// PLATFORM ONLINE · 20 LABS RUNNING

whoamilab

New Capture The Flag (CTF) platform with 20 vulnerable machines. Fully integrated into Discord - go to #learn-hacking run /welcome to get started and climb the ranks.

student@whoamilab:~$ ● LIVE
$ /welcome
[+] discord oauth2 ✓ · rank: rookie · access: granted
$ /start start
[+] container spawned · isolated · 1h timeout
$ ssh student@lab.whoamitang.com
$ cat /opt/it-staff/.confidential/.flag.txt
FLAG{w3lc0m3_u5er_h4cker}
$ /submit id:start FLAG{w3lc0m3_u5er_h4cker}
✓ captured · rank → Hacker · [+100 XP]
256
Hackers
1315
Completions
22
Live challenges
22/22
First bloods claimed
sign in with discord →
join discord ↗ · browse labs

// LIVE FEED · RECENT CAPTURES

Last 3 flags submitted.

Zen Crypto solved Cookie Monster
1m 0s
Zen Crypto solved Profile Hacker
4m 39s
Bilal Jones solved Command Injection
12m 47s

// HOW IT WORKS

Real Linux. Real exploits. Each lab is its own Docker container.

/ 01 · PICK

Choose a challenge

20 labs from "find a hidden file" to "deserialize this PHP object into RCE." Pick by tier or by topic.

$ /labs list
/ 02 · SPAWN

Get your own server

Discord bot spins a fresh container just for you. SSH credentials in DM, or hack it from the browser.

$ /start sqli
/ 03 · CAPTURE

Submit the flag

Find the bug. Exploit it. Read the flag. Post it. First to solve gets the first blood.

$ /submit id:sqli FLAG{...}

// CHALLENGES · 22 LIVE

From your first SSH connection to deserialization RCE.

/ 01
Beginner
3 labs
First Steps
SSH Connect via SSH and find hidden files
★☆☆☆☆
Profile Hacker
WEB Exploit insecure direct object references
★☆☆☆☆
Cookie Monster
WEB Manipulate browser cookies for privilege escalation
★☆☆☆☆
/ 02
Intermediate
10 labs
Command Injection
WEB+SSH Chain OS commands through a web interface
★★☆☆☆
Database Bypass
WEB+SSH Bypass authentication with SQL injection
★★☆☆☆
Malicious Upload
WEB+SSH Upload a web shell past file filters
★★☆☆☆
XML Attack
WEB Read server files through XML entity injection
★★☆☆☆
Path Traversal
WEB+SSH Traverse directories to read sensitive files
★★☆☆☆
Script Kiddie
WEB+SSH Inject JavaScript to steal credentials
★★☆☆☆
Vault Cracker
WEB+SSH Decode layered encoding to crack a vault
★★☆☆☆
API Hacker
WEB+SSH Exploit broken API access controls
★★☆☆☆
Source Code
WEB+SSH Find secrets in exposed version control history
★★☆☆☆
Param Tampering
WEB+SSH Exploit hidden form fields to escalate privileges
★★☆☆☆
/ 03
Advanced
7 labs
Template Injection
WEB+SSH Execute code through template engines
★★★☆☆
Token Forger
WEB+SSH Forge authentication tokens
★★★☆☆
Root Access
SSH Escalate from user to root via SUID
★★★☆☆
Internal Access
WEB+SSH Access internal services through SSRF
★★★☆☆
Hash Cracker
WEB+SSH Crack weak password hashes from an exposed database
★★★☆☆
Blind Injection
WEB+SSH Extract data through boolean-based blind SQL injection
★★★☆☆
Race the Clock
WEB Exploit a race condition to bypass purchase limits
★★★☆☆
/ 04
Expert
2 labs
Object Injection
WEB+SSH Exploit PHP deserialization for remote code execution
★★★★☆
Sign of Weakness
WEB Forge signed URLs by extending an MD5-based MAC
★★★★☆

// RANKS · 7 TIERS

Each rank is gated. Capture a lab at your tier, the next tier unlocks.

Unranked
no rank yet
Rookie
accept rules
Hacker
capture First Steps
Expert
any Hacker lab
Master
any Expert lab
Legend
any Master lab
Grandmaster
any Legend lab

Type /welcome.
Start hacking.

Join the Discord, sign in with one click, get your first lab in 60 seconds. No signup form, no email, no payment ever.

join discord → sign in with discord
ETHICAL · ISOLATED · FREE · 256 OPERATORS IN