Want to get started hacking things but don’t want to do anything illegal? Here are some challenges others have made to help you practice some hacking skills. By participating in the challenges you could learn the following skills:
- HTML/JS/CSS manipulation and decoding
- SQL – injections, bugs, limitations
- Linux hacking such as: escalating your privileges, gaining access to things you shouldn’t, stealing data
- Linux CLI such as: tr, nc, tcpdump, strings, base64, xxd, etc.
- Programming in languages such as: python, c, ruby, bash, perl, etc.
- Windows hacking such as: accessing a system you shouldn’t be able to access, dumping memory, stealing user data
- Memory forensics. Looking at crash dumps or memory data and deciphering it
- Disassembling. Running programs through a hexeditor or disassembler to reverse engineer them.
- Steganography – the practice of hiding or extracting messages in files that serve a different purpose
- Encrypting/Decrypting – decrypting and deciphering messages
- Password cracking – using John the ripper
- Wireshark analysis
- Pen testing – trying to exploit vulnerabilities in systems with known problems
- Hacking tools – learn to use metasploit, beef, ida, burpsuite etc.
Are you looking for only ‘programming hacker’ type challenges? Try the Games to Test Your Programming Skills post.
PicoCTF is a great place for anyone to start. It’s a game that has many increasingly difficult challenges with a story behind it. Try to get all the way through it!
This is a great set of challenges that has a wide range of problems to solve. The beginning challenge “Bandit” will challenge your linux CLI skills and shows you ways you can do things you probably shouldn’t be able to in linux as that user. The “Krypton” challenge will show you some basic crypto and have you decode it. The “Natas” challenge is a series of websites that challenges you to hack them and manipulate them to gain access in ways you shouldn’t be able to. Try all 4 of these to see where you niche is in solving challenges.
Similar to some of the OverTheWire challenges, SmashTheStack lets you ssh to their system and solve the puzzles. The problem I had with this is the lack of cleanup done by admins and many files were left by previous participants which can get hairy real fast.
Another hacking challenge site.
This is a Swedish company’s recruitment page. In it, are over a dozen challenges they’ve had throughout the years. Their goal is to find people who can solve these challenges so they can hire them. These challenges are super fun to try.
To help you along or give you an idea of how in depth their challenges are, here’s a walkthrough for Informationssäkerhetsspecialist. https://www.youtube.com/watch?v=tvdETwpTaC8
A great resource listing numerous vulnerable VMs. Such as:
- Metasploitable – a vulnerable VM from Rapid 7 (os hacking)
- Webgoat – a lab from OWASP (website hacking)
Another big list of vulnerable VMs and past CTFs that can be attempted anytime.
Damn Vulnerable Web Application
A web application that you download and get running then try to hack.
Crack Me if You Can
A contest that was previously held at DefCon which has various password hash dumps for you you to try cracking. A great way to learn how to use tools like John the Ripper and other brute forcers.
Malware Hunter Lab
Alien Vault has a nice writeup on how to build a home lab to practice hunting for malware.
https://ringzer0team.com/ An online, Jeopardy style, CTF where you compete with others working on the same puzzles. This CTF doesn’t appear to be timed and is always running.
Embedded Security CTF
Another CTF to try that is not time based.
CTF Field Guide
A helpful website that gives tips on solving CTFs and gets you started with all of this.
Another huge list
Tons of links here to even more challenges, vms, ctfs, etc.
Next steps: CTF
Now that you’re all skilled up on the various hacking skills, it’s time to compete in an CTF. These are live challenges, often a team event, where you are given a specific challenge and time limit. Each team competes to solve the puzzles to score points.
CTFs usually break down into two categories: jeopardy and attack-defense. Jeopardy ones are more geared towards solving pre-defined challenges, while attack-defense puts your team up against another team where you try to get into their system while they try to get into yours.
This website tracks all the upcoming CTFs. Find one and compete. I’m sure you’ll learn a ton of new stuff!
Not quite a challenge that will teach you how to hack, but a funny little game anyways regarding hacking.