Challenges

Web Easy

Cookie Manipulation

A simple web application that uses cookies to determine user role. The cookie is not encrypted or signed - can you modify it to gain admin access?

Learning Objectives:
- Understanding HTTP cookies
- Browser developer tools
- Cookie manipulation techniques
- Importance of cookie security

Skills Required:
- Basic web browsing
- Browser DevTools

Skills Learned:
- Cookie inspection and modification
- Session management basics
- Client-side security failures

50 pts
14 solves 🩸
Web Easy

Cookie Monster

A login portal that grants guest access. Admin privileges reveal the flag. Analyze HTTP cookies.

100 pts
6 solves 🩸
Web Easy

JWT Algorithm Confusion

A simple web API that uses JWT tokens for authentication. The developer trusted the algorithm field in the JWT header. Can you forge an admin token?

100 pts
12 solves 🩸
Web Easy

Robots.txt Disclosure

Find an information disclosure bug.

50 pts
10 solves 🩸
Web Easy

Stored XSS Comment Board

Inject JavaScript to steal the admin cookie.

150 pts
11 solves 🩸
Web Medium

Blind SQL Injection

A login form vulnerable to SQL injection. However, error messages are suppressed. You'll need to use time-based blind SQLi to extract the admin password. The database contains a 'secrets' table with a 'flag' column.

250 pts
9 solves 🩸
Web Medium

SQLi Shop

An e-commerce search feature vulnerable to SQL injection. A secrets table hides the flag.

250 pts
4 solves 🩸
Web Medium

SSTI Greet

A Flask greeting app that renders user input as a Jinja2 template. Exploit Server-Side Template Injection.

300 pts
5 solves 🩸
Web Hard

JWT Auth

A JWT authentication portal. The server accepts the 'none' algorithm, allowing unsigned token forgery.

400 pts
5 solves 🩸
Web Insane

SSRF + RCE Chain

A URL fetcher with an internal metadata service. Chain SSRF to reach the internal service, then use a custom header to achieve RCE and read the flag file.

500 pts
4 solves 🩸
Pwn Easy

Buffer Overflow Basic

A classic stack buffer overflow. Overflow the 64-byte buffer to redirect execution to the win() function.

150 pts
4 solves 🩸
Pwn Easy

Stack Overflow - ret2win

A simple buffer overflow challenge. The binary has a win() function that prints the flag, but it's never called. Can you overflow the buffer and redirect execution? Compile: gcc -o stack_overflow stack_overflow.c -fno-stack-protector -no-pie -m32

100 pts
7 solves 🩸
Pwn Medium

Format String

A format string vulnerability. The global 'flag' array is stored in the binary. Leak it from the stack.

300 pts
4 solves 🩸
Pwn Medium

Format String Exploit

This program has a format string vulnerability. Use it to leak the flag from memory. The flag is stored in a global variable. Compile: gcc -o format_string format_string.c -fno-stack-protector -no-pie -m32

250 pts
7 solves 🩸
Pwn Hard

Heap Overflow

Heap overflow into a function pointer. Overflow heap chunk 1 (freed then reallocated) into chunk 2's function pointer to call print_admin().

450 pts
4 solves 🩸
Pwn Hard

ret2libc

Buffer overflow with ASLR disabled. Use ret2libc technique to call system('/bin/sh') and cat the flag.

400 pts
4 solves 🩸
Pwn Insane

ROP Chain

NX enabled, no shellcode. Build a ROP chain using gadgets to call execve('/bin/sh') and read the flag file.

500 pts
4 solves 🩸
Crypto Easy

Ancient Secrets (ROT13)

A ciphertext encrypted with the classic ROT13 (Caesar cipher with shift 13). Decode to reveal the flag.

100 pts
5 solves 🩸
Crypto Easy

Classic Caesar Cipher

A secret message was encrypted using a Caesar cipher with an unknown shift. Can you decrypt it and find the flag? Encrypted message: nFRP{p43f4e_p1cu3e_3m_oe34x}

50 pts
13 solves 🩸
Crypto Easy

Small RSA Exponent Attack

RSA was used with a very small public exponent (e=3). The ciphertext is small enough that m^3 < n, so you can just take the cube root without needing the key!

100 pts
10 solves 🩸
Crypto Medium

XOR Secrets

A repeating-key XOR cipher. The key is 4 characters and a common hacker word. Use known-plaintext attack.

250 pts
4 solves 🩸
Crypto Hard

Tiny RSA

RSA with small 32-bit primes. Factor n to recover d, then decrypt the ciphertext.

400 pts
Crypto Insane

ECC Discrete Log

Elliptic curve discrete logarithm on a weak curve. The curve has small subgroup order, enabling Pohlig-Hellman attack.

500 pts
3 solves 🩸
Crypto Insane

Padding Oracle

AES-CBC padding oracle attack. The server reveals whether decryption has valid PKCS7 padding. Use this oracle to decrypt the flag byte-by-byte.

500 pts
4 solves 🩸
Forensics Easy

Hidden in Plain Sight

A flag is hidden inside an image file using LSB steganography. Extract the hidden message from the image.

100 pts
9 solves 🩸
Forensics Easy

Hidden in Plain Sight PT:2

A PNG image with the flag hidden in its metadata (tEXt chunk). Use exiftool or strings to extract.

100 pts
5 solves 🩸
Forensics Medium

Corrupted Archive Recovery

A ZIP file containing the flag has been corrupted. The magic bytes are wrong. Can you fix the file header and extract the flag?

200 pts
8 solves 🩸
Forensics Medium

Pixel Secrets (LSB Stego)

The flag is hidden in the Least Significant Bit of the Red channel of a PNG image.

250 pts
5 solves 🩸
Forensics Medium

Wire Shark (PCAP)

HTTP network capture with the flag hidden in a custom HTTP response header (X-Secret-Token).

300 pts
5 solves 🩸
Forensics Hard

Memory Forensics

Binary memory dump. Find the XOR-encoded flag (key=0x42) and also a base64-encoded copy buried deeper.

400 pts
4 solves 🩸
Forensics Insane

Disk Recovery (FAT)

FAT12 disk image with a deleted file. Recover the file by finding entries with 0xE5 first byte and reading their data cluster.

500 pts
4 solves 🩸
Rev Easy

Simple Serial Key Checker

This program checks if you enter the correct serial key. Reverse engineer the validation logic to find the correct key. The flag is the serial format. Compile: gcc -o crackme crackme.c -O0

150 pts
7 solves 🩸
Rev Easy

String Search

A simple crackme with the password stored as hex-escaped bytes. Extract using strings or a disassembler.

100 pts
4 solves 🩸
Rev Medium

Anti-Debug Bypass

Binary uses ptrace() to detect debuggers. Bypass the anti-debug or patch the binary to always take the non-debug path.

300 pts
4 solves 🩸
Rev Hard

Obfuscated Python

Obfuscated Python with base64 encoding. Trace the decode logic to recover the password and flag.

400 pts
4 solves 🩸
Rev Hard

VM Reversing

A custom virtual machine with 7 opcodes. Reverse the bytecode to find the password, then run the VM to get the flag.

400 pts
4 solves 🩸
Rev Insane

Packed Binary

Binary with XOR-encoded payload using key 'UNPACK'. Deobfuscate to reveal the secret passphrase which IS the flag.

500 pts
4 solves 🩸
Misc Easy

Exposed Git Repository

A website accidentally exposed its .git directory. Can you download it and find the flag hidden in the commit history?

200 pts
7 solves 🩸
Misc Easy

Layer Cake

Multi-layered encoding: ROT13 → Base32 → Base64 → Flag. Peel each layer.

100 pts
5 solves 🩸
Misc Easy

Misconfigured S3 Bucket

A company left their S3 bucket publicly accessible. The bucket name follows a predictable pattern. Can you find it and access the sensitive files?

Bucket naming pattern: company-[environment]-[year]-backups
Company: acmecorp
Environments: dev, staging, prod
Years: 2024, 2025

100 pts
8 solves 🩸
Misc Easy

QR Quest

Flag hidden in QR code PNG metadata. Either scan a proper QR (generate with generate_qr.py) or extract from tEXt chunk.

200 pts
5 solves 🩸
Misc Medium

Radio Silence (Morse)

Morse code encoded message. Decode to find the flag.

Special markers:
{ = .-.-.-
} = -.-.--
_ = ..--.-

300 pts
3 solves 🩸
Misc Hard

Maze Runner

Navigate a 15x15 maze in under 100 moves. Scripting is recommended to solve the maze algorithmically.

400 pts
5 solves 🩸
Misc Insane

Grand Finale Chain

Multi-step challenge: find hidden message in WAV metadata → base64 decode → reveals the flag.

500 pts
3 solves 🩸
OSINT Easy

Username Hunt

Find a threat actor's public profiles using their username 'h4ck3rj0hn_ctf'. The flag is in their GitHub README.

100 pts
4 solves 🩸
OSINT Medium

Email Investigation

Analyze email headers and decode the base64-encoded flag hidden in the message body.

300 pts
4 solves 🩸
OSINT Medium

Geolocation

GPS coordinates from photo EXIF data point to a Paris cafe near the Eiffel Tower (7th arrondissement).

200 pts
4 solves 🩸
OSINT Medium

Social Media OSINT

A hacker with username "cyb3rgh0st2025" has been identified. Use OSINT techniques to gather information about them and find the flag hidden in their public profiles.

250 pts
10 solves 🩸
OSINT Hard

Social Media Trail

Combine 4 key fragments found across Twitter, LinkedIn, GitHub Gist, and Reddit to form the flag.

400 pts
4 solves 🩸
OSINT Insane

Deep Dive

Multi-source OSINT: WHOIS + certificate transparency + DNS history + Wayback Machine. Find archived page with flag.

500 pts
4 solves 🩸
network Easy

DNS Exfiltration

DNS TXT record contains exfiltrated flag data. Analyze the PCAP to extract it.

100 pts
4 solves 🩸
network Easy

Insecure FTP Login

A user logged into an FTP server. Analyze the network traffic to extract the username and password. The flag is in the format: aSEC{password}

100 pts
9 solves 🩸
network Medium

DNS Data Exfiltration

An attacker exfiltrated sensitive data using DNS queries. Analyze the packet capture to extract the hidden message and find the flag.

200 pts
8 solves 🩸
network Medium

Hidden Service

Port scan captured. Find the one open port, follow its TCP stream, and extract the flag from HTTP response headers.

250 pts
4 solves 🩸
network Hard

Custom Protocol

Reverse engineer a binary network protocol. Craft valid AUTH and GET_FLAG packets to retrieve the flag.

400 pts
3 solves 🩸
network Hard

WiFi Cracking

WPA2-PSK handshake challenge. The password is a dictionary word + year. Crack with hashcat or aircrack-ng.

300 pts
3 solves 🩸
network Insane

Encrypted C2

C2 traffic with XOR-encrypted payload. Use the session key to decrypt the exfiltrated flag.

500 pts
3 solves 🩸
Mobile Easy

Exposed Android Component

AcmeVault declares SecretActivity with android:exported='true' and no permission requirement. Any app or adb command can launch it directly to retrieve the access token.

100 pts
2 solves 🩸
Mobile Easy

Hardcoded Secrets in APK

A developer left test credentials hardcoded in BuildConfig.java and an encoded string in strings.xml. Decompile the APK and decode the hidden value.

150 pts
1 solve 🩸
Mobile Easy

Insecure SQLite Storage

The Notes app stores private admin data in an unencrypted SQLite database. On a rooted device or via adb backup, the DB can be extracted and read directly.

150 pts
1 solve 🩸
Mobile Medium

Deep Link Token Weakness

AcmeCorp Portal's deep link handler validates session tokens only by prefix ('SES-') and length (16 chars) — no cryptographic check. Craft a valid URL and launch it.

250 pts
1 solve 🩸
Mobile Medium

Root Detection Bypass

SecureApp checks for su binaries, test-keys, and Magisk via RootGuard.isRooted(). Hook the method with Frida to return false, then call getAccessToken().

250 pts
1 solve 🩸
Mobile Medium

SSL Certificate Pinning Bypass

AcmeShopping implements OkHttp3 certificate pinning. Bypass it with Frida to proxy HTTPS traffic through Burp Suite. The flag is hidden in a response header.

250 pts
Mobile Hard

AES-ECB Hardcoded Key

CryptoStore derives an AES key from a hardcoded password via MD5 and uses ECB mode. The ciphertext is a constant in the class. Recover the password, derive the key, and decrypt.

350 pts
Mobile Hard

iOS NSUserDefaults Insecurity

The iOS app stores a sensitive internal config in NSUserDefaults (a plain plist file) instead of the Keychain. The value is encoded using another field in the same file as the key.

350 pts
Mobile Insane

Dynamic DEX Malware Analysis

DropperActivity decrypts a DEX payload from assets/ using a rolling XOR key and loads it via DexClassLoader. Decrypt it statically or dump it at runtime with Frida, then decompile.

500 pts
Mobile Insane

Native Anti-Tamper Bypass

libguard.so uses ptrace(PTRACE_TRACEME) to detect debuggers. Hook ptrace in libc via Frida's native Interceptor to always return 0, then call getProtectedToken().

450 pts
Cloud Easy

EC2 IMDS Credential Theft via SSRF

An EC2 web app has an SSRF vulnerability. Use it to reach the Instance Metadata Service (169.254.169.254) and steal IAM role credentials. Decode the flag hidden in the Token field.

150 pts
Cloud Easy

Exposed S3 Bucket

acmecorp-backup-dev has public-read ACL. Anyone can list objects and download them without credentials. Enumerate the bucket, find flag.b64, download and decode it.

100 pts
Cloud Medium

CloudFormation Secrets Exposure

infra.yaml was committed to a public repo. It contains hardcoded parameter defaults and a UserData bootstrap script with a multi-encoded BOOTSTRAP_TOKEN variable.

250 pts
Cloud Medium

IAM Privilege Escalation

The 'developer' IAM user has iam:CreatePolicyVersion. Use it to inject an Allow:* statement into the AdminPolicy, escalate to full admin, then read the flag from SSM.

250 pts
Cloud Medium

Lambda SSRF → IMDS

A Lambda function fetches any user-supplied URL with no validation. SSRF it to 169.254.169.254 to steal the execution role's temporary credentials, then use them to read an SSM flag.

300 pts
Cloud Hard

Azure AD JWT Claim Abuse

A captured Azure AD Bearer token contains a custom claim with a nested encoded value. Decode the JWT payload (base64url) and extract the flag from the x_internal_token claim.

400 pts
Cloud Hard

Container Escape via Privileged Pod

A 'debug' pod runs with privileged:true and mounts the host filesystem at /host-root. From inside the container, read /host-root/root/.flag_cld7 to escape the container boundary.

400 pts
Cloud Hard

Kubernetes RBAC Misconfiguration

dev-sa has a ClusterRoleBinding granting it read access to all secrets cluster-wide. Use it to read a ConfigMap (XOR key) and a Secret (encoded payload) from the prod namespace, then combine them.

350 pts
Cloud Insane

GCP Service Account Key Leak

A GCP SA key was committed to a public repo then 'deleted' — but git history is permanent. Recover the key, authenticate to GCP, and read the flag from a GCS bucket.

450 pts
Cloud Insane

Terraform State File Exposure

terraform.tfstate was stored in a public S3 bucket. It contains all resource attribute values including a 3-layer encoded SSM parameter. Parse, identify, and decode it.

500 pts
web3 Easy

Exposed Wallet Tx Data

A developer committed their Ethereum wallet export to a public repository. One transaction has a non-empty hex-encoded input field containing the flag.

100 pts
web3 Easy

Private Storage Read

SecretVault stores a 'private' bytes32 in slot 2. Solidity's private keyword hides variables from other contracts only — on-chain storage is always publicly readable.

150 pts
web3 Medium

Integer Overflow (Solidity 0.7)

VulnToken uses uint8 balances and Solidity 0.7 — no built-in overflow protection. Transferring more than your balance causes an underflow: uint8(0)-1 = 255.

250 pts
web3 Medium

Reentrancy Attack

EtherBank sends ETH before updating balances (violating CEI). An attacker contract can re-enter withdraw() via its receive() fallback to drain the bank before balances are zeroed.

250 pts
web3 Hard

Flash Loan Price Manipulation

VaultOracle reads the spot price from a single DEX pool. Flash-loan a large amount to crash the pool's ratio below FLOOR, call triggerEmergency(), then repay — all in one transaction.

350 pts
web3 Hard

Signature Replay

PaymentChannel accepts off-chain signatures containing only (recipient, amount) — no nonce, no chainId. The same valid signature can be replayed unlimited times to drain the channel.

300 pts
web3 Hard

tx.origin Phishing

Treasury authenticates with tx.origin == owner. A malicious contract can call Treasury while the owner calls it — tx.origin remains the owner throughout the call chain.

400 pts
web3 Hard

Uninitialized Owner

Registry has no constructor setting an owner. The initialize() function can be called by anyone — but only once. Call it before the admin to claim ownership, then call revealConfig().

350 pts
web3 Insane

Delegatecall Slot Collision

ProxyWallet delegatecalls into Implementation. Slot 0 in Implementation is adminFlag; slot 0 in ProxyWallet is owner. Writing adminFlag via delegatecall overwrites the proxy's owner.

450 pts
web3 Insane

MEV Frontrunning

RiddleVault awards the flag to the first correct solver. The answer is plaintext in calldata — anyone watching the mempool can copy it and resubmit with higher gas to arrive first.

500 pts
Linux Easy

Cron Wildcard Injection

A root cron job runs 'tar czf backup.tar.gz *' in a user-writable directory. Creating filenames that look like tar flags causes arbitrary command execution as root.

150 pts
Linux Easy

SUID Binary PATH Hijack

The viewlog utility runs as SUID root and calls 'cat' without an absolute path. Whoever controls $PATH controls which binary executes — as root.

100 pts
Linux Medium

Stack Buffer Overflow

feedparser reads a URL into a 64-byte stack buffer using gets() with no bounds check. Stack canaries and PIE are disabled. Redirect execution to success_handler() to print the flag.

250 pts
Linux Medium

Sudo vim Escape

A misconfigured sudoers rule allows ctfplayer to run vim on a log file as root with no password. vim can be used to escape to a shell.

200 pts
Linux Hard

Format String Exploit

logd passes user input directly to printf() as the format string. Overwrite the access_level global variable using %n writes to unlock flag output.

350 pts
Linux Hard

Kernel Module /proc Interface

A kernel module creates /proc/sysaudit. The read handler only reveals its data when a magic string has been written to the file first. Read the source to find it.

400 pts
Linux Hard

Ret2Libc + ASLR Bypass

authd leaks a libc puts() address in its banner. Use the leak to compute libc base, then build a ret2libc ROP chain to execute system('/bin/sh') and read the flag.

400 pts
Linux Insane

Heap UAF (tcache)

ticketd stores a function pointer in each heap-allocated ticket struct. Freeing a ticket without clearing the pointer creates a use-after-free. Overwrite the callback pointer to redirect execution to flag_print().

500 pts
1 solve 🩸
Linux Insane

ROP Chain + PIE Bypass

apid is PIE-enabled and leaks a code pointer in its banner. Use the leak to calculate PIE base, then build a ROP chain to jump to flag_handler().

450 pts