New H.A.S.T.E Hacking Challenge

Hi, from the other side of the wire!

In this post, I want to highlight a new VM that I made to accentuate web application vulnerabilities. This vulnerable-by-design box depicts a hacking company known as H.A.S.T.E, or Hackers Attack Specific Targets Expeditiously, capable of bringing down any domains on their hit list.

I would like to classify this challenge with medium difficulty, requiring some trial and error before a successful takeover can be attained. You don’t have to root this machine to complete the challenge! All you have to do is get some sort of shell on it.

The H.A.S.T.E VM can be downloaded with the link below:

You will need VMware Player to virtualize the VMX.

If you enjoy web application flaws, you should have fun with this challenge. Let me know how it goes and feedback is always welcomed! Looking forward to solutions.

f1re_w1re, out.

EDIT: I’ve been very pleased with the amount of people attempting to solve this challenge. By far I’ve had 3 successful researchers. The first was MrMxyzptlk, then Dweezy, and finally Amonsec with the fantastic walkthrough. I will be developing other VMs that are a bit more complex to challenge the security community. Thank you all for playing!


36 thoughts on “New H.A.S.T.E Hacking Challenge”

  1. Is it in scope to get root on the machine? I just stick at www-data and try to privesc. Will post results, if I crack it.
    Thank you, I learned a lot so far.

  2. So I have shell on the VM, but can’t find how I am supposed to privesc?!
    There don’t seem to be any suid binaries.
    I’ve run privesc checker and linux enumeration scripts.
    Don’t seem to be any kernel exploits available.
    What am I missing?
    Could I get a push in the right direction please?

    • Congrats on getting a shell! Getting root should be very easy since you already did the hard part. Some system files will have the information you need to get root. It’s simpler than you think! There are no SUIDs to exploit or kernel exploits. That should be a really big indicator of what to do!

  3. Hello, I have a shell. I tried lateral escalation but unsuccessful. I tried exploit, suid and crontab. I need a hint. Can u help me?

  4. Is it actually possible to root this box?
    I’ve got shell [so technically completed the challenge], but your earlier comment seems to indicate it should be possible to privesc to root as well?

  5. There’s a bit of a contradiction here…at first you say:
    “Congrats on getting a shell! Getting root should be very easy since you already did the hard part. Some system files will have the information you need to get root.”

    But later, you indicate getting root is not part of the challenge. Either way, my write up is here, but if your earlier comments are incorrect, perhaps edit them if possible?

    • Hi Gerren, you are correct. I miscalculated a simple aspect of the challenge. Everything that should be done is in the description of the challenge. This is true and accurate. Per the description, only getting a shell is required. Thanks for playing!

      Have a crack at the new CTF I made. It should be fun, challenging, and it touches on several hacking aspects.
