Vulnerable services by Standoff community
Create the services that top red teamers worldwide will try to break
Become a mentor to the infosec community by creating a vulnerable service where security researchers can level up their skills
What are vulnerable services?
These are specially crafted virtual machines intentionally riddled with vulnerabilities.

They serve as the training ground for hackers and cybersecurity pros, allowing them to practice threat detection and exploitation in a safe, controlled environment.
What is a critical event?
A critical event is a cyberattack-induced incident that significantly harms an organization and impacts its operations. Examples may include passenger check-in failures or massive PII data leaks.

Every vulnerable service can contain one or multiple critical events.
Where will these services be used?
The best services will be deployed on the Standoff Hackbase online cyberrange — a virtual infrastructure mirroring real-world IT systems across various industries.

The cyberrange features diverse industries, recreating technical and business processes of different economic sectors.
Step into the role of a coach for the community of infosec experts: build a vulnerable service on which security researchers will level up their skills
If the community and the Standoff team love your service, special prizes await!
Examples of services you can build
System vulnerabilities
  • Windows and Active Directory: containing vulnerabilities granting unauthorized network access
  • Reverse engineering: challenges requiring the analysis and exploitation of software flaws to understand system algorithms and find ways to disrupt them
Web resources
  • Online library: containing a vulnerability that leads to a confidential data leak
  • Courier delivery service: containing a vulnerability that allows attackers to steal packages by manipulating recipient addresses
How to submit your service
Step 1
Design and build your vulnerable service based on our requirements
Every service should have an educational goal: your vulnerabilities should teach the user something new, hone their skills, and broaden their horizons.
Important:
  • Address real security issues, from broad concepts to specific, everyday scenarios.
  • Meticulously craft the attack vector leading to the critical event. It must be logical and clear to avoid any confusion (no pointless "rabbit holes").
  • Put yourself in the hacker’s shoes to anticipate where they will look for vulnerabilities. Use unconventional, complex solutions to make your service a highly valuable learning tool for the community.
Always double-check the requirements so your hard work does not go to waste.
Step 2
Check your service
Before sending the service to the Standoff team, run through the following checks:
1. Initial check. Run a black-box test to ensure the attack vector logic holds up.

2. Check for unintended vulnerabilities.

  • If you find any, and its difficulty matches the host’s intended difficulty, approve it with the Standoff team.
  • If it does not match the host’s intended difficulty, check with the Standoff team for adjustments.

3. Evaluate host resilience. The virtual machine must be able to roll back to its initial state and function perfectly without any extra tweaking.
Step 3
Download and fill in the template
Please submit all information about your service using our template.
To ensure nothing is missed, check your service against the following checklist:
  • Full step-by-step walkthrough (in Markdown) for the attack vector and capturing both flags
  • Flag locations and auto-renewal instructions (preferably via cmd, bash, SQL, and similar commands)
  • All user credentials
  • Descriptions of all key components and processes involved in the attack vector
  • Descriptions of ports used
  • Source code for scripts, web apps, and configurations
  • Firewall rules (if applicable)
Step 4
Fill in the form and attach the completed template
Provide real contact info so we can reach you.
Reviewing services takes time. We will thoroughly check your service and definitely get back to you with feedback.
What happens next?
If your service is approved by the Standoff team
We will host your service on the Standoff Hackbase cyberrange and feature it on our socials. The best services will receive special rewards.
If your service is not approved
You can tweak your service based on our feedback, build a new one from scratch, or check out existing services on the Standoff Hackbase cyberrange for inspiration.
About the service
  • Image: compatible with VMware Workstation 16.2 or ESXi 7.0.
  • OS versions: latest available at the time of development.
  • OS patches: up-to-date at the time of development, unless a specific patch is required.
  • Vulnerability age: no older than 12 months (based on exploit or PoC release date).
  • Ports: closed. Exception: you may leave them open if they are necessary for the service to function or to execute the attack vector.
  • Unused devices and drives must be disabled.
  • User-generated content created during the attack must auto-delete after a reasonable timeframe needed to complete the step.
  • Stubs must be functional and should not simply return 500, 403, or other errors.
  • Use only free software with no expiration dates. Commercial software is prohibited, including demo versions.
  • Design services to prevent "traffic jams" among hackers. For example, having only one account for everyone to use in a password reset vector is bad practice.
About the hosts
  • Language: English (for all vulnerable host components)
  • Image: OVA format with VMware Tools installed
  • Post-setup: use tools like WinPEAS or LinPEAS to detect and patch any unintended vulnerabilities
About the content
  • Make it hyper-realistic. It should look and behave exactly like a real-world service.
  • If you include hints, they must seamlessly blend into the scenario.
About bruteforcing
  • It should take no longer than 10 minutes to bruteforce any element. Use passwords from well-known dictionaries, such as Seclists.
  • Avoid bruteforce vectors. Disable request rate limits.
  • For passwords not meant to be bruteforced, use the xkpasswd service. Format example: 55-floor-EXACTLY-form-64
For Windows hosts
  • Hostname must match the vulnerable service name on the platform.
  • Domain name must match the hostname (***.stf).
  • Max resources: 40GB ROM, 4GB RAM, 4 CPUs.
  • Disable command history unless needed for the attack vector.
  • Use free trial versions.
For Unix-like hosts
  • Hostname must match the vulnerable service name on the platform.
  • Max resources: 20GB ROM, 4GB RAM, 2 CPUs. Got a killer idea needing more resources? Email us at hello@standoff365.com.
  • To prevent hints leaking in history files, route them to /dev/null (for example, bash_history, .mysql_history, .viminfo, .zsh_history, .bash_eternal_history, and so on) unless it is required for the attack vector.
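One way to apply and verify the history-file requirement for Unix-like hosts before exporting the image. This is an added example, not part of the Standoff template; the function names `null_history` and `check_history` are hypothetical, and it assumes the `readlink` utility is available on the host.

```sh
#!/bin/sh
# History files named in the requirement above; extend the list for other tools.
HISTORY_FILES=".bash_history .mysql_history .viminfo .zsh_history .bash_eternal_history"

# null_history HOME_DIR
# Replace every listed history file in HOME_DIR with a symlink to /dev/null.
null_history() {
    home_dir=$1
    [ -d "$home_dir" ] || { echo "no such directory: $home_dir" >&2; return 1; }
    for name in $HISTORY_FILES; do
        target="$home_dir/$name"
        # Delete the old file first so earlier build commands do not survive.
        rm -f -- "$target"
        ln -s /dev/null "$target"
    done
}

# check_history HOME_DIR
# Print each listed file that is not a /dev/null symlink.
# Returns the number of offending files (0 means the home directory is clean).
check_history() {
    home_dir=$1
    bad=0
    for name in $HISTORY_FILES; do
        target="$home_dir/$name"
        if [ "$(readlink "$target" 2>/dev/null)" != "/dev/null" ]; then
            echo "not nulled: $target"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run `null_history` for every account's home directory as the last build step, skipping any file the attack vector relies on, then run `check_history` again after a rollback to the initial snapshot.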
Service difficulty levels
The basics
Service requirements
Please read these guidelines carefully and stick to them when creating your service.
The absolute "don'ts"
Profanity, insults, or highly sensitive topics (politics, religion)
Pointless "rabbit holes" that serve no purpose
Software that consumes excessive host resources, unless it is required by the vector. For example, prefer nginx over Apache2
Links to external resources or use of external components outside the local network
Planting backdoors for your own team
Using logos or names of existing companies. For example, you can’t build a clone of X or VK using their logos or names
Never heard of you. What exactly is Standoff?
A virtual infrastructure with realistic replicas of IT systems from various industries, where cybersecurity specialists can train 24/7
A cyber exercise for information security professionals from around the world to test their skills in highly realistic conditions
Standoff 365 is a platform for testing and improving your cybersecurity skills.
The best vulnerable services will be hosted here
And possibly here
If you have any questions, please contact us at: hosts@standoff365.com
Programs from platform partners with monetary rewards for discovering vulnerabilities
Submission form