About

I] What is W3Challs?

Purpose of this site

W3Challs is a penetration testing training platform, which offers various computer challenges, in categories related to security: Hacking, Cracking, Wargame, Forensic, Cryptography and Programming.

The purpose of this site is to offer realistic challenges, without simulation, and without guessing!

We give you an opportunity to test your skills against our challenges, and even to try to hack the site itself.
Nevertheless, bruteforcing (of challenges, authentication...) or any Denial of Service are forbidden!
You have to be registered to access challenges.

Origins

W3Challs takes its name from a bad pun on the W3C (World Wide Web Consortium).
This name is an abbreviation for World Wide Web Challenges.
Unlike W3C, this site doesn't pretend to define a standard ;-)

W3Challs has existed since May 2009, but its first real release (1.0) dates from January 2010.


II] What are challenges about?

Definition

A challenge is a virtual game which tests your skills in various areas, usually related to computers.
Its purposes are to teach and entertain, and to let you practice prior theoretical knowledge.
Not all challenges will necessarily teach you something, but all levels are required.
Likewise, the resulting entertainment will not be the same for every individual.
However, we try to provide only challenges that are of computer security interest, even if that interest is basic.

When you validate a challenge, a fixed amount of points is added to your account, according to the validated challenge difficulty, positioning yourself in a ranking against other players.
The ranking is provided for information only, but it may also bring you additional challenges with other players.
You can interpret this information as you like. Simply be aware that your position within the ranking doesn't necessarily represent your real skill level, and it is illusory to believe you are better than another because of it.

Ideally, a challenge should involve personal research and/or personal reflection.
Proceeding that way, you will benefit from:

  1. Knowledge of solution methods for the initial problem.
  2. Collateral knowledge, gathered during your research, that isn't necessarily directly related to the challenge.
  3. An improvement/clarification of your research methods and way of thinking.
  4. Ideas for future cogitation.

Scoring system

Points are distributed according to 3 basic categories: Easy, Medium and Hard.

  1. Easy: Basic challenges that don't require any special thinking [1-9 points]
  2. Medium : Challenges that require a minimum of thinking and/or research [10-19 points]
  3. Hard : Challenges that require thinking, research and/or advanced knowledge [20-30 points]

Beware of cheating

Any cheating or help to cheat is prohibited on W3Challs.
Any publication of methods or passwords concerning a W3Challs challenge is strictly prohibited.
If you ever have this idea, maybe it's time to look up the definition of « challenge ».
Cheating is a shortcut that may teach you a resolution method, but you would miss out on the whole point of the challenge.
Any detected cheating will get you removed from the ranking, and exposes you to a ban from the site.
You have nothing to gain by cheating!
Thank you for respecting the philosophy of this site on this particular point, even if you don't agree with it.


III] Challenge categories

This part describes the challenge categories, and what you can expect from each of them.
This description is not intended to be comprehensive, but summarizes the outline of each category.

Hacking

Hacking challenges are designed to test penetration testing skills. Often, the aim is to find a way to bypass an authentication, to crack a password, or to execute arbitrary code. A challenge is often not limited to only one vulnerability, and it is regularly necessary to combine several vulnerabilities to complete an exploitation.

Challenges are often presented as web sites; however, not all challenges are specifically about web vulnerabilities. Some other challenges are available as services on a given port...

The password to solve the challenge is displayed when required privileges are acquired, or it is contained in a flag file that you must find and display.

Themes: Attacks on access control, sessions, databases, client side attacks, password cracking...
Classic tools: Burp, Live HTTP Headers, Tamper Data, Web developer, Wireshark, John
Startup links: OWASP

Cracking

Reverse-Engineering challenges. Here you have to reverse executable files for which the source code is not provided, for various operating systems (Windows, GNU/Linux...) and various hardware architectures (x86, x86_64, ARM, MIPS...).

The aim is generally to find the routine(s) that check whether the input serial is valid, which allows you to solve the crackme.

Themes: Assembly, bytecode, Anti-debugging...
Classic tools: IDA, OllyDBG, gdb, objdump
Startup links: Guide for RE beginners (FR, but most links are English)

Wargame

Challenges in the same spirit as the Hacking category, because the aim is to hijack a feature to gain additional privileges. This category focuses on binary exploitation (the prominent example being buffer overflows) on Linux.

Challenges take place on a server that you access remotely with SSH.
Each level exposes a binary with one or more vulnerabilities.
The binary is setuid levelN+1. The aim is then to hijack features, most often to spawn a shell with levelN+1 permissions, and thus achieve a privilege escalation. Each successful exploitation thereby unlocks the next level.

Note that once the challenge is validated on the site, the connection password for levelN+1 is displayed on that challenge page. This spares you the burden of keeping all passwords in a text file, and of starting all over if you lose it ;)

A tutorial is available in /Wargame/HOWTOSTART on the wargame.
Prior knowledge of basic Linux shell commands is required before starting this category.

Themes: Race conditions, Buffer overflow, Format string...
Classic tools: IDA, gdb, objdump, strace, ltrace
Startup links: Hacking: The Art of Exploitation, The Shellcoder's Handbook, phrack
It is possible to find PDF versions of books ;)

Forensic

Computer forensics is usually used to conduct a digital investigation in order to provide evidence.
In the challenge scope, the aim is to extract information from a given medium (hard drive, RAM dump, snapshot...), and then to analyse it.

This includes malware analysis, because it comes up frequently in digital investigations when an infection has occurred. In that case, you have to analyse how the malware works and find interesting information inside it (one or more challenge flags).

Themes: Memory analysis, Malware...
Classic tools: List of digital forensics tools, IDA
Startup links: Forensics Wiki

Cryptography

The aim of cryptography challenges is to demonstrate and exploit weaknesses in cryptographic algorithms, or misuse of them.

The algorithms studied are always disclosed, and are recent algorithms (AES, RSA...) still in use today.
No guessing!
These challenges take various forms: text statement, web interface, service on a given port...

Themes: Cryptanalysis, Cryptographic weaknesses, Recent algorithms...
Classic tools: CrypTool
Startup links: Wikipedia

Programming

Programming is mandatory for a lot of challenges from all categories.
This category focuses on code optimisation notions, and artificial intelligence relevant to hacking.

Themes: Optimisations, Artificial Intelligence, Captchas...
Classic tools: Python, PHP, gcc
Startup links: Python tutorial, C tutorial

/dev/null

This category includes challenges lowered to 0 points, and therefore not shown in the complete list of challenges.
These challenges were "removed" for various reasons: guessing, useless, removed category...

Themes: All categories above, Javascript, Logic, Guess...

IV] Additional information

V] Rules

Reminder of the rules

In order to maintain a clear and readable site, it's important to respect some rules.

I] Site rules

  • Scans of the site are not allowed.
  • No double accounts, one is enough.
  • Do not post any illegal file or link, so no cracks etc.

II] Challenge rules

  • Do NOT bruteforce online challenges.
  • It is forbidden to ask for help outside help sections in forums.
  • Any cheating or help to cheat is prohibited on W3Challs.
  • Any publication of methods or password concerning a W3Challs challenge is strictly prohibited.
  • If you want to propose a challenge, first check that a similar challenge isn't already present.

III] Forum rules

  • Do not be vulgar, and no racism, pornography...
  • NO flood. SMS language is forbidden; please read your posts twice before sending them, otherwise they may be modified or removed by a moderator.
    Spelling mistakes are tolerated, in a reasonable quantity, but do not abuse.
  • You can (and should) ask questions to other members or admins in forums. You can ask for hints, but not for answers or other cheats.
  • Do not give hints if nobody asked for them!

IV] IRC channel rules

  • We just require you to limit spelling mistakes and flood.

V] The End

Any member who doesn't abide by these rules may be banned, temporarily or permanently.
Thank you for understanding,
W3Challs Staff.


VI] Staff

awe
Status: Administrator, general manager
Contact:
  1. IRC(ref)
  2. awe[at]w3challs[dot]com
Contact especially about: hacking server, new challenges, bugs or suggestions

NiklosKoda
Status: Administrator, wargame manager
Contact:
  1. IRC(ref)
  2. NiklosKoda[at]w3challs[dot]com
Contact especially about: all wargame related stuff

VII] Thanks

We truly thank the following members for their contributions to W3Challs:

awe, founder of W3Challs
NiklosKoda, for the wargame creation
ThunderLord, for sharing important resources (mails, ircd)
Challenge authors:
0vercl0k, acez, agix, awe, BAAL, BaDBoys, bouboule, casoum, coclico, djo, Ge0, horhos, Iansus, imm, MaZ, mego, mirmo, NiklosKoda, robert, S3cur3D, Simo36, ThunderLord, ufox, vortex

VIII] Conclusion

W3Challs' staff thank you for having the courage to read this page, and wish you very good future challenges.
If you have trouble with anything or if you have any comments, contact us!