Pick a path, open a lab, start training in a controlled environment:

their level of difficulty varies, from very easy to increasingly more difficult

Each challenge is designed for controlled, authorized training. Practice realistic security scenarios in isolated environments and build practical skills step by step.

Authorized Use Only:
This lab is a training environment intended solely for lawful educational exercises.
Do not apply any techniques, payloads or procedures to systems, domains, applications, accounts or infrastructure unless you have explicit authorization.
By entering the lab, you confirm that you act only within the provided training environment or your own authorized test environment.

Training Paths

Pick a path, open a lab, start training in a controlled environment.

Web Recon & Surface Discovery

Requests, parameters, cookies, recon, basic weaknesses.

File Handling & Upload Attacks

LFI/RFI, path traversal, insecure uploads, metadata tricks.

Injection Attacks

SQLi, command injection, template injection, payload thinking.

Authentication & Logic Flaws

Sessions, auth bypass, broken flows, IDOR logic, resets.

Container & Docker Misconfigurations

Privilege misconfig, Exposed Docker socket, Writable volumes.

Log Poisoning & LFI to RCE

Apache log injection, PHP wrapper abuse, Filter bypass

System Exploitation & Privilege Escalation

SUID, Writable cron, PATH hijacking

State Change & CSRF

Cross-site request forgery, session-backed actions, weak defenses, token mistakes.

Secure Coding & Fixes

Hardening examples, Before/After lab, Secure rewrite

Encoding, Data & Logic Basics

base64, hex, JWT decoding, simple logic puzzles

Start training

Choose a path above to filter labs.

SQLi Login

15 pts

Try to bypass login using basic SQL injection. Goal: find the flag.

⌛ unsolved 👤 account 🔒 👁 Preview

Base 64 Warmup

10 pts

A quick warm-up lab. No account needed.

⌛ unsolved 🆓 free ▶ Open