There are plethora of challenge/hacking sites where one could find cool challenges any time of the year.
Some of them are ranked and have their own scoreboards while others are there just for learning sake. While one can find running CTFs all year round, CTFs have there own cons
- The challenges/problems are shortlived. The lifetime of a typical CTF is 2 days and server based challenges would be typically running for a week or two.
- The range of challenges in a CTF is not vast given the time constraints, and usually less focussed on a single concept.
Enter the always running challenge sites to practice! While some of them are focussed on a specific topic say SQLi, others are more general. Check out the description of each site to know more.
The order of sites is purely coincidental, it by no means tries to order the awesomeness of sites!!
tags shall be mentioned beneath each site to specify the challenge categories.
These are the sites which contain a broad range of challenges, usually on various topics.
Wechall is an attempt to form a global ranking amongst other challenge sites. It has various challenges, but most importantly it serves as a gateway to other challenge/hacking sites.
Learning cybersecurity on TryHackMe is fun and addictive. Earn points by answering questions, taking on challenges and maintain your hacking streak through short lessons.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.
RingZer0 holds a plethora of challenges on various topics. Plus the site has gold based system giving the ability to unlock hints for challenges in exchange of gold.
RingZer0 Team’s online CTF offers you tons of challenges designed to test and improve your hacking skills through hacking challenges.
Our community offers you security challenges to learn and practice hacking. Our goal is to provide fun and unique challenges running in a real world environment, with no guessing and no simulation! Our challenges address several subsets of hacking, mostly oriented on the offensive. A multitude of technologies and architectures are waiting for you. Show us your mad skillz and pop some shells (or calcs)!
W3Challs contains a wide variety of challenges which are good in quality with no guessing involved.
CTFlearn is an ethical hacking platform that enables tens of thousands to learn, practice, and compete. We host an ever-changing array of user-submitted and community-verified challenges in a wide range of topics.
CTFlearn has an open community and a wide variety of community submitted challenges. Most of the challenges are on easier guessy side but good to get someone started.
Net-Force.nl is a website where people interested in (internet) security can play so-called ‘hack challenges’, read interesting articles about security and hacking and communicate with each other about these subjects via the forums or IRC. Visitors can register and participate in these hack-challenges, increase their skills and climb the ranks.
Net-Force.nl is an older sites, covering wide range of categories about
It is parent of three projects/pathways
Rootme is a well reputed french challenge site with challenges on almost any category. Although its present in various languages, some challenges may be in french.
Root-Me is a non-profit organization which goal is to promote the spread of knowledge related to hacking and information security.
Hax tor is an old website having a set of 50 cool challenges. WARNING! This site was created in 2006. It is here for historical purposes. Many of the levels are deprecated because they rely on old PHP flaws or involve third parties.
Welcome to HellBound Hackers. The hands-on approach to computer security. Learn how hackers break in, and how to keep them out.
Defend the Web is an interactive security platform where you can learn and challenge your skills. Try and complete all of our 60+ hacking levels. Learn from our series of articles covering all aspects of security. Articles will guide you through the essentials to get started. As you progress more complex topics will be introduced to build up your knowledge.
Since 2003, Enigma Group has been providing its members a legal and safe security resource where they can develop their pen-testing skills on various challenges provided by this site.These challenges cover the exploits listed in the OWASP Top 10 Project and teach members the many other types of exploits that are found in today’s applications; thus, helping them to become better programmers in the mean time.
This is a game designed to challenge your application hacking skills. There are several challenges that stand before you. Each challenge contains a section of code that has vulnerable weak points. Your mission, should you choose to accept it, is to identify the vulnerability that exists in each challenge.
Use wayback machine to navigate the challenges
Capture The Flags, or CTFs, are a kind of computer security competition. Teams of competitors (or just individuals) are pitted against each other in a test of computer security skill. Very often CTFs are the beginning of one’s cyber security career due to their team building nature and competetive aspect. In addition, there isn’t a lot of commitment required beyond a weekend. In this guide/wiki/handbook you’ll learn the techniques, thought processes, and methodologies you need to succeed in Capture the Flag competitions.
Learn cybersecurity skills by playing Capture the Flag. Compete with other players and become a hacker today. Changed to forallsecure
Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
Rankk is about solving challenges, discovering and learning new knowledge. It’s a journey, a sacred, personal experience. The site is a reincarnation of The Pyramid, an earlier attempt at assembling a set of challenges for those who enjoy solving problems. You start with the easy levels and progress to the intermediate and hard levels by solving the minimum number of required challenges at each level.
This site is a tribute for all fans of the show with some skills in Cryptography, Steganography, Programming, Reversing, Logic, Web-Security, Mathematical knowledge. There are 6 different levels and one master challenge. The first challenges, those where you have access at the beginning are easy. Then it gets more and more difficult up the level-tree.
Welcome to the portal with the highest number of logic riddles and rebuses. Beside riddles targeted as logical puzzles you are going to learn how to decrypt encrypted messages. Finds secret messages hidden in pictures, music or in simple poems or rhymes. A popular puzzle category with purely logical character are undoubtedly Zebra puzzles. And the most popular puzzles are of Orbis Pictus category, where I all have equal chances, where you have to find just what you see in the picture. Try how you stand with general knowledge. Please login and certainly you will find something new to learn.
This website offers the opportunity for to test your hack skills. To solve the challenge, capture the flag.
try wayback machine to access the challenges
The site has been closed
Again wayback machine for help
Yet another challenge site which tries to gamify the challenges
Welcome to Security Traps. Here you can try challenges from different security domains. The website is not for educational purposes, it aims to help you check your skill level. In order to register, you must complete 5 pre-levels. I’ve hidden some Easter Eggs on the site,so feel encouraged to audit ;)
Welcome to HackerFire! A learning CTF from the developers of CTFd. Play around, don’t be mean, and have fun.
Hacking-Lab is a service by Security Competence GmbH, a Swiss subsidiary of Compass Security AG. Compass Security is a well renowned European company specializing in penetration testing, incident response, digital forensics, and security trainings. Our research and community contributions regularly gain international recognition. Our employees have presented at the highly regarded security conferences, such as Black Hat Las Vegas and Microsoft’s invite only conference, called Blue Hat, in Redmond. With Hacking-Lab, the flagship project of Compass Security, a comprehensive attack/defense CTF system is provided to run the European Cyber Security Challenge. Hacking-Lab is licensed to numerous universities worldwide for educational purposes, with its aims of building young cyber talents as well as encouraging them to pursue a career in cyber security. Build your skills and join us for exciting challenges. www.compass-security.com
Hacker101 is a free class for web security. Whether you’re a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.
At CyberSecLabs, we aim to provide secure, high-quality training services that allow information security students the opportunity to safely learn and practice penetration testing skills.
Evilzone used to have a forum, file hosting, multiple IRC servers and more. But due to lack of people, time and resources we are now focusing more on delivering services. For now Evilzone will mostly provide fun and educational hacking and security related challenges, with more services coming later.
This site provides several security-oriented challenges for your entertainment. It is actually one of the oldest challenge sites still around :) The challenges are diverse and get progressively harder.
Hack.me is a FREE, community based project powered by eLearnSecurity. You can think of it as a platform where the community can build, host and share vulnerable web application code for educational and research purposes. It aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMS’s online. The platform is available without any restriction to any party interested in Web Application Security.
This game was designed to test your application hacking skills. You will be presented with vulnerable pieces of code and your mission if you choose to accept it is to find which vulnerability exists in that code as quickly as possible
You might have years of experience, or you might be just starting out, for us you are equally important and desirable. What we need are your skills, talent and initiative. If you’re interested in any of these positions and you think you have what it takes to do this job, we would like to talk to you. Send us the best examples of your previous work, or join the fun and solve the problem next to the position you would like to apply for.
The aim of the site is to help you learn and improve as much as we can and also provide a community with a chance to chat. The site is always up for suggestions for improvement and any challenge submissions or tutorial content are also welcome so please help to improve our community.
µContest is a site proposing lots of programming challenges. This means you will find challenges you have to solve by creating programs in the language you want. You win a number of points when you validate a chall, depending on its difficulty. There are challenges for all levels so do not hesitate to register ;)
Hackers tend to have stereotypes about wargames; Many consider wargames as basic learning materials for new-comers of cyber security. Well, it’s not completely true. I personally think wargames are supposed to be and meant to be very challenging, regardless of how they’re good at it. So, here it is. This wargame is a little bit different to break your typical stereotypes. This wargame is intended for offensive security experts who are willing to overcome situations of getting stuck in breaking into web services or web-based solutions.
This game was designed to test your application hacking skills. You will be presented with vulnerable pieces of code and your mission if you choose to accept it is to find which vulnerability exists in that code as quickly as possible.
To provide materials that allows anyone to gain practical ‘hands-on’ experience in digital security, computer software & network administration.
Penetration testing laboratories “Test lab” emulate an IT infrastructure of real companies and are created for a legal pen testing and improving penetration testing skills.
If you want to join the team that every day faces global cyber-threats, uncover a hidden puzzle in the crackme program and prove us your potential.
“Practice makes Pwnage”
This is the frontpage of the IO wargame. IO is our most mature game, but is never the less in continually updated as technology develops. We provide recent radare2 and gdb builds.
The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. To find out more about a certain wargame, just visit its page linked from the menu on the left.
The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames. If you notice something essential is missing or have ideas for new levels, please let us know!
Natas teaches the basics of serverside web-security.
Leviathan is a wargame that has been rescued from the demise of intruded.net, previously hosted on leviathan.intruded.net. Big thanks to adc, morla and reth for their help in resurrecting this game!
The Krypton wargame.
Narnia is a wargame that has been rescued from the demise of intruded.net, previously hosted on narnia.intruded.net. Big thanks to adc, morla and reth for their help in resurrecting this game!
Behemoth is a wargame that has been rescued from the demise of intruded.net, previously hosted on behemoth.intruded.net. Big thanks to adc, morla and reth for their help in resurrecting this game!
Utumno is a wargame that has been rescued from the demise of intruded.net, previously hosted on utumno.intruded.net. Big thanks to adc, morla and reth for their help in resurrecting this game!
Maze is a wargame that has been rescued from the demise of intruded.net, previously hosted on maze.intruded.net. Big thanks to adc, morla and reth for their help in resurrecting this game!
This network is a legal environment where you can learn coding/hacking techniques without destroying anything. You have to solve Semtex 0 to get a username/password for login. Once logged in, you have to make your way from one level to the next, each one containing a small security hole/feature that has been installed for you. Your mission is to find out how to exploit the weakness and to cause interesting behavior :)
Manpage is a wargame that has been rescued from the demise of intruded.net, previously hosted on manpage.intruded.net. Big thanks to adc, morla and reth for their help in resurrecting this game!
Drifter is a wargame along the lines of Vortex.
Under the Wire trains experienced, developing, and novice Information Technologists to use Windows PowerShell in a variety of situations through innovative and fun wargames.
ATENEA is a cyber security platform that presents a number of challenges which cover a wide array of topics: Cryptography and Steganography , Exploiting, Forensics , Networking and Reversing , etc.
CTFs with servers up
picoCTF is a free computer security game targeted at middle and high school students, created by security experts at Carnegie Mellon University. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge.
Picoctf is a high school level annual 14 day ctf by CMU. It is one of the most popular CTFs with low entry barrier and servers running all year round!
Backdoor is a platform for hackers to show their talent in a competitive environment. Earlier it was launched only within the IIT Roorkee campus, but now it has been made available for anyone over the internet.
It is a good archive of past backdoorctf challenges and other internal challenges of IITR.
CTF365 (Capture the flag 365) is a “security training platform for it industry” with a focus on security professionals, system administrators and web developers.
Welcome to ångstromCTF, a capture-the-flag (CTF) competition hosted and organized entirely by students at Montgomery Blair High School! CTF cybersecurity competitions have become an increasingly popular way for students to learn more about cybersecurity and develop and refine their hacking skills. These competitions are designed to educate and inspire high school students through interactive hacking challenges.
PACTF is an annual online computer security competition for middle and high school students.
The SANS holiday hack previous challenges
Most CTF competitions are only online for a few days, limiting the ability of players to access, solve and learn from the interesting problems created. The 247/CTF is an online, year-round, continuous learning environment.
A fun platform for learning modern cryptography
One of the most amazing cryptography sites with amazing UI and non-guessy amazing challenges.
It has the best discord community I have ever been into
This site will host all eight sets of our crypto challenges, with solutions in most mainstream languages.
Below are some problems related to computer security (specifically poorly implemented security). Do Them. You are free to use any language and environment you like to complete them. The problems require familiarity with programming, but not necessarily with applied cryptography or computer security in general.
Electrica is a puzzle/challenge site which has grown from two previous sites - C&C and the Cronos Crypto Challenge.
A nice short set of bootleg crypto
Crack mysterious messages, submit jokes for others to decrypt, and access secret messages within your private groups.
You like riddles? You always loved to solve the crosswords in your newspaper? Or maybe you are just curious and want to find out about some of the ways to hide a secret (and possibily even to uncover it)? This is your place! Here at MysteryTwister C3 you can solve crypto challenges, starting from the simple Caesar cipher all the way to modern AES we have challenges for everyone. Our challenges range from level I to III, and an additional level X for “mystery” challenges (they may have been unsolved for a long time, mostly we don’t know their solution or have no idea whether there is a solution at all). If you are a beginner its probably best if you start trying those challenges that have been solved mostly (see table below). Additional information regarding MTC3 can be found on our about page.
This site tests your ability to Cracking & Reverse Code Engineering.
The purpose of these challenges is to familiarize beginners with common malware techniques.
This is a simple place where you can download crackmes to improve your reverse engineering skills.
Well, “challenges” is a loud word, these are rather just exercises for RE.
A collection of crackmes for OS X. Send them to me if you have new ones to add!
FireEye’s challenge RE.
Welcome to AndroidTM App Reverse Engineering 101! This workshop’s goal is to give you the foundations to begin reverse engineering Android applications. While this workshop won’t teach you the details of Android app development, Android malware analysis, Android vulnerability hunting, etc., I hope to give you all the necessary foundations through this workshop such that you can apply your new Android reversing skills to doing those things.
Given a debugger and a device, find an input that unlocks it. Solve the level with that input.
Learn return-oriented programming through a series of challenges designed to teach ROP techniques in isolation, with minimal reverse-engineering and bug-hunting.
Pwn Adventure 3: Pwnie Island is a limited-release, first-person, true open-world MMORPG set on a beautiful island where anything could happen. That’s because this game is intentionally vulnerable to all kinds of silly hacks! Flying, endless cash, and more are all one client change or network proxy away. Are you ready for the mayhem?!
exploit.education provides a variety of resources that can be used to learn about vulnerability analysis, exploit development, software debugging, binary analysis, and general cyber security issues.
‘pwnable.kr’ is a non-commercial wargame site which provides various pwn challenges regarding system exploitation. the main purpose of pwnable.kr is ‘fun’.please consider each of the challenges as a game. while playing pwnable.kr, you could learn/improve system hacking skills but that shouldn’t be your only purpose.
Here you will find pwnables for beginners. Most of the challenges were created for an internal event at our ctf team OpenToAll. Eventually I grew fond of the idea of hosting them publicly, so this website was born. Some challenges will have multiple variations with progressive difficulty, I hope you enjoy them all.
Smash the stack Wargaming network
Pwnable.tw is a wargame site for hackers to test and expand their binary exploiting skills.
because you can’t resist a good: .php?id=
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
All about XSS attacks and payloads
Free, online web security training from the creators of Burp Suite
At Google, we know very well how important these bugs are. In fact, Google is so serious about finding and fixing XSS issues that we are paying mercenaries up to $7,500 for dangerous XSS bugs discovered in our most sensitive products. In this training program, you will learn to find and exploit XSS bugs. You’ll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications.
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web vulnerabilities!
I have prepared several levels here that will test your knowledge in diffrent ways. Also you will be tested in some ways of logical thinking and exploiting not so obvious security holes. Apart from those well known sql injection vulnerabilities I prepared some level where you wont be able just to put some sql commands. I hope this will be, at least for some of you, fun and you will enjoy all.
This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks.
It has some similarities to h0yt3r’s and shadowleet’s sql-injection hackits but it will also test you in some logical ways of thinking. All levels are based on real vulnerabilitys I found in the wild.
Through a series of levels you’ll learn about common mistakes and gotchas when using Amazon Web Services (AWS). There are no SQL injection, XSS, buffer overflows, or many of the other vulnerabilities you might have seen before. As much as possible, these are AWS specific issues.
Similar to the original flAWS.cloud (also created by Summit Route), this game/tutorial teaches you AWS (Amazon Web Services) security concepts. The challenges are focused on AWS specific issues, so no buffer overflows, XSS, etc. You can play by getting hands-on-keyboard or just click through the hints to learn the concepts and go from one level to the next without playing.
WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.
A site specifically focussed on SQL Injections
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
The Infosec Instite n00bs CTF Labs is a web application that hosts 15 mini Capture the Flag (CTF) challenges intended for beginners. The levels can be navigated in the navbar. There is no scoring or leaderboard, but to claim the bounty for each level (bounties range from $10 to $150) you’ll need to write up the solution and any other helpful instructions or information and post that in a public place (blog, forum, etc.). If you don’t have a place to post it…ask a friend!
For various forensics challenges and mindmap
Since April 2015, this website has served as a set of levels that simulate challenges and puzzles that one may encounter during an ARG (Alternate Reality Game) including simple ciphers, steganography, different types of encodings, and familiarity with internet resources. Each level consists of some text, images, data, or files that is intended to lead you to the next page with some amount of investigation.