Covfefe is my Debian 9 based B2R VM, originally created as a CTF for SecTalks_BNE. It has three flags.

It is intended for beginners and requires enumeration then [spoiler]!

C0m80 Boot2Root

https://3mrgnc3.ninja/2017/09/c0m80/

About

This is my third public Boot2Root, This one is intended to be quite difficult compared to the last two.

But again, that being said, it will depend on you how hard it is :D

The theme with this one is all about 'enumeration, enumeration, enumeration', lateral thinking, and how to "combine" vulnerabilities in order to exploit a system.

Important Note

Once you have an IP insert it into your attack system /etc/hosts like this:

[dhcp-ip-address] C0m80.ctf

This VM will probably be different to other challenges you may have come across. With C0m80 You will be required to log in locally in the VirtualBox console window at some point. This, I know, may 'rile' some of the purists out there that say you should be able to compromise a boot2root fully remotely over a network. I agree to that in principle, and in this case I had intended to allow vnc or xrdp access. Alas, due to compatibility problems I had to make a compromise in this area in order to get the challenge published sooner rather than later.

It should be obvious at what point you need to log in. So when that time comes just pretend you are using remote desktop. ;D

Sorry, I hope you can forgive me.

Difficulty Rating

[Difficult] but depends on you really

Goal

There is only one goal here. Become God on the system and read the root flag.

I Hope You Enjoy It.

Download Link

https://3mrgnc3.ninja/files/C0m80_3mrgnc3_v1.0.ova

Details

• File: C0m80_3mrgnc3-v1.0.ova
• OS: WondawsXP ;D
• VM Type: VirtualBox
• IP Address: DHCP
• Size: 2.7 GB

Walkthroughs

Please leave feedback and comments below. Including any info on walkthroughs anyone wishes to publish, or bugs people find in the VM Image.

Alternatively email me at 3mrgnc3 at techie dot com

Dolev

One of the VMs used in the online CTF hosted back in September 2016 by Defcon Toronto, slightly modified to suit boot2root challenges.

Difficulty: Easy

Information: Overall 7 flags to collect, id 0 is the final step.

Details:

• File: Galahad.zip (ovf)
• Date: September 2016
• VM Type: Tested on VMware Workstation
• Notes: If the VM was able to obtain a DHCP you will likely see the IP in the VM login prompt.
• Networking: DHCP
• Checksum[SHA256]: c42839feadc8077380e167af9639cfcf9ebe3ffed083c98aee1e7d453022af5d

For any issues you can shoot an email to: dolev at dc416.com or DM me @dolevfarhi

d8888b. d8888b.  .d88b.  d888888b d88888b db    db .d8888.
88  `8D 88  `8D .8P  Y8. `~~88~~' 88'     88    88 88'  YP
88oodD' 88oobY' 88    88    88    88ooooo 88    88 `8bo.
88~~~   88`8b   88    88    88    88~~~~~ 88    88   `Y8b.
88      88 `88. `8b  d8'    88    88.     88b  d88 db   8D
88      88   YD  `Y88P'     YP    Y88888P ~Y8888P' `8888Y'

"A bacterium found in the intestines of animals and in the soil."

          Corporate Malware Validator.

An IT Company implemented a new malware analysis tool for their employees to scan potentially malicious files. This PoC could be a make or break for the company.

It is your task to find the bacterium.

Goal: Get root, and get flag... This VM was written in a manner that does not require wget http://exploit; gcc exploit.

NB: VMWare might complain about the .ovf specification. If this does come accross your path, click the retry button and all should be well.

MMMLAGOS is a vulnerable ponzing scheme with lot of vulnerabilities , the flags are high tech stenography Flag to be puzzled by player to solve critical challenge

twitter : @silexsecure

D0Not5top Boot2Root

This is my second public Boot2Root, It’s intended to be a little more difficult that the last one I made. That being said, it will depend on you how hard it is :D It's filled with a few little things to make the player smile.

Again there are a few “Red Herrings”, and enumeration is key.

DIFFICULTY ?????

CAPTURE THE FLAGS
There are 7 flags to collect, designed to get progressively more difficult to obtain

DETAILS

• File: D0Not5top_3mrgnc3_v1.2.ova
• OS: ?????
• VM Type: VirtualBox
• IP Address: DHCP
• Size: 700 MB

SUPPORT Any support issues can be directed to [email protected]

For a while now I've been maintaining a VM I with several vulnerable web apps already deployed:

• bWAPP
• Mutillidae (nowasp)
• Web for Pentester I (from pentesterlab.com)
• DVWA
• Django.nV
• Google Gruyere
• OWASP Juice Shop

The VM has Burp Suite free, chromium with a few extensions (including a proxy switcher) and sqlmap. The browser home page contains links to some exercises and walkthroughs.

User credentials:

root // password
tux // password

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

Welcome to

  ___           _            ___          _
 |   \ ___ _ _ | |_____ _  _|   \ ___  __| |_____ _ _
 | |) / _ \ ' \| / / -_) || | |) / _ \/ _| / / -_) '_|
 |___/\___/_||_|_\_\___|\_, |___/\___/\__|_\_\___|_|
                        |__/
                             Made with <3 v.1.0 - 2017

This is my first boot2root - CTF VM. I hope you enjoy it. if you run into any issue you can find me on Twitter: @dhn_ or feel free to write me a mail to:

• Email: [email protected]
• GPG key: 0x2641123C
• GPG fingerprint: 4E3444A11BB780F84B58E8ABA8DD99472641123C

Level: I think the level of this boot2root challange is hard or intermediate.

Try harder!: If you are confused or frustrated don't forget that enumeration is the key!

Thanks: Special thanks to @1nternaut for the awesome CTF VM name!

Feedback: This is my first boot2root - CTF VM, please give me feedback on how to improve!

Tested: This VM was tested with:

• VMware Workstation 12 Pro
• VMware Workstation 12 Player
• VMware vSphere Hypervisor (ESXi) 6.5

Networking: DHCP service: Enabled

IP address: Automatically assign

SHA-1:

77439cb457a03d554bec78303dc42e5d3074ff85  DonkeyDocker-disk1.vmdk
d3193cca484f7f1b36c20116f49e9025bf60889c  DonkeyDocker.mf
7013d6a7c151332c99c0e96d34b812e0e7ce3d57  DonkeyDocker.ovf

Looking forward to the write-ups!

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

iQIcBAEBCgAGBQJY2snaAAoJEKjdmUcmQRI8fG0QAK9eCaBggC4+aRD2SrY5ZFtI
/5Lyi8fdGCrtIDhLIoAoM/HHX68GH6pPzWt2VesW1zCM0pnO+hAaQSzl5+C4e39g
IYIUx9WMojxrrDgvvZ0NxosYMTFyyXCudCpGZXo2fjW3xnZ9v1n/Yid0H23gXKyo
gLzMEVuCh4/Bh1YNx5Jc6X03rZg6nhWEaLzShDOsUu0d4bYD6ZL7Cnr1W7HFmoEn
oV3OOOEj79VG2EeIc4nNzyVnp1I+C3BjngAV0w6bQdepbWZvy/pyzdk8HEB4Xc56
MkKidbVx9oTh38tro//VzDCTwfGHyt+V3RhXpIQvvFOboG/CpvQFxMpSIn25tGNY
2rADxHJ40KG85MWey4lP2jzpbJDH5LYYMIej8w8iz1+DN9czXSRDVVdY3aAGaghe
NaWwqdktT0j0j2/6w2kiRR60LOaRK+u1rNckm6qBrlEQ+M3Pv7yD4A9rR8K4FVF8
2PyRrtltI8RkucJP0JjHWtl4Sry4dPA5EDtuUWQIO5mYjeJlQ9yg7TPGne4/hWSx
Gibj9XfiwwvpZ9qTJu2W91rt3P+xm6ic2QVCJ8oNRgwi0jGP4nhryg4I1yyaRpeR
ANbof9vxkEct1fuDODgXTIwQ1uGtG2X3khHiKxt5wcymCZ1v8CwQ0+vyiK/sbOsS
TyJq5lfMNJWrdsMNowNm
=Oo5M
-----END PGP SIGNATURE-----

+---------------------------------------------------------+
|                     Name: Moria                         |
|                       IP: Through DHCP                  |
|               Difficulty: Not easy!                     |
|                     Goal: Get root                      |
+---------------------------------------------------------+
|                                                         |
| DESCRIPTION:                                            |
| Moria is NOT a beginner-oriented Boot2Root VM, it will  |
| require good enum skills and a lot of persistence.      |
|                                                         |
| VM has been tested on both VMware and VirtualBox, and   |
| gets its IP through DHCP, make sure you're on the same  |
| network.                                                |
|                                                         |
| Special thanks to @seriousblank for helping me create it|
| and @johnm and @cola for helping me test it.            |
|                                                         |
|     Link: dropbox.com/s/r3btdcmwjigk62d/Moria1.1.rar    |
|     Size: 1.56GB                                        |
|      MD5: 2789bca41a7b8f5cc48e92c635eb83cb              |
|     SHA1: e3bddd4133320ae42ff65aec41b9f6516d33bb89      |
|                                                         |
| CONTACT:                                                |
| You can find me on NetSecFocus slack, twitter at        |
| @abatchy17 or occasionally on #vulnhub for questions.   |
|                                                         |
| PS: No Lord of The Rings knowledge is required ;)       |
|                                                         |
| -Abatchy                                                |
+---------------------------------------------------------+

Level

Intermediate.

Description

Welcome to Super Mario Host!

This VM is meant to be a simulation of a real world case scenario.

The goal is to find the 2 flags within the VM. Root is not enough (sorry!)

The VM can be exploited in various ways, but remember that Enumeration is the key.

The level of the challenge is Intermediate.

Thanks to vdbaan, kltdwd, mrb3n and GKNSB for testing.

Welcome to another boot2root / CTF this one is called Analougepond. The VM is set to grab a DHCP lease on boot. I've tried to mix things up a little on this one, and have used the feedback from #vulnhub to make this VM a little more challenging (I hope).

Since you're not a Teuchter, I'll offer some hints to you:

Remember TCP is not the only protocol on the Internet My challenges are never finished with root. I make you work for the flags. The intended route is NOT to use forensics or 0-days, I will not complain either way.

To consider this VM complete, you need to have obtained:

• Troll Flag: where you normally look for them
• Flag 1: You have it when you book Jennifer tickets to Paris on Pan Am.
• Flag 2: It will include a final challenge to confirm you hit the jackpot.
• Have root everywhere (this will make sense once you're in the VM)
• User passwords
• 2 VNC passwords

Best of luck! If you get stuck, eat some EXTRABACON

NB: Please allow 5-10 minutes or so from powering on the VM for background tasks to run before proceeding to attack.

Changelog

• v0.1b - Initial Version
• v01.c - Fixes for flags based on feedback from mrB3n
• v0.1d - Fixes based on shortcut to intended route
• v0.2a - Fixes and clean up of disks for smaller OVA export
• v0.2b - Small edit to remove copy of flag in wrong folder

SHA1SUM: D75AA2405E2DFB30C1470358EFD0767A10CF1EB1 analoguepond-0.2b.ova

Many thanks to mrB3n, Rand0mByteZ and kevinnz for testing this CTF.

A special thank you to g0tmi1k for hosting all these challenges and offering advice. A tip of the hat to mrb3n for his recent assistence.

    ______            _____ __                         __
   / ____/      __   / ___// /____  __________  __  __/ /
  / __/ | | /| / /   \__ \/ //_/ / / /_  /_  / / / / / /
 / /___ | |/ |/ /   ___/ / ,< / /_/ / / /_/ /_/ /_/ /_/
/_____/ |__/|__/   /____/_/|_|\__,_/ /___/___/\__, (_)
                                             /____/

Welcome to 'Ew Skuzzy!' - my first CTF VM.

Level: Intermediate.