What is it?

Inspired by HackThisSite.org and ProjectEuler.net, HackThe.Company CTF is a list of real-life hacking events, each with the information and news articles behind the attack, followed by a challenge where you duplicate the real-life hack yourself and capture a flag.

Do I need hacking/programming knowledge?

No! To get started, you simply have to think logically. Many of the best real-life hacks were pulled off with simple tricks that a 6th grader could duplicate. The key to the challenges is reconnaissance - can you read the articles about the real-life hacks and extract the relevant information necessary for you to duplicate them? As you progress through the challenges, you will gain hacking and programming knowledge.

Do I need to purchase hacking software to complete the challenges?

No! For the majority of the challenges, the sole thing you need is a web browser. Some of the challenges will require the use of certain free tools (e.g. Git, or an email account). Some of the more difficult challenges may require you to write code (Python or PHP) to complete them in a timely manner. None of the challenges require a paid resource - they are all possible to complete for free. Also, please don't DoS me with automatic scanning tools like DirBuster (you'll find no flags that way).

I cannot find the flag on challenge number X. Is that challenge broken?

No - 99% of the time you wonder this, you just need to keep digging. However, due to the nature of these challenges, a few of them allow hackers some level of access to a server, such that they can temporarily destroy it (and prevent others from finding that flag if they choose). Each server is completely rebuilt from scratch every hour, so if you think that happened to you, try again at the new hour mark.

Do you have any hints on solving challenges?

Reconnaissance is key. Read all the information about the real-life hack that occurred; the news articles will often include subtle details about how it was achieved. Then, in the CTF target, fully examine everything in scope - including viewing the source of any web applications.

I solved a challenge in a super sketch way. Is there a better way to do it?

Once you solve a challenge, you'll unlock access to a guide on one non-sketchy way of solving it. Eventually we plan on adding discussion forums for each challenge as well, where you can discuss solutions with others who have solved a particular challenge.

Why does this site exist?

Look at this Stack Overflow question and answer. A user asked "I was told doing X with code was dangerous. Please give one example of this danger." They were told in response "Doing X is HIGHLY dangerous, you should NEVER do X, it's a gaping security hole."

This... matches my experience, working in a number of startups. Many of my colleagues have had ideas of what is secure and not secure based off armchair programmer comments on Stack Overflow or Hacker News, but don't actually know WHY. I've seen this too when selling B2B and dealing with client companies' security questionnaires from their security officers. People have checklists (either in Excel or mentally) of things that are 'secure' and 'not secure', but completely lack a knowledge of WHY.

Too many people who want to build an earthquake-resistant structure approach the problem by just making the structure as stiff and strong as possible. Imagine instead analyzing the largest possible earthquake of a certain probability you want to defend against, adding your own observations from past earthquakes, running some computer simulations, and then comparing the various options and trade-offs available to you on how to build your structure. You can either treat the earthquake as an unknown, and prepare as best you can... or you can BE the earthquake, and know what it's capable of. Know what the earthquake could do, if you leave a /.git/ directory exposed on your website. Know what an earthquake can do with a sequentially numbered resource available via a URL without authentication. Know what an earthquake... can do. That is this site's purpose - to aid professional developers in knowing what an earthquake can do.

Go to the Challenges!