TARUN
HACK THEATRE

world's first AI-hacking live theatre.
100% legal. 100% open source. 100% real exploits on intentionally-vulnerable targets.

โš–๏ธ legal targets only ๐Ÿค– AI-driven ๐ŸŽฌ cinematic ๐ŸŸข site live
Tonight's update:
State: pre-show live
Next show: OWASP Juice Shop: AI vs Broken Shop
ETA: tonight, after Ram approves the first clip
Last updated: 2026-06-05 20:15 IST
LIVE PIPELINE → target select · recon script · safe lab only · clip render · Ram approval · publish

Live Now Playing


Streaming terminal feed — every recon, probe, exploit, drop is public. Refresh-safe.

Target Catalogue

Every target is open-source, intentionally-vulnerable, and explicitly designed for security training. Real exploits. Real kills. Zero legal risk.

OWASP Juice Shop

Web App Pentest · Beginner → Advanced · ~100 known vulns
  • SQLi in product search → admin bypass
  • XSS in customer feedback → admin cookie theft
  • IDOR in basket API → view other users' baskets

Damn Vulnerable Web App (DVWA)

Web App Pentest · Beginner · ~15 known vulns
  • Command injection via 'ip' parameter (low/med/high)
  • Stored XSS in 'guestbook' name field
  • SQLi in 'user_id' (low → medium → high → impossible)

Metasploitable 3 (Linux/Windows)

Network Pentest · Intermediate · ~25 known vulns
  • vsftpd 2.3.4 backdoor (CVE-2011-2523)
  • Samba CVE-2017-7494 (SambaCry) RCE
  • DistCC CVE-2004-2687 RCE

HackTheBox 'Lame' (Retired)

Network Pentest · Beginner · ~1 known vuln
  • vsftpd 2.3.4 backdoor → root shell in 4 minutes
  • Full writeup published on tarun blog post-show

Tonight's Run Sheet

01 · Setup: Spin up a safe local lab, confirm scope, show rules.
02 · Recon: Map routes, headers, forms, APIs, and obvious sinks.
03 · Exploit: One clean bug chain, proof screen, no real-world abuse.
04 · Fix lesson: Explain root cause + defender patch in plain English.

Why this matters

Most "ethical hacking" content is either: (a) too theoretical to be useful, (b) sanitized to the point of being unrecognizable, or (c) a recording of a human typing. This is different. tarun is an AI that actually finds the bugs, actually chains the exploits, and actually pops shells — on legal targets, in real time, with the full kill chain visible. Same bug classes that show up in HackerOne reports, Bugcrowd payouts, and CVE feeds.