Capture The Flag

Test your hacker instincts

Five beginner-friendly challenges. Use the on-page tools, find each flag in the format TBS{...}, and submit it. No login required — progress is saved to your session.

Steganography Easy 100 pts

The Hidden Message

A JPG image contains a hidden text message. Use the on-page metadata viewer to uncover it.

A photo was uploaded with hidden metadata. Inspect it with the viewer below.

Tip: some metadata fields are Base64-encoded.

Hints (−25 pts each):

Cryptography Easy 150 pts

Caesar's Secret

Decode a message encoded with a ROT13 Caesar cipher variant.

Intercepted message (a Caesar cipher). Slide to find the right shift.

GOF{pelcgb_vf_sha_123}

Web Security Medium 200 pts

Login Bypass

A safe, mock vulnerable login demonstrates the SQL injection concept. Bypass it to reveal the flag.

A demo login that builds its query unsafely. Can you log in as admin without the password?

Social Engineering Easy 150 pts

Phishing Email

Analyze a sample phishing email and identify the red flags to reveal the flag.

Select the 5 red flags, then check your answer:

Password Security Medium 200 pts

Password Audit

A hash is provided. Use the on-page tool to match it against a 20-word wordlist.

Crack this SHA-256 hash by testing it against the wordlist below.

ef92b778…73e94f

Network Medium 200 pts

Gateway Imposter

A man-in-the-middle attacker has poisoned the ARP cache to impersonate the network gateway. Inspect the ARP table on-page and identify the rogue device.

A device on the LAN is impersonating the gateway (192.168.1.1) to run a man-in-the-middle attack. Two entries share a MAC — click the impostor to confirm the attack.

IP address              MAC address
192.168.1.1 (Gateway)   AA:11:BB:22:CC:33
192.168.1.20            DE:AD:BE:EF:00:01
192.168.1.66            AA:11:BB:22:CC:33
192.168.1.99            F0:0D:CA:FE:12:34
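
The duplicate-MAC check this challenge relies on, as an added example (not the site's own analyzer code): it parses the table above and reports any MAC address claimed by more than one IP. The function names and the layout of the `ARP_TABLE` string are assumptions made for the example.

```python
from collections import defaultdict

# ARP table as shown in the challenge above (IP address, MAC address).
ARP_TABLE = """\
192.168.1.1   AA:11:BB:22:CC:33
192.168.1.20  DE:AD:BE:EF:00:01
192.168.1.66  AA:11:BB:22:CC:33
192.168.1.99  F0:0D:CA:FE:12:34
"""

def parse_arp(text):
    """Return (ip, mac) pairs; MACs are normalised to lower case with ':'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed rows
        ip, mac = parts[0], parts[1].lower().replace("-", ":")
        entries.append((ip, mac))
    return entries

def shared_macs(entries):
    """Map each MAC claimed by more than one IP to the sorted IPs using it."""
    by_mac = defaultdict(set)
    for ip, mac in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_suspects(entries, gateway_ip):
    """IPs that share the MAC currently recorded for the gateway."""
    gw_macs = {mac for ip, mac in entries if ip == gateway_ip}
    return sorted(ip for ip, mac in entries if mac in gw_macs and ip != gateway_ip)

if __name__ == "__main__":
    table = parse_arp(ARP_TABLE)
    for mac, ips in shared_macs(table).items():
        print(f"MAC {mac} is claimed by {', '.join(ips)}")
    print("shares the gateway's MAC:", gateway_suspects(table, "192.168.1.1"))
```

A shared MAC is a lead rather than proof: one interface holding several IP addresses, or a router answering with proxy ARP, produces the same pattern, so confirm the gateway's real MAC from a trusted source before acting on it.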

Web Security Easy 150 pts

Trace the Flood

Your server is under a flood of traffic. Analyze the access logs on-page and identify the IP address responsible for the attack.

These are web-server access logs during an attack. One IP is flooding the server. Run the analyzer to find it.

198.51.100.23 - GET /about
203.0.113.7 - GET /index.php
203.0.113.7 - GET /index.php
192.0.2.10 - GET /contact
203.0.113.7 - GET /index.php
198.51.100.5 - GET /blog
203.0.113.7 - GET /index.php
203.0.113.7 - GET /login
203.0.113.7 - GET /index.php
192.0.2.10 - GET /pricing
203.0.113.7 - GET /index.php
203.0.113.7 - GET /index.php

Forensics Easy 150 pts

Decode the Payload

An intercepted payload was captured in an encoded form. Decode it using the on-page tool to reveal the hidden flag.

An intercepted payload was captured in Base64. Decode it on-page to read the flag.

VEJTe2xheWVyZWRfZW5jb2RpbmdfZnVufQ==
