Hackbox is an open-source, container-based platform that makes it easy to launch vulnerable systems to test your hacking skill!
Users can sign up on Hackbox and choose one of the host-created rooms to try and hack into. They can launch boxes, which spawn Docker containers on the host, which they can then connect to via OpenVPN.
From there, they can send attacks and hack into the box. Their goal is to exfiltrate the flags from the box, which can mean finding hidden services, exploiting systems, or privilege escalating into root.
The server owner just needs to create vulnerable Docker images, and add them to the database for users to be able to hack into them. See `hackbox_server/db_setup.js` for an example!
Before starting the setup for `hackbox_client` and `hackbox_server`, the OpenVPN Docker container system needs to be created first. Make sure the user you run the commands as is `root`, or is in the `docker` group!
Run the following setup commands to initialize the OpenVPN Docker container:

```bash
OVPN_DATA="ovpn-data-hackbox"
docker volume create --name $OVPN_DATA
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn touch /etc/openvpn/vars
docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
```
Make sure to change `vpn.example.com` to either a domain name or IP which resolves to your server. Make sure to remember the password you used to create the Certificate Authority, as you will need to set it in `hackbox_server`'s `.env` file. You can also change `OVPN_DATA`, but if you do, make sure you change it everywhere it is referenced as well.
Then, pull the necessary Docker images:

```bash
docker pull strellic/openvpn-client
docker pull strellic/hackbox_example_room # not required if you remove example room
docker pull strellic/hackbox_kali # not required if you remove kali room
```
After this, you should have created a Docker volume and have the OpenVPN Docker container up and running. From there, follow the setup instructions in each of the folders.
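A preflight-checked wrapper for the setup steps above, added here as an example and not part of the Hackbox project. It keeps the README's image names and `OVPN_DATA` default; the function names, the docker-group check and the endpoint validation (which rejects the `vpn.example.com` placeholder) are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the Hackbox project: a preflight-checked
# wrapper around the OpenVPN volume/PKI setup and image pulls above.
# Image names and the OVPN_DATA volume name come from the README; the
# function names are this example's own.
set -eu

# The README requires root or docker-group membership to run docker.
docker_access_ok() {
    [ "$(id -u)" -eq 0 ] && return 0
    id -nG | tr ' ' '\n' | grep -qx docker
}

# Accept proto://host[:port] with proto udp or tcp and a hostname or
# IPv4 host, and reject the README's vpn.example.com placeholder so it
# can never be baked into the generated client configs by mistake.
vpn_endpoint_ok() {
    local ep="$1" host
    case "$ep" in
        udp://*|tcp://*) ;;
        *) return 1 ;;
    esac
    host="${ep#*://}"; host="${host%%:*}"
    [ -n "$host" ] && [ "$host" != "vpn.example.com" ] || return 1
    printf '%s' "$host" | grep -Eq '^[A-Za-z0-9.-]+$'
}

# Run the README's steps once the checks pass. Volume creation is
# skipped when the volume already exists, so the script is rerunnable.
hackbox_ovpn_setup() {
    local endpoint="$1" vol="${2:-ovpn-data-hackbox}"
    docker_access_ok || { echo "run as root or join the docker group" >&2; return 1; }
    vpn_endpoint_ok "$endpoint" || { echo "bad VPN endpoint: $endpoint" >&2; return 1; }
    docker volume inspect "$vol" >/dev/null 2>&1 || docker volume create --name "$vol"
    docker run -v "$vol:/etc/openvpn" --rm kylemanna/openvpn ovpn_genconfig -u "$endpoint"
    docker run -v "$vol:/etc/openvpn" --rm kylemanna/openvpn touch /etc/openvpn/vars
    # Interactive: prompts for the CA passphrase that hackbox_server's .env needs.
    docker run -v "$vol:/etc/openvpn" --rm -it kylemanna/openvpn ovpn_initpki
    docker pull strellic/openvpn-client
    # Optional rooms; drop these pulls if you remove the example/Kali rooms.
    docker pull strellic/hackbox_example_room
    docker pull strellic/hackbox_kali
}

# Usage: hackbox_ovpn_setup udp://vpn.your-server.test [volume-name]
```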
GOTTY can allow CLI applications to be accessible over the web. If `GOTTY_ENABLED` is set to `true` in `hackbox_server`, people will be able to access the example Kali room over a webshell. See GOTTY's LICENSE (MIT) here.
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.