
Hands-on penetration testing labs. Each machine runs a real vulnerable app — pick a target, get a shell, capture the flag.

A clean terminal environment to practice Linux commands. No target to hack — just you, bash, and the filesystem.

A shoe blog left a little something in your session. Find the XSS vulnerability and steal the cookie.

Crapazon's product search reflects your input directly on the page. Something in that response shouldn't be there.

Crapazon's seller portal has a login form that talks directly to the database. No sanitisation, no prepared statements — just raw SQL.

Crapazon's order page shows your orders fine. But what happens if you change the order ID in the URL? Does it check who you are?

Crapazon's network diagnostics tool pings any host you enter. The host goes straight into a shell command.

Crapazon's account settings form has no CSRF token. Any page can silently change Alice's email on her behalf.

WhatsUp's link preview feature fetches any URL you send it — including internal ones.

InstaSnap lets you upload a photo to your profile. No file type validation — upload anything you want.

eCorp Fintech lets you pick a plan and send the price yourself. The server trusts whatever number you send.

Chirper has no rate limiting, no lockout, and no CAPTCHA. Brute-force the admin account.

CryptoBurner left debug mode on in production. Sensitive endpoints are wide open.

FirstBank's internet banking has no lockout and no rate limiting. The customer's PIN is 4 digits.

FirstBank's statement viewer takes an account number in the URL. It never checks who you are.

FirstBank's transfer API takes an amount from the client. No validation on whether it's positive.

FirstBank signs session JWTs with a weak secret. Crack it, forge a new token with role: admin.

A premium e-commerce store built with client-side price trust. The checkout API accepts whatever total the browser sends. Intercept the request and pay $0.01 for $279 of gear.

Your personal HTTP intercept session. Spin up an isolated interceptor instance.

Critbook is a social review platform with a sloppy dev team. Map its full attack surface — subdomains, hidden paths, leaked keys, exposed services.

Critbook reflects any Origin header in its CORS response. Exploit the misconfiguration to make cross-origin requests that leak authenticated data.

Critbook's OAuth flow doesn't validate the state parameter. Hijack the authorisation code and log in as another user.

Critbook exposes a GraphQL API with introspection enabled and no authorisation on sensitive queries. Extract the schema and dump user data.

Chirper's password reset uses a short numeric token sent by email. The endpoint has no rate limiting — enumerate the token and take over any account.

FirstBank added two-factor authentication but the 2FA endpoint is a different route with no session binding. Skip it entirely and go straight to the dashboard.

Crapazon's post-payment redirect takes a URL from the query string and doesn't validate it. Send a customer anywhere after checkout.

Crapazon's coupon system checks then applies codes in two separate operations. Send concurrent requests to apply the same code multiple times before the check runs.

DevDocs serves files from a local directory. The filename parameter isn't sanitised — traverse outside the intended folder and read arbitrary files from the server.

LogViewer aggregates application logs with no authentication on the log stream endpoint. Find evidence of an attacker in the logs and retrieve the flag they left behind.

KladGPT has a content policy filter. Craft a prompt injection payload that bypasses it and makes the model reveal its system prompt and the hidden flag.

KladGPT's web summariser fetches a URL and summarises the content. Supply a URL pointing to a page with injected instructions and hijack the model's output.

KladGPT refuses harmful requests. Use roleplay framing, token manipulation, and multi-turn context to jailbreak the model and extract the flag from its restricted knowledge.

NovaPay's operations manager Sarah Chen is your target. Use PhishKit to craft a convincing email, capture her credentials, and log into her dashboard.

A Node.js app authenticates against MongoDB by dropping your input directly into a query object. Inject a NoSQL operator to bypass the password check entirely.

A Node.js app renders user input through the Pug template engine without sanitisation. Inject a template expression to execute server-side code and read the flag.

DocParser accepts XML uploads and processes them server-side. Inject an XXE payload to make the parser read local files and exfiltrate their contents.

An API blindly binds the request body to a user object. Include an isAdmin field in your registration request and promote yourself to administrator.

The app issues a session token before login and never rotates it afterwards. Fix the session ID before the victim logs in and inherit their authenticated session.

PageForge's theme upload accepts any file type and executes uploaded scripts server-side. Upload a webshell, get command execution, find the admin credentials, and deface the site.

Zeddit renders comments as raw HTML with no sanitisation. Inject a payload that executes JavaScript in any visitor's browser. The session cookie is your target.

Zeddit assigns sequential IDs to drafts and returns them without checking ownership. What's in draft #1?

Zeddit's upvote endpoint has no CSRF token and no Origin check. The mod bot visits submitted report URLs with a privileged session. Make the mod vote for you.

Zeddit doesn't prevent self-voting or duplicate votes. Exploit the broken logic to push your own post's karma past the threshold and unlock the flag.

A Linux server has SSH open with password authentication enabled. You have a username. Brute-force the password with Hydra and escalate to root.

You have a shell inside a Docker container. The docker.sock has been mounted in. Escape to the host filesystem and read the root flag.

A vulnerable web app passes user input directly into a shell command. Review the source, understand the injection point, and exploit it to read the flag.

You have a shell on the target. The flag is buried somewhere in configs, logs, history files, and backups. Find it before the blue team wipes the box.

You have root on a compromised host. Plant a cron-based backdoor that survives a cleanup sweep, then trigger the cleanup to unlock the flag.

You have a low-priv shell. Credentials for the dbadmin account are scattered across configs, history files, and memory dumps. Find them and switch user to read the flag.

You're on a jump box with access to an internal service that isn't directly reachable. Use chisel or socat to tunnel through and retrieve the flag from the internal endpoint.

AcmeCorp's server 'only runs a website' — or so they claim. Scan every port, fingerprint every service, and find the flag hidden in an exposed banner or file.

You have a low-privilege shell as 'hacker'. The root flag is at /root/flag.txt. Find and exploit the misconfiguration that lets you escalate.

VaultCorp's admin panel is protected by a weak password. A hash from their database has been leaked. Crack it — or brute-force your way in.

A startup deployed straight from their dev machine. Directory listing, exposed .git, leaked .env — everything is there if you look. Find the flag.

A corporate server is running FTP, SMB, and SNMP alongside a web service. Enumerate every service and find the flag hidden in the exposed data.

You've captured traffic from a corporate network. Credentials were transmitted in cleartext. Find them, authenticate, and retrieve the flag.

AcmeCorp has dangling CNAME records pointing to deprovisioned services. Find them, fingerprint them, and claim the subdomain.

BankVault forgot to set X-Frame-Options. Overlay their transfer button and trick a victim into sending funds.

ResetHub builds password reset URLs using the HTTP Host header. Inject your own host to steal the reset token.

ConfigHub uses a recursive deep merge with no key sanitisation. Pollute Object.prototype to gain admin access.

A Flask app stores sessions as base64-encoded Python pickle objects. Craft a malicious __reduce__ payload to achieve RCE and exfiltrate the flag.

SwiftNews caches by URL only. The X-Forwarded-Host header isn't in the cache key but gets reflected — poison the cache for every visitor.

A profile photo uploader that checks file extension and Content-Type. Spoof the MIME type to bypass the filter and execute a webshell.

A feedback form pings your domain to test connectivity — but shows no output. Confirm injection with sleep, then exfiltrate the flag.

TokenForge's auth server accepts JWTs with alg set to 'none'. Log in as a regular user, then forge an admin token by removing the signature.

Beeper's user search passes your query directly into a SQL UNION. Pivot from the users table to the secrets table and extract the hidden flag.

LinkPeek is a URL preview service. It'll fetch any URL you give it — including internal ones. Find the hidden endpoint that was never meant to be public.

FileVault reads files from /files/ by name — but forgets to sanitise the path. Escape the base directory and read the flag hidden in /secret/flag.txt.

VaultDB's login API passes your JSON straight to a NoSQL-style comparison. Send a MongoDB $ne operator as your password and bypass authentication entirely.

CardCraft builds greeting cards by concatenating your name directly into a Pug template. Inject template syntax to leak the server's FLAG environment variable.

SearchIt reflects your query into the page with no escaping. Craft an XSS payload, send it to the bot endpoint, and steal the admin's session cookie.

NoteKeeper has XSS but hides behind Content-Security-Policy. Three progressively harder CSP configurations to bypass.

AuthLog writes your username straight into an audit log. Inject a newline to append a fake system marker — then trigger the compliance check to claim the flag.

FileDump has an unlisted /backup/ path with directory listing enabled. Use gobuster to find it, browse the index, and grab the config file with the flag inside.

MemberZone stores your session as plain Base64 JSON. Decode your guest cookie, change the role to admin, re-encode it, and access the admin panel.

SpotAPI rate-limits unlock attempts by IP — but it trusts the X-Forwarded-For header you control. Rotate it on every request to brute-force the 4-digit artist code.

SpotAPI Vault fingerprints you by IP, User-Agent, and X-Request-ID. All three are user-controlled. Rotate all headers to bypass rate limiting and brute-force the vault PIN.

LiveChat validates your session when the WebSocket connects — but never again. Send an admin action as a regular user.

SlackIt validates tokens by prefix only — no signature. Any token starting with admin_ grants admin access. Forge one and read the private #admin channel to get the flag.

PageForge strips <script> tags but allows id/name attributes. Clobber window.config to redirect a fetch to your server.

PageForge's bot checks window.app.settings.trusted. Use the two-anchor technique to clobber a two-level property chain and earn the trusted badge.

TunnelProxy uses Content-Length; the backend uses chunked encoding. Smuggle a request prefix to poison the next victim.

StreamProxy CDN reads chunked (TE) while the origin reads Content-Length (CL). Use TE.CL desync to smuggle a request that poisons the cache for all visitors.

Tweetr's username check leaks only true/false. The flag lives in a hidden secrets table. Use blind boolean injection to extract it character by character.

ShipFast has three features — only one calls a shell command. Identify the injectable endpoint, confirm with a timing probe, and extract both flags from /app/secrets/.

ShopEasy encodes HTML in the page body but reflects your search term raw inside a value attribute. Break out of the attribute to fire an XSS and steal the session cookie.

NoteSnap reads location.hash and writes it directly to innerHTML. Craft a URL fragment with an XSS payload to steal the session cookie.

SupportDesk stores contact form submissions and renders them in an admin panel. The admin bot visits every 5 seconds. Inject a payload that calls back to your listener and steal the admin cookie.

DevHub validates CSRF tokens but checks a global pool — any valid token from any session passes. Get your own token, craft an attack page, queue the admin bot, and escalate your role.

PixelVault allows SVG uploads and serves them with image/svg+xml on the same origin. Upload a malicious SVG containing a script tag to steal the gallery_session cookie.