From the very beginning of building SixHack Academy, we were clear about one thing: labs were the core. Not videos, not slides, not quizzes. Labs. The only real way to learn how to attack is by attacking, and the only way to truly understand a vulnerability is by exploiting it in an environment that behaves like production.
CTF Labs was born from that conviction. And today it's available to everyone.
What is CTF Labs
CTF Labs is SixHack Academy's web hacking challenge system. Each challenge is a real web application with a real vulnerability. There are no obvious visual hints, no "go to next step" buttons. There's an application, there's an objective, and you need to find the way in.
The goal of each challenge is to find and exploit the vulnerability to capture a flag: a unique token that proves you made it to the end. When you submit a correct flag, the system validates it, adds points to your account and updates your position on the global leaderboard.
How the challenges are organised
Challenges are classified by difficulty into three levels:
Easy — Foundational vulnerabilities. Ideal for those who are learning or want to solidify concepts before moving up. They're not trivial, but the path to the flag is more straightforward.
Medium — The level where real learning begins. Medium challenges require combining techniques, thinking about the application's context and not giving up when the first approach doesn't work.
Hard — Challenges designed to test those who already have a strong foundation. They require lateral thinking, deep knowledge and patience. Not everyone makes it.
The global leaderboard
Every correct flag earns points. Points accumulate in your profile and determine your position on the global leaderboard, which is public and updates in real time.
The leaderboard is already moving. There are hackers who have been solving challenges for days, competing for the top spots and claiming the First Blood on each new challenge: the distinction that goes to the first person to solve it.
What vulnerabilities you'll find
CTF Labs challenges cover the most relevant web vulnerabilities in today's landscape, including OWASP Top 10 categories and beyond:
SQL Injection — Classic injections, blind, time-based and error-based in different contexts.
XSS — Reflected, stored and DOM-based Cross-Site Scripting, with varying levels of filtering.
IDOR — Insecure Direct Object Reference: accessing resources that don't belong to you by manipulating direct references.
SSRF — Server-Side Request Forgery: making the server send requests on your behalf to destinations it shouldn't be able to reach.
Broken authentication — Session logic flaws, predictable tokens, authentication bypass and more.
Business logic — Vulnerabilities that won't show up in any scanner because they require understanding how the application is supposed to work in order to find how to make it do what it shouldn't.
And this is just the beginning. The challenge catalogue will keep growing.
Completely free access
CTF Labs is free. Anyone can register at SixHack Academy, activate their account and start solving challenges the same day. No subscription, no credit card, no attempt limits.
The idea is that access shouldn't be the obstacle. The challenge is the obstacle.
Why we built it this way
Traditional CTFs tend to have two problems: either they're too gamified and lose touch with reality, or they're so complex that they're inaccessible to those who are learning.
We've tried to find the middle ground. Challenges that resemble what you'd encounter in a pentest or a bug bounty programme, but with a progression that allows you to enter without prior experience and go as far as your knowledge takes you.
Each challenge is designed with a specific vulnerability in mind, in an environment that contextualises it realistically. It's not a classic CTF challenge where you have to guess the author's intention. It's an application with a real flaw that you need to find.
Start now
The leaderboard is already live. There are unsolved challenges, First Bloods available and a position on the leaderboard waiting for you.
Register for free and access CTF Labs from day one.
Good luck.