PwnKata
Start drilling free
Deliberate practice for pentesters

Drill one technique
at a time.

PwnKata is LeetCode for offensive security. Open a live, isolated target in your browser, exploit the seeded weakness, capture the flag — then do it again on a fresh variant until it's muscle memory.

Capture your first flag free Prepping for OSCP?
No card. A real shell in seconds 986+ variants, every one CI-proven solvable A fresh variant every rep
drill workspace · session live
easy

SUID binary privilege escalation

A standard user has a shell. One root-owned binary carries the setuid bit — find it, abuse it, read the protected flag.

Objective

Recover the flag at /root/flag.txt and submit it.

user@target:~$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
user@target:~$ find . -exec /bin/sh -p \; -quit
# id
uid=1000(user) euid=0(root)
# cat /root/flag.txt
PWNKATA{…}
#

Built on verified content — not invented numbers.

986+
pre-verified variants
59
techniques
6
skill domains
100%
CI-proven solvable
How it works

Three steps, then repeat.

No sprawling multi-step machines — just the one skill, drilled until it sticks.

1

Pick a technique

Choose a single TTP from the catalog — sudo misconfig, SUID abuse, SQL injection, Kerberoasting, and more.

2

Open the target

A live, isolated target opens in your browser. Enumerate the host or service; simulated dependencies are labeled in the catalog.

3
↻ repeat

Capture & repeat

Read the flag, submit it, and a fresh seeded variant spins up instantly. Drill the reps until it's automatic.

The missing middle

From one rep to exam pressure.

Atomic drills make execution automatic. The ladder grades the space between a single drill and a full machine — the connective tissue OSCP and CPTS actually test — on the same verified targets.

  1. Rep

    Atomic drill

    One technique, executed clean.

    Start where the skill is isolated. The objective is named, the flaw is one primitive, and a fresh variant lands every solve until execution is automatic.

  2. Blind

    Blind identification

    An unnamed target. Find the weakness yourself.

    Hide the label and you get a real box's first problem: enumerate, identify which primitive applies, then execute. Blind solves weigh heavier on your dashboard.

  3. Triage

    Distractors & rabbit-holes

    Plausible dead ends. Don't burn the clock.

    Decoys — a dead cron, a NOEXEC binary, fake creds — are planted alongside the real path, each proven inert. You practice triage: spotting the rabbit hole before it costs you.

  4. Chain

    Multi-step chain

    Foothold → privesc on one host.

    Verified atomic drills welded into the shape of a standalone exam box. One terminal flag plus checkpoint tokens for partial credit — the connective tissue the certs actually test.

  5. Sprint

    Exam Sprint

    Timed battery → readiness report.

    A wall-clock battery of unseen blind items weighted by an exam blueprint. The payoff is a diagnostic readiness report — solved-vs-attempted by skill area, time outliers, and a verdict.

Certification prep

Map the catalog to your exam.

The catalog is sourced and tagged against the OSCP and CPTS syllabi. Pick your exam and drill the techniques it tests — then prove you're ready with a timed sprint.

OSCP OffSec

Make the primitives automatic before exam day.

  • Linux privilege escalation
  • Web application attacks
  • Active Directory
  • Enumeration & service attacks
OSCP prep guide
CPTS Hack The Box

Build the methodology into muscle memory.

  • Privilege escalation
  • Web exploitation
  • Active Directory
  • Service enumeration
CPTS prep guide
PNPT TCM Security

Own the domain, then explain how you did it.

  • External recon & web foothold
  • Active Directory to Domain Admin
  • Privilege escalation
  • Service enumeration
PNPT prep guide
eWPT INE Security

Make web exploitation a reflex.

  • Recon & content discovery
  • Injection attacks
  • File & inclusion attacks
  • Server-side attacks
  • Client-side & access control
eWPT prep guide
Why PwnKata

Recognition over recall.

Walkthroughs teach you one path once. PwnKata rebuilds the same technique on a fresh variant every rep, so what sticks is the primitive — not a memorised command.

Real, not simulated

An actual shell on an actual box.

Every drill is a live Linux target you exploit for real. The same enumeration, the same primitives, the same payoff you'd get on an engagement — minus the setup.

  • A fresh, single-use box per session, destroyed on solve
  • Fully isolated — you're attacking a throwaway, safely
  • Standard tooling — bring your real workflow
target · live shell
A fresh variant every rep

The flaw moves. The skill stays.

Solve a drill and the box is destroyed and reborn from a new deterministic seed — a different binary, account, or path. You can't pattern-match your way through; you have to actually recognise the technique.

  • Deterministic seeds — reproducible, never random-feeling
  • Every seed is proven solvable before it ships
  • Reset and re-roll in one click
Rep 1 · /usr/bin/find seed 0x1f
Rep 2 · /usr/bin/awk seed 0x4c
Rep 3 · /usr/bin/vim seed 0x9a
· Rep 4 · queued seed —
Know before exam day

A readiness report, not a vibe.

An Exam Sprint sequences unseen blind reps and chains under a wall-clock budget weighted by an exam blueprint — then tells you, by skill area, whether you're actually ready. Find the gap here, before you spend a real exam attempt on it.

  • Solved-vs-attempted by skill area
  • Time-per-item outliers flagged as possible rabbit holes
  • A readiness verdict you can act on
Sprint readiness On track
Linux privesc7/8
Web7/10
Active Directory2/5
Service enum5/6
⚠ AD chain · 41 min — possible rabbit hole
The catalog

65 techniques across 6 domains, and growing.

59 live today — Linux privesc, web exploitation, Active Directory, network services, and cloud. Pick one and start a rep.

Linux Privilege Escalation

11 live View all →
Linux · Privilege Escalation Live

File Capability Privilege Escalation

Linux file capabilities can grant one binary more power than intended. Drill finding and abusing that mistake.

easy
Linux · Privilege Escalation Live

sudo -l Privilege Escalation

A misconfigured sudo rule is one of the most common real-world Linux privesc paths. Drill it until `sudo -l` is the first thing your fingers type.

easy
Linux · Privilege Escalation Live

SUID Binary Privilege Escalation

A stray SUID bit on the wrong binary is an instant root. Drill enumerating and abusing SUID binaries until it's automatic.

easy

Web Exploitation

23 live View all →
Web Live

SQL Injection: Auth Bypass

Drill authentication-bypass SQL injection by matching the payload to the query context.

easy
Web Live

OS Command Injection

Find where user input reaches a shell, then pick a payload form that survives the filter and response style.

medium
Web Live

SSRF via URL Parameter

Make the server fetch what it shouldn't. Internal targets are simulated safely inside the drill.

medium

Windows Privilege Escalation

2 live View all →
Windows · Privilege Escalation Live

Windows PowerUp Local Privilege Escalation

Use PowerUp on a real Windows Server target to find and abuse a weak service DACL.

medium
Windows · Privilege Escalation Live

Windows Manual Local Privilege Escalation

Escalate on a real Windows Server VM by hand — no PowerSploit, no shortcuts.

medium

Active Directory

6 live View all →
Windows · Active Directory Live

Kerberoasting

Kerberoasting is a workflow: identify the right SPN, request the ticket, crack offline, and prove the credential works.

hard
Windows · Active Directory Live

AS-REP Roasting

Find the account with Kerberos pre-authentication disabled, then turn that misconfiguration into a credential.

medium
Windows · Active Directory Live

AD Graph Enumeration Simulator

AD Graph Enumeration Simulator distilled into repeatable single-technique reps on isolated targets.

medium

Network Services

16 live View all →
Network Live

SNMP Community Strings

A valid community string is only the first step. Walk the tree and identify the OID that proves impact.

easy
Network Live

SMB Share Enumeration and Loot

SMB Share Enumeration and Loot distilled into repeatable single-technique reps on isolated targets.

easy
Network Live

FTP Anonymous Enumeration

FTP Anonymous Enumeration distilled into repeatable single-technique reps on isolated targets.

easy

Cloud Security

1 live View all →
Cloud Live

IMDS Credential Theft

Metadata services expose temporary credentials to workloads. Drill retrieving them and proving access without touching a real cloud account.

medium
Why not just grind boxes?

Built for reps, not for show.

Sprawling CTF machines and video courses have their place. For building reflexes on a specific technique, focused repetition wins.

PwnKata Sprawling CTF machines Video courses
Scope One technique per drill Many skills at oncehard to isolate the gap Passive, broad
Repetition Fresh variant every rep One-and-done box Re-watch the clip
Feedback Instant flag check + solution Write-up, eventually Quiz, maybe
Exam readiness Timed sprints + report No signal No signal
Anti-memorisation Seeded, proven solvable Walkthrough-shaped Single example
Pricing

Start free. Go Pro when the cap gets in your way.

Every live technique is free to drill. Upgrade for unlimited reps and the full ladder.

Free
$0 /mo
  • Every live technique
  • 5 drills per 24 hours
  • Real isolated boxes
  • Progress, streaks & accuracy
Create a free account
Pro
Pro
$15 /mo

or $144/year — two months free

  • Everything in Free
  • Unlimited drills — no daily cap
  • Blind, distractors, chains & Exam Sprints
  • Priority access to new techniques
Start free, upgrade anytime

Founding cohort: $99/year while it lasts · billed securely via Stripe — no card stored by us.

FAQ

Questions, answered.

Is this real exploitation or just a simulation?
Real. Each drill spins up a live, isolated Linux box and gives you an actual shell — you enumerate and exploit it the way you would on a real engagement. A handful of Active Directory and cloud drills use simulated services (LDAP/Kerberos, instance metadata) where standing up a real domain or cloud account isn't practical; those are clearly labelled.
Do I need to install or VPN into anything?
No. The box runs in your browser over a terminal. There's nothing to download, no VPN, and no local setup — open a technique and you have a shell in seconds.
Is PwnKata good for OSCP, CPTS, or PNPT prep?
It's built for exactly that. Certs and real engagements reward recognising a primitive fast and executing it cleanly. PwnKata turns each technique into repeatable reps so the recognition becomes automatic, then composes them into exam-shaped chains and timed sprints with a readiness report.
Aren't single-technique drills just training wheels?
That's why the difficulty ladder exists. Once a technique is automatic, you progress to blind targets (no label — identify it yourself), planted rabbit-holes (triage under pressure), multi-step chains (foothold → privesc on one host, the shape of an exam box), and timed Exam Sprints. The same verified targets grade all the way up to exam pressure.
Is it safe to run real exploits in the browser?
Yes. Every target is a single-use, fully isolated box that exists only for your session and is destroyed the moment you solve it or leave. You're attacking a throwaway — it never touches anything that matters, and flags are graded outside the box so they can't be forged from inside it.
What's free versus paid?
The free tier covers every live technique with full progress tracking and a daily drill cap. Pro removes the cap for unlimited reps and adds priority access to new techniques, chains, and sprints as the catalogue grows.
Can I use my own tools and workflow?
You're in a real shell with standard tooling available — bring the enumeration and exploitation workflow you'd actually use. Drills reward understanding the primitive, not memorising one exact command.

Stop reading walkthroughs. Start drilling.

Spin up a real box and capture your first flag in the next two minutes — free.

Start drilling free