// ethical hacking training platform

whoamilab

Practice real vulnerabilities in isolated environments. Beginner to advanced. Free forever.

student@lab:~$ cat /opt/it-staff/.confidential/.flag.txt
FLAG{w3lc0m3_u5er_h4cker}
student@lab:~$ /submit flag
✓ Flag captured! Rank: Hacker [+100 XP]
84 Hackers
393 Completions
15 Challenges
15/15 First Bloods

// how it works

Real hacking labs on real Linux servers. Not simulations.

01 Pick a challenge: 15 labs from beginner Linux to advanced exploitation. Choose your difficulty.
02 Get your own server: An isolated Docker container spins up just for you. SSH in or hack through the browser.
03 Capture the flag: Find the vulnerability, exploit it, grab the flag. Earn ranks and climb the leaderboard.

// challenges

From your first SSH connection to server-side template injection.

01 Beginner (3 labs)
First Steps [SSH]: Connect via SSH and find hidden files ★☆☆☆☆
Profile Hacker [WEB]: Exploit insecure direct object references ★☆☆☆☆
Cookie Monster [WEB]: Manipulate browser cookies for privilege escalation ★☆☆☆☆
02 Intermediate (8 labs)
Command Injection [WEB+SSH]: Chain OS commands through a web interface ★★☆☆☆
Database Bypass [WEB+SSH]: Bypass authentication with SQL injection ★★☆☆☆
Malicious Upload [WEB+SSH]: Upload a web shell past file filters ★★☆☆☆
XML Attack [WEB]: Read server files through XML entity injection ★★☆☆☆
Path Traversal [WEB+SSH]: Traverse directories to read sensitive files ★★☆☆☆
Script Kiddie [WEB+SSH]: Inject JavaScript to steal credentials ★★☆☆☆
Vault Cracker [WEB+SSH]: Decode layered encoding to crack a vault ★★☆☆☆
API Hacker [WEB+SSH]: Exploit broken API access controls ★★☆☆☆
03 Advanced (4 labs)
Template Injection [WEB+SSH]: Execute code through template engines ★★★☆☆
Token Forger [WEB+SSH]: Forge authentication tokens ★★★☆☆
Root Access [SSH]: Escalate from user to root via SUID ★★★☆☆
Internal Access [WEB+SSH]: Access internal services through SSRF ★★★☆☆

// skills you'll learn

Real techniques used by penetration testers and bug bounty hunters.

SQL Injection: Bypass login forms and extract database contents
Command Injection: Chain OS commands through vulnerable web apps
Cross-Site Scripting: Inject JavaScript to steal cookies and credentials
File Upload Attacks: Upload web shells past security filters
Path Traversal: Read files outside the intended directory
Privilege Escalation: Go from low-privilege user to root access
JWT Attacks: Forge authentication tokens to gain admin access
SSRF: Make servers request internal resources on your behalf

ready to hack?

Join the Discord, type /welcome, and you're hacking in 60 seconds.