
Sh3ll we play a game?
New challenges will all open together on 2025 June 7th at 12:00 KST
Please check the "notice" menu.
What is 'pwn'?

   "pwn" - means to compromise or control, specifically another computer (server or PC), web site, gateway device, or application. It is synonymous with one of the definitions of hacking or cracking, including iOS jailbreaking.  -  Wikipedia.
 
 
How do I play?

   there are flag files corresponding to each challenge (similar to CTF); you need to read one and submit it to pwnable.kr to get the corresponding points. in order to read the flag file, you need some skills in programming, reverse-engineering, bug exploitation, system knowledge, and cryptography. each challenge has an author's intended solution; however, there are a lot of unintended solutions as well :) the challenges are divided into four categories.

[Toddler's Bottle]  -  very easy challenges with simple mistakes.
[Rookiss]  -  typical bug exploitation challenges for rookies.
[Grotesque]  -  these challenges are grotesque-y. painful to solve, but with a very tasty flag :)
[Hacker's Secret]  -  real-world level challenges which involve special techniques/secrets.

 
Disclaimer

1. pwnable.kr is a non-commercial website.
2. the contents and services provided by pwnable.kr are free to individuals for non-commercial use.
3. contact admin or use proper citation in case of using the contents of pwnable.kr for non-commercial *public* use (e.g., academic class exercise).
4. never use pwnable.kr's resources or information learned from pwnable.kr for illegal purposes.
 
 
Rules & Tips

1. all kinds of DoS activities (i.e., too many process/file creations, or network access) are forbidden. there is no challenge which requires *excessive brute-forcing*. the intended solution always gets you the flag in less than a minute.
2. if you find any unintended bug or system deficiency, please report it to the admin. you will be thanked and get some credit.
3. solutions for challenges in Toddler's Bottle may be freely posted online. However, please refrain from posting solutions for challenges in other categories. But if you insist, post easy ones (solved by many people) and do not spoil too many details, for the sake of fun.
4. you can ask for and give hints for challenges on discord, but again, don't spoil too much.
5. all challenges are solvable. but if you think something is wrong, feel free to report it to the admin.


Contact

admin daehee (daehee87@khu.ac.kr)
discord Join Discord


Credits

AstralProjection: reporting server vulnerability (unintended solution for QEMU task)
jonathanxz22 : reporting server vulnerability (web config mistake)
Undvik : reporting unintended configuration (solution leak)
AstralProjection: reporting server vulnerability (system management)
jonathanxz22 : reporting server vulnerability (weak password)
N1kasu, martin : reporting server vulnerability (local privilege escalation)
veritas501 : reporting configuration error that allows unintended access for all QEMU-based tasks
haber : reporting multiple vulnerabilities in configuration
afang : reporting unintended solution (dos4fun)
debukuk : reporting CSRF vulnerability on webpage
yelang123 : reporting XSS vulnerability on webpage
5unKn0wn : reporting unintended solution (pwnsandbox)
Charo : reporting web server configuration error
martin : reporting server vulnerability (local privilege escalation on proxy-server challenge)
bla : IRC channel support
neomant : reporting site management mistake (information disclosure)
null0 : reporting site configuration error (duplicate flag authentication)
acez : reporting server configuration error (unintended access for all QEMU-based tasks)
sweetchip : reporting server configuration error (unintended ssh access)


pwnable.kr is powered/supported by Pwnlab@KHU



© PWNABLE.KR SINCE 2014 - ALL RIGHTS RESERVED. OPTIMIZED TO CHROME