Real hands-on challenges you solve right in your browser — no install, no VM needed. Find flags, crack passwords, read logs, and triage malware. Every solve earns XP and ranks you up toward Marshal.
Some secrets hide in plain sight. This very page has a flag hidden in its HTML source. Right-click → "View Page Source" (or press Ctrl+U) and hunt for FLAG{...}.
Web servers leave a robots.txt file telling crawlers where not to look — which is exactly where people hide things. Open this robots.txt ↗ and find the flag.
We intercepted this message: secret-message.txt ↗. It looks scrambled, but it's just Base64 — encoding, not encryption. Decode it (try an online base64 decoder, or base64 -d) to reveal the flag.
Photos carry hidden metadata. Download evidence-photo.png ↗ — the flag isn't in the picture, it's in the file's metadata. Try an EXIF/metadata viewer, or strings / exiftool.
We pulled this password hash from a breached database:
0571749e2ac330a7455809c6b0e7af90
It's an unsalted MD5 of a common password. Crack it (try CrackStation or hashcat) and enter the plaintext password as your flag.
A "stronger" algorithm doesn't save a weak password. Crack this SHA-1 hash:
098c3fdea75ea905a838bc4833abcb13ca6cdcfc
Enter the plaintext password as your flag. Hint: a mythical fire-breathing creature followed by the current year.
This message used a Caesar cipher (letters shifted by a fixed amount):
SYNT{jurry-bs-ebzr-gheaf}
It's shifted by 13 (ROT13). Decode it for the flag.
Someone brute-forced their way into this server. Open auth.log ↗ and find the IP address that hammered failed logins before getting in. Enter the attacker's IP as your flag.
Same auth.log ↗. After breaking in, the attacker logged into one account and used it to copy the backups out. Which username did they compromise and use to exfiltrate data? Enter the account name.
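An added example, not part of the original challenge page: one way a defender could automate the check the two auth.log challenges above describe, flagging any IP that logs in successfully after a run of failed attempts and reporting the account it used. It assumes OpenSSH-style sshd password lines; the log sample, host name, IPs, usernames, function name and threshold are all constructed for illustration and are not taken from the challenge file.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format (an assumption; this is NOT the
# challenge's auth.log). IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[4101]: Failed password for root from 203.0.113.50 port 40122 ssh2
Mar  3 02:14:03 web01 sshd[4103]: Failed password for invalid user admin from 203.0.113.50 port 40130 ssh2
Mar  3 02:14:05 web01 sshd[4105]: Failed password for deploy from 203.0.113.50 port 40138 ssh2
Mar  3 02:14:06 web01 sshd[4106]: Failed password for alice from 198.51.100.7 port 51200 ssh2
Mar  3 02:14:07 web01 sshd[4107]: Failed password for deploy from 203.0.113.50 port 40146 ssh2
Mar  3 02:14:09 web01 sshd[4109]: Failed password for deploy from 203.0.113.50 port 40154 ssh2
Mar  3 02:14:20 web01 sshd[4111]: Accepted password for alice from 198.51.100.7 port 51210 ssh2
Mar  3 02:14:31 web01 sshd[4113]: Accepted password for deploy from 203.0.113.50 port 40162 ssh2
"""

# Matches both "for <user>" and "for invalid user <user>" variants.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce_logins(log_text, threshold=5):
    """Return (ip, user, failed_count) for each accepted login that the same
    source IP preceded with at least `threshold` failed attempts."""
    failures = defaultdict(int)  # consecutive failures per source IP
    hits = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # ignore non-sshd and non-password lines
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        if failures[ip] >= threshold:
            hits.append((ip, user, failures[ip]))
        failures[ip] = 0  # a success ends the run, e.g. a user who mistyped once
    return hits

if __name__ == "__main__":
    for ip, user, count in find_bruteforce_logins(SAMPLE_LOG):
        print(f"ALERT: {ip} logged in as {user} after {count} failed attempts")
```

The per-IP counter resets on every successful login, so a legitimate user who mistypes a password once does not accumulate toward the threshold.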
A scheduled task showed up on a client's machine. Read suspicious-command.txt ↗, decode the Base64 PowerShell payload, and figure out what it is. The flag is FLAG{...} describing the technique (hint: it's an encoded PowerShell download cradle).
Head to the Scam Email Museum ↗ and study the first five specimens in the "Legit or Scam?" game. Count how many of those five are scams, then enter the flag in this format: FLAG{N-of-five-were-fakes} where N is the number spelled out (e.g. "three").
Hit a new rank and you can mint a verifiable Cyber Ranger badge — signed, shareable, and impossible to fake.