Information Leakage
Find credentials hidden in the page source and use them to log in as admin.
HackLab drops you into a live terminal with shell access to a fake company's server. Find real vulnerabilities, exploit them, steal the secrets. No tutorials — just hacking.
Each level gives you real tools and a real target. No guided walkthroughs until you ask for a hint.
Use a real terminal to poke around the web server files. Read the source code. Find the bug.
Use curl, the browser, or the request builder to craft your payload. Inject the input. Steal the secrets.
Every level ends with an explanation of what went wrong and exactly how a real developer would fix it.
Five free levels covering the OWASP Top 10 essentials. Five advanced levels for real-world attack chains.
1. Information Leakage: find credentials hidden in the page source and use them to log in as admin.
2. Insecure Direct Object Reference: access another user's private profile by changing a single number in the URL.
3. Cross-Site Scripting: inject a script tag into the search page to steal the admin's session cookie.
4. SQL Injection: bypass the admin login without knowing the password using a classic SQL injection payload.
5. Command Injection: chain shell commands through a vulnerable diagnostic tool to read secret API keys off the server.
6. Parameter Tampering: buy a $999 laptop for $0.01 by intercepting and modifying the checkout request.
7. Path Traversal: escape the image directory using ../ sequences to read admin credentials off the server.
8. Server-Side Request Forgery: make the server fetch its own AWS IAM credentials from the EC2 metadata service, the same class of bug behind the Capital One breach.
9. Mass Assignment: register as admin by injecting a hidden field into the signup request the form never exposes.
10. Host Header Poisoning: hijack the admin's password reset link by poisoning the Host header in the reset request.
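As an added example (not HackLab's own level code), here is the login-bypass bug from level 4 in Python against an in-memory SQLite table of constructed sample accounts: the vulnerable handler concatenates user input into the query, so a quote-and-comment payload such as `admin' --` or the classic `' OR '1'='1` logs in as admin, while the fixed handler binds parameters and compares the password in constant time. The table, usernames and passwords are made up for this illustration.

```python
import hmac
import sqlite3

# Constructed sample data for the example; these are not real credentials.
# Passwords are stored in clear only to keep the example short; a real app
# stores a salted hash and verifies it after fetching the row by username.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL,
    role     TEXT NOT NULL
);
INSERT INTO users (username, password, role)
    VALUES ('admin', 'correct-horse-battery-staple', 'admin');
INSERT INTO users (username, password, role)
    VALUES ('alice', 'hunter2', 'user');
"""


def fresh_db():
    """Return a new in-memory database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: attacker-controlled text becomes SQL syntax.

    Returns (username, role) for the first matching row, or None.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn, username, password):
    """Parameterized query plus constant-time password comparison.

    The driver binds the username as a value, so quotes and comment markers
    in the input never reach the SQL parser.  The password is checked in
    Python rather than in the WHERE clause so the comparison cannot be
    short-circuited by query logic either.
    """
    row = conn.execute(
        "SELECT username, password, role FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    if not hmac.compare_digest(row[1].encode(), password.encode()):
        return None
    return (row[0], row[2])


if __name__ == "__main__":
    db = fresh_db()
    payloads = [("admin' --", "wrong"), ("x", "' OR '1'='1")]
    for user, pw in payloads:
        print(f"vulnerable {user!r}/{pw!r} ->", login_vulnerable(db, user, pw))
        print(f"fixed      {user!r}/{pw!r} ->", login_fixed(db, user, pw))
    print("fixed with the real password ->",
          login_fixed(db, "admin", "correct-horse-battery-staple"))
```

Both payloads return the admin row from the vulnerable handler: `admin' --` turns the rest of the WHERE clause into a comment, and `' OR '1'='1` makes the condition true for every row so the first user (admin) is returned. The fixed handler returns None for both and only succeeds with the real password.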
⬡ Levels 6–10 are part of Operation Blacksite — unlock all five together for $0.99.
No account required. Progress is saved in your browser.
No account. No download. Open the terminal and go.
▶ Play Free Now