I've just released a public beta of hackxor at http://sourceforge.net/projects/hackxor
Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat/DVWA but with a plot and a focus on realism and difficulty. It contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, and many other vulnerabilities. Hackxor uses HTMLUnit to simulate victims loading the emails you've sent them, so you need carefully crafted XSS payloads; not an alert('xss') in sight. The second half of the game is much, much more difficult than WebGoat/DVWA, and should make even the pros pause to think.
This is a beta. Unless you want to try it out and give some feedback, you might as well wait for the final release. It is complete in terms of the exploits and how they fit together, but the websites need polish. The final release will be in
Feedback feedback feedback
I'd like to know if you think any of the sites are too hard/easy, or illogical.
Please tell me if you find a way of gaining a shell on the server without using the final website (utrack). Any such vulnerability is unintentional and needs to be fixed. People who report such vulnerabilities will appear in the credits (heh).
Install VMware Player.
Open the hackxor image using VMware Player.
Work out what the IP of the hackxor VM is (try logging in with username:root password:hackxor1 and typing ifconfig).
Configure your hosts file (/etc/hosts on Linux) to point the following domains at the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, rentnet, utrack.
Browse to wraithmail:8080 and log in with username:algo password:smurf.
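As an added example that is not part of the original post or the hackxor project: a small POSIX shell helper for the hosts-file step above. It validates the IP you read off the VM, writes one line per hackxor hostname, and replaces any earlier lines for those hostnames, so it can be re-run when the VM comes up with a different address. The hosts file path is a parameter (defaulting to /etc/hosts, which needs root to write), and the address in the usage line at the bottom is a placeholder, not the VM's real IP.

```shell
#!/bin/sh
# Added example, not the original post's code: merge hackxor hostnames into a
# hosts file. Hostnames are the six the setup step lists.
HACKXOR_HOSTS="wraithmail wraithbox cloaknet GGHB rentnet utrack"

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0..255, else 1.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Print the hosts-file lines for a hackxor VM at IP $1, one hostname per line.
hackxor_hosts_lines() {
    for h in $HACKXOR_HOSTS; do
        printf '%s\t%s\n' "$1" "$h"
    done
}

# Merge the lines for IP $1 into hosts file $2 (default /etc/hosts).
# Any existing line whose hostname field is one of ours is dropped first, so
# re-running with a new IP replaces rather than duplicates. Prints the number
# of hackxor lines written; returns 1 on a malformed IP.
hackxor_hosts_merge() {
    ip=$1; file=${2:-/etc/hosts}
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        awk -v hosts="$HACKXOR_HOSTS" '
            BEGIN { n = split(hosts, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
            !($2 in drop) { print }' "$file" > "$tmp"
    fi
    hackxor_hosts_lines "$ip" >> "$tmp"
    # Copy through cat so the target keeps its owner and permissions.
    cat "$tmp" > "$file" && rm -f "$tmp"
    hackxor_hosts_lines "$ip" | wc -l | tr -d ' '
}

# Usage (placeholder IP; substitute what ifconfig on the VM reports):
#   sudo sh hackxor-hosts.sh 192.0.2.10
[ -n "${1:-}" ] && hackxor_hosts_merge "$1" "${2:-/etc/hosts}"
```

Running it twice with different addresses leaves exactly one line per hackxor hostname, and lines for other hosts (localhost and so on) are kept untouched.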
You are free to use any webapp hacking technique, except brute-forcing passwords. This is simply because I haven't written the anti-password-guessing code yet. The final version will have no rules.
I'll post updates on Twitter.
I have started the download, this should be fun.
It is high time I learned something new.
Any hint to get started?
I'm not an expert and I'm stuck right at the beginning :-)
Thanks for this hacking game, I have a lot of exercise to do.
The attack log you're provided with has several useful pieces of information in it. Try looking up information on HTTP request headers, particularly the Referrer header.
A hint document or walkthrough would be nice. I realized that this game is too hard for me, but I still want to learn something.
Thank you albino
I will release a hint document with the final version of hackxor (in a month or two). No walkthroughs :)
If you haven't already tried it, I recommend the OWASP Broken Web Apps collection.
It's similar to hackxor but much easier to learn from.
Thank you, I will give it a try while waiting for your hint document ;-)
Hackxor. HACKXOR? Will the sequel be called Chainxor?
I was thinking dinoxor