Thursday, January 12, 2012

Vulnimages

Now that I do not have the lovely lab at offsec, I find myself constantly searching for good vulnerable or "boot to root" images to test my skills against. I have found all kinds, but I seem to enjoy the ones that are more like a pen test, meaning I need to scan the machines, ID services, exploit a weakness, get a shell, elevate privs, and get root. So far I have found a couple that I like (in no particular order)...

Err... well, I don't actually know the name for this vulnimage. A co-worker put this up in our VM lab and said "go for it", but it was an enjoyable experience. I liked it mainly because it has a bunch of elements to it. There are multiple vectors for an initial attack, so you get to practice both website-based attacks as well as service-based buffer overflow attacks. Once you gain root there is another little nugget that I really enjoyed: a vulnerable custom program running as root and listening. This, I have to say, was the most fun and educational part of this image: the opportunity to take someone else's program and fuzz and exploit it from scratch. I needed to learn the basics of a Linux command line debugger (gdb) to get the information I was used to seeing on the screen in Immunity. It took some time, a chat with a colleague, and a fistful of Google, but I finally was able to get the information I needed out of gdb and write a custom exploit. Definitely a good practice machine for my skill level; it had things I knew and things I needed to learn.

The next one I came across was Hackademic.RTB1. Another good machine here, and it looks to be a promising series; hats off to mr.p0rn for putting this stuff together. Again web-based entry; it takes some research and the use of tools to get shell and root. Fairly straightforward but fun to explore. No custom apps here, but still worth the time to pop.

On the Hackademic note, the RTB1 machine is wonderful and realistic (hell, I know several people/companies running vulnerable versions of the webapp used), but.... when I tried RTB2 I felt it was more.... I don't know... lacking? non-realistic? classroom-ish? I don't know if those words are accurate, but I ended up not being a fan. I did like the introduction to PK, but I can't help but think this one wasn't really a hacking challenge as much as a thinking challenge. I would have liked to see a real DB powering the login and a little more hunting/digging/cracking for the sequence needed to get a shell. ... ... ... Actually, looking over my notes, I now know what this feels like... it felt like a simple forensic investigation, something where you were trying to find/decode hidden info. I guess in that aspect it just bumped up a notch in my list. :-)

I tried to keep spoilers to a minimum, and I'll make one recommendation to you if you are going to do any vulnimage: try to do it yourself before researching anything. With these, when you even Google a small question you are going to end up with results pointing to posts where you are given a walkthrough for the whole task. I think this sort of takes the fun out. On the flip side, if you are looking for walkthroughs, go check out g0tmi1k's blog. There is a ton of useful stuff there above and beyond just walkthroughs.
