Capture The Flag

Test your hacker instincts

Five beginner-friendly challenges. Use the on-page tools and find each flag in the format TBS{...}. Submitting flags and unlocking hints need a free academy account — it takes seconds and tracks your progress.

Score: 0 / 1300
Solved: 0 / 8
Steganography Easy 100 pts

The Hidden Message

A JPG image contains a hidden text message. Use the on-page metadata viewer to uncover it.

A photo was uploaded with hidden metadata. Inspect it with the viewer below.

Tip: some metadata fields are Base64-encoded.

Hints (−25 pts each): Create a free academy account to see a hint.
Web Security Medium 200 pts

Login Bypass

A safe, mock vulnerable login demonstrates the SQL injection concept. Bypass it to reveal the flag.

A demo login that builds its query unsafely. Can you log in as admin without the password?

Social Engineering Easy 150 pts

Phishing Email

Analyze a sample phishing email and identify the red flags to reveal the flag.

Select the 5 red flags, then check your answer:

Network Medium 200 pts

Gateway Imposter

A man-in-the-middle attacker has poisoned the ARP cache to impersonate the network gateway. Inspect the ARP table on-page and identify the rogue device.

A device on the LAN is impersonating the gateway (192.168.1.1) to run a man-in-the-middle attack. Two entries share a MAC — click the impostor to confirm the attack.

IP address               MAC address
192.168.1.1 (Gateway)    AA:11:BB:22:CC:33
192.168.1.20             DE:AD:BE:EF:00:01
192.168.1.66             AA:11:BB:22:CC:33
192.168.1.99             F0:0D:CA:FE:12:34
Web Security Easy 150 pts

Trace the Flood

Your server is under a flood of traffic. Analyze the access logs on-page and identify the IP address responsible for the attack.

These are web-server access logs during an attack. One IP is flooding the server. Run the analyzer to find it.

198.51.100.23 - GET /about
203.0.113.7 - GET /index.php
203.0.113.7 - GET /index.php
192.0.2.10 - GET /contact
203.0.113.7 - GET /index.php
198.51.100.5 - GET /blog
203.0.113.7 - GET /index.php
203.0.113.7 - GET /login
203.0.113.7 - GET /index.php
192.0.2.10 - GET /pricing
203.0.113.7 - GET /index.php
203.0.113.7 - GET /index.php
Forensics Easy 150 pts

Decode the Payload

An intercepted payload was captured in an encoded form. Decode it using the on-page tool to reveal the hidden flag.

An intercepted payload was captured in Base64. Decode it on-page to read the flag.

VEJTe2xheWVyZWRfZW5jb2RpbmdfZnVufQ==