Klaw has stolen some armours from the Avengers Super-Secret Base. Falcon has checked the manifest, following things are unaccountable:

  1. HulkBuster Armour
  2. Spiderman Armour
  3. Ant-Man Armour
  4. Black Panther Armour
  5. Iron Man Armour

Klaw hide all these armours and now it's up to you. Can you use your penetration skills to recover them all?

-Captain Steve Rogers

P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.

Avengers are meant to be Earth’s Mightiest Heroes, but some heroes just aren’t mighty enough without their trusty weapon in hand.

The Goal is to gather all the 5 mightiest weapons:



Visit our website http://hackingarticles.in

Bob’s Missing Cat is a three part CTF where the goal is to find your lost cat.

Bob’s Missing Cat Pt. 1 is an introduction to the world of Linux.

(This CTF is different from most, intended to be played out more like a story.)

Types of Commands learned by the end of Pt. 1: cd, ls, ls -la, pwd, cat, mkdir, mv, nano, chmod, etc.

Please do Bob’s Missing Cat Pt. 1 alongside the BMCInstrictable document.

Download ~ https://download.vulnhub.com/bobsmissingcat/BMCInstructable.docx

DC: 8

DCAU 8 Sep 2019

DC-8 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

This challenge is a bit of a hybrid between being an actual challenge, and being a "proof of concept" as to whether two-factor authentication installed and configured on Linux can prevent the Linux server from being exploited.

The "proof of concept" portion of this challenge eventuated as a result of a question being asked about two-factor authentication and Linux on Twitter, and also due to a suggestion by @theart42.

The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read the one and only flag.

You probably wouldn't even know that two-factor authentication was installed and configured unless you attempt to login via SSH, but it's definitely there and doing it's job.

Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.

For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won't give you the answer, instead, I'll give you an idea about how to move forward.

Thanos thinks that if he kills half of all life in the universe, he’ll restore balance. To do so, he needs all six Infinity Stones to power his Infinity Gauntlet, which in turn will give him the ability to bend time, space, energy, and the laws of physics and reality. But the Avengers are one step ahead of Thanos this time. Avengers have hidden all the Infinity Stones all over this CTF. Help Thanos to get all the Infinity Stones and restore the balance of the universe.

This machine contains 6 Infinity Stones with Six different flags to test your skills.

  • Space Stone
  • Mind Stone
  • Reality Stone
  • Time Stone
  • Power Stone
  • Soul Stone

Each stone can be found in a different way.


Visit our website http://hackingarticles.in

This is ubuntu 18.04 server which autostarts webgoat on http://<ip address>:8000/WebGoat/

Credentials: - user: webgoat - pass: webgoat

This machine is used to practice on different types of web attacks. Enjoy!

Tempus Fugit is a Latin phrase that roughly translated as “time flies”.

This is an intermediate, real life box.

In Tempus Fugit 2, the idea is still, like in the first vm; to create something “out of the ordinary”.

The vm contains both user and root flags. If you don’t see them, you are not looking in the right place...

Need any hints? Feel free to contact me on Twitter: @4nqr34z


Tested both on Virtualbox and vmware

Health warning: Have driven people to the brink of insanity

Wordy is design for beginners to experience real life Penetration testing. This lab is completely dedicated to Web application testing and there are several vulnerabilities that should be exploited in multiple ways. Therefore, it is not only intended as a root challenge boot, the primary agenda is proactive in exploiting tops listed web application vulnerabilities.

As this is a wordpress based lab, it is designed so that users can practice following vulnerabilities: - LFI - RFI - CSRF - File Upload - SQL

There is a total of 3 flags. Completion is only registered on exploiting all vulnerabilities and flags.

Hint: “Everything is not what it seems to be.”

Visit our website http://hackingarticles.in

Alphonse is into genes and would like to research your DNA. Is his setup secure thought?


  • /root/flag.txt
  • /home/alphonse/flag.txt

Tested with VirtualBox

DHCP enabled

Difficulty: Intermediate


  • Author: strider
  • Testers: Kyubai
  • Difficulty: Intermediate

Mordor CTF is a CTF-Machine with a nice story.

This VM has a small touch of lord of the rings. And tells a story during part 2 of the movies.

In this VM are 9 flags to get.

This I my first VM i've created, I hope you enjoy it.

The goal is to reach the root and readout the file /root/flag.txt

If you found other ways, to reach the goal, let me know :)

What include this VM?

  • Information Gathering
  • Enumerarion
  • Cracking
  • Webexploitation
  • Reverse Engineering
  • Binary Exploitation
  • General Linux skills
  • and more...


  • Debian 10 Buster
  • IPv4 / DHCP Autoassign

For any hints contact me here [strider007 at protonmail dot com]

If you found Bugs or you have problems with the VM, you can contact me also here [strider007 at protonmail dot com]


This VM is completely licensed under Creative Commons v3. except the elements by LOTR.

I do not own the characters and the elements of LOTR. They was used for the fanfiction story during the CTF. I do not earn money with this machine and all the other elements of this machine.

If you use parts of this machine please ensure that you remove all LOTR elements.