Tuesday 1 February 2011

Hackxor hacking game beta

EDIT: the final version of hackxor is out at http://hackxor.sourceforge.net

I've just released a public beta of hackxor at http://sourceforge.net/projects/hackxor

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat/DVWA but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, and many other vulnerabilities. Hackxor uses HTMLUnit to simulate victims loading emails you've sent them, so you need carefully crafted XSS payloads; not an alert('xss') in sight. The second half of the game is much much more difficult than webgoat/DVWA, and should even make the pros pause to think.

This is a beta. Unless you want to try it out and give some feedback, you might as well wait for the final release. It is complete in terms of the exploits and how they fit together, but the websites need polish. The final release will be in MayApril, and will have a few extra features such as a 'stealth' ranking based on how many triggers you set off, bruteforce prevention, and social engineering attacks on the player. Hopefully it will also be easier to install :)

Feedback feedback feedback
I'd like to know if you think any of the sites are too hard/easy, or illogical.
Please tell me if you find a way of gaining a shell on the server without using the final website (utrack). Any such vulnerability is intentional and needs to be fixed. People who report such vulnerabilities will appear in the credits (heh).

Download hackxor
Install VMWare player.
Open the image in hackxor using VMware player.
Work out what the IP of hackxor is (try logging in with username:root pass:hackxor1 and typing ifconfig)
Configure your hosts file (/etc/hosts on linux) to redirect the following domains to the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, rentnet, utrack.
Browse to wraithmail:8080 and login with username:algo password:smurf

Game Rules
You are free to use any webapp hacking technique, except bruteforcing passwords. This is simply because I haven't written the anti-password guessing code yet. The final version will have no rules.

I'll post updates on twitter



  1. Nice !
    I have started the download, this should be fun.
    It is high time I learned something new.
    Thanks albino

  2. Any hint to get started?
    I'm not an expert and I'm stuck right at the beginning :-)

    Thanks for this hacking game, I have a lot of exercise to do.

  3. The attack log you're provided with has several useful pieces of information in it. Try looking up information on HTTP request headers, particularly the Referrer header.

  4. An hint document or walkthrough would be nice, I realized that this game is too hard for me but I still want to learn something.

    Thank you albino

  5. I will release a hint document with the final version of hackxor (in a month or two). No walkthroughs :)

    If you haven't already tried it I recommend the OWASP ; broken web apps collection

    It's similar to hackxor but much easier to learn from.

  6. Thank you, I will give it a try while waiting for your hint document ;-)

  7. Hackxor. HACKXOR? Will the sequel be called Chainxor?