single series all timeline

Moth is a downloadable VMWare image based on Ubuntu. It was set up to test the functionality of w3af and it includes various web application vulnerabilities. Most howto's use Moth as an example for a web page under test.


Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:

Testing Web Application Security Scanners

Testing Static Code Analysis tools (SCA)

Giving an introductory course to Web Application Security

The motivation for creating this tool came after reading \"anantasec-report.pdf\" which is included in the release file which you are free to download. The main objective of this tool is to give the community a ready to use testbed for web application security tools. For almost every web application vulnerability that exists in the wild, there is a test script available in moth.

There are three different ways to access the web applications and vulnerable scripts included in moth:


Through mod_security

Through PHP-IDS (only if the web application is written in PHP)

Both mod_security and PHP-IDS have their default configurations and they show a log of the offending request when one is found. This is very useful for testing web application scanners, and teaching students how web application firewalls work. The beauty is that a user may access the same vulnerable script using the three methods; which helps a lot in the learning process.



About hackxor

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc


  • Client attack simulation using HtmlUnit; no alert('xss') here.
  • Smooth difficulty gradient from moderately easy to fiendishly tricky.
  • Realistic vulnerabilities modelled from Google, Mozilla, etc (No rot13!)
  • Open ended play; progress by any means possible.

Download & install instructions

  • Download the full version of hackxor (700mb)
  • Install VMWare Player (This involves creating a free account with vmware)
  • Extract hackxor1.7z, run the image using VMware player.
  • Work out what the IP of hackxor is ((try|| logging into the VM with username:root pass:hackxor and typing ifconfig)
  • Configure your hosts file (/etc/hosts on linux) to redirect the following domains to the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, hub71, utrack.
  • Browse to http://wraithmail:8080 and login with username:algo password:smurf

If you can't edit the hosts file for some reason, you could use the 'Override hostname resolution' option in Burp proxy

Troubleshooting the installation:

  • If http://wraithmail:8080 loads everything is probably working.
  • First: Try 'nmap wraithmail' in a shell to see if port 8080 is open. If it is open, contact me! Otherwise:
  • Second: Try nmap . If that succeeds, fix your hosts file. Otherwise:
  • Third: If you really can't get any network contact with the VM, check the VM settings in the VM manager
  • (this does not involve logging into the virtual machine). Make sure it is set to NAT. If that doesn't fix it:
  • Fourth: Try changing the VM network setting to 'Bridged'. This will mean other people on the LAN can access it.
  • Fifth: If all else fails, contact me on twitter.

The scene

You play a professional blackhat hacker hired to track down another hacker by any means possible. Start by checking your email on wraithmail, and see how far down the rabbit hole you can get. The key websites in this game are http://wraithmail:8080 http://cloaknet:8080 http://gghb:8080 and http://hub71:8080 so if you don't feel like tracking down your target you may hack them in any order. Each website will be properly introduced through the plot.

Changes since 1.0

  • Fixed a potential-lose bug in hub71

Changes since the beta

  • Made cloaknet (second level) harder/better/more realistic
  • Added stealth ranking system
  • Fixed 2 unintentional XSS vulns in rentnet(hub71)
  • Enhanced rentnet(hub71) session security (You'll see)
  • Added online demo (first 2 levels)
  • Improved names/other fluff
  • Added clear ending
  • Made VM IP static-ish for easier installation
  • Made VM only accessible from the host machine by default
  • Linked sites together better
  • Added anti-bruteforce protection
  • Removed numerous bits of test code
  • Removed a few obscenities
  • Fixed some inaccuracies&minor bugs



Welcome, welcome! The time has come to select one courageous young hacker for the honor of representing District 12 in the 74th annual Hacker Games! And congratulations, for you have been selected as tribute!

Hacking games and CTF’s are a lot of fun; who doesn’t like pitting your skills against the gamemakers and having a free pass to break into things?

But watch out, as you will find out, some games are more dangerous than others. I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures.

In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game.

To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run. But vbox is free – you can download it here:

Unfortunately, I didn’t have the time to add nearly all the things I wanted to, so there are really just a few challenges, a couple of counterhacks, and about 10 memes to conquer. Depending on your skill level, you could pwn (or be pwned) in just a few minutes or in a few hours. So hack it before it hacks you!

No sponsors are necessary, so don’t light yourself on fire. Simply download the evil VM here:, start it, and open up http://localhost:3000/ to begin. Now, you can totally cheat since you own the VM, but see if you can beat the challenges without cheating. Then you can go ahead and cheat, which should also be fun – you’re probably comfortable with many physical access attacks involving the hard disk, but this system doesn’t use a hard disk. So enjoy and remember…

May the odds be ever in your favor!