Skill tracks

The five disciplines

Almost every challenge — and every real engagement — falls into one of these buckets. Learn the mental model behind each, internalize the curated tactics, and you'll know where to look before you've read the prompt twice.

01 Web Exploitation (web)

The browser is the largest attack surface on earth.

Find and weaponize flaws in how applications handle input, sessions, and trust. Most real-world breaches start here.

Curated tactics

  1. Map before you attack

    Enumerate every route, parameter, and hidden form field. A site map is worth ten random payloads — you can't exploit an endpoint you never found.

  2. Trust nothing the client sends

    Cookies, headers, hidden inputs, and JWT claims are all attacker-controlled. If the server trusts them without verification, that is the bug.

  3. Chain low-severity bugs

    An open redirect plus a lax cookie plus a verbose error page can compose into account takeover. Severity lives in the chain, not the part.

  4. Read the source maps

    Front-end build artifacts frequently ship .map files that reveal internal API routes, feature flags, and commented-out admin endpoints.


02 Cryptography (crypto)

Don't roll your own. Learn to break those who did.

Attack weak primitives, predictable randomness, and broken protocol logic. The math is rarely the weak point — the implementation is.

Curated tactics

  1. Identify the scheme first

    Block size, key reuse, padding behavior, and ciphertext length leak the algorithm. ECB shows visible patterns (identical plaintext blocks give identical ciphertext blocks); in CBC, flipping a bit in one ciphertext block garbles that block's plaintext and flips the same bit in the next block only.

  2. Look for nonce reuse

    Reusing a nonce in stream ciphers (CTR, GCM, ChaCha20) collapses confidentiality and, for GCM, lets you forge tags. Same nonce, same keystream.

  3. Padding oracles are everywhere

    If the server distinguishes 'bad padding' from 'bad MAC', you can decrypt CBC ciphertext byte-by-byte without ever knowing the key.

  4. Small parameters fall fast

    Tiny RSA exponents, smooth-order groups, and short keys yield to known attacks. Always check the modulus and exponent before assuming hardness.


03 Binary Exploitation (pwn)

Memory is a promise the program can't always keep.

Turn memory-corruption bugs into arbitrary code execution. This is where you learn how computers actually work — at the byte level.

Curated tactics

  1. Always check the mitigations

    Run a checksec pass first. NX, PIE, RELRO, and stack canaries each change your entire strategy. Know the battlefield before you plan the assault.

  2. Leak, then exploit

    With ASLR enabled you need an address before you can use one. Find an info leak to defeat randomization, then pivot to your control-flow primitive.

  3. Master the format string

    An attacker-controlled format string is both an arbitrary read (%x, %s) and an arbitrary write (%n). It defeats canaries and leaks the stack at once.

  4. Return-oriented programming

    When you can't inject shellcode, borrow it. Chain existing gadgets ending in `ret` to build your payload from the program's own bytes.


04 Digital Forensics (forensics)

Every action leaves a trace. Learn to read them.

Recover hidden data, reconstruct timelines, and analyze artifacts from disk images, memory dumps, packet captures, and crafted files.

Curated tactics

  1. Magic bytes never lie

    File extensions are a suggestion; the header is the truth. Inspect the first bytes with a hex editor — a `.jpg` starting with `PK` is really a ZIP.

  2. Carve for hidden payloads

    Run a binwalk pass on any media file. Appended archives, embedded thumbnails, and trailing data after EOF markers are classic hiding spots.

  3. Follow the TCP stream

    In packet captures, reassemble full conversations rather than reading lone packets. Credentials, files, and C2 commands live in the reconstructed flow.

  4. Volatility is your friend

    Memory dumps hold running processes, network sockets, and decrypted secrets that never touched disk. Always profile the image before listing processes.
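Tactics 1 and 2 above in working form: a small triage script, added here as an example and not part of this site's own tooling, that classifies a file by its header bytes, flags an extension that contradicts the header, and counts bytes appended after the format's end-of-file marker. The signature table and the sample files are constructed for the example.

```python
# Added example: file-type triage by magic bytes plus a trailing-data check.
# Signature table and sample inputs are constructed for this example.
import os

# (header prefix, type name) for a handful of common formats
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"\x1f\x8b", "gzip"),
]

# End-of-file markers for formats that have one; bytes after it are appended data
EOF_MARKER = {"jpeg": b"\xff\xd9", "png": b"IEND\xae\x42\x60\x82"}

# Extension -> type the extension claims
CLAIMS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
          "pdf": "pdf", "zip": "zip", "gz": "gzip"}

def identify(data: bytes) -> str:
    """Type implied by the header bytes, or 'unknown'."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a known type but the header disagrees."""
    claimed = CLAIMS.get(os.path.splitext(filename)[1].lower().lstrip("."))
    return claimed is not None and identify(data) != claimed

def trailing_bytes(data: bytes) -> int:
    """Bytes after the last EOF marker; 0 if none or the format has no marker.
    rfind is used because embedded EXIF thumbnails carry their own JPEG EOI."""
    marker = EOF_MARKER.get(identify(data))
    if marker is None:
        return 0
    end = data.rfind(marker)
    return 0 if end < 0 else len(data) - (end + len(marker))

def triage(filename: str, data: bytes) -> dict:
    """Summarise both checks for one file."""
    return {"type": identify(data),
            "mismatch": extension_mismatch(filename, data),
            "trailing": trailing_bytes(data)}

if __name__ == "__main__":
    # Constructed samples: a ZIP named as a JPEG, and a tiny JPEG with a ZIP appended
    print(triage("photo.jpg", b"PK\x03\x04" + b"\x00" * 26))
    print(triage("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9"
                 + b"PK\x03\x04" + b"\x00" * 20))
```

A non-zero trailing count is the cue to hand the file to a carver such as binwalk; a concatenated second JPEG would defeat the rfind shortcut and needs a proper segment walk.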


05 Recon & OSINT (recon)

The quiet phase that wins the loud ones.

Map the target's footprint from public sources before sending a single packet. Great recon turns an impossible target into an obvious one.

Curated tactics

  1. Enumerate the whole surface

    Subdomains, ASNs, certificate transparency logs, and exposed cloud buckets all expand the map. The forgotten staging host is usually the soft entry.

  2. Certificates are a goldmine

    CT logs reveal hostnames an organization never meant to publish. Query them early — they expose internal naming conventions and dev environments.

  3. Mind your footprint

    Passive recon (DNS, archives, public records) leaves no logs on the target. Save active scanning for when you genuinely need it — and when you're authorized.

  4. Document as you go

    A messy notes file loses the win. Track every host, port, version, and credential the moment you find it; future-you will need that detail under pressure.

Ready to put it into practice?

The getting-started guide walks you from your first tooling install to your first solved flag — with legal practice labs for every track above.

Open the guide