Search Labs
Search by Difficulty
Search by OS
Created: 14 days ago
Ivanti
Easy
●
Security Misconfiguration
Lab Rating:
A routine system in a secure environment hides more than it reveals.Can you navigate through layers of misconfiguration and uncover the quietly exposed doors? Every request counts especially the ones you’re not meant to make.
Created: 17 days ago
PwnDoc
Easy
●
CVE
Lab Rating:
PwnDoc is an easy-level Linux machine that focuses on web exploitation techniques and Docker-based privilege escalation.
Created: 18 days ago
Erebus
Hard
●
Log Poisoning
Lab Rating:
Step into the shadows of a forgotten helpdesk where routine maintenance hides
deeper secrets. What begins as a simple misconfiguration unravels into something far more deceptive. Are you paying close enough attention?
deeper secrets. What begins as a simple misconfiguration unravels into something far more deceptive. Are you paying close enough attention?
Created: 29 days ago
Sense
Easy
●
Security Misconfiguration
Lab Rating:
A system built to serve… yet something whispers beneath its surface. Can you hear what others ignore ?
Created: 38 days ago
Target
Medium
●
Security Misconfiguration
Lab Rating:
An ordinary service hides behind a quiet web shell, but deeper inspection reveals a misstep in trust. What seems like a harmless utility turns out to be a direct line to ultimate power. Can you spot the subtle crack in the system's armor?
Created: 38 days ago
Staging
Medium
●
Security Misconfiguration
Lab Rating:
Staging is a medium-difficulty Linux CTF where you brute-force hidden vhosts, spin up a remote database to configure an uninitialized WordPress, then exploit misconfigurations for initial access. From there, you reuse credentials and abuse sudo misconfigs to gain root. It mimics real-world staging pitfalls in poorly managed environments.
Created: 46 days ago
Graph
Medium
●
CVE
Lab Rating:
Harness the hidden Thread Weaving Protocol in Graph’s Gremlin engine: hijack traversal streams, override Java scheduler tokens, and slip past concurrency guards. Only those who master dynamic graph flows will unearth the buried flags.
Created: 46 days ago
Issabella
Easy
●
CVE
Lab Rating:
Infiltrate Issabella’s fortress: bypass deceptive interfaces, crack hidden protocols, and outsmart adaptive defenses at every turn. Will you seize the hidden prize before the system strikes back?
Created: 46 days ago
Bluerock
Medium
●
Artificial Intelligence
Lab Rating:
Unlock the power of BlueRock’s Model Context Protocol: manipulate streaming transaction insights, override dynamic risk thresholds, and slip past adaptive fraud defenses. Each challenge reshapes the analytics pipeline in real time only the sharpest operators will bend the MCP to their will and emerge unflagged.
Created: 57 days ago
Rejetto
Easy
●
Server Side Template Injection
Lab Rating:
A classic file-sharing service hums along, offering simple access to a few public resources. It looks stable, even nostalgic, perhaps a relic from another era. But age often brings
oversight. Explore its behavior, peek into its features, and you might just find something that
wasn’t meant to be shared
oversight. Explore its behavior, peek into its features, and you might just find something that
wasn’t meant to be shared
Created: 68 days ago
Chad
Easy
●
CVE
Lab Rating:
A seemingly simple web monitoring tool has been deployed on the server.
Something feels off—dig deeper, explore its features, and see where curiosity takes you.
Something feels off—dig deeper, explore its features, and see where curiosity takes you.
Created: 68 days ago
Zorlang
Medium
●
CVE
Lab Rating:
Zorlang is a Linux-based CTF machine designed to challenge a player’s skills in exploiting modern vulnerabilities and navigating post-exploitation scenarios. Players must gain an initial foothold by targeting an exposed service and then proceed to enumerate internal services to pivot deeper into the network. Success requires effective use of SSH tunneling techniques and a final privilege escalation through a misconfigured or vulnerable internal component, ultimately leading to full system compromise.
Created: 78 days ago
Doom
Medium
●
CVE
Lab Rating:
An internal CI server was hastily exposed with default configurations.
Created: 83 days ago
Veriface
Medium
●
Artificial Intelligence
Lab Rating:
AI-powered facial recognition, where your face might just be the key! Train, spoof, and outsmart the system in this bizarre biometric circus of challenge and deception. Can you beat the machine at its own game?
Created: 89 days ago
Middleman
Medium
●
CVE
Lab Rating:
This lab demonstrates middleware authentication bypass vulnerability in Next.js,
allowing unauthorized access to protected routes.
allowing unauthorized access to protected routes.
Created: 185 days ago
File Ception
Easy
●
Local File Inclusion
Lab Rating:
Welcome to the ultimate cybersecurity carnival, where Local File Inclusion meets Remote Code Execution! This quirky machine invites you to don your hacker hat and take a roller coaster ride through the twisted paths of misconfigured web applications.
Created: 185 days ago
Commander
Easy
●
Command Injection
Lab Rating:
Step into the role of a daring investigator, tasked with uncovering a web
vulnerability on the "Commander" machine. Each step takes you closer to the treasure — root access. Will you solve the puzzle?
vulnerability on the "Commander" machine. Each step takes you closer to the treasure — root access. Will you solve the puzzle?
Created: 232 days ago
Forward
Easy
●
Sql Injection
Lab Rating:
In the land of intranets and login screens there are often bypasses that go unnoticed, can you break through the security, bypass the login page, and gain access to the underlying operating system?
Created: 246 days ago
Operation Securenet
Medium
●
Command Injection
Lab Rating:
Infiltrate the heart of SecureNet, a tech startup where shadows hide secrets and
every service is a potential trap. Your mission: unravel the mysteries concealed within layers of
encryption, misdirection, and subtle clues. Trust your instincts, question everything, and stay
sharp—only the cleverest will uncover the truth behind the breach. Can you piece together the
puzzle before time runs out?
every service is a potential trap. Your mission: unravel the mysteries concealed within layers of
encryption, misdirection, and subtle clues. Trust your instincts, question everything, and stay
sharp—only the cleverest will uncover the truth behind the breach. Can you piece together the
puzzle before time runs out?
Created: 257 days ago
Shuttle Booking
Medium
●
Cross Site Scripting
Lab Rating:
Welcome to the Shuttle Booking system, where only the bravest hackers thrive. Before you is a seemingly simple website, but every input field hides potential danger. Your mission? Unleash the full power of XSS before anyone else does! Can you manipulate the browser's inner workings, hijack sessions like a pro, and seize total control?
Created: 278 days ago
One Click
Easy
●
Authentication Bypass
Lab Rating:
An end user has installed some software that was not approved on the ITs list. This resulted in a vulnerability being exposed, can you exploit this windows machine?
Created: 291 days ago
Splinter
Easy
●
Server Side Template Injection
Lab Rating:
Unemployable INC, a shady corporation, needs your penetration testing skills. Suspecting server-side template injection vulnerabilities, they've hired you to infiltrate their systems. Like Splinter, exploit weaknesses and demonstrate the impact. Uncover hidden vulnerabilities, prove your worth, and expose the true extent of their security flaws. The fate of Unemployable INC rests in your hands.
Created: 300 days ago
QuickScan
Easy
●
Server Side Request Forgery
Lab Rating:
Your task is to upload a file that triggers an unexpected behavior on the server. Explore different file types, bypass restrictions, and see if you can gain unauthorized access or leak sensitive information. Be creative and think like an attacker!
Created: 306 days ago
Filter
Easy
●
Local File Inclusion
Lab Rating:
Your mission is to bypass restrictive filters and exploit Local File Inclusion (LFI) vulnerabilities. But that's not all—use your skills to escalate into Command Injection. Can you manipulate the input and take full control?
Created: 314 days ago
Mdbraid
Easy
●
Insecure Network Services
Lab Rating:
Dive into mdbraid where you'll uncover hidden programs, manipulate access files, and crack SMB configurations. Challenge your skills as you navigate through secret pathways, decrypting clues, and exploiting vulnerabilities to conquer the system!
Created: 318 days ago
Middle Ground
Easy
●
MitM Attacks
Lab Rating:
Step into a digital battlefield where the stakes are high and the secrets are buried deep. Your mission? Exploit an exposed FTP server, sniff out what's hidden on port 80, and decode the mysteries of the network. Every corner holds a clue, every service a potential breakthrough.
Created: 323 days ago
Wallstreet Hijack
Hard
●
Replay Attacks
Lab Rating:
The gRPC stock trading service lacks robust protections against replay attacks. Exploit the weak security mechanisms to replay valid trade requests and manipulate stock values. Can you gain unauthorized profits by intercepting and replaying gRPC messages?
Created: 330 days ago
Hijack
Easy
●
Broken Authentication
Lab Rating:
The MySQL database on the machine 'Hijack' seems ripe for exploitation. Weak authentication and a lack of proper security controls give you a potential opening. Use your brute-forcing skills to break into the MySQL database, bypass the broken authentication mechanisms, and see what secrets lie within.
Created: 330 days ago
Share Me
Easy
●
Broken Authentication
Lab Rating:
Leaked credentials have surfaced, giving you potential access to an S3 bucket. But broken authentication mechanisms stand in your way. Use the creds, bypass the flaws, and see what secrets you can uncover. Can you find the flag hidden deep within?
Created: 335 days ago
Defcon 32
Medium
●
XXE
Lab Rating:
Attack a Parrot CTFs Defcon Village website, escalate your privileges within the application, compromise the server, and gain root access.
Created: 339 days ago
Cloud Admin
Medium
●
Cloud Misconfigurations
Lab Rating:
Dive into the world of cloud security with Cloud Admin. Face various challenges in cloud and server environments designed to test your ability to uncover vulnerabilities and exploit weaknesses. Do you have what it takes to compromise the infrastructure and reveal its secrets?
Created: 342 days ago
Wiki
Medium
●
RCE
Lab Rating:
Step into Sofia's Wiki, a Linux hosted wiki filled with intricate details and hidden treasures. uncover secrets buried within the pages, exploit upload functions, find hidden files and explore the Linux environment.
Created: 346 days ago
Simple
Easy
●
Insecure Network Services
Lab Rating:
Step into this Windows 10 labyrinth with RDP and a few surprise services open. Navigate the quirky challenges, uncover hidden secrets, and see if you can outsmart the simplicity to capture the flag!
Created: 351 days ago
Code Engine
Easy
●
Insecure Docker Config
Lab Rating:
Unleash the power of Node.js in Code Engine! Dive into a hands-on lab where participants will explore a Node.js web app running in a Docker container. They will face exciting challenges that require them to interact with the application through the browser, execute code, and navigate the intricacies of containerized environments.
Created: 354 days ago
Backdrop
Easy
●
RCE
Lab Rating:
Dive into the Backdrop CMS challenge! Unravel hidden secrets, tackle engaging tasks, and master the quirks of this unique CMS. Ready to crack the code?
Created: 358 days ago
Cyber Heist
Medium
●
Replay Attacks
Lab Rating:
Unravel GRPC secrets in Cyber Heist! Face fun and engaging tasks designed to test your skills in navigating complex GRPC environments. Participants will tackle challenges involving remote procedure calls, service definitions, and exploiting GRPC vulnerabilities to conquer the GRPC security landscape.
Created: 360 days ago
Kurby DC
Easy
●
Active Directory
Lab Rating:
Unravel Active Directory secrets in Kurby DC! Face fun and engaging tasks designed to test their skills in navigating complex AD environments. Participants will tackle challenges involving user authentication, group policies, and domain controllers to conquer the AD security landscape.
Created: 365 days ago
Habitual
Easy
●
Sql Injection
Lab Rating:
More vulnerable than your diet on cheat day! This easy lab machine invites you to dive into the world of common CVEs and SQLi exploits.
Created: 368 days ago
Chatter
Medium
●
Insecure Sockets
Lab Rating:
Play around with websockets, intercept messages, enumerate API endpoints and more with this awesome vulnerable chat API. Do you have what it takes to hack this API?
Created: 372 days ago
Poultry
Medium
●
RCE
Lab Rating:
Test your enumeration skills and hack this server that seems to be under development by a poultry farm? I wonder what they are going to sell.
Created: 377 days ago
Merch Metrics
Hard
●
IDOR
Lab Rating:
Dive deeper into the void of APIs, check metrics and find hidden flaws, can you hack this vulnerable API?
Created: 381 days ago
Staff Connect
Hard
●
SQL Injection
Lab Rating:
Dive into the zany world of a staffing agency's API, where your mission is to exploit IDOR vulnerabilities and uncover SQLi flaws while dodging our cheeky digital recruiter’s pranks.
Created: 387 days ago
SystemSpoils
Medium
●
Security Misconfiguration
Lab Rating:
Welcome to SystemSpoils, where you outsmart a tricky IIS server and a sneaky SMB share. Dive in, hack away, and uncover digital treasures!
Created: 390 days ago
Marketer
Medium
●
RCE
Lab Rating:
Ever come across a marketing provider like mailgun? This is that without the APIs can you attack this machine using your file upload and cryptography skills?
Created: 390 days ago
ArshaSpector
Easy
●
Security Misconfiguration
Lab Rating:
Arsha is a website development firm, they however are not too great at backend work yet. Can you find the misconfiguarations that lead to full server compromise?
Created: 396 days ago
NonSense
Easy
●
Security Misconfiguration
Lab Rating:
Welcome to Nonsense, a CTF where your mission is to outwit a pfSense router box that thinks it's impenetrable. Can you find the hidden flag in this labyrinth of digital defenses, or will you be caught in a web of nonsense?
Created: 623 days ago
Tiki 2
Hard
●
Insecure Deseralization
Lab Rating:
Embark on a thrilling CTF journey in the virtual Tiki world! Unravel the 'Insecure Deserialization' enigma, showcase your prowess, and emerge victorious in this cyber quest. Triumph awaits!
Created: 634 days ago
RootQL
Easy
●
Weak Authentication
Lab Rating:
Welcome to GraQLand, the magical realm of GraphQL APIs. A mischievous fairy has hidden the flag amidst its API tree. Traverse the mystical endpoints, decipher riddles, and unearth the hidden flag. But beware of the GraphQL challenges. Do you have the charm to outwit the fairy and capture the flag?
Created: 641 days ago
Header
Medium
●
Multiple Injections
Lab Rating:
Headers: the unsung heroes of the digital realm. Dive deep into the fascinating world of headers, where every line tells a tale, and every request holds a secret. From guiding data's dance to whispering web wishes, headers are the cool conductors of the cyber symphony. Join the header hullabaloo and discover the magic behind the scenes!
Created: 664 days ago
Ticket
Easy
●
SQL Injection
Lab Rating:
Ticketing Systems are very common in day-to-day operations with IT. However, the infrastructure for these systems is often left un-secured because they are used internally and often made from scratch. Find the flaw in this application.
Created: 665 days ago
Vape Shop
Medium
●
SQL Injection
Lab Rating:
This shop has given you a UAT environment to start testing its application can you find the flaws in this app?
Created: 720 days ago
Happi
Easy
●
IDOR
Lab Rating:
This API was made with developers who thought they were funny. Little did they know this tom foolery is what makes this API vulnerable.
Created: 748 days ago
Devguru
Medium
●
Security Misconfiguration
Lab Rating:
He's taught you his ways, can you show him how much you've learned and hack into this website?
Created: 756 days ago
Society
Easy
●
Buffer Overflow
Lab Rating:
Welcome society, a virtual world where the only currency is words, and the conversations never stop. Our servers are like a bustling cafe where people come to chat, share stories, and connect with others from all over the world.
Created: 756 days ago
Mr Robot V2
Medium
●
Multiple Injections
Lab Rating:
FSociety has assigned you a task: Hack Ecorp and Their Employees. Can you do it?
Created: 819 days ago
Elemental Express
Medium
●
Security Misconfiguration
Lab Rating:
Content Managment Systems are powerful, but they are also often time out of data and vulnerable. Can you prove that this is the case?
Created: 825 days ago
Blogger
Medium
●
XXE
Lab Rating:
A company has hired you to perform a penetration test against this blog. Can you bring back good results?
Created: 964 days ago
Pet Shop
Easy
●
Legacy Systems
Lab Rating:
This old school pet shop owner has an old website. It's not even set up yet! Can you find your way into this poor man's website and show him where the flaws are?
Created: 993 days ago
Jigsaw 2
Medium
●
Insecure Network Services
Lab Rating:
Can you crack the puzzle and find your way inside this more confusing and more puzzling machine? We dare you to give it a shot!
Created: 993 days ago
Itty Bitty
Medium
●
RCE
Lab Rating:
This Bit Bucket instance has not been updated in a long time. The big data firm that uses this server must not care about CVEs. Show off your exploitation skills!
Created: 993 days ago
Harvest
Easy
●
Insecure Authentication
Lab Rating:
They've harvested all the vegetables they need, but can you harvest the flags?
Created: 993 days ago
Photography
Easy
●
Insecure Deserialization
Lab Rating:
Photos are fun but so is hacking into this website. Can you find the vulnerability?
Created: 993 days ago
Air Port
Hard
●
Weak Authentication
Lab Rating:
This airports information server is due for a penetration test can you find everything wrong with this server?
Created: 994 days ago
Water Flask
Easy
●
Insecure Design
Lab Rating:
Wanna quench your hacker thirst? Hack into this flask application find the flaws and report those findings!
Created: 1000 days ago
Dentist Office
Easy
●
Weak Authentication
Lab Rating:
Sharpen up your skills like under this under the bridge dentist sharpens teeth show us can you hack this website?
Created: 1000 days ago
Git Hit
Hard
●
Information Disclosure
Lab Rating:
Gitlab is a great way to host code but hosting a self-managed instance can be dangerous can you show the owner of this server why this is the case?
Created: 1001 days ago
Jigsaw
Hard
●
Insecure Network Services
Lab Rating:
Can you crack the puzzle and find your way inside this confusing and puzzling machine? We dare you to give it a shot!
Created: 1211 days ago
Abby's Lab - NCIS
Hard
●
IDOR
Lab Rating:
No way! I'm getting hacked! Break through Abby's IPS in order to breach her system.
Created: 1217 days ago
Texas Ranger
Easy
●
Cryptography
Lab Rating:
Yee haw! Can you show the Texas Rangers who is boss?
Created: 1357 days ago
Aero Space
Medium
●
SQL Injection
Lab Rating:
Can you find the vulnerabilities in this CMS? If so, be sure to report them to their GitHub : ).
Created: 1364 days ago
Convergence
Easy
●
CVE
Lab Rating:
This Information Security Influencer Has a Documentation Server. Clearly, they did not stay up to date with the cyber security news.