ben@thomson.cx:~$ ls /vm/challenges/
Browser-based Linux VMs — no installation required. Solve challenges, earn points, climb the leaderboard.
Sign up with an email and username to track your points and appear on the leaderboard. No verification required.
Click Launch VM to open a full Debian Linux environment in your browser — powered by WebAssembly.
Find a flag{...} in the VM and paste it into the submit box below. Points are awarded instantly.
Linux Basics / File System
Navigate a Linux filesystem to find hidden files and decode base64 strings. A perfect introduction to CTF fundamentals — no prior experience needed.
Forensics / File Analysis
A suspicious file was uploaded to the server with the wrong extension. Use magic bytes and Linux file tools to uncover what it really is — and what it contains.
Forensics / Binary Analysis
A firmware image was recovered from a compromised device. A developer accidentally compiled a secret into the binary. Extract it, decode it, claim the flag.
Log Analysis / DFIR
A web server was compromised overnight. Analyse the provided Apache access logs to identify the attacker's IP, the exploit used, and the exfiltration method.
Cryptography / Password Cracking
A credential database was leaked. Identify the hash algorithm, select the right wordlist strategy, and crack the target hash to recover the plaintext password.
Forensics / Incident Response
An attacker accessed a Linux server at 3:47 AM. Analyse the log directory timestamps to identify which file was tampered with and recover the evidence inside.
Persistence / Privilege Escalation
An attacker maintained persistence on a compromised Linux host by planting a scheduled task. Hunt through cron directories, decode the obfuscated payload, and recover the flag hidden inside.
Linux / SUID Abuse
A misconfigured SUID binary is running on this host. Identify it, understand how it can be abused, and use it to read a privileged file that contains the flag.
DFIR / Secrets Management
A developer left API keys and credentials scattered across environment variables, dotfiles, and shell history. Harvest all exposed secrets and piece together the flag hidden across multiple locations.
Lateral Movement / SSH
An attacker moved laterally through three user accounts using SSH keys left in authorized_keys files. Follow the chain from guest → developer → admin and retrieve the root flag.
Web Security / SQL Injection
A locally hosted web application has no visible error output, but it's vulnerable. Use boolean-based blind SQL injection to enumerate the database, extract the admin hash, and crack it to get the flag.
Memory Forensics / Rootkit Analysis
A suspicious kernel module was loaded on a production server. Analyse /proc, extract the module binary, reverse its embedded strings, and decode the C2 address the attacker left behind.