About hacxkor

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc

For more information see the hackxor homepage. The first two levels can be played online there.

The scene

You play a professional blackhat hacker hired to track down another hacker by any means possible. Start by checking your email on wraithmail, and see how far down the rabbit hole you can get. The key websites in this game are http://wraithmail http://cloaknet http://gghb and http://hub71 so if you don't feel like tracking down your target you may hack them in any order. Each website will be properly introduced through the plot.

Setup instructions

  1. Note the IP of this host (it will be displayed on the console when the VM boots).
  2. Configure your hosts file (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows) to redirect the following domains to the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, hub71, utrack. For example, the line in the hosts file will look like: owaspbwa cloaknet gghb hub71 utrack wraithbox wraithmail

  3. Browse to http://wraithmail and login with username:algo password:smurf
If you can't edit the hosts file for some reason, you could use the 'Override hostname resolution' option in Burp proxy


Try some other vulnerable webapps

Read some cryptic spoiler-free hints (Last updated 11th May)


By albino (Contact via twitter or )
Thanks to:
everyone who codes vulnerable software