HackThisSite

Last updated
HackThisSite.org
Formation2003
Purpose Hacking/media
Location
Origin
 Chicago, Illinois
Founders
 xec96
The_Anarchist
spiffomatic64
randomcola
Products
HackThisZine e-zine
AffiliationsHackbloc
Website www.hackthissite.org

HackThisSite.org, commonly referred to as HTS, is an online hacking and security website founded by Jeremy Hammond. The site is maintained by members of the community after he left the organization. [1] It aims to provide users with a way to learn and practice basic and advanced "hacking" skills through a series of challenges in a safe and legal environment. The organization has a user base of over a million, [2] though the number of active members is believed to be much lower. The most users online at the same time was 19,950 on February 5, 2018 at 2:46 a.m. CT . [2]

Contents

HackThisSite involves a small, loose team of developers and moderators who maintain its website, IRC server, and related projects. It produces an e-zine which it releases at various hacker conventions and through its hackbloc portal. Hard copies of the magazine are published by Microcosm and Quimbys. It also has a short news/blog section run by developers.

IRC and forums

HackThisSite is known for its IRC network, where many users converse on a plethora of topics ranging from current events to technical issues with programming and Unix-based operating systems. Mostly, the HackThisSite IRC network serves as a social gathering of like-minded people to discuss anything. Although there are many channels on the IRC network, the main channel, #hackthissite, has a +R flag which requires users to register their nick before they may join the channel. This requirement helps reduce botnets in the main channel, because they would have to register every nick.

Following the split[ citation needed ] from its former sister site CriticalSecurity.Net, HackThisSite retained one main set of forums. The Hackbloc forums also had many HackThisSite users involved, but they were taken down. Before the split, the CriticalSecurity.net forums had most HTS discussion, specifically related to help with the challenges on the site as well as basic hacking questions. The Hackbloc forums were more for focused hacktivist discussion as well as a place for people to discuss news and plan future projects. Many people[ who? ] criticize the forums as being too beginner-focused compared to IRC, most likely because many new users visit the forums to ask for help with the challenges. HackThisSite is taking steps to try to attract more qualified users to its forums. Members contribute original texts to the articles area of the site. This area is broken down into different sections on a range of topics. Some of these sections include Ethics, HTS Challenge Tutorials, and Political Activism. The topics covered in these articles range widely in complexity. Topics range from walkthroughs for the missions provided by HackThisSite, to articles regarding advanced techniques in a plethora of programming languages.

Mission challenges

HackThisSite is also host to a series of "missions" aimed at simulating real world hacks. These range from ten basic missions where one attempts to exploit relatively simple server-side scripting errors, to difficult programming and application cracking missions. The missions work on a system of points where users are awarded scores based on their completion of missions. In general, the missions become steadily more difficult as the user advances through a particular mission category.

Basic and realistic challenges

The Web hacking challenges includes eleven Basic Web Challenges. Each challenge consists of an authentication page with a password entry box, plus other files which are to be exploited or attacked in order to gain the correct password. Successful authentication to the main challenge page will advance the user to the next challenge. These challenges are typically considered simple and are used as an introduction to hacking. There are sixteen Realistic Missions which attempt to mimic real, moderate to difficult hacking, in real life situations. Each mission is a complete web site featuring multiple pages and scripts. Users must successfully exploit one or more of the web sites pages to gain access to required data or to produce changes.

Programming missions

A Programming Challenges section also exists. This section currently consists of twelve challenges charging the user to write a program which will perform a specified function within a certain number of seconds after activation. These programming challenges range from simple missions such as parsing the contents, to reverse-engineering an encryption algorithm. These help users develop and practice on-the-go programming skills.

Application missions

The goal of application challenges is generally to extract a key from an application, which usually involves some form of reverse-engineering. Other challenges involve program manipulation.

New missions

More recently, HTS came out with logic challenges, which moo, HTS's official bot, proclaimed were "not meant as a challenge to overcome like the rest of HTS challenges." Instead, the logic challenges were meant to be overcome by the participant alone from solving. In April 2009, they were disabled and all points earned from logic challenges were removed. Reasons included concern that the answers could have been easily found elsewhere on the internet. [3]

Likewise, the "extended basic" missions are of recent creation. These are designed to be code review missions where partakers learn how to read code and search for flaws.

A set of 10 easter eggs hidden around HTS were known as the "HTS missions." For example, one of these "missions" was the fake Admin Panel. Developers later decided to remove HTS easter eggs, as some allowed XSS and SQL exploits and many members submitted false bug reports as a result.

Steganography missions

Steganography missions are also available on the website. The goal in these missions is to extract the hidden message from the media file provided. There are 17 steganography missions available. [4]

Controversy

There has been criticism that HackThisSite's self-description as a "hacker training ground" encourages people to break the law. Many people related to the site state that although some of the skills taught can be used for illegal activities, HackThisSite does not participate in or support such activities. Despite this, several individual members have been arrested and convicted for illegal activity (most notably Jeremy Hammond, founder of HackThisSite). [5]

phpBB/HowDark incident

In November 2004 the (now defunct) HackThisSite-based HowDark Security Group notified the phpBB Group, makers of the phpBB bulletin software, of a serious vulnerability [6] [7] [8] in the product. The vulnerability was kept under wraps while it was brought to the attention of the phpBB admins, who after reviewing, proceeded to downplay its risks. [9] Unhappy with the Groups' failure to take action, HowDark then published the bug on the bugtraq mailing-list. Malicious users found and exploited the vulnerability which led to the takedown of several phpBB-based bulletin boards and websites. Only then did the admins take notice [10] and release a fix. [11] [12] [13] Slowness to patch the vulnerability by end-users led to an implementation of the exploit in the Perl/Santy worm (read full article) which defaced upwards of 40,000 websites and bulletin boards within a few hours of its release.

Protest Warrior incident

On March 17, 2005, Jeremy Hammond, the founder of HackThisSite, was arrested following an FBI investigation into an alleged hacking of conservative political activist group Protest Warrior. His apartment was raided by the Chicago FBI, and all electronic equipment was seized. The federal government claimed that a select group of HackThisSite hackers gained access to the Protest Warrior user database, procured user credit-card information and conspired to run scripts that would automatically wire money to a slew of non-profit organizations. The plot was uncovered when a hacker said to have been disgruntled with the progress of the activities turned informant. [14] [15]

Internal problems

Administrators, developers, and moderators on HackThisSite are arranged in a democratic but highly anarchical fashion. This structure appears to work at most times. When disputes arise, however, loyalties tend to become very confusing. Therefore, HackThisSite has had a long history of administrators, developers, and moderators turning darkside or severely impairing or completely taking down the site. [16] [17] In the last major attack to occur, several blackhat dissidents gained root-level access to the website and proceeded to "rm -rf" the entire site. Subsequently, HTS was down for months as a result.

See also

Related Research Articles

Defensive programming is a form of defensive design intended to develop programs that are capable of detecting potential security abnormalities and make predetermined responses. It ensures the continuing function of a piece of software under unforeseen circumstances. Defensive programming practices are often used where high availability, safety, or security is needed.

<span class="mw-page-title-main">Drupal</span> Web content management system

Drupal is a free and open-source web content management system (CMS) written in PHP and distributed under the GNU General Public License. Drupal provides an open-source back-end framework for at least 14% of the top 10,000 websites worldwide and 1.2% of the top 10 million websites—ranging from personal blogs to corporate, political, and government sites. Drupal can also be used for knowledge management and for business collaboration.

phpBB Free and open-source Internet forum package written in PHP

phpBB is an Internet forum package written in the PHP scripting language. The name "phpBB" is an abbreviation of PHP Bulletin Board. Available under the GNU General Public License, phpBB is free and open-source.

<span class="mw-page-title-main">Crash (computing)</span> When a computer program stops functioning properly and self-terminates

In computing, a crash, or system crash, occurs when a computer program such as a software application or an operating system stops functioning properly and exits. On some operating systems or individual applications, a crash reporting service will report the crash and any details relating to it, usually to the developer(s) of the application. If the program is a critical part of the operating system, the entire system may crash or hang, often resulting in a kernel panic or fatal system error.

<span class="mw-page-title-main">SQL injection</span> Computer hacking technique

In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf . A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf and similar functions to write the number of bytes formatted to an address stored on the stack.

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Elias Levy is a computer scientist. He was the moderator of "Bugtraq", a full disclosure vulnerability mailing list, from May 14, 1996 until October 15, 2001.

Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural or administrative, and physical.

Bugtraq was an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It was a high-volume mailing list, with as many as 776 posts in a month, and almost all new security vulnerabilities were discussed on the list in its early days. The forum provided a vehicle for anyone to disclose and discuss computer vulnerabilities, including security researchers and product vendors. While the service has not been officially terminated, and its archives are still publicly accessible, no new posts have been made since January 2021.

<span class="mw-page-title-main">Antisec Movement</span> Hacking (computer security)

The Anti Security Movement is a movement opposed to the computer security industry. Antisec is against full disclosure of information relating to software vulnerabilities, exploits, exploitation techniques, hacking tools, attacking public outlets and distribution points of that information. The general thought behind this is that the computer security industry uses full disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software and auditing services.

A vulnerability database (VDB) is a platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue. A VDB will assign a unique identifier to each vulnerability cataloged such as a number or alphanumeric designation. Information in the database can be made available via web pages, exports, or API. A VDB can provide the information for free, for pay, or a combination thereof.

<span class="mw-page-title-main">H. D. Moore</span> American businessman

H. D. Moore is a network security expert, open source programmer, and hacker. He is the founder of the Metasploit Project and was the main developer of the Metasploit Framework, a penetration testing software suite.

Teamp0ison was a computer security research group consisting of 3 to 5 core members. The group gained notoriety in 2011/2012 for its blackhat hacking activities, which included attacks on the United Nations, NASA, NATO, Facebook, Minecraft Pocket Edition Forums, and several other large corporations and government entities. TeaMp0isoN disbanded in 2012 following the arrests of some of its core members, "TriCk", and "MLT".

<span class="mw-page-title-main">MyBB</span> Open-source forum software

MyBB, formerly MyBBoard and originally MyBulletinBoard, is a free and open-source forum software developed by the MyBB Group. It is written in PHP, supports MySQL, PostgreSQL and SQLite as database systems and, in addition, has database failover support. It is available in multiple languages and is licensed under the LGPL. The software allows users to facilitate community driven interaction through a MyBB instance.

<span class="mw-page-title-main">NullCrew</span>

NullCrew was a hacktivist group founded in 2012 that took responsibility for multiple high-profile computer attacks against corporations, educational institutions, and government agencies.

The Java software platform provides a number of features designed for improving the security of Java applications. This includes enforcing runtime constraints through the use of the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can utilise. Despite this, criticism has been directed at the programming language, and Oracle, due to an increase in malicious programs that revealed security vulnerabilities in the JVM, which were subsequently not properly addressed by Oracle in a timely manner.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

References

  1. Luman, Stuart. Chicago Magazine, July 2007. "The Hacktivist"
  2. 1 2 HackThisSite Users Online
  3. "Hackthissite.org" . Retrieved 2009-05-06.
  4. HackThisSite Stego Missions
  5. HackThisSite Founder Sent to do Time
  6. "SQL Injection in phpBT (bug.php) add project". Security Focus (bugtraq archive). Retrieved 2006-11-28.
  7. "phpBB Code EXEC (v2.0.10)". Security Focus (bugtraq archive). Retrieved 2006-11-28.
  8. "SQL Injection in phpBT (bug.php)". Security Focus (bugtraq archive). Retrieved 2006-11-28.
  9. "howdark.com "exploits"". phpBB Group. Retrieved 2006-11-28.
  10. SecurityFocus Notice
  11. PhpBB Fic
  12. "howdark.com exploits - follow up". phpBB Group. Retrieved 2006-11-28.
  13. "phpBB 2.0.11 released - Critical update". phpBB Group. Retrieved 2006-11-28.
  14. Hacker Activist Jeremy Hammond Raided by Chicago FBI and Threatened with False Felony Charges Archived 2009-10-12 at the Wayback Machine
  15. The Hacktivist
  16. "Forums Upgrade 2.1.3 - Take 2, Redone". CriticalSecurity.NET. Retrieved 2006-11-27.
  17. "Rollback, Database restoration". CriticalSecurity.NET. Retrieved 2006-11-27.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.