Welcome on W3Challs,

W3Challs is a penetration testing training platform, which offers various computer challenges, in categories related to security: Hacking, Cracking, Wargame, Forensic, Cryptography, Steganography and Programming.

The purpose of this site is to offer realistic challenges, without simulation, and without guessing!

We give you an opportunity to test your skills against our challenges, and even to try to hack the site itself.
Nevertheless, bruteforcing (of challenges, authentication...) or any Denial of Service are forbidden!
You have to be registered to access challenges.

Good visit!

Last news

Last news :

4 new wargames (awe, the 04/10/2018 at 10h59)Comments (0)
4 new wargames!
  • cong0miner by brendel
  • echo by awe
  • w3calc by awe
  • bmp_editor by awe

PS: challenge submissions are welcome – you can discuss it with me on IRC if you think you have a cool idea ;)

Major wargame update (awe, the 25/05/2017 at 19h34)Comments (0)
The old wargame (where "basic" and "classic" categories are hosted) was recently modernized a bit. For the record that wargame was launched in January 2011, initially on Debian 5 x86 with both ASLR and NX disabled.
Over the years it was moved to a Debian 8 x64 VM, but the challs remained x86 without ASLR/NX.
Since we're now in 2017 and these protections are present everywhere (except on FreeBSD for ASLR *cough*), I've decided to now enable ASLR and NX on (almost) all challs. The VM also moved from Debian 8 to Ubuntu 16.04, which is the usual choice in CTFs.
Many challenges are also now remote instead of local, and the source was adapted whenever necessary. However - even if we're in 2017, heh - the architecture is still x86 and without PIE (so only partial ASLR).
Indeed I wanted to keep a x86 wargame branch without *all* mitigations (just the default ones). Don't worry, you will have plenty enough of x64 soon™, and PIE is much more common there ;)

This doesn't really impact the "basic" category, but it significantly changed the difficulty of several tasks in the "classic" category.
As a result all previous "classic" solves were invalidated, so if you solved it you'll have to solve the new version to get your points back.
To be fair with those that solved the older version, they keep their access to the old afterwards (now moved to /dev/null) - which might help.. or not.
Of course all these challenges were tested and solved, you don't have to worry about that.

I've tried to make it progressive so that those not familiar with ASLR/NX can discover with smaller steps than going directly to ROP.
I know that this will annoy quite a few people, but hopefully you'll enjoy the "hardened classic" version enough to forgive me ;)

Since all classic challenges are now more or less hardened, having a "hardened" category doesn't make sense anymore, therefore it was renamed "linux x64", and "classic" becomes "linux x86".

We recently had a new crypto - singularity - from ThunderLord, which is still waiting for its first solve!
2 new wargames are also available now: ropbaby and netchecker, both from myself.

Haters gonna hate, roppers gonna rop!

New Web challenges (awe, the 12/05/2016 at 19h36)Comments (0)
It's been a while since last news, although challenges were published in the mean time..
Today we have 3 new challenges in the Hacking category:
  • Beat them all, by agix
  • Take a view by agix
  • privescalator by awe
If you have preferences for the categories of future challenges, let us know! Also note that contributions are still very welcome ;)

Edit: + a new crypto, RandomRSA by ThunderLord!

Moar cookies (awe, the 30/06/2015 at 19h22)Comments (0)
After the death "cryptor" from ThunderLord, noob cryptos from awe :)
2 new crypto challs: CookieCrypt II & CookieCrypt III!

By the way, the site is now full HTTPS/HSTS (not including subdomains), which may have unpredicted consequences (ex: the IRC bot is still connecting in HTTP atm). If you find related bugs, please report them!

hf & bon appetit!

Security Day (awe, the 12/12/2014 at 10h16)Comments (1)
Quick news to announce a security event that will be held in Lille (France) on January 16th, where you'll meet several W3Challs members (some are speakers!).

More info on http://securitydaylille1.github.io/ and #securityday on irc.w3challs.com!
Topics are cool so gogogo ;)