The vulnerable virtual machine (VM) was designed and implemented as part of the Ethical Hacking exam at Sapienza University. The purpose of this project is to provide a realistic and challenging environment for penetration testing practice. The VM is based on Ubuntu Server 20.04 LTS 64-bit and exposes several services, some of which contain hidden vulnerabilities that can be exploited to gain local access. Additionally, the VM offers multiple ways for a local user to escalate privileges and obtain root access.
The VM provides three distinct paths (easy, medium, hard), offering challenges for different skill levels. On each path, the attacker must first gain local access and then escalate privileges to root.
The vulnerabilities introduced in this VM are designed to be realistic and could be found in real-world systems. This approach ensures that the skills gained from practicing with this VM are applicable in real penetration testing scenarios.
The VM is available for download from Google Drive. Click the link below to download the VM:
For a detailed design and exploitation guide, refer to the VM Design Report:
Setup:
Import the VM into VirtualBox.
Ensure the network settings allow for connectivity to the exposed services.
Penetration Testing:
Begin by enumerating the services running on the VM.
Identify and exploit vulnerabilities to gain local access.
Once local access is obtained, escalate privileges to root using the various provided paths.
Learning Outcomes:
Understand the importance of securing exposed services.
Practice identifying and exploiting common vulnerabilities.
Gain experience in privilege escalation techniques.
The objective of this phase was to identify and exploit vulnerabilities within an assigned vulnerable virtual machine (VM), gaining a deeper understanding of real-world attack scenarios and methodologies.
Using penetration testing techniques, we successfully uncovered multiple vulnerabilities and gained access to the system. Key achievements included:
Discovering and exploiting known vulnerabilities (CVEs) and misconfigurations.
Gaining initial access through command injection and brute-force techniques.
Performing a custom buffer overflow exploit to compromise a vulnerable binary.
Achieving root-level access through privilege escalation techniques.
Implementing persistence mechanisms to maintain long-term control over the system.
Ensuring operational stealth by meticulously cleaning traces of activity.
For technical details and command outputs, refer to the Penetration Testing Report:
For a high-level overview, along with access to the reports and the vulnerable VM, visit my LinkedIn post.
All resources in this repository are for educational purposes only. Use the provided tools and machines responsibly and only in environments where you have explicit permission to test. Unauthorized hacking or penetration testing is illegal and unethical.
Happy Hacking!