Hack the Hackers

The goal of this contest is to discover vulnerabilities in Pentest-Tools.com, an online platform for penetration testing and vulnerability assessment.

In order to create a free account on the platform, you can use the following registration link and the voucher code HACKING-VILLAGE-2022.

Each vulnerability that you find should be reported at [email protected] and reports must include technical details such as: proof-of-concepts, screenshots and a set of reproducible steps.

After we centralize and analyze the results based on our scoring system, which is described below, the top three contestants will receive a prize.

Not all vulnerabilities are considered equal and it is up to our security team to decide the accepted risk level for each vulnerability.

However, you should consider the guidelines from the Rules and Scoring sections below.

Rules of Engagement

Scope:

  • pentest-tools.com
  • app.pentest-tools.com

Out-of-Scope vulnerabilities:

  • Cross-Site Request Forgery (CSRF) without a specific, demonstrable impact
  • Automated scanner output or scanner-generated reports, including any automated or active exploit tool
  • Man-in-the-Middle attacks
  • Social engineering attacks, including those targeting internal employees
  • Host header injections without a specific, demonstrable impact
  • Denial of service (DoS) attacks using automated tools
  • Self-XSS, which includes any payload entered by the victim
  • Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
  • Infrastructure vulnerabilities, including:
      ◦ Issues related to SSL certificates
      ◦ DNS configuration issues
      ◦ Server configuration issues (e.g. open ports, TLS versions, etc.)
      ◦ Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.)
  • Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
  • Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)

Scoring system

Each accepted vulnerability will have a risk level and score:

– Low – 25 points
– Medium – 50 points
– High – 75 points
– Critical – 100 points

For a contestant to be eligible for a prize, they need to score at least 75 points.

Contact: [email protected]

PRIZES

The top three contestants will receive equal prizes consisting of both a Hack The Box VIP subscription for one year and a voucher for the Burp Suite Certified Practitioner certification.

SPONSORED BY