Haboob Team made this virtual machine regarding the published paper "XML External Entity Injection - Explanation and Exploitation" https://www.exploit-db.com/docs/45374 to exploit the vulnerability in a private network. We hope that you enjoy the challenge!

The challenge is right here: http://IP-ADDRESS/xxe


Web Application Exploitation Environment

WebSploit2018 is a collection of vulnerable web applications packed in a virtual environment.

This VM is intended for those who want to:

  • Hack Web Applications in a controlled environment
  • Learn about Web Application security
  • Test automatic vulnerability scanners
  • Test and analyze source code

Unpack the VM and run it in your virtualization software. It gets an IP address via DHCP. System Login: user:websploit2018 password:websploit2018

Before attacking this VM remotely, you should edit your Penetration Testing machine's hosts file (IP-websploit2018). Point your browser to http://websploit2018/

Happy WebApp hacking ;)

Node: 1

Rob 7 Aug 2018

Description: Node is a medium-level boot2root challenge, originally created for HackTheBox. There are two flags to find (user and root flags) and multiple different technologies to play with. The OVA has been tested on both VMware and VirtualBox.

A new Vibranium market will soon be online in the dark net. Your goal, get your hands on the root file containing the exact location of the mine.

Intermediate level

Flags: There are three flags (flag1.txt, flag2.txt, root.txt)

  • DHCP: Enabled
  • IP Address: Automatically assigned

Hint: Follow your intuitions ... and enumerate!

For any questions, feel free to contact me on Twitter: xMagass

Happy Hacking!

The 2018 BSidesTLV CTF competition brought together over 310 teams burning the midnight oil to crack our challenges in a bout that lasted for two weeks! But you can now enjoy the same pain and suffering, using this easy-to-use, condensed VM that now hosts all our challenges in an easy-to-digest format. This VM now includes all challenges from the CTF:

  • IAmBrute
  • Shared Directory
  • Redirect me
  • Crypto2
  • c1337Shell
  • IH8emacs
  • Into the rabbit hole
  • PimpMyRide
  • Wtflol
  • Can you bypass the SOP?
  • T.A.R.D.I.S.
  • I'm Pickle Rick!
  • Creative Agency
  • hideinpILainsight
  • DockingStation
  • NoSocket
  • PySandbox-Insane
  • ContactUs
  • GamingStore

In order to access the challenges you need to:

  • run ifconfig eth0 (in the VM)
  • set challenges.bsidestlv.com in hosts file with the VM IP address


  • CTFD User access (Use if you want to play):
    • user:user
  • CTFD Admin access (Use if you want to modify):
    • bsidestlv:bsidestlv
  • Boot2Docker SSH:
    • docker:tcuser

CTFd URL: http://challenges.bsidestlv.com

Would you like to keep hacking in your own lab?

Try this brand new vulnerable machine! "Lampião 1".

Get root!

Level: Easy

Difficulty: Intermediate/Hard

Rotating Fortress has been several months in the making and has a unique feature that sets it apart from other VMs ;)

Zeus, the admin of the server, is retiring from Project: Rotating Fortress, but he doesn't want the project to die with his retirement. To find the successor to the project he has created a challenge. Will you be able to get in, rotate the fortress, escape isolation and reach root?

Your Goal is to get root and read /flag.txt

Note: This isn't a short VM and may take several hours to complete.

Frank has a small website and he is a smart developer with a normal security background. He always loves to follow patterns. Your goal is to discover any critical vulnerabilities and gain access to the system, then you need to gain root access in order to capture the root flag.

This machine was made for Jordan’s Top hacker 2018 CTF. We tried to make it simulate real-world attacks in order to improve your penetration testing skills.

The machine was tested on VMware (Player / Workstation) and works without any problems, so we recommend using VMware to run it. It also works fine using VirtualBox.

Difficulty: Intermediate, you need to think out of the box and collect all the puzzle pieces in order to get the job done.

The machine already has DHCP enabled, so you will not have any problems with networking.

Happy Hacking!

Three years have passed since Bulldog Industries suffered several data breaches. In that time they have recovered and re-branded as Bulldog.social, an up and coming social media company. Can you take on this new challenge and get root on their production web server?

This is a Standard Boot-to-Root. Your only goal is to get into the root directory and see the congratulatory message, how you do it is up to you!

Difficulty: Intermediate, there are some things you may have never seen before. Think everything through very carefully :)

Made by Nick Frichette (https://frichetten.com) Twitter: @frichette_n

I'd highly recommend running this on VirtualBox. Additionally DHCP is enabled so you shouldn't have any troubles getting it onto your network. It defaults to bridged mode but feel free to change that if you like.