A fully static Capture The Flag platform hosted on GitHub Pages. Learn cybersecurity by exploiting real vulnerabilities — all running in your browser with zero server infrastructure.
🌐 Live at: try-hack.com
TRY-HACK.COM is an educational CTF platform with 44 challenges across 8 categories. Every challenge runs entirely client-side — no backend, no databases, no server required.
Each challenge embeds a hidden flag (format: FLAG{...}) that can only be found by exploiting the intended vulnerability.
| Category | Count | Challenges |
|---|---|---|
| 🌐 Web Applications | 21 | Hidden Comment, Inspect Vault, Redirect Trap, Script Kiddie, Cookie Monster, Profile Peeker, Encoded Secrets, SQLite Injection, Token Forge, Template Trickster, Path Walker, Prototype Poisoner, DOM Clobber, Race the Clock, The Final Hack, Locked Down, Invisible Ink, Client-Side Login, Base32 Vault, Session Hunter, The Naive Filter |
| 💥 Binary Exploitation | 3 | Stack Smasher, Format String, Integer Overflow |
| 🌐 Network Forensics | 3 | Packet Detective, Header Inspector, DNS Exfil |
| 🔍 Digital Forensics | 3 | Disk Dumpster, EXIF Detective, Log Sleuth |
| 🔄 Reverse Engineering | 4 | Obfuscated Key, XOR Chain, Tiny VM, Caesar Wheel |
| 🖼️ Steganography | 3 | Pixel Smuggler, Whitespace Message, Zero Width |
| 📡 Recon / OSINT | 3 | Subdomain Sweep, Robots Disallow, Exposed .git |
| 🎓 Academic Challenges | 4 | Weak RSA, Single-Byte XOR, Binary to ASCII, Vigenère |
Total: 44 challenges
Visit try-hack.com and start hacking!
# Clone the repository
git clone https://github.com/zrnge/try-hack.git
cd try-hack
# Serve with any static server
npx serve .
# or
python -m http.server 8000Open http://localhost:8000 in your browser.
- Pure HTML/CSS/JS — No frameworks, no build step
- sql.js (WASM) — Real SQLite database in the browser for SQL injection challenge
- Web Crypto API — SHA-256 flag validation
- GitHub Pages — Free static hosting
Flags are stored as SHA-256 hashes in the source code. While determined players could reverse-engineer the challenges, the real value is in learning the exploitation technique. Each flag is only obtainable through the intended vulnerability path.
- Create a new repository on GitHub and push this project to the
mainbranch. - Go to Settings → Pages in the repo.
- Under Build and deployment, select Deploy from a branch and choose
main/(root). - The
CNAMEfile already containstry-hack.com, so GitHub Pages will use your custom domain. - In your DNS provider, add an A record for
try-hack.compointing to GitHub Pages IPs:185.199.108.153185.199.109.153185.199.110.153185.199.111.153Or add a CNAME record forwwwpointing tozrnge.github.io.
- Wait a few minutes for DNS + HTTPS certificate provisioning, then visit https://try-hack.com.
No build step is required. Everything is static HTML/CSS/JS.
MIT License — Use this for education, workshops, and CTF events.
Found a bug? Want to add a challenge? PRs are welcome!
- Fork the repo
- Create your challenge in
challenges/CATEGORY/XX-slug/index.html - Add the challenge metadata to
js/challenges.jswith the matchingcategoryandcategoryPath - Submit a PR
Built by zrnge — zrnge.com · github.com/zrnge/try-hack
Built with 🏴☠️ for the cybersecurity community.