HackThisSite.org, commonly referred to as HTS, is an online hacking and security website founded by Jeremy Hammond, with the site being maintained by members of the community after his departure. It aims to provide users with a way to learn and practice basic and advanced "hacking" skills through a series of challenges in a safe and legal environment. The organization has a user base of over 1,800,000, though the actual number of active members is believed to be much lower. The most users online at the same time was 1,995 on February 5, 2012 at 2:46:10 AM CST.
HackThisSite involves a small, loose team of developers and moderators who maintain its website, IRC server, and related projects. It produces an e-zine which it releases at various hacker conventions and through its hackbloc portal. Hard copies of the zine are published by Microcosm and Quimbys. It also has a short news/blog section run by developers.
- 1 IRC and forums
- 2 Mission challenges
- 3 Root This Box
- 4 Controversy
- 5 See also
- 6 References
- 7 External links
IRC and forums
HackThisSite is known for its IRC network, where many users converse on a plethora of topics ranging from current events to technical issues with programming and Unix-based operating systems. Mostly, the HackThisSite IRC network serves as a social gathering of like-minded people to discuss anything. Although there are many channels on the IRC network, the main channel, #hackthissite, has a +R flag which requires users to register their nick before they may join the channel. This requirement helps reduce botnets in the main channel, because they would have to register every nick.
HackThisSite currently has one main set of forums, because of the recent split from its former sister site CriticalSecurity.Net. The Hackbloc Forums also had many HackThisSite users involved then, however they were recently taken down. Before the split, the CriticalSecurity.net forums had most HTS discussion, specifically related to help with the challenges on the site as well as basic hacking questions. The Hackbloc forums were more for focused hacktivist discussion as well as a place for people to discuss news and plan future projects. Many people criticize the forums as being too 'newbish' compared to IRC, most likely because many new users visit the forums to ask for help with the challenges. HackThisSite is taking steps to try to attract more qualified users to its forums.
Members contribute original texts to the articles area of the site. This area is broken down into different sections on a range of topics. Some of these sections include Ethics, HTS Challenge Tutorials, and Political Activism. The topics covered in these articles range widely in complexity. Topics range from walkthroughs for the missions provided by HackThisSite, to articles regarding advanced techniques in a plethora of programming languages.
HackThisSite is also host to a series of "missions" aimed at simulating real world hacks. These range from ten basic missions where one attempts to exploit relatively simple server-side scripting errors, to difficult programming and application cracking missions. The missions work on a system of points where users are awarded scores based on their completion of missions. In general, the missions become steadily more difficult as the user advances through a particular mission category.
Basic and realistic challenges
The Web hacking challenges includes eleven Basic Web Challenges. Each challenge consists of an authentication page with a password entry box, plus other files which are to be exploited or attacked in order to gain the correct password. Successful authentication to the main challenge page will advance the user to the next challenge. These challenges are typically considered simple and are used as an introduction to hacking. There are sixteen Realistic Missions which attempt to mimic real, moderate to difficult hacking, in real life situations. Each mission is a complete web site featuring multiple pages and scripts. Users must successfully exploit one or more of the web sites pages to gain access to required data or to produce changes.
A Programming Challenges section also exists. This section currently consists of twelve challenges charging the user to write a program which will perform a specified function within a certain number of seconds after activation. These programming challenges range from simple missions such as parsing the contents, to reverse-engineering an encryption algorithm. These help users develop and practice on-the-go programming skills.
The goal of application challenges is generally to extract a key from an application, usually involving some form of reverse-engineering. But other challenges involve program manipulation.
More recently, HTS came out with logic challenges which as moo, HTS's official bot, proclaims "they're not meant as a challenge to overcome like the rest of HTS challenges, they're meant to be overcome by you, and you alone, from solving." In April 2009 the logic challenges were disabled and all points earned from them were removed. One reason cited was concern that the answers could be easily found elsewhere on the internet.
Also of recent creation are the "extended basic" missions. These are designed to be code review missions where you learn how to read code and look for flaws.
A set of 10 easter eggs hidden around HTS were known as the "HTS missions". One of these "missions" was the fake Admin Panel, for example. Developers later decided to remove HTS easter eggs: some allowed XSS and SQL exploits and many members submitted false bug reports because of them.
Root This Box
HackThisSite also runs a series of live hacking challenges called RootThisBox where individuals and teams can configure their systems to be used as target boxes. Players can then attempt to gain access to these boxes and defend them from other hackers, similar to past 'king of the hill' styled hacking competitions. The project is currently being rebuilt.
There has been criticism that HackThisSite's self-description as a "hacker training ground" encourages people to break the law. Many people related to the site state that although some of the skills taught can be used for illegal activities, HackThisSite does not participate in or support such activities. Despite this, several individual members have been arrested and convicted for illegal activity (most notably Jeremy Hammond, founder of HackThisSite).
In November 2004 the (now defunct) HackThisSite-based HowDark Security Group notified the phpBB Group, makers of the phpBB bulletin software, of a serious vulnerability in the product. The vulnerability was kept under wraps while it was brought to the attention of the phpBB admins, who after reviewing, proceeded to downplay its risks. Unhappy with the Groups' failure to take action, HowDark then published the bug on the bugtraq mailing-list. Malicious users found and exploited the vulnerability which led to the takedown of several phpBB-based bulletin boards and websites. Only then did the admins take notice and release a fix. Slowness to patch the vulnerability by end-users led to an implementation of the exploit in the Perl/Santy worm (read full article) which defaced upwards of 40,000 websites and bulletin boards within a few hours of its release.
Protest Warrior incident
On March 17, 2005 Jeremy Hammond, the founder of HackThisSite, was arrested following an FBI investigation into an alleged hacking of conservative political activist group Protest Warrior. His apartment was raided by the Chicago FBI, and all electronic equipment was seized. The federal government claimed that a select group of HackThisSite hackers gained access to the Protest Warrior user database, procured user credit-card information and conspired to run scripts that would automatically wire money to a slew of non-profit organizations. The plot was uncovered when a hacker said to have been disgruntled with the progress of the activities turned informant.
Administrators, developers, and moderators on HackThisSite are arranged in a democratic but highly anarchical fashion. While this structure appears to work at most times, when disputes arise, loyalties tend to become very confusing. Subsequently, HackThisSite has a long history of administrators, developers, and moderators turning darkside and severely impairing or completely taking down the site. In one incident, and the last major attack to occur, several blackhat dissidents gained root-level access to the website and proceeded to "rm -rf" the entire site. This led to HTS being down for months.
- Luman, Stuart. Chicago Magazine, July 2007. "The Hacktivist"
- HackThiSite Users Online
- "Hackthissite.org". Retrieved 2009-04-20.
- HackThisSite Stego Missions
- HackThisSite Founder Sent to do Time
- "SQL Injection in phpBT (bug.php) add project". Security Focus (bugtraq archive). Retrieved 2006-11-28.
- "phpBB Code EXEC (v2.0.10)". Security Focus (bugtraq archive). Retrieved 2006-11-28.
- "SQL Injection in phpBT (bug.php)". Security Focus (bugtraq archive). Retrieved 2006-11-28.
- "howdark.com "exploits"". phpBB Group. Retrieved 2006-11-28.
- SecurityFocus Notice
- PhpBB Fic
- "howdark.com exploits - follow up". phpBB Group. Retrieved 2006-11-28.
- "phpBB 2.0.11 released - Critical update". phpBB Group. Retrieved 2006-11-28.
- Hacker Activist Jeremy Hammond Raided by Chicago FBI and Threatened with False Felony Charges Archived 2009-10-12 at the Wayback Machine.
- The Hacktivist
- "Forums Upgrade 2.1.3 - Take 2, Redone". CriticalSecurity.NET. Retrieved 2006-11-27.
- "Rollback, Database restoration". CriticalSecurity.NET. Retrieved 2006-11-27.