HackThisSite

Infobox computer underground
group_name = HackThisSite.Org

"HackThisSite.org", commonly referred to as HTS, is a popular online hacking and security website. The organization is currently the largest online hacking community in the world with a userbase of well over 350,000. [cite web | title=HackThisSite! Rankings (Log-in Required) | publisher=HackThisSite.org | url=http://www.hackthissite.org/pages/user/rankings/index.php?start=350000 | accessdate=2008-04-12 ] It aims to provide users and teams with a way to learn and practice basic and advanced "hacking" skills through a series of challenges, in a safe and legal environment. Per its size, many HTS users have begun their own HTS-based local hacker groups.

HackThisSite involves a small, loose team of developers and moderators who maintain its network of websites, IRC server, and related projects. It produces an e-zine which it releases at various hacker conventions and through its [http://www.hackbloc.org/zine hackbloc] portal. Hard copies of the zine are published by [http://www.microcosmpublishing.com/ Microcosm] and [http://www.quimbys.com/ Quimbys] . It also has a short news/blog section run by devs.

IRC and Forums

"HackThisSite" is known for its IRC network where many of its users congregate. Within this network, users converse on a plethora of topics ranging from current-day politics to technical issues with programming and Unix-based operating systems. Mostly, the "HackThisSite" IRC network serves as a social gathering of like-minded people to discuss just about anything. Although there are many channels on the IRC network, the main channel [irc://irc.hackthissite.org/#hackthissite #hackthissite] has a +z flag which requires users to connect using SSL. This requirement is for several reasons, including encouraging people in the how and why to learn to use SSL encrypted communications, as well as being an unofficial 'idiot challenge'. Other official channels include [irc://irc.hackthissite.org/#help #help] , and [irc://irc.hackthissite.org/#rootthisbox #rootthisbox] , for official updates/help on RootThisBox. Because Hackbloc has been inactive for months, its IRC channel has been changed to a current related project, (at [irc://irc.hackthissite.org/#rmyou #rmyou] ).

"HackThisSite" currently has one main set of [http://hackthissite.org/forums forums] , because of the recent split from its ex-sister site [http://criticalsecurity.net/ CriticalSecurity.net] . The [http://hackbloc.org/forums/ Hackbloc Forums] also had many HTS users involved them, however they were recently taken down. Before the split, the "CriticalSecurity.net" forums had most HTS discussion, specifically related to help with the challenges on the site as well as basic hacking questions. The "Hackbloc" forums were more for focused hacktivist discussion as well as a place for people to discuss news and plan future projects. Many people criticize the forums as being too 'newbish' compared to IRC, most likely because many new users visit the forums to ask for help with the challenges. HTS is taking steps to try to attract more qualified users to its forums.

Articles and Text

HTS members contribute original texts to the articles area of the site. This area is broken down into different sections on a range of topics. Some of these sections include Ethics, Tutorials, and Politics.The topics covered in these articles range widely in complexity. Topics range from walkthroughs for the missions provided by HackThisSite, to articles regarding advanced techniques in a plethora of programming languages.

Mission Challenges

"HackThisSite" is also host to a series of "missions" aimed at simulating real world hacks. These range from ten basic missions where one attempts to exploit relatively simple server-side scripting errors, to difficult programming and application cracking missions. The missions works on a system of points where users are awarded scores based on their completion of missions.In general, the missions become steadily more difficult as the user advances through a particular mission category.

Basic and Realistic Challenges

The Web hacking challenges includes ten Basic Web Challenges. Each challenge consists of an authentication page with a password entry box, plus other files which are to be exploited or attacked in order to gain the correct password. Successful authentication to the main challenge page will advance the user to the next challenge. These challenges are typically considered simple and are used as an introduction to hacking.There are sixteen Realistic Missions which attempt to mimic real, moderate to difficult hacking, in real life situations. Each mission is a complete web site featuring multiple pages and scripts. Users must successfully exploit one or more of the web sites pages to gain access to required data or to produce changes.

"HackThisSite-tarun nandwana"

Users are encouraged to find vulnerabilities in HackThisSite and report them as Bug Reports. If the vulnerability is significant, then the user may be included in the HTS 'Hall of Fame'.

Programming Challenges

A Programming Challenges section also exists. This section currently consists of ten challenges charging the user to write a program which will perform a specified function within a certain amount of seconds after activation. These programming challenges range from simple missions such as parsing the contents, to reverse-engineering an encryption algorithm. These help users develop and practice on-the-go programming skills.

Application Challenges

The goal of application challenges is generally to extract a key from an application, usually involving some form of reverse-engineering. But other challenges involve program manipulation.

New Challenges

More recently, HTS came out with logic challenges which as moo, HTS's official bot, proclaims "they're not meant as a challenge to overcome like the rest of HTS challenges, they're meant to be overcome by you, and you alone, from solving." Quoting the logic pages: "Please remember that these are logic missions. There will be few if any hints. Don't ask for them please." As of June 2008 there are 28 Logic challenges.

Also of recent creation are the "extended basic" missions. These are designed to be code review missions where you learn how to read code and look for flaws.

A set of ten easter eggs hidden around HTS were known as the "HTS missions". One of these "missions" was the fake Admin Panel, for example. Developers have recently decided to remove HTS easter eggs: some allowed XSS and SQL exploits and many members submitted false bug reports because of them.

teganography Challenges

Steganography challenges have recently been added. As of September 2008 there are 11 Steganography challenges.

Root This Box

"HackThisSite" also runs a series of live hacking challenges called [http://www.rootthisbox.org RootThisBox.org] where individuals and organizations can configure their systems to be used as target boxes. Players can then attempt to gain access to these boxes and defend them from other hackers, similar to past 'king of the hill' styled hacking competitions. The project was redeveloped recently and is now open to registered users.

Controversy

There has been criticism that HackThisSite's self-description as a "hacker training ground" encourages people to break the law. Many people related to the site state that although some of the skills taught "can" be used for illegal activities, HTS does not participate in or support such activities. Despite this, several individual members have been arrested and convicted for illegal activity (most notably Jeremy Hammond, founder of HackThisSite [ [http://www.hackthissite.org/news/view/354 Hack This Site! ] ] ). However there is little evidence to suggest that HackThisSite was related.

phpBB/HowDark incident

In November 2004 the [defunct] HTS-based "HowDark" Security Group notified the phpBB Group, makers of the popular phpBB bulletin software, of a serious vulnerability [cite web|title=SQL Injection in phpBT (bug.php) add project|publisher=Security Focus (bugtraq archive)|url=http://www.securityfocus.com/archive/1/381029|accessdate=2006-11-28] [cite web|title=phpBB Code EXEC (v2.0.10)|publisher=Security Focus (bugtraq archive)|url=http://www.securityfocus.com/archive/1/380993|accessdate=2006-11-28] [cite web|title=SQL Injection in phpBT (bug.php)|publisher=Security Focus (bugtraq archive)|url=http://www.securityfocus.com/archive/1/380984|accessdate=2006-11-28] in the product. The vulnerability was kept under wraps while it was brought to the attention of the phpBB admins, who after reviewing, proceeded to downplay its risks. [cite web|title=howdark.com "exploits"|publisher=phpBB Group|url=http://www.phpbb.com/phpBB/viewtopic.php?p=1316231|accessdate=2006-11-28] Unhappy with the Groups' failure to take action, "HowDark" then published the bug on the bugtraq mailing-list. Malicious users found and exploited the vulnerability which led to the takedown of several phpBB-based bulletin boards and websites. Only then did the admins take [http://www.securityfocus.com/archive/1/381510 notice] and release a [http://www.phpbb.com/phpBB/viewtopic.php?t=240513 fix] . [cite web|title=howdark.com exploits - follow up|publisher=phpBB Group|url=http://www.phpbb.com/phpBB/viewtopic.php?t=240513|accessdate=2006-11-28] [cite web|title=phpBB 2.0.11 released - Critical update|publisher=phpBB Group|url=http://www.phpbb.com/phpBB/viewtopic.php?t=240636|accessdate=2006-11-28] Slowness to patch the vulnerability by end-users led to an implementation of the [http://www.securiteam.com/unixfocus/6J00O15BPS.html exploit] in the Perl/Santy worm (read [http://isc.sans.org/diary.php?date=2004-12-21 full article] ) which defaced upwards of 40,000 websites and bulletin boards within a few hours of its release.

Protest Warrior Incident

In early 2006 Jeremy Hammond of HackThisSite was arrested following an FBI investigation into an alleged hacking of conservative political activist group Protest Warrior. The federal government claimed that a select group of HTS hackers gained access to the ProtestWarrior user database, procured user credit-card information and conspired to run scripts that would automatically wire money to a slew of non-profit organizations. The plot was uncovered when a hacker said to have been disgruntled with the progress of the activities turned informant. [cite web | title=Austin group complains of hack attack | publisher=The Austin American-Statesman | url=http://www.statesman.com/metrostate/content/metro/stories/07/14hackers.html | accessdate=2007-02-25]

Disputes and Internal Problems

Moderators, Developers, and Ops on HTS and its forums successor [http://www.criticalsecurity.net/ Critical Security.NET] are arranged in a democratic but highly anarchical fashion. While this structure appears to work most times, when disputes arise, loyalties tend to become very confusing. Subsequently, HTS has a "long" history of mods, ops, and devs turning darkside and severely impairing or completely taking down the site. [cite web | title=Forums Upgrade 2.1.3 - Take 2, Redone | publisher=CriticalSecurity.NET | url =http://www.criticalsecurity.net/index.php?showtopic=4050 | accessdate=2006-11-27] [cite web | title=Rollback, Database restoration | publisher=CriticalSecurity.NET | url=http://www.criticalsecurity.net/index.php?s=411612728a9b3bb45160b644808908ae&showtopic=1440&st=0 | accessdate=2006-11-27] In one of the most notorious incidents and the last major attack to occur, several blackhat dissidents gained root-level access to the website and proceeded to "rm -rf" the entire site. This led to HTS being down for months. It was later rebuilt as HTS v3.

ee also

*Hacker (computing)
*Hactivism
*H.O.P.E.
*SecuriTeam

External links

* [http://www.hackthissite.org/pages/info/guide.php HTS Introduction / Organizing Guide]
* [http://www.criticalsecurity.net/ CriticalSecurity.NET]
* [http://www.rootthisbox.org/ RootThisBox]
* [http://skull4skate.atspace.com/ HackThisSite Tutorials]

References