Category Archives: (R) Realistic Challenge

13 More Hacking Sites to (Legally) Practice Your InfoSec Skills

“The unfortunate reality of the web today is that you’re going to get hacked,” writes Hack Yourself First’s creator, Troy Hunt (@TroyHunt). And it’s with that inevitability in mind that Troy set out to create a site dedicated to teaching what to look out for when it comes to security vulnerabilities and to helping minimize their impact on web apps.

The site is aimed towards developers but is suitable for anyone looking to gain some attack techniques – purely for positive purposes, of course. With 50 vulnerabilities to hunt for, you could get lost trying to exploit them all – but that’s all the fun.

The site goes along with Troy’s “Hack Yourself First: How to go on the Cyber-Offense” course offered on Pluralsight, offering detailed walk-throughs of exploiting various vulnerabilities, from XSS to cookies to cross-site attacks, but is also available to the general public.

Juice Shop

This intentionally insecure JavaScript web application was created by Björn Kimminich (@bkimminich) and is great for anyone coding or testing JavaScript who doesn’t yet know all the security issues to watch out for. With both local and containerized environments available, Juice Shop is perfect for a fun challenge to offer in your organization.

Juice Shop is available to play and download here; flip through Björn’s SlideShare on the app for an overview of what it is and how it was made.

This platform is innovative, as it not only hosts vulnerable apps but also allows others to contribute their own vulnerable apps. Powered by eLearnSecurity, Hack.me “aims to be the largest collection of ‘runnable’ vulnerable web applications, code samples and CMS’s online.”

Check out Hack.me here.

This OWASP open-source project offers ten realistic scenarios full of known vulnerabilities (especially, of course, the OWASP Top Ten) for those trying to practice their attack skills. Hackademic is great for educational purposes in classrooms and in the workplace, and developers are encouraged to contribute new scenarios and vulnerabilities.

Download Hackademic here.

Hack This Site is more than just a website; it’s a platform for education and a community for security enthusiasts. Hack This Site is a great stopping point for security professionals and developers alike, as it offers varying levels and topics to delve into as you practice hacking.

Whether you want to try a wargame based on mobile app vulnerabilities, JavaScript issues, or test your forensic skills, Hack This Site has you covered. In addition, the site streams news, and offers lectures, videos, and more – and accepts submissions, if you’re interested in writing something or submitting a lecture you’ve given.

Access Hack This Site here and read more about it here.

Described as “one of the oldest challenge sites still around,” Try2Hack is an oldie but a goodie. The game runs on levels, and there’s no skipping ahead to advanced levels, so more experienced hackers can get a nice ego boost or refresher course in the beginner levels. For newbies, there is an active IRC channel where you can ask for help from others or just chat, and a GitHub repo of walkthroughs if you don’t get help in the forum.

Try your hand at Try2Hack here.

A multiplayer hacking simulation game, SlaveHack allows players to play either defense or offense, with scenarios for both. The goal of the game is to manage your software and hardware and make the computers you hack or defend your ‘slaves’ – hence the name. SlaveHack doesn’t actually require hacking skills, but we included it because it can help security people see their systems as malicious hackers would see them, hopefully offering a glimpse into real-world ways to secure your systems and applications. The SlaveHack forum helps players connect with each other and is available when you get stuck.

Check out SlaveHack here.

Deemed ‘the Hacker’s Playground,’ HackThis!! offers various levels and areas of study when practicing your hacking skills. Similar to Hack This Site, HackThis!! is also a good place to go for security-related news, presentations and to connect with like-minded folk in their forum.

For newbies, sites like HackThis!! are especially helpful for quickly getting up to speed on hacking techniques, major vulnerabilities, and the scope of the security industry. But with over 50 levels (and new ones added on a regular basis), the site offers something for everyone. HackThis!! even holds CTF competitions every once in a while, so that’s something to keep your eye out for if virtual CTFs are your thing!

HackThis!! is available online and is also downloadable for local machines here.

This web app hacking game, created by @albinowax, has a focus on “realism and difficulty,” and offers a few levels as an online version and more advanced levels as a downloadable full version. Players even get to play the Blackhat hacker scenario, “hired to track down another hacker by any means possible.”

Check out the demo version with beginner levels and the downloadable advanced version here.

Peruggia is yet another legal project dedicated to helping teach developers and security professionals more about common attacks aimed at web apps. Created as an image gallery, the downloadable project contains lots of different types of vulnerabilities, all primed to teach developers, security newbies, and anyone else interested in learning how to find and mitigate security issues in their code.

Download Peruggia here.

Designed both for testing pentesting tools and for learning manual code review and how to spot exploitable vulnerabilities, this web app was created by Simon Bennetts (@psiinon). Full of OWASP Top 10 vulnerabilities like XSS, SQL injection, CSRF, Insecure Object References and more, the project also offers various hacking challenges for those who want to make a game of it.

Various challenges to complete in BodgeIt

Start finding security bugs in the BodgeIt Store here. In addition, the InfoSec Institute offers a few tutorials on how to set up and manually test the vulnerable web app for the hacking challenges.

Offered by Bonsai Security, Moth is “a VMware image with a set of vulnerable Web Applications and scripts.” The team designed it as a way to test AppSec tools, but it’s also a great way to practice your exploit skills and see which vulnerabilities you can pick apart.

Check out more about Moth here.

Last but certainly not least, the EnigmaGroup offers another challenge site with a community forum built around it. Built for anyone looking to improve their security savvy, EnigmaGroup offers a wide array of vulnerabilities, starting with the OWASP Top 10. “Are you more of a hands-on learner, than one that can learn from just reading out of a book,” the site asks. If so, EnigmaGroup is another top destination for those learning how to “know your enemy” – in order to defeat the enemy.

Get started with EnigmaGroup here – after reading the FAQ section here that will help you begin smoothly.

Want something fun to do at work that even your boss would allow? Set up a Game of Hacks Challenge, and order the Secure Developer Awareness kit that includes detailed instructions for how to start a Challenge, cool t-shirts for the winners, and a few other goodies tossed in for good measure. Best yet – it’s totally free! Check out the SecureDevKit site for more info.

Encryption Challenge

Description: The Encryption Challenge consists of 1 negative number, 1 neutral number, and all other numbers are positive.
Difficulty: unknown

05171606.05161220.16'12.1810161118.0510.132005.1605.241313.22101220.100405;.05171606.05161220.1612.1810161118.0510.0605241121.0409.241121.0617100405;.16.22072422142021.05171606!.

JavaScript Challenge – Find Password

$('#challengeForm').submit(function()
{
    // Alphabet used to encode the password: digits, then upper-case, then lower-case letters.
    var keys = new Array("0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z","a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z");
    // The password typed into the form (assumed: the same field that is sent to Solve.php below;
    // the original snippet used Pass without defining it).
    var Pass = $('#password').val();
    var P = "";
    // Encode each character of the password as its index in keys, space-separated.
    for (var i=0; i < Pass.length; i++)
        P += " "+keys.indexOf(Pass.charAt(i));

    // The check happens entirely in the browser, against a hard-coded index sequence.
    if(P == " 17 4 59 0 53 28")
    {
        jQuery.get("/content/Challenges/Solve.php?ID=39&Password="+$('#password').val(),function(data) {
            alert("Well Done!");
            document.location.reload(true);
        });
    }
    else
        jQuery('.loginerror').slideDown();

    return false;
});

Find The Password From Above Challenge & Submit Your Answer Below
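The lesson behind this challenge is that a secret compared in the browser is a secret handed to the visitor: the encoding above is a plain table lookup, so anyone reading the script can run it backwards. The following is an added example (not code from the challenge page) that rebuilds the same alphabet, reverses the index string the script compares against, and confirms the round trip; the function names are my own.

```javascript
// Same alphabet as the challenge script: "0"-"9", "A"-"Z", "a"-"z" (62 entries).
const KEYS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".split("");

// The hard-coded expected value from the challenge script.
const EXPECTED = " 17 4 59 0 53 28";

// Forward direction, built exactly the way the page's script builds P.
function encodePassword(pass) {
  let p = "";
  for (const ch of pass) {
    p += " " + KEYS.indexOf(ch); // -1 for any character outside the alphabet
  }
  return p;
}

// Reverse direction: parse the space-separated indices and map each one back to
// its character. Returns null if an index falls outside the table, "" for no input.
function recoverPassword(indexString) {
  const trimmed = indexString.trim();
  if (trimmed === "") return "";
  let pass = "";
  for (const token of trimmed.split(/\s+/)) {
    const idx = Number(token);
    if (!Number.isInteger(idx) || idx < 0 || idx >= KEYS.length) return null;
    pass += KEYS[idx];
  }
  return pass;
}

// Demonstration: recover the value and show that re-encoding it reproduces EXPECTED,
// i.e. the client-side check accepts it without any server round trip.
const recovered = recoverPassword(EXPECTED);
console.log("recovered from client-side check:", recovered);
console.log("round trip matches expected string:", encodePassword(recovered) === EXPECTED);
```

The defensive takeaway is that the comparison (and the expected value) must live on the server; the browser should only submit the candidate.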

String Manipulation Challenge – Difficulty (Medium)

This level is about string manipulation.
In this challenge, you will be given a string. Take all the numbers from the string and classify them as composite numbers or prime numbers. You should assume all numbers are one digit, and neither number 1 nor number 0 counts. Find the sum of every composite number, then find the sum of every prime number. Multiply these sums together. Then, take the first 25 non-numeric characters of the given string and increment their ASCII value by one (for example, # becomes $). Take these 25 characters and concatenate the product to them. This is your answer.
Your answer should look like this: oc{lujxdpb%jvqrt{luruudtx140224

6xcyna#r3jtl33gjgdq0oi#dz1ju$ww9i@#nyrz44jcj6dii7vh87f$6rjidebauux$9g467wwq28k9cv2oc@qtpvpi?94rgh4dlnncf2jj76jofmmv7xssqlnfysv9dndbnjlgfobaqldy#jhbep8gtf?bxcpdptbepjm05ouu83b0#vv5bt$@myh4w7vw0jd5g5jkmwvyl#u7e7ke7vyfdbxy5z@7qthl#nom9e?dcks#4y7auc10$jhyo41wrli9czmnknp154j0rgooxfigyvud2ro15#90vatic4wnyr2xhj1?2rv47#6rn3lubxcact$j#vvrhrrfjweg86ps3e#fk07wbfufbg3e8ewydjcocz7oc3$8bv4@j78#0rl7n4uf3cbyrc37o8hq3oe4btri0zivwum4ft0$nw3d#9hk9qiqgj7x#0vxiine15vsxqkh1kuk4w33fi0jymnc4z00rv0m1f$5@nl$noxj4w2?m579tln97d46w$gai29gfynldo16rv4g@vdjdunubuo$3j20e13m@5wc5584#t40pv4?a14$eg?1#?cttvnk#0yh?1ou7301?uby1b77fiyitu$inzgyix1a@#zp#y021nd?eu0k1wt$i#rtw
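As an added example (not from the challenge page), here are the rules above implemented in JavaScript and run on a small constructed string whose result can be worked out by hand, so each step (skipping 0 and 1, prime versus composite sums, the +1 shift of the first 25 non-numeric characters) can be checked before the real challenge string is fed in. The function and constant names are my own.

```javascript
// Single-digit classification per the challenge rules: 0 and 1 are neither prime nor
// composite and are ignored; every other digit is one or the other.
const PRIMES = new Set([2, 3, 5, 7]);
const COMPOSITES = new Set([4, 6, 8, 9]);

function solveStringChallenge(input) {
  let primeSum = 0;
  let compositeSum = 0;
  const shifted = []; // first 25 non-numeric characters, each ASCII value + 1

  for (const ch of input) {
    if (ch >= "0" && ch <= "9") {
      const d = Number(ch);
      if (PRIMES.has(d)) primeSum += d;
      else if (COMPOSITES.has(d)) compositeSum += d;
      // 0 and 1 fall through and are not counted
    } else if (shifted.length < 25) {
      // e.g. '#' (0x23) becomes '$' (0x24), 'y' becomes 'z'
      shifted.push(String.fromCharCode(ch.charCodeAt(0) + 1));
    }
  }

  const product = primeSum * compositeSum;
  return {
    primeSum,
    compositeSum,
    product,
    answer: shifted.join("") + String(product),
  };
}

// Constructed sample (not the challenge string): digits 2,3,4,5,9 plus an ignored 0 and 1,
// and 26 non-numeric characters so the 25-character cut-off is exercised.
// Expected: primes 2+3+5 = 10, composites 4+9 = 13, product 130,
// shifted prefix "$bcdefghijklmnopqrstuvwxy", answer "$bcdefghijklmnopqrstuvwxy130".
const SAMPLE = "#a2b3c4d5e9f0g1hijklmnopqrstuvwxy";
console.log(solveStringChallenge(SAMPLE).answer);
```

Passing the challenge string above to solveStringChallenge yields the answer to submit.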

Fix a corrupted file – Challenge 2 (Amateur)

This level is about a corrupted file.

Someone, using the Windows command-line ftp client, downloaded a bz2-compressed PNG file which contained an important password.
But he forgot to take something into consideration, and so the file got corrupted.
Get this file HERE, reconstruct it and send the password as your answer.

Submit Your Answers Below

The Stairs of Death

Three people are standing on some stairs. They are each wearing a hat. They are only allowed to face forwards, so they cannot see the color of their own hat, only the color of the hat of the one or two people in front of them (depending in which position they are). The hats they are wearing have been chosen from a pile of two red hats and two blue hats. All three men will be shot in one minute unless one of them shouts out (correctly!) the colour of their own hat. Who shouts out and how do they know the color of their hat? (Work out the answer for the most difficult situation!