linux VM pre-installed with bWAPP. With bee-box you have the opportunity to explore all bWAPP vulnerabilities!
bee-box gives you several ways to hack and deface the bWAPP website. It's even possible to hack the bee-box to get root access...

This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC GAMES and bWAPP projects on our blog.

We offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'. This course can be scheduled on demand, at your location!
More info: http://goo.gl/ASuPa1 (pdf)

Enjoy!

Cheers
Malik Mesellem
Twitter: @MME_IT
bee-box - INSTALL
/////////////////

bee-box is a custom Linux VM pre-installed with bWAPP. With bee-box you have the opportunity to explore all bWAPP vulnerabilities!
bee-box gives you several ways to hack and deface the bWAPP website. It's even possible to hack the bee-box to get root access...

Requirements
////////////

*/ Windows, Linux or Mac OS
*/ VMware Player, Workstation, Fusion or Oracle VirtualBox

Installation steps
//////////////////

No! I will not explain how to install VMware or VirtualBox...

*/ Extract the compressed file.
*/ Double click on the VM configuration file (bee-box.vmx), or import the VM into the VMware software.
*/ Start the VM. It will login automatically.
*/ Check the IP address of the VM.
*/ Go to the bWAPP login page. If you browse the bWAPP root directory you will be redirected.
   example: http://[IP]/bWAPP/
   example: http://[IP]/bWAPP/login.php
*/ Login with the default bWAPP credentials, or make a new user.
   default credentials: bee/bug
*/ You are ready to explore and exploit the bee!

Notes
/////

*/ Linux credentials: bee/bug root/bug
*/ MySQL credentials: root/bug
*/ Modify the Postfix settings (relayhost,...) to your environment.
   config file: /etc/postfix/main.cf
*/ bee-box gives you several ways to deface the bWAPP website. It's even possible to hack the bee-box to get root access... Have fun!
*/ Take a snapshot of the VM before hacking the bee-box. There is also a backup of the bWAPP website (/var/www/bWAPP_BAK).
*/ To reinstall the bWAPP database, delete the database with phpmyadmin (http://[IP]/phpmyadmin/). Afterwards, browse to the following page: https://[IP]/bWAPP/install.php
*/ Don't upgrade the Linux operating system, you will lose all fun :)

This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC GAMES and bWAPP projects on our blog.
-----------------------
bee-box - Release notes
-----------------------

v1.4
****
Release date: 12/05/2014
bWAPP version: 2.0

New features:
- Lighttpd web server installed, running on port TCP/9080 and TCP/9443
- PHP SQLite module installed
- SQLiteManager 1.2.4 installed
- Vulnerable bWAPP movie network service (BOF)

Bug fixes: /

Modifications: /

v1.3
****
Release date: 19/04/2014
bWAPP version: 1.9+

New features:
- Nginx web server installed, running on port TCP/8080 and TCP/8443
- Nginx web server configured with a vulnerable OpenSSL version (heartbleed vulnerability)
- Insecure distcc (a fast, free distributed C/C++ compiler)
- Insecure NTP configuration
- Insecure SNMP configuration
- Insecure VNC configuration

Bug fixes:
- bWAPP update script checks for Internet connectivity

Modifications: /

v1.2
****
Release date: 22/12/2013
bWAPP version: 1.8

New features:
- Apache modules enabled: rewrite, include, headers, dav, action
- Apache server-status directive enabled
- Insecure anonymous FTP configuration
- Insecure WebDAV configuration
- Server-Side Includes configuration
- Vulnerable PHP CGI configuration

Bug fixes: /

Modifications:
- MySQL listening on 0.0.0.0
- New bWAPP update script

v1.1
****
Release date: 12/09/2013
bWAPP version: 1.5

New features:
- bWAPP update script

Bug fixes: /

Modifications: /

v1.0
****
Release date: 15/07/2013
bWAPP version: 1.4

New features: /

Bug fixes: /

Modifications: /
Not too tired after BSides London? Still want to solve challenges? Here is the VM I told about during my talk where you'll have to practice some of your skills to retrieve the precious flag located here: /root/flag.txt. This VM is an entry-level boot2root and is web based.
This VM is the first of a series which I'm currently creating where there will be links between all of them. Basically, each machine in the series will rely/depend on each other, so keep the flags for the next VMs.
This has been tested on VirtualBox and gets its IP from the DHCP server. Moreover, if you find yourself brute-forcing, you're doing something wrong. It is not needed and it wasn't designed to be done this way. Instead, focus on exploiting web bugs!
If you have any questions, feel free to ask me on Twitter @PaulWebSec or throw me a mail: paulwebsec(at)gmail(dot)com
This exercise covers the exploitation of CVE-2008-1760. This vulnerability allows an attacker to gain access to inaccessible pages using crafted requests. This is a common trick that a lot of testers miss.