Commit structure for a vulnhub challenge

Hi,

I just solved a vulnhub machine as a hack challenge, but now I don’t know what to do with the commit: how do I choose the complexity? And since vulnhub does not have any ranking system, how should I fill in the ranking and score fields of the commit message?

Thanks.

Please read the past merged MRs, and you will find the clues. The documentation also contains the specification for that.

Hi @blue-snot, yes, the docs say that I can use the autonomic ranking, but they do not give much information. I guess the initial rank for both national and global should be the current position in the ranking, and the final position should be the expected position after the MR gets accepted. Am I correct?

And what should I use for the score, the percentage number of unique solutions or the number of unique solutions?

Thanks.

Best source of truth is the repo itself: git log, past commits, past merged MRs!! :wink:

@blue-snot yes, but in this case I can’t find a commit that would help me since, until now, all vulnhub machines have been used to fill the OTHERS.lst files and not for solving them. These are the commits I found regarding vulnhub

And none of those commits are using the current commit structure.

Thanks.

Hello there

Your doubt is understandable, and since this is a new feature we’ve just introduced to the challenges repo, there are still some details to work on. As for me, I suggest you use the commit msg for a VbD challenge, and since vulnhub is a VbD platform the correct commit would be:

discovered vulnerabilities: X by me, Y already in repo, X+Y total.
total estimated vulnerabilities in system: Z
discovery percentage: ((X+Y)/Z) * 100%
effort: W hours during challenges.

Where:

  • Discovered vulnerabilities are the number of features related to that machine or challenge.
  • Total estimated vulnerabilities are the estimated amount of vulnerabilities in the machine or challenge; some of them may not have been exploited yet.
  • Discovery percentage is the amount of exploited vulnerabilities with respect to the total.
  • Effort: same as for other challenges, the number of hours spent from when you started the challenge until you sent the MR.

I hope this solves your doubts.
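As an added illustration (not code from the challenges repo or from anyone in this thread), here is a small Python checker that parses the four template lines above and verifies the arithmetic between them, the kind of check a CI job could run on the commit body. It assumes the percentage is written as a plain number such as 75.00% and that the subject line is whatever the repo docs require.

```python
import re

# Regexes for the four body lines of the VbD commit template quoted above. Assumption:
# a real commit writes the percentage as a number such as "75.00%", not the formula.
PATTERNS = {
    "discovered": re.compile(r"^discovered vulnerabilities: (\d+) by me, (\d+) already in repo, (\d+) total\.$"),
    "estimated": re.compile(r"^total estimated vulnerabilities in system: (\d+)$"),
    "percentage": re.compile(r"^discovery percentage: (\d+(?:\.\d+)?)%$"),
    "effort": re.compile(r"^effort: (\d+(?:\.\d+)?) hours? during challenges\.$"),
}

def parse_vbd_body(message):
    """Match every non-empty line after the subject line against the template; raise on anything else."""
    found = {}
    for line in message.strip().splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        name = next((n for n, p in PATTERNS.items() if p.match(line)), None)
        if name is None:
            raise ValueError(f"line does not match the VbD template: {line!r}")
        found[name] = PATTERNS[name].match(line).groups()
    missing = sorted(set(PATTERNS) - set(found))
    if missing:
        raise ValueError(f"missing template lines: {missing}")
    return found

def check_vbd_commit(message):
    """Return the arithmetic inconsistencies in a VbD commit body; an empty list means it is consistent."""
    f = parse_vbd_body(message)
    mine, repo, total = (int(v) for v in f["discovered"])
    estimated, percentage = int(f["estimated"][0]), float(f["percentage"][0])
    problems = []
    if mine + repo != total:
        problems.append(f"X+Y total is {total}, but {mine}+{repo} = {mine + repo}")
    if estimated <= 0 or total > estimated:
        problems.append(f"{total} discovered but only {estimated} estimated for the system")
    else:
        expected = round(total / estimated * 100, 2)
        if abs(percentage - expected) > 0.01:
            problems.append(f"discovery percentage {percentage}% should be {expected}%")
    return problems

# Constructed sample message; the subject line is a placeholder, not the repo's real format.
SAMPLE = """<subject line per the repo docs>
discovered vulnerabilities: 2 by me, 1 already in repo, 3 total.
total estimated vulnerabilities in system: 4
discovery percentage: 75.00%
effort: 6 hours during challenges.
"""
```

Running `check_vbd_commit(SAMPLE)` returns an empty list; change the total to 5 and it reports both the X+Y mismatch and the total exceeding the estimate.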

Hi @hermit-purple, on another post I was told that vulnhub was for hack challenges only, not for VbD.

And I want my solution to count as a hack challenge, since what I solved was a CTF challenge. So, should I use the body of a VbD commit but the description of a hack challenge? I mean, something like this:

sol(hack): #0 vulnhub, machine (difficulty)

discovered vulnerabilities: X by me, Y already in repo, X+Y total.
total estimated vulnerabilities in system: Z
discovery percentage: ((X+Y)/Z) * 100%
effort: W hours during challenges.

Is that OK? But I don’t think that would pass the CI.

Thanks.

@perceived-doubt We are currently moving vulnhub to the VbD scope since, as you already noticed, it would be confusing to set a ranking and a score for each machine, so the previous commit template would work like a charm :wink:

@hermit-purple you mean the VbD template that you posted before? If so, the thing is, can I use the VbD commit with the CTF’s feature template? Because I solved the machine thinking of it as if it were a CTF challenge, so I used the CTF’s .feature, and honestly I don’t want to lose all that work, but if it needs to be a VbD challenge, I’m OK with that.

This template should be used in the commit. For the feature, you won’t lose your work since most of the feature will still be valid; you’ll have to change some scenarios and add other sections that are in the VbD feature, such as remediation and scoring. Feature examples for VbD are also available in the repo :wink:

@hermit-purple got it, just one last thing: since I had to exploit more than one vulnerability, can I send all of them in one commit, or does it have to be several commits, one for each vulnerability, filling in the corresponding correlations section?

Sorry for all my questions, but this got me really confused.

Thanks.

If you find more than one vulnerability in one machine you can send several features, each one describing and exploiting a different vulnerability. If the vulnerabilities are correlated you can explain at the end of the feature which are the correlations and add a brief explanation of the exploitation process, for example:

Scenario: Correlation
Given I have found SMTP Auth credentials by exploiting the current SQLi
When I use the credentials to access the service
Then I can impersonate the corporate email account

EDIT: Also remember to take into account the number of vulnerabilities in the commit msg, if you find a new vulnerability update the total estimated metric :wink:

EDIT2: One MR per feature, please