
Get hacking on HackMyVM

After passing the OSCP exam I had some time left over and decided to share my knowledge by creating some vulnerable machines. One of my first vulnerable machines is Apaches, a boot2root machine. I contacted Vulnhub more than a year ago about this machine and tried several times to get in touch and share it with them. Even after passing the OSCP exam I was still waiting for a response and heard nothing from them.

HackMyVM

While searching for an alternative I found HackMyVM, a website with all kinds of vulnerable machines shared with the community for free. It was a pleasure to see that new machines are released frequently. I noticed I could upload my own vulnerable machine to this website, which was something I really wanted, so I started contacting sML, a friendly person who was happy to talk to me and explained how they wanted the flags so they could be used on the website. So, with some help, I shared my first machine there. With this experience I decided to develop my other ideas and post them there too, to contribute to the community.

Machines

At the time of writing, there are more than 200 vulnerable machines available. Although most machines run a Linux OS, there are also a number of Windows machines shared for hacking. Depending on the vulnerable machine, it may be built for VMware, Oracle VirtualBox or both; this is clearly indicated per machine. I haven't had much time to hack machines on this platform yet, but I will spend more time on it in the near future and possibly create new machines again. The machines currently available on the platform are classified as easy, medium and hard, although these ratings are of course often subjective. Furthermore, the machines differ considerably, ranging from CTF-style machines to more realistic environments. That does not change the fact that the machines shared here are still educational. New machines are frequently shared and neatly announced on the website and on Twitter.

Challenges

Just like on Hack The Box, there are challenges available in which you capture flags. Each flag is worth 10 points and contributes to your ranking on HackMyVM. The challenges cover different categories, from OSINT, web and crypto to reverse engineering. There are a number of simple challenges that can be solved quickly, but there are also some real brain teasers that I have no idea yet how to approach. At the moment there are more than 50 challenges available.

Rankings

I previously mentioned that flags had to be captured and that I had to adjust this for Apaches. This has to do with the ranking on the leaderboard. For every flag you capture from a machine, you earn points that help you move up the leaderboard. The ranking system is not new; Hack The Box has something similar. An advantage of HackMyVM is that it is completely free, so you can also download older machines.

How does the points system work? It is actually quite simple. There are three difficulty levels (easy, medium, hard), and the harder the machine, the more points you can earn. In addition to hacking the vulnerable machines, you can earn points by writing a writeup for a vulnerable machine, and you also get points for every machine you have shared on HackMyVM. The table below gives an overview of the points you can earn once several people have already fully hacked the machine.

| Level  | User | Root | Writeup | Contribute |
|--------|------|------|---------|------------|
| Easy   | 3    | 5    | 1       | 10         |
| Medium | 4    | 6    | 1       | 12         |
| Hard   | 5    | 7    | 1       | 14         |

If a vulnerable machine has only just been shared online, you have the chance to earn more points. The same three difficulty levels apply, but now the points also differ depending on whether you captured a user or a root flag, and on how early you captured it. In short, the faster you capture a flag, the more points you get. The table below shows how the points are distributed among the first, second and third hacker.

| Level  | First Root | Second Root | Third Root | First User | Second User | Third User |
|--------|------------|-------------|------------|------------|-------------|------------|
| Easy   | 8          | 7           | 6          | 6          | 5           | 4          |
| Medium | 9          | 8           | 7          | 7          | 6           | 5          |
| Hard   | 10         | 9           | 8          | 8          | 7           | 6          |

This of course helps with levelling up on the leaderboard, but as mentioned earlier, you can also earn points with challenges. Here you get points either for solving a challenge (capturing its flag) or for creating a new one.

There are also three different leaderboards: one shows the ranking per month, another per year, and the last shows the all-time ranking. Furthermore, it is clearly visible where you stand on each leaderboard, which makes it fun to collect as many points as possible to climb the ranks.

Updates

Although the platform is not as well known as Vulnhub and has been around for a while, it is still in full development. I regularly contacted sML on Discord to share ideas, and small improvements are quickly picked up and implemented. Ideas and improvement proposals can be shared on the website itself or on Discord. There is also a kind of roadmap that is being worked on via Discord. The platform is continuously improved and can only get better with input from the community.

Conclusions

Although HackMyVM is less well known, it combines good elements of both Hack The Box and Vulnhub. Vulnerable machines can simply be downloaded and used in your own pentest lab. The leaderboard ranking is a nice addition that makes it attractive to keep hacking. There is also an active community on Discord that is willing to help if you get stuck. So what are you waiting for? Get hacking on HackMyVM and join us on Discord!

This post is licensed under CC BY 4.0 by the author.