This exercise explains how you can, from a blind SQL injection, gain access to the administration console. Then in the administration console, how you can run commands on the system.

What you will learn?

Blind SQL injection exploitation using time-based exploitation Gaining code execution using a PHP webshell




This exercise is a set of the most common web vulnerabilities:

What you will learn?

  • SQL injections
  • Authentication issues
  • Captcha issues
  • Authorization issues
  • Mass Assignment attacks
  • Randomness Issues
  • MongoDB injections




This exercise explains how you can tamper with an encrypted cookies to access another user's account.

What you will learn?

  • Weakness in ECB encryption
  • Cookie tampering




This exercise explains how you can use a Cross-Site Scripting vulnerability to get access to an administrator's cookies. Then how you can use his/her session to gain access to the administration to find a SQL injection and gain code execution using it.

What you will learn?

  • Cross-Site Scripting exploitation
  • MySQL injection with FILE privilege

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo


Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.2, which is patched with the appropriate updates and VM additions for easy use.


The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.


Download Web Security Dojo from http://sourceforge.net/projects/websecuritydojo/files/ .


To install Dojo you first install and run VirtualBox 3.2 or later, then “Import Appliance” using the Dojo’s OVF file. We have PDF or YouTube for instructions for Virtualbox. As of version 1.0 a VMware version is also provided, as well as video install instructions


Sponsored by Maven Security Consulting Inc (performing web app security testing & training since 1996). Also, could be you! Web Security Dojo is an open source and fully transparent project, with public build scripts and bug trackers on Sourceforge .


Look for Dojo videos on our YouTube channel at http://www.youtube.com/user/MavenSecurity Hack your way to fame and glory 1 with our security challenges posted at Reddit (http://www.reddit.com/r/WebSecChallenges/). [1. Fame and glory not included; void where prohibited by law]

The Main Sequence images were used as the Ruxcon 2012 CTF challenge. They covered a variety of situations such as:

  • Penetration tool usage - such as Metasploit and SQLmap
  • Binary analysis and reverse engineering
  • Basic cryptographic analysis
  • Packet capture analysis
  • Client side Windows exploitation
  • Linux exploitation and privilege escalation
  • Network protocol implementation / experimentation
  • Web site hacking
  • Password cracking

For more information, see here: http://exploit-exercises.com/mainsequence/setup

Vulnerable VM with some focus on NoSQL

This vulnerable VM is meant to act as a practice virtual machine for security researchers to start looking at identifying and exploiting vulnerabilities in NoSQL, PHP and the underlying OS (Debian).

Note from VulnHub

100% works with VMware player6, workstation 10 & fusion 6.

May have issues with ViritualBox If this is the case, try this 'fix': http://download.vulnhub.com/kioptrix/kiop2014_fix.zip - Step by Step screenshots for Virtualbox 4.3 & VMware Workstation 9)

About the VM

As usual, this vulnerable machine is targeted at the beginner. It's not meant for the seasoned pentester or security geek that's been at this sort of stuff for 10 years. Everyone needs a place to start and all I want to do is help in that regard.

Also, before powering on the VM I suggest you remove the network card and re-add it. For some oddball reason it doesn't get its IP (well I do kinda know why but don't want to give any details away). So just add the VM to your virtualization software, remove and then add a network card. Set it to bridge mode and you should be good to go.

This was created using ESX 5.0 and tested on Fusion, but shouldn't be much of a problem on other platforms.

Kioptrix VM 2014 download 825Megs

MD5 (kiop2014.tar.bz2) = 1f802308f7f9f52a7a0d973fbda22c0a

SHA1 (kiop2014.tar.bz2) = 116eb311b91b28731855575a9157043666230432

Waist line 32"

p.s.: Don't forget to read my disclaimer...

Infernal: Hades v1.0.1.

Hades is a new boot2root challenge pitched at the advanced hobbyist. Solving this challenge will require skills in reverse engineering, sploit development and sound computer architecture understanding. If you've never heard of an opaque predicate, you're going to have a hard time of it!

I strongly suggest you don't start this the week before exams, important meetings, deadlines of any sort, marriages, etc.

The aim of this challenge is for you to incrementally increase your access to the box until you can escalate to root. The /root/flag.txt contains, amongst other things, a public PGP key which you can use to demonstrate victory - the private key has been given to the VulnHub.com admins.

Enjoy, Lok_Sigma


  1. I have verified this challenge is completable using 'Kali 3.7-trunk-686-pae' (Kali Linux 1.0.5 x86) as my attack platform with VMware Fusion 5.
  2. It's meant to be hard.
  3. EDB is your friend.
  4. Hades will get an IP address by DHCP.


By using this virtual machine, you agree that in no event will I be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of or in connection with the use of this software. If something bad happens, it's not my fault. Use at your own risk!

Welcome to VulnOS !

This is my first vulnerable target I made because I want to give back something to the community. Big up for the community that made things possible!!!

Your goal is to get root and find all the vulnerabilities inside the OS ! It is a ubuntu server 10.04 LTS (that's been made very buggy!!!!) DO NOT USE This Box in a production environment!!!!!!! It's a VM thas has been made with Virtualbox 4.3.8 - so it's in the .vdi format.

Networking :

This box has been made with bridged networking and uses DHCP to get an IP address (was when I built it). So it is best to share the attack OS and the TARGET BOX to IP-Range OF

Maybe you could set it up with m0n0wall and setup static IP-addresses.

If you cannot find the target's IP ADRERSS, contact me @ blakrat1 AT gmail DOT com I will give you the root user and password to login....

Hope you find this useful !!!