Hacking Labs

Hands-on cybersecurity challenges across web exploitation, binary analysis, active directory, cloud security, and more. Build real offensive and defensive skills.

75+
Labs
3
Difficulty Levels
Multi-OS
Environments
TimeKeeper
Hard File Upload 170 days ago
TimeKeeper
TimeKeeper is a compact Linux CTF machine modeled as a time-tracking web service. Players will need to investigate the application and host to progress through layered challenges that exercise web application analysis and local privilege escalation.
★★★★★ by archtrmntor
View Lab
Echo Chamber
Medium Command Injection 170 days ago
Echo Chamber
EchoChamber is a lightweight web-driven challenge where commands echo louder than expected. Careful observation and creative thinking will help you uncover the hidden layers of control, but not everything is as it first appears.
★★★★★ by archtrmntor
View Lab
NoteVault
Easy File Upload 208 days ago
NoteVault
NoteVault is a Linux CTF machine where persistence meets curiosity. A seemingly simple note-keeping service hides unexpected behaviors, and careful exploration of the system may reveal unconventional ways to turn small wins into full control.
★★★★★ by archtrmntor
View Lab
Archive Hunter
Easy Security Misconfiguration 223 days ago
Archive Hunter
ArchiveHunter is a high-energy sandbox where zip files become grappling hooks. Upload, slip, shell, and rewrite history, then drop the mic with root access.
★★★★★ by archtrmntor
View Lab
Logger
Easy Code Execution 245 days ago
Logger
Logger is a medium-difficulty Linux CTF challenge that revolves around a misconfigured internal log management system. Participants begin by authenticating to a web interface, where they must identify and exploit a Remote Code Execution (RCE) vulnerability.
★★★★★ by osmsec
View Lab
Ivanti
Easy Security Misconfiguration 263 days ago
Ivanti
A routine system in a secure environment hides more than it reveals.Can you navigate through layers of misconfiguration and uncover the quietly exposed doors? Every request counts especially the ones you???re not meant to make.
★★★★★ by archtrmntor
View Lab
PwnDoc
Easy CVE 266 days ago
PwnDoc
PwnDoc is an easy-level Linux machine that focuses on web exploitation techniques and Docker-based privilege escalation.
★★★★★ by osmsec
View Lab
Erebus
Hard Log Poisoning 267 days ago
Erebus
Step into the shadows of a forgotten helpdesk where routine maintenance hides deeper secrets. What begins as a simple misconfiguration unravels into something far more deceptive. Are you paying close enough attention?
★★★★★ by archtrmntor
View Lab
Sense
Easy Security Misconfiguration 278 days ago
Sense
A system built to serve??? yet something whispers beneath its surface. Can you hear what others ignore ?
★★★★★ by archtrmntor
View Lab
Target
Medium Security Misconfiguration 287 days ago
Target
An ordinary service hides behind a quiet web shell, but deeper inspection reveals a misstep in trust. What seems like a harmless utility turns out to be a direct line to ultimate power. Can you spot the subtle crack in the system's armor?
★★★★★ by archtrmntor
View Lab
Staging
Medium Security Misconfiguration 287 days ago
Staging
Staging is a medium-difficulty Linux CTF where you brute-force hidden vhosts, spin up a remote database to configure an uninitialized WordPress, then exploit misconfigurations for initial access. From there, you reuse credentials and abuse sudo misconfigs to gain root. It mimics real-world staging pitfalls in poorly managed environments.
★★★★★ by osmsec
View Lab
Graph
Medium CVE 295 days ago
Graph
Harness the hidden Thread Weaving Protocol in Graph???s Gremlin engine: hijack traversal streams, override Java scheduler tokens, and slip past concurrency guards. Only those who master dynamic graph flows will unearth the buried flags.
★★★★★ by archtrmntor
View Lab
Issabella
Easy CVE 295 days ago
Issabella
Infiltrate Issabella???s fortress: bypass deceptive interfaces, crack hidden protocols, and outsmart adaptive defenses at every turn. Will you seize the hidden prize before the system strikes back?
★★★★★ by osmsec
View Lab
Bluerock
Medium Artificial Intelligence 295 days ago
Bluerock
Unlock the power of BlueRock???s Model Context Protocol: manipulate streaming transaction insights, override dynamic risk thresholds, and slip past adaptive fraud defenses. Each challenge reshapes the analytics pipeline in real time only the sharpest operators will bend the MCP to their will and emerge unflagged.
★★★★★ by Kaizen226
View Lab
Rejetto
Easy Server Side Template Injection 306 days ago
Rejetto
A classic file-sharing service hums along, offering simple access to a few public resources. It looks stable, even nostalgic, perhaps a relic from another era. But age often brings oversight. Explore its behavior, peek into its features, and you might just find something that wasn???t meant to be shared
★★★★★ by archtrmntor
View Lab
Chad
Easy CVE 317 days ago
Chad
A seemingly simple web monitoring tool has been deployed on the server. Something feels off???dig deeper, explore its features, and see where curiosity takes you.
★★★★★ by archtrmntor
View Lab
Zorlang
Medium CVE 317 days ago
Zorlang
Zorlang is a Linux-based CTF machine designed to challenge a player???s skills in exploiting modern vulnerabilities and navigating post-exploitation scenarios. Players must gain an initial foothold by targeting an exposed service and then proceed to enumerate internal services to pivot deeper into the network. Success requires effective use of SSH tunneling techniques and a final privilege escalation through a misconfigured or vulnerable internal component, ultimately leading to full system compromise.
★★★★★ by osmsec
View Lab
Doom
Medium CVE 327 days ago
Doom
An internal CI server was hastily exposed with default configurations.
★★★★★ by archtrmntor
View Lab
Veriface
Medium Artificial Intelligence 332 days ago
Veriface
AI-powered facial recognition, where your face might just be the key! Train, spoof, and outsmart the system in this bizarre biometric circus of challenge and deception. Can you beat the machine at its own game?
⯨☆☆☆☆ by Kaizen226
View Lab
Middleman
Medium CVE 338 days ago
Middleman
This lab demonstrates middleware authentication bypass vulnerability in Next.js, allowing unauthorized access to protected routes.
★★★★★ by archtrmntor
View Lab
File Ception
Easy Local File Inclusion 433 days ago
File Ception
Welcome to the ultimate cybersecurity carnival, where Local File Inclusion meets Remote Code Execution! This quirky machine invites you to don your hacker hat and take a roller coaster ride through the twisted paths of misconfigured web applications.
★★★★★ by malwarekid
View Lab
Commander
Easy Command Injection 433 days ago
Commander
Step into the role of a daring investigator, tasked with uncovering a web vulnerability on the "Commander" machine. Each step takes you closer to the treasure ??? root access. Will you solve the puzzle?
★★★★★ by archtrmntor
View Lab
Forward
Easy Sql Injection 480 days ago
Forward
In the land of intranets and login screens there are often bypasses that go unnoticed, can you break through the security, bypass the login page, and gain access to the underlying operating system?
★★★★★ by malwarekid
View Lab
Operation Securenet
Medium Command Injection 494 days ago
Operation Securenet
Infiltrate the heart of SecureNet, a tech startup where shadows hide secrets and every service is a potential trap. Your mission: unravel the mysteries concealed within layers of encryption, misdirection, and subtle clues. Trust your instincts, question everything, and stay sharp???only the cleverest will uncover the truth behind the breach. Can you piece together the puzzle before time runs out?
★★★★★ by archtrmntor
View Lab
Shuttle Booking
Medium Cross Site Scripting 505 days ago
Shuttle Booking
Welcome to the Shuttle Booking system, where only the bravest hackers thrive. Before you is a seemingly simple website, but every input field hides potential danger. Your mission? Unleash the full power of XSS before anyone else does! Can you manipulate the browser's inner workings, hijack sessions like a pro, and seize total control?
★★★★★ by parrotassassin15
View Lab
One Click
Easy Authentication Bypass 526 days ago
One Click
An end user has installed some software that was not approved on the ITs list. This resulted in a vulnerability being exposed, can you exploit this windows machine?
★★★★★ by parrotassassin15
View Lab
Splinter
Easy Server Side Template Injection 540 days ago
Splinter
Unemployable INC, a shady corporation, needs your penetration testing skills. Suspecting server-side template injection vulnerabilities, they've hired you to infiltrate their systems. Like Splinter, exploit weaknesses and demonstrate the impact. Uncover hidden vulnerabilities, prove your worth, and expose the true extent of their security flaws. The fate of Unemployable INC rests in your hands.
★★★★★ by parrotassassin15
View Lab
QuickScan
Easy Server Side Request Forgery 549 days ago
QuickScan
Your task is to upload a file that triggers an unexpected behavior on the server. Explore different file types, bypass restrictions, and see if you can gain unauthorized access or leak sensitive information. Be creative and think like an attacker!
★★★★★ by smog
View Lab
Filter
Easy Local File Inclusion 555 days ago
Filter
Your mission is to bypass restrictive filters and exploit Local File Inclusion (LFI) vulnerabilities. But that's not all???use your skills to escalate into Command Injection. Can you manipulate the input and take full control?
★★★★☆ by smog
View Lab
Mdbraid
Easy Insecure Network Services 563 days ago
Mdbraid
Dive into mdbraid where you'll uncover hidden programs, manipulate access files, and crack SMB configurations. Challenge your skills as you navigate through secret pathways, decrypting clues, and exploiting vulnerabilities to conquer the system!
★★★★★ by parrotassassin15
View Lab
Middle Ground
Medium MitM Attacks 567 days ago
Middle Ground
Step into a digital battlefield where the stakes are high and the secrets are buried deep. Your mission? Exploit an exposed FTP server, sniff out what's hidden on port 80, and decode the mysteries of the network. Every corner holds a clue, every service a potential breakthrough.
★★★★★ by parrotassassin15
View Lab
Wallstreet Hijack
Hard Replay Attacks 572 days ago
Wallstreet Hijack
The gRPC stock trading service lacks robust protections against replay attacks. Exploit the weak security mechanisms to replay valid trade requests and manipulate stock values. Can you gain unauthorized profits by intercepting and replaying gRPC messages?
★★★★★ by Kaizen226
View Lab
Share Me
Easy Broken Authentication 579 days ago
Share Me
Leaked credentials have surfaced, giving you potential access to an S3 bucket. But broken authentication mechanisms stand in your way. Use the creds, bypass the flaws, and see what secrets you can uncover. Can you find the flag hidden deep within?
★★★☆☆ by parrotassassin15
View Lab
Hijack
Easy Broken Authentication 579 days ago
Hijack
The MySQL database on the machine 'Hijack' seems ripe for exploitation. Weak authentication and a lack of proper security controls give you a potential opening. Use your brute-forcing skills to break into the MySQL database, bypass the broken authentication mechanisms, and see what secrets lie within.
★★★★★ by smog
View Lab
Defcon 32
Medium XXE 584 days ago
Defcon 32
Attack a Parrot CTFs Defcon Village website, escalate your privileges within the application, compromise the server, and gain root access.
★★★★★ by Kaizen226
View Lab
Cloud Admin
Medium Cloud Misconfigurations 588 days ago
Cloud Admin
Dive into the world of cloud security with Cloud Admin. Face various challenges in cloud and server environments designed to test your ability to uncover vulnerabilities and exploit weaknesses. Do you have what it takes to compromise the infrastructure and reveal its secrets?
★★★★★ by parrotassassin15
View Lab
Wiki
Medium RCE 591 days ago
Wiki
Step into Sofia's Wiki, a Linux hosted wiki filled with intricate details and hidden treasures. uncover secrets buried within the pages, exploit upload functions, find hidden files and explore the Linux environment.
★★★★★ by parrotassassin15
View Lab
Simple
Easy Insecure Network Services 595 days ago
Simple
Step into this Windows 10 labyrinth with RDP and a few surprise services open. Navigate the quirky challenges, uncover hidden secrets, and see if you can outsmart the simplicity to capture the flag!
★★★★★ by smog
View Lab
Code Engine
Easy Insecure Docker Config 600 days ago
Code Engine
Unleash the power of Node.js in Code Engine! Dive into a hands-on lab where participants will explore a Node.js web app running in a Docker container. They will face exciting challenges that require them to interact with the application through the browser, execute code, and navigate the intricacies of containerized environments.
★★★★★ by Kaizen226
View Lab
Backdrop
Easy RCE 603 days ago
Backdrop
Dive into the Backdrop CMS challenge! Unravel hidden secrets, tackle engaging tasks, and master the quirks of this unique CMS. Ready to crack the code?
★★★★★ by smog
View Lab
Cyber Heist
Medium Replay Attacks 607 days ago
Cyber Heist
Unravel GRPC secrets in Cyber Heist! Face fun and engaging tasks designed to test your skills in navigating complex GRPC environments. Participants will tackle challenges involving remote procedure calls, service definitions, and exploiting GRPC vulnerabilities to conquer the GRPC security landscape.
★★★★★ by Kaizen226
View Lab
Kurby DC
Easy Active Directory 609 days ago
Kurby DC
Unravel Active Directory secrets in Kurby DC! Face fun and engaging tasks designed to test their skills in navigating complex AD environments. Participants will tackle challenges involving user authentication, group policies, and domain controllers to conquer the AD security landscape.
★★★★★ by parrotassassin15
View Lab
Habitual
Easy Sql Injection 614 days ago
Habitual
More vulnerable than your diet on cheat day! This easy lab machine invites you to dive into the world of common CVEs and SQLi exploits.
★★★★★ by smog
View Lab
Chatter
Medium Insecure Sockets 617 days ago
Chatter
Play around with websockets, intercept messages, enumerate API endpoints and more with this awesome vulnerable chat API. Do you have what it takes to hack this API?
★★★★★ by Kaizen226
View Lab
Poultry
Medium RCE 621 days ago
Poultry
Test your enumeration skills and hack this server that seems to be under development by a poultry farm? I wonder what they are going to sell.
★★★★★ by smog
View Lab
Merch Metrics
Hard IDOR 626 days ago
Merch Metrics
Dive deeper into the void of APIs, check metrics and find hidden flaws, can you hack this vulnerable API?
★★★★★ by Kaizen226
View Lab
Staff Connect
Hard SQL Injection 630 days ago
Staff Connect
Dive into the zany world of a staffing agency's API, where your mission is to exploit IDOR vulnerabilities and uncover SQLi flaws while dodging our cheeky digital recruiter???s pranks.
★★★★★ by Kaizen226
View Lab
SystemSpoils
Medium Security Misconfiguration 636 days ago
SystemSpoils
Welcome to SystemSpoils, where you outsmart a tricky IIS server and a sneaky SMB share. Dive in, hack away, and uncover digital treasures!
★★★★★ by parrotassassin15
View Lab
ArshaSpector
Easy Security Misconfiguration 639 days ago
ArshaSpector
Arsha is a website development firm, they however are not too great at backend work yet. Can you find the misconfiguarations that lead to full server compromise?
★★★★⯨ by parrotassassin15
View Lab
Marketer
Medium RCE 639 days ago
Marketer
Ever come across a marketing provider like mailgun? This is that without the APIs can you attack this machine using your file upload and cryptography skills?
★★★★★ by parrotassassin15
View Lab
NonSense
Easy Security Misconfiguration 645 days ago
NonSense
Welcome to Nonsense, a CTF where your mission is to outwit a pfSense router box that thinks it's impenetrable. Can you find the hidden flag in this labyrinth of digital defenses, or will you be caught in a web of nonsense?
★★★★★ by parrotassassin15
View Lab
Tiki 2
Hard Insecure Deseralization 872 days ago
Tiki 2
Embark on a thrilling CTF journey in the virtual Tiki world! Unravel the 'Insecure Deserialization' enigma, showcase your prowess, and emerge victorious in this cyber quest. Triumph awaits!
★★★★★ by silky
View Lab
RootQL
Easy Weak Authentication 883 days ago
RootQL
Welcome to GraQLand, the magical realm of GraphQL APIs. A mischievous fairy has hidden the flag amidst its API tree. Traverse the mystical endpoints, decipher riddles, and unearth the hidden flag. But beware of the GraphQL challenges. Do you have the charm to outwit the fairy and capture the flag?
★★★★★ by smog
View Lab
Header
Medium Multiple Injections 890 days ago
Header
Headers: the unsung heroes of the digital realm. Dive deep into the fascinating world of headers, where every line tells a tale, and every request holds a secret. From guiding data's dance to whispering web wishes, headers are the cool conductors of the cyber symphony. Join the header hullabaloo and discover the magic behind the scenes!
★★★★★ by parrotassassin15
View Lab
Ticket
Easy SQL Injection 913 days ago
Ticket
Ticketing Systems are very common in day-to-day operations with IT. However, the infrastructure for these systems is often left un-secured because they are used internally and often made from scratch. Find the flaw in this application.
★★★★★ by parrotassassin15
View Lab
Vape Shop
Medium SQL Injection 914 days ago
Vape Shop
This shop has given you a UAT environment to start testing its application can you find the flaws in this app?
★★★★★ by parrotassassin15
View Lab
Happi
Easy IDOR 969 days ago
Happi
This API was made with developers who thought they were funny. Little did they know this tom foolery is what makes this API vulnerable.
★★★★☆ by parrotassassin15
View Lab
Devguru
Medium Security Misconfiguration 997 days ago
Devguru
He's taught you his ways, can you show him how much you've learned and hack into this website?
★★★★★ by y2ksecurity
View Lab
Mr Robot V2
Medium Multiple Injections 1005 days ago
Mr Robot V2
FSociety has assigned you a task: Hack Ecorp and Their Employees. Can you do it?
★★★★☆ by parrotassassin15
View Lab
Society
Easy Buffer Overflow 1005 days ago
Society
Welcome society, a virtual world where the only currency is words, and the conversations never stop. Our servers are like a bustling cafe where people come to chat, share stories, and connect with others from all over the world.
★★★★★ by parrotassassin15
View Lab
Elemental Express
Medium Security Misconfiguration 1068 days ago
Elemental Express
Content Managment Systems are powerful, but they are also often time out of data and vulnerable. Can you prove that this is the case?
★★★★★ by parrotassassin15
View Lab
Blogger
Medium XXE 1074 days ago
Blogger
A company has hired you to perform a penetration test against this blog. Can you bring back good results?
★★★★★ by cypress
View Lab
Pet Shop
Easy Legacy Systems 1213 days ago
Pet Shop
This old school pet shop owner has an old website. It's not even set up yet! Can you find your way into this poor man's website and show him where the flaws are?
★★★★★ by parrotassassin15
View Lab
Jigsaw 2
Medium Insecure Network Services 1242 days ago
Jigsaw 2
Can you crack the puzzle and find your way inside this more confusing and more puzzling machine? We dare you to give it a shot!
★★★★★ by y2ksecurity
View Lab
Harvest
Easy Insecure Authentication 1242 days ago
Harvest
They've harvested all the vegetables they need, but can you harvest the flags?
★★★★★ by smog
View Lab
Itty Bitty
Medium RCE 1242 days ago
Itty Bitty
This Bit Bucket instance has not been updated in a long time. The big data firm that uses this server must not care about CVEs. Show off your exploitation skills!
★★★★★ by parrotassassin15
View Lab
Photography
Easy Insecure Deserialization 1242 days ago
Photography
Photos are fun but so is hacking into this website. Can you find the vulnerability?
★★★★★ by smog
View Lab
Air Port
Hard Weak Authentication 1242 days ago
Air Port
This airports information server is due for a penetration test can you find everything wrong with this server?
★★★★★ by parrotassassin15
View Lab
Dentist Office
Easy Weak Authentication 1249 days ago
Dentist Office
Sharpen up your skills like under this under the bridge dentist sharpens teeth show us can you hack this website?
★★★★★ by parrotassassin15
View Lab
Git Hit
Hard Information Disclosure 1249 days ago
Git Hit
Gitlab is a great way to host code but hosting a self-managed instance can be dangerous can you show the owner of this server why this is the case?
★★★★★ by parrotassassin15
View Lab
Jigsaw
Hard Insecure Network Services 1250 days ago
Jigsaw
Can you crack the puzzle and find your way inside this confusing and puzzling machine? We dare you to give it a shot!
★★★★★ by y2ksecurity
View Lab
Abby's Lab - NCIS
Hard IDOR 1460 days ago
Abby's Lab - NCIS
No way! I'm getting hacked! Break through Abby's IPS in order to breach her system.
★★★★★ by cypress
View Lab
Texas Ranger
Easy Cryptography 1466 days ago
Texas Ranger
Yee haw! Can you show the Texas Rangers who is boss?
★★★★★ by cypress
View Lab
Aero Space
Medium SQL Injection 1606 days ago
Aero Space
Can you find the vulnerabilities in this CMS? If so, be sure to report them to their GitHub : ).
★★★★★ by parrotassassin15
View Lab
Convergence
Easy CVE 1613 days ago
Convergence
This Information Security Influencer Has a Documentation Server. Clearly, they did not stay up to date with the cyber security news.
★★★★★ by parrotassassin15
View Lab

Ready to compete?

Join our CTF events and competitions to test your skills in live challenges.

Browse CTF Events