Now this is a box to test your ability to stay focused.  There are a few things going on that can distract you which could cause you to overlook the smaller, more important, details.  I can't say this with all of the boxes but I stayed on the right path from start to finish.  

According to the notes, there are two ways to get a low privilege shell and three ways to root.  I found two ways to a low privilege shell and suspect there's actually a third.  I know of two ways to get root and I'll have to read a walkthrough to see the third avenue.  

There's so much going on with this box for post exploitation and I want to play around a bit more but I have to move on.  

If I were just starting out and I fumbled around on this box, I would go back to this box again in three to six months when I'd forgotten as much as I could and give it another go.  

Read more: Vulnhub Stapler: 1 Walkthrough

Let me start off by saying that I broke from my plan of rooting the must-do boxes because I was up on Vulnhub and noticed new boxes.  I downloaded a few of them and there was one that I really wanted to do because it sounded interesting.  Technically, it's two boxes, one sitting off the second NIC of another.  I couldn't get the public facing box to grab an address and with limited time, I decided to go after a self-described "beginner" box.  Honestly, I wouldn't have written it up except that I learned a couple of things along the way -- things not to do and why.

Read more: Vulnhub Toppo: 1 Walkthrough

The second of two, SickOs: 1.2 promises to be, and is, different than it's predecessor.  If anything, I learned that I'm becoming frustrated with my setup.  If you've noticed, a lot of the time, I'm pushing my shells across port 53.  That's partly by design and partly out of necessity.  First, if you think about it, port 53 is DNS and there should be a lot of DNS traffic floating around on your network.  While a reverse shell doesn't LOOK like a DNS query upon close inspection, perhaps it goes unnoticed among the noise.  Second, I like to use port 443 for basically the same reason, it gets lost in the noise.  But I had to enable SSL on my C2 server because there were exploits I needed to pass across HTTPS.  Enabling and disabling Apache was becoming annoying which is why I switched over to 53 and you'll see why that's a problem in a moment.

Read more: Vulnhub SickOs: 1.2 Walkthrough

Referring to my list of must-do boxes, Brainpan is described as "intermediate" in terms of level of difficulty and I would say that's a fair assessment.  Not because it's significantly harder than the previous boxes, it is not.  It's actually fairly straightforward and easy to root.  However, it requires a couple of skills that you might not possess if you're on the new-ish side of hacking vulnerable boxes.  The two skills required are basic scripting in some language and buffer overflow.

I love buffer overflow.  With other methods of exploitation, there's always this feeling of ambiguity but with buffer overflow, I have a defined path, I follow the path, and it leads to what I want.  

I don't want to talk too much because if ever there was a spoiler, this would be it.

Read more: Vulnhub Brainpan: 1 Walkthrough

While I sort through some issues with my hypervisor and some older boxes which won't run on it, I'm working on the newer releases on vulnhub.  I spotted billu: box 2 and I think I recall doing the first box by this author sometime ago.  I don't remember the original nor do I have any notes so I can't give you any information as to whether it's similar, harder, or if there's any relationship at all.  

I spent some time trying to work out a manual way of getting my low priv shell but eventually went with Metasploit.  But I'm getting ahead of myself --

Read more: Vulnhub billu: b0x 2 Walkthrough

Continuing on with the list of must-do boot2root boxes, next up on the list is Pegasus. 

I'm curious as to how this box ended up on the list following the others because the jump in difficulty increased significantly.  Don't get me wrong, I liked it.  

There are times when I learn a new command, tool, or whatever, and I add that to my enumeration process.  This box was one of those times.  But I don't want to get ahead of myself.

Read more: Vulnhub Pegasus: 1 Walkthrough