About hackxor

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat, but with a plot and a focus on realism & difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc.


  • Client attack simulation using HtmlUnit; no alert('xss') here.
  • Smooth difficulty gradient from moderately easy to fiendishly tricky.
  • Realistic vulnerabilities modelled from Google, Mozilla, etc (No rot13!)
  • Open ended play; progress by any means possible.

Download & install instructions

  • Download the full version of hackxor (700 MB)
  • Install VMware Player (this involves creating a free account with VMware)
  • Extract hackxor1.7z and run the image using VMware Player.
  • Work out what the IP of hackxor is (try logging into the VM with username: root, password: hackxor and typing ifconfig).
  • Configure your hosts file (/etc/hosts on Linux) to redirect the following domains to the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, hub71, utrack.
  • Browse to http://wraithmail:8080 and log in with username: algo, password: smurf.

If you can't edit the hosts file for some reason, you can use the 'Override hostname resolution' option in Burp Proxy instead.

Troubleshooting the installation:

  • If http://wraithmail:8080 loads, everything is probably working.
  • First: try 'nmap wraithmail' in a shell to see if port 8080 is open. If it is open, contact me! Otherwise:
  • Second: try nmap . If that succeeds, fix your hosts file. Otherwise:
  • Third: if you really can't get any network contact with the VM, check the VM settings in the VM manager (this does not involve logging into the virtual machine). Make sure it is set to NAT. If that doesn't fix it:
  • Fourth: try changing the VM network setting to 'Bridged'. This means other people on the LAN will be able to access it.
  • Fifth: if all else fails, contact me on Twitter.

The scene

You play a professional blackhat hacker hired to track down another hacker by any means possible. Start by checking your email on wraithmail, and see how far down the rabbit hole you can get. The key websites in this game are http://wraithmail:8080, http://cloaknet:8080, http://gghb:8080 and http://hub71:8080, so if you don't feel like tracking down your target you may hack them in any order. Each website will be properly introduced through the plot.

Changes since 1.0

  • Fixed a potential-lose bug in hub71

Changes since the beta

  • Made cloaknet (second level) harder/better/more realistic
  • Added stealth ranking system
  • Fixed 2 unintentional XSS vulns in rentnet (hub71)
  • Enhanced rentnet (hub71) session security (you'll see)
  • Added online demo (first 2 levels)
  • Improved names/other fluff
  • Added clear ending
  • Made VM IP static-ish for easier installation
  • Made VM only accessible from the host machine by default
  • Linked sites together better
  • Added anti-bruteforce protection
  • Removed numerous bits of test code
  • Removed a few obscenities
  • Fixed some inaccuracies & minor bugs

Source: http://hackxor.sourceforge.net/cgi-bin/index.pl

This is the second realistic hackademic challenge (root this box) by mr.pr0n.

Download the target and get root.

Finally, try to read the contents of the file 'key.txt' in the root directory.


Source: https://ghostinthelab.wordpress.com/2011/09/06/hackademic-rtb2-%E2%80%93-root-this-box/

This is the first realistic hackademic challenge (root this box) by mr.pr0n.

Download the target and get root.

Finally, try to read the contents of the file 'key.txt' in the root directory.


Source: http://ghostinthelab.wordpress.com/2011/09/06/hackademic-rtb1-root-this-box/

Name: Game Over
Category: Web Pentest Learning Platform
File Type: VM image/iso

Author: Jovin Lobo
Mentor: Murtuja Bharmal

Download URL: http://sourceforge.net/projects/null-gameover/files

Default Credentials: username: root / password: gameover


Project GameOver was started with the objective of training and educating newbies about the basics of web security, the common web attacks, and how those attacks work. It is a collection of various vulnerable web applications designed for the purpose of learning web penetration testing.

GameOver has been broken down into two sections. Section 1 consists of special web applications designed specifically to teach the basics of web security. This section covers:

  • XSS
  • CSRF
  • RFI & LFI
  • BruteForce Authentication
  • Directory/Path traversal
  • Command execution
  • SQL injection

Section 2 is a collection of deliberately insecure web applications. This section provides a legal platform to test your skills, try to exploit the vulnerabilities, and sharpen your skills before you pentest live sites. We would advise newbies to try to exploit these web applications; they provide real-life environments and will boost their confidence.

Source: http://null.co.in/2012/06/14/gameover-web-pentest-learning-platform/


Fusion is the next step from the Protostar setup, and covers more advanced styles of exploitation as well as a variety of anti-exploitation mechanisms such as:

  • Address Space Layout Randomisation
  • Position Independent Executables
  • Non-executable Memory
  • Source Code Fortification (-D_FORTIFY_SOURCE=)
  • Stack Smashing Protection (ProPolice / SSP)

In addition to the above, there are a variety of other challenges and things to explore, such as:

  • Cryptographic issues
  • Timing attacks
  • A variety of network protocols (such as Protocol Buffers and Sun RPC)

At the end of Fusion, the participant will have a thorough understanding of exploit prevention strategies and their associated weaknesses, various cryptographic weaknesses, and numerous heap implementations.

Getting started

Have a look at the levels available on the side bar, and pick which ones interest you the most. If in doubt, begin at the start. You can log into the virtual machine with the username of "fusion" (without quotes), and password "godmode" (again, without quotes).

To get root for debugging purposes, do "sudo -s" with the password of "godmode".

Source: http://exploit-exercises.com/fusion


The network is configured to obtain an IP address via DHCP by default. If you want to further configure the virtual machine, you can log in as user root with password toor. The Apache web server is configured to run on port 8880.


The challenge includes an image hosting web service that has various design vulnerabilities. You must enumerate the web service's features and find an exploitable vulnerability in order to read hidden system files. The web application is 100% custom, so do not try to search Google for related PoC exploit code.

FINAL GOAL: Reveal the hidden message about a date arrangement that Bob sent to Alice.

Source: https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/



The scenario for this LiveCD is that you have been given an assignment to test a company's 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency of previous (or current) staff.


PenTest Lab Disk 2.100: This LiveCD is configured with an IP address of - no additional configuration is necessary.

Pentest Machine:

Your second system will use the BackTrack (v.2) LiveCD as provided by remote-exploit.org. A copy of the LiveCD can be downloaded from remote-exploit.org. This disk is configured to obtain an IP address through DHCP - thus no additional configuration is required. All tools necessary to exploit Disk 2.100 can be found on the BackTrack Disk. No additional installations will be necessary.

Router Configuration:

The PenTest Lab system and the PenTest machine must connect to a router that has been configured with the following values:

  • DHCP Server: active
  • Pool Starting Addr.:

LAN TCP/IP:

  • IP Address:
  • IP Subnet Mask:

Source: http://forums.hackingdojo.com/viewtopic.php?f=18&t=91

--Level 2

Where to get the current PenTest Lab Level 2 disks:

Disk 2.100 version 1.1: http://heorot.net/instruction/tutorials/iso/de-ice.net-2.100-1.1.iso

Where to find the hash values of the disks:


Where to get the BackTrack disk:

http://remote-exploit.org/backtrack_download.html

Warning: BackTrack v.3 beta is known NOT to work. Please use version 2.

Where to get the network configuration information:

Network configuration: 192.168.2.xxx = http://forums.heorot.net/viewtopic.php?f=18&t=91

Source: http://forums.hackingdojo.com/viewtopic.php?f=18&t=16

Where to get the current Hackerdemia PenTest Tool Tutorial disk: http://heorot.net/instruction/tutorials/iso/hackerdemia-1.1.0.iso

The MD5 Hash Values of Each Disk: 09e960360714df7879679dee72ce5733 ==> hackerdemia-1.1.0.iso

How to start the disk: Boot the LiveCD on a system within your pentest lab, which needs to be configured to be in the 192.168.xxx.xxx range. Connect to using a web browser (preferably in BackTrack or your favorite pentest platform).

You will be presented with a web page, which is your tutorials. All hands-on examples were created with the Hackerdemia disk as the target, so your results should exactly match those found in the tutorials.

Where to get the BackTrack disk: http://remote-exploit.org/backtrack_download.html

Network configuration: The LiveCD configures itself to an IP address of by default. If you want to change it, simply log in as: username: root password: toor

...and change the ifconfig information (If you don't know what I'm talking about, go to: http://en.wikipedia.org/wiki/Ifconfig)

Source: http://forums.hackingdojo.com/

De-ICE are penetration testing LiveCD images available from http://forum.heorot.net, and provide scenarios where students can test their penetration testing skills and tools in a legal environment.

Courtesy of student Cody M.

De-ICE are penetration testing LiveCD images available from http://forum.heorot.net, and provide scenarios where students can test their penetration testing skills and tools in a legal environment.

Courtesy of student Chadwick B.