- Client attack simulation using HtmlUnit; no alert('xss') here.
- Smooth difficulty gradient from moderately easy to fiendishly tricky.
- Realistic vulnerabilities modelled on Google, Mozilla, etc. (no rot13!)
- Open-ended play; progress by any means possible.
- No automated scanners or brute-force tools (nmap, Burp scanner, skipfish, etc.)
- Only exploit http://hackxor.sourceforge.net/* (other sites on the same IP are not fair game)
If you just want an SQLi challenge, see if you can extract usernames and passwords from the second level.
- Download the full version of hackxor (700 MB)
- Install VMware Player. If you'd rather use VirtualBox, see Michael Coates' helpful instructions
- Extract hackxor1.7z and run the image using VMware Player.
- Work out the IP of hackxor (try 172.16.93.129, or log into the VM with username:root pass:hackxor and run ifconfig)
- Configure your hosts file (/etc/hosts on Linux) to redirect the following domains to the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, hub71, utrack.
- Browse to http://wraithmail:8080 and log in with username:algo password:smurf
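An added helper for the hosts-file step above (example code, not part of hackxor): it adds the six hackxor names to a hosts file without duplicating them or clobbering other entries, verifies the result, and offers a port check. The IP 172.16.93.129 and port 8080 are the page's defaults; using `nc` for the port check is an assumption.

```shell
#!/bin/sh
# Hosts-file helper for the hackxor VM (added example, not the project's own code).

HACKXOR_HOSTS="wraithmail wraithbox cloaknet GGHB hub71 utrack"

# Print hosts-file lines mapping every hackxor name to the given IP.
hackxor_hosts_lines() {
    ip="$1"
    for h in $HACKXOR_HOSTS; do
        printf '%s %s\n' "$ip" "$h"
    done
}

# Rewrite a hosts file in place: drop stale hackxor lines, append fresh ones.
# Idempotent, so re-running after the VM IP changes does not pile up entries.
# Usage: hackxor_update_hosts 172.16.93.129 /etc/hosts   (root needed for /etc/hosts)
hackxor_update_hosts() {
    ip="$1"; file="$2"; tmp="$file.hackxor.tmp"
    grep -v -E '[[:space:]](wraithmail|wraithbox|cloaknet|GGHB|hub71|utrack)$' "$file" > "$tmp" || true
    hackxor_hosts_lines "$ip" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the file's owner/permissions
}

# Return 0 if every hackxor name maps to the expected IP in the hosts file.
hackxor_hosts_ok() {
    ip="$1"; file="$2"
    for h in $HACKXOR_HOSTS; do
        grep -q -E "^$ip[[:space:]]+$h\$" "$file" || return 1
    done
    return 0
}

# Troubleshooting aid: is the web app port reachable? (assumes nc is installed)
hackxor_port_open() { nc -z -w 3 "$1" "${2:-8080}"; }
```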
Troubleshooting the installation:
- If http://wraithmail:8080 loads everything is probably working.
- First: Try 'nmap wraithmail' in a shell to see if port 8080 is open. If it is open, contact me! Otherwise:
- Second: Try nmap <theipofhackxor>. If that succeeds, fix your hosts file. Otherwise:
- Third: If you really can't get any network contact with the VM, check the VM settings in the VM manager (this does not involve logging into the virtual machine). Make sure it is set to NAT. If that doesn't fix it:
- Fourth: Try changing the VM network setting to 'Bridged'. This will mean other people on the LAN can access it.
- Fifth: If all else fails, contact me on Twitter, or give up and use the OWASP Broken Web Apps VM
- Fixed two unintentional vulnerabilities spotted by jgor
- Fixed a bug where changing your phone number on hub71 made the second half of the level impossible
- Fixed a potential-lose bug in hub71
- Made cloaknet (second level) harder/better/more realistic
- Added stealth ranking system
- Fixed 2 unintentional XSS vulnerabilities in rentnet (hub71)
- Enhanced rentnet (hub71) session security (you'll see)
- Added online demo (first 2 levels)
- Improved names/other fluff
- Added clear ending
- Made VM IP static-ish for easier installation
- Made VM only accessible from the host machine by default
- Linked sites together better
- Added anti-bruteforce protection
- Removed numerous bits of test code
- Removed a few obscenities
- Fixed some inaccuracies and minor bugs
Try some other vulnerable webapps
Read some cryptic spoiler-free hints (Last updated 11th May)
everyone who codes vulnerable software