Contents:

• hackxor
• play the online demo
• download&install the full game
• the scene
• changelog
• hints&tips
• client attack simulation
• credits

About hacxkor

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc

Features:

• Client attack simulation using HtmlUnit; no alert('xss') here.
• Smooth difficulty gradient from moderately easy to fiendishly tricky.
• Realistic vulnerabilities modelled from Google, Mozilla, etc (No rot13!)
• Open ended play; progress by any means possible.

Play the online demo

The first two levels can be played online here. Since this is kindly being hosted by SourceForge, there are a couple of common sense rules:

• No automated scanners or bruteforce tools (nmap, BURP scanner, skipfish, etc)
• Only exploit http://hackxor.sourceforge.net/* (Other sites on the same IP are not fair game)

Start at wraithmail and login with algo:smurf
If you just want an SQLi challenge, see if you extract usernames&passwords from the second level

Download&install instructions

• Download the full version of hackxor (700mb)
• Install VMWare Player. If you'd rather use VirtualBox, see Michael Coate's helpful instructions
• Extract hackxor1.7z, run the image using VMware player.
• Work out what the IP of hackxor is ((try 172.16.93.129)|| logging into the VM with username:root pass:hackxor and typing ifconfig)
• Configure your hosts file (/etc/hosts on linux) to redirect the following domains to the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, hub71, utrack.
• Browse to http://wraithmail:8080 and login with username:algo password:smurf

If you can't edit the hosts file for some reason, you could use the 'Override hostname resolution' option in Burp proxy
Troubleshooting the installation:

• If http://wraithmail:8080 loads everything is probably working.
• First: Try 'nmap wraithmail' in a shell to see if port 8080 is open. If it is open, contact me! Otherwise:
• Second: Try nmap <theipofhackxor>. If that succeeds, fix your hosts file. Otherwise:
• Third: If you really can't get any network contact with the VM, check the VM settings in the VM manager
• (this does not involve logging into the virtual machine). Make sure it is set to NAT. If that doesn't fix it:
• Fourth: Try changing the VM network setting to 'Bridged'. This will mean other people on the LAN can access it.
• Fifth: If all else fails, contact me on twitter or give up and use the OWASP Broken Web Apps VM

The scene

You play a professional blackhat hacker hired to track down another hacker by any means possible. Start by checking your email on wraithmail, and see how far down the rabbit hole you can get. The key websites in this game are http://wraithmail:8080 http://cloaknet:8080 http://gghb:8080 and http://hub71:8080 so if you don't feel like tracking down your target you may hack them in any order. Each website will be properly introduced through the plot.

Changes in 1.2 (2016 edition!)

• Fixed two unintentional vulnerabilities spotted by jgor
• Fixed a bug where changing your phone number on hub71 made the second half of the level impossible

Changes since 1.0

• Fixed a potential-lose bug in hub71

Changes since the beta

• Made cloaknet (second level) harder/better/more realistic
• Added stealth ranking system
• Fixed 2 unintentional XSS vulns in rentnet(hub71)
• Enhanced rentnet(hub71) session security (You'll see)
• Added online demo (first 2 levels)
• Improved names/other fluff
• Added clear ending
• Made VM IP static-ish for easier installation
• Made VM only accessible from the host machine by default
• Linked sites together better
• Added anti-bruteforce protection
• Removed numerous bits of test code
• Removed a few obscenities
• Fixed some inaccuracies&minor bugs

Hints&tips

Try some other vulnerable webapps

Read some cryptic spoiler-free hints (Last updated 11th May)

Client Attack Simulation with HtmlUnit

This means you can exploit CSRF and XSS on hapless in-game users by sending them malicious messages. Since messages can contain javascript there is no need to social them into pressing a link. This is easily the best technical innovation of hackxor and it was pretty easy to code, so I've posted some details about how to implement it yourself at skeletonscribe

Credits

By albinowax
Thanks to:
jgor sla.ckers
null
everything2
sourceforge
everyone who codes vulnerable software