Welcome to W3Challs,

W3Challs is a penetration testing training platform, which offers various computer challenges, in categories related to security: Hacking, Cracking, Wargame, Forensic, Cryptography, Steganography and Programming.

The purpose of this site is to offer realistic challenges, without simulation, and without guessing!

We give you an opportunity to test your skills against our challenges, and even to try to hack the site itself.
Nevertheless, bruteforcing (of challenges, authentication...) or any Denial of Service are forbidden!
You have to be registered to access challenges.

Enjoy your visit!

Last news

New esoteric wargame (awe, the 28/04/2014 at 23h04)
yo dawgz,

I herd u like wargames, so here's another one :)

tinypwn, by Simo36

This time we're back to userland, but don't miss the segmap level from the same author in the kernelpanic branch!

Thanks simo!

Remote kernel exploit: break the great firewall (awe, the 08/03/2014 at 01h07)
Hey dawgz,

I'm glad to announce the latest challenge in the kernelpanic series of wargames on W3Challs:

jinshanling, by acez (ARM, what else?)

Thanks acez!

For those of you that don't do kernel exploitation, give it a try! But next time we will try to publish in other categories, soon enough hopefully ;)

Welcome to ARMenia (awe, the 19/11/2013 at 02h00)
A new kernelpanic is available in the wargame category: ervis, by acez.
Gogogo ARM kernel pwnerz! Check out the other ARM kernelpanic challenge too: ranchar!

Thanks acez!

New versions of 2 virtual machines (awe, the 03/09/2013 at 08h12)
  • Migration of W3Challs to a datacenter ;
  • Hacking VM renovated, several challenges improved/renovated, no moar simulation ;
  • 3 new challenges: 2 hacks, 1 forensic ;
  • All wargame exercises are now available without dependencies.

Migration of W3Challs to a datacenter:

Until now W3Challs was home hosted, at my place. Now that I am abroad, that's not possible anymore, so everything has been migrated to a datacenter. The migration process has gone reasonably well, there wasn't any significant service outage. Our SLA are still good!
This migration also forced me to push the latest VM versions, which were under construction for a few months:
  • The main VM: the one that hosts the site itself, as well as many other services.
  • The hacking VM: mostly web challs, but not only.

Update of the Hacking VM:

This machine was a quite old Debian Lenny VM, which was therefore not updated for a while, but that was voluntary to avoid breaking some challenges (PHP version, etc).
The new VM is quite up-to-date (and we should keep it that way). It's a Hardened Gentoo VM, with a lot of hardening at several levels (kernel, binary toolchain, network access, permissions...) that I won't describe here.
The challenges that can only work on a specific version of PHP are still fine, because several PHP versions are running at the same time.

This VM architecture was completely revised to allow our challenges to work with 0% of simulation. This is also true for the very first challenges as well, that have been modified or fully recoded. Thus, it is now possible to obtain a shell on the server (hey c99.php!) from some of the first challenges.

The purpose of W3Challs is to offer realistic challenges, without simulation and guessing. The previous measures are therefore in this context, also applied to the existing challs.

Here is a summary of what was modified, with little details to avoid any spoil:

| Challenge | Changes | Old points | New points |
|---|---|---|---|
| Change your browser | The current browser is now displayed | 4 | 2 |
| .htaccess | Completely renovated, now in 2 parts | 6 | 7 |
| Mobile-Downloads | Completely renovated, different vulnerability | 6 | 8 |
| A basic vulnerability | None. | 9 | 9 |
| An images gallery | Fully renovated. | 10 | 10 |
| Hackme Windows XP | Cleaner design. | 11 | 11 |
| Temporal attack | None. | 13 | 13 |
| Wi-Fi N°2 | None. | 14 | 14 |
| WebCompany | No moar simulation. Now it is required to obtain RCE to solve it (which was expected anyway). | | |
| Temporary Attacked | None. | 18 | 17 |
| Vip Web Army | None. | 20 | 18 |
| W3News p0wned! | No moar simulation. | 20 | 18 |
| TiviWiki | New challenge! | - | 19 |
| pyEvaluator | New challenge! | - | 20 |
| Vip Web Army II | Minor modifications. | 22 | 22 |
| W3Warz I - The Phantom Menace | None. | 23 | 23 |
| JohnDog | No change, but the challenge doesn't run in a chroot anymore. | 24 | 24 |

Some complementary things are still to do, such as cleaning the outdated forum posts in these challenges, etc. That will come later. (Remind me if I forget!).

Some challenges may not work anymore: most of them were tested, but to err is human.
If you have any doubt please contact me and I'll check.

If you find any exploitable "Cross Challenge Scripting" (i.e., bypass of a challenge from another), I am of course very interested. In principle I created protection mechanisms a bit everywhere to avoid that, but who knows...
Please just try not to contact me to tell me that we can get the fullpath of challenges by reading the /etc/passwd (which was not possible previously). I am well aware of that, and that isn't really important :D

Removal of the Wargame dependencies:

Before, the wargame exercises needed to be solved in a specific order. At least for the basic and classic branches.
The advantage of such a system is that it forces people to persevere on challenges when they are stuck, instead of just going to the next level.
The drawback is that experienced people can't go straight to the levels they feel interesting, and they have to solve the dependencies first.

Now all dependencies were removed, on all of the wargame exercises. Therefore any member can access any wargame level.
The notion of dependencies will maybe come back in the future, but then it'll be for resource issues.

For beginners, even if all levels are now accessible, it is of course still recommended to solve these in the correct order.
For experienced challengers, you can go straight to the kernelpanic exercises, that still haven't found any solver yet!

New challenges:

3 new challenges were added!
2 python hacks, 1 forensic:
  • TiviWiki, hacking, by awe
  • pyEvaluator, hacking, by awe
  • Alzheimer, forensic, by UfoX


Any feedback is indeed welcome!

New crackme (awe, the 06/07/2013 at 12h35)
Yet a little more work for holidays, in addition to kernelpanic exercises!

A new crackme, 'cuz it's been a while: dafuq by djo.

Thanks djo!