Where To Start
I've had quite a few people new to CTFs and Boot2Roots contact me wanting to know some information about what to do after they've downloaded a VM.
Below is an FAQ that I've created.
Frequently Asked Questions
No. You have to treat these challenges as if they are a remote server out there somewhere on the internet. The point of these challenges is that you need to find your own way in and then begin to escalate your privileges.
Through a process of enumeration and discovery. You start by identifying information about the system, such as the IP address of the target and the ports that are open, and from there, you determine what services are listening on those ports. After you have this information, you can start to explore those services and try to determine if there are any vulnerabilities. After that, you need to see if you can exploit those vulnerabilities.
Sure. I recommend watching some "walkthrough" videos on YouTube so that you can see how it's done.
Sure. This is a link to a template that I use when doing these kinds of challenges. I mainly use it for keeping notes, but it also has a list of commands that I regularly use. I also recommend keeping a knowledgebase where you can add information/tips/techniques etc. For this, you could use OneNote or something like CherryTree.
I try to make them as "realistic" as possible, but obviously, I also have to make them vulnerable, so there are some limitations. I actually started creating my own vulnerable VMs because there was a lack of realistic VMs out there. I also use some of my own experiences working in IT as a basis for my VMs. This is why you won't see "brainfuck" code in my VMs. It isn't realistic.
Real-world stuff, like misconfigurations, web-based vulnerabilities, vulnerable installs, password reuse etc.
No. In fact, I love seeing how people approach these challenges. Also, keep in mind that when a VM is released, it's essentially a snapshot at the time it is released. It's entirely likely that a new vulnerability will make an appearance, and this has actually happened (like the exim vulnerabilities).
No, it's not broken. Each VM release is tested on both VirtualBox and VMware before being released, and every release is tested by myself first, and then by other people. If you can't find the IP address, or can't see the VM, please check that you are using the same VirtualBox/VMware network configuration on your attacking VM, as well as the vulnerable VM. All my VMs are created using bridged mode and they all use DHCP. So, if there is a problem, it's likely to be with the network configuration.
No. WordPress stores a lot of its site configuration in its database. This presents a problem for people that create vulnerable VMs with WordPress, but there is a workaround that just involves adding an entry to the /etc/hosts file on your attacking machine. If you hover your mouse above the site name, it'll read something like http://dc-2. So, the fix is to add the IP address of the vulnerable VM and dc-2 to your /etc/hosts file, and then refresh the web page.
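Because the VMs use DHCP, the address behind a name like dc-2 can change between boots, so the hosts entry has to be replaced rather than appended again. The following is an added example, not part of the original FAQ: the helper name set_host_entry and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): pin a lab hostname to the
# VM's current IP in a hosts-format file without leaving stale entries.
# Usage: set_host_entry FILE IP NAME   (hypothetical helper name)
set_host_entry() {
    hosts_file=$1; ip=$2; name=$3
    # Accept only a dotted-quad IPv4 address and a plain hostname, so a
    # typo or stray whitespace cannot add extra lines to the file.
    case $ip in ''|*[!0-9.]*) return 2 ;; esac
    case $name in ''|[.-]*|*[!A-Za-z0-9.-]*) return 2 ;; esac
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    tmp=$(mktemp) || return 1
    awk -v n="$name" '
        /^[[:space:]]*#/ { print; next }          # keep comment lines untouched
        {
            hit = 0
            for (i = 2; i <= NF && $i !~ /^#/; i++) if ($i == n) hit = 1
            if (!hit) { print; next }             # unrelated entry: keep as-is
            out = $1; kept = 0                    # old mapping: strip NAME only
            for (i = 2; i <= NF && $i !~ /^#/; i++)
                if ($i != n) { out = out " " $i; kept++ }
            if (kept) print out                   # other names on the line survive
        }
    ' "$hosts_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Append the current mapping as the single entry for NAME.
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    # Overwrite in place (keeps the file owner and mode), then clean up.
    if cat "$tmp" > "$hosts_file"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```

Writing to the real /etc/hosts needs root, so the function has to run in a root shell on the attacking machine, with the VM's current IP address as the second argument.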
I have a YouTube channel that includes walkthroughs of some of my VMs, as well as VMs from other creators.