another troll tamed - solving troll 2

foreword: Tr0ll2 is a successor in a boot2root series by @Maleus21 hosted over at VulnHub. Having been able to pwn Tr0ll1, I gave this one a shot too. Here is my experience taming the troll, again. ...

October 10, 2014 · 16 min · Leon Jacobs

From Persistence

persist we must! Persistence! A new boot2root hosted @VulnHub, authored by @superkojiman and sagi- definitely got the attention from the community it deserves! Persistence was actually part of a writeup competition launched on September the 7th, and ran up until October the 5th. This is my experience while trying to complete the challenge. Persistence, once again, challenged me to learn about things that would normally have me just go “meh, next”. As expected, this post is also a very big spoiler if you have not completed it yourself yet, so be warned! ...

September 18, 2014 · 33 min · Leon Jacobs

Kali Linux Oracle Support

EDIT: This guide has been updated to accommodate a few changes (see here).

Recently I have had to get Oracle support sorted in my Kali Linux install. I will try not to rant about the reasons why it doesn’t just work out of the box and just get the steps written down quickly. Typically, when you try to use a module such as oracle_login, metasploit may error out with:

    msf auxiliary(oracle_login) > run
    [-] Failed to load the OCI library: cannot load such file -- oci8
    [-] See http://www.metasploit.com/redmine/projects/framework/wiki/OracleUsage for installation instructions
    [*] Auxiliary module execution completed
    msf auxiliary(oracle_login) > run

The link provided seems a little out of date, so here is an updated guide. ...

August 17, 2014 · 3 min · Leon Jacobs

taming the troll

foreword: Having recently started the road to OSCP, @Maleus21 released Tr0ll on @VulnHub. I figured since the description was Difficulty: Beginner ; Type: boot2root, I could give it a smash in an evening as a bit of distraction. ...

August 15, 2014 · 8 min · Leon Jacobs

Beating Xerxes2

foreword: Xerxes2 is a successor in a boot2root series by @barrebas hosted by @VulnHub. If you haven’t done it yet, close this article now and go learn by doing it! Xerxes2, like most other boot2root type CTFs, has once again forced me to learn a whole lot more than I thought possible. In total it took me about 3 or 4 days on and off to complete. The goal was as usual, read /root/flag.txt. This is the path I took to read the flag and gain root command execution. Enjoy! ...

August 9, 2014 · 28 min · Leon Jacobs

flick - can you find the flag?

TL;DR: I made a CTF! You should try it! Find it on VulnHub.

foreword: So, security CTFs are fun. A lot of fun. And can be one heck of a time sink! Checking my laptop's time and realizing it's 3am on a week night is normal when I get pulled into one. The frustration, the trolls, the tremendous amounts of learning are all part of the experience of a successful CTF in my opinion. ...

August 7, 2014 · 2 min · Leon Jacobs

Hell would just not freeze over!

foreword: Let's start by saying that this is probably one of the toughest boot2roots I have tried thus far. Even though I have managed to get /root/flag.txt, I am yet to actually root this beast. I believe I have arguably come quite far and there is only one hurdle left, however, almost 3 days later I have learnt a TON of stuff, and am satisfied to start jotting the experience down. Obviously, should I finally get root, I’ll update here and reflect. This is also a relatively long post as there were a ton of things to do. Give yourself some time if you plan on reading the whole post :) ...

July 20, 2014 · 30 min · Leon Jacobs

Climbing the SkyTower

foreword: Recently, at a local Security Conference, @telspacesystems ran a CTF. It was a classic ‘read /root/flag.txt’ CTF hosted on a wireless network. Sadly the wifi sucked, a lot, and due to this and a flat battery I was not able to attempt this CTF properly at the con. Nonetheless, the VM was released on VulnHub, and was promptly downloaded and loaded into VirtualBox. In summary, this CTF taught me some interesting things about SQL injection where filters are present. More specifically, commas were filtered out and resulted in the need for some creative thinking :) ...

July 17, 2014 · 12 min · Leon Jacobs

dnsfilexfer - yet another take on file transfer via DNS

This is not an old technique. Many a person has written about it and many technical methods are available to achieve this. Most notably, a concept of getting TCP type connectivity over DNS tunnels is probably a better idea to opt for should you wish to actually use technology like this. A quick Google even revealed full blown dns-tunneling-as-a-service type offers. this article is not… … about anything particularly new. It is simply my ramblings, and some python code slapped together in literally a day in order for me to learn and get my hands dirty with the concepts. ...

March 11, 2014 · 9 min · Leon Jacobs

slash root slash flag dot txt - Solving the Relativity Vulnerable VM

foreword: At the time of writing this post, this VM was part of a local security community's (zacon) pre-con challenge. Finding /root/flag.txt would have entered you into a draw for winning a prize :D However, the greater goal of the challenge was to learn something. I set out some time and attempted the challenge. Fortunately, I managed to complete it in time. So, this is the journey I took to solve this. You can now download and try this VM yourself over at VulnHub. Unzip, mount and boot the VM. Once the VM is booted, it should have an IP assigned via DHCP. I think it is interesting to note that I used a very limited set of tools to complete this. No bruteforcers, metasploits, vulnerability scanners and/or fancy proxies were used. My toolset consisted of netcat, nmap and other basic bash commands. There are probably a gazillion ways to do this as lots of this stuff is preference based on how they are approached. However, the basic ideas of the vulnerabilities remain the same. ...

November 18, 2013 · 19 min · Leon Jacobs