Single-vulnerability challenges teach you a technique. Labs teach you how a real compromise actually unfolds: a low-severity CSRF plants an XSS, the XSS steals a JWT, the stolen JWT authorizes a password reset, and the reset hands you admin. Each lab below is an end-to-end kill path you execute yourself.
Each lab is framed as a narrative breach — you are a red-team operator with a clear objective. No artificial puzzles. Every step maps to a technique used in real incidents.
Output from one exploit becomes input for the next. Leak a token, forge a session, pivot to an internal API, escalate privileges, drop a webshell. The final flag proves you completed the whole chain.
One flag per lab, revealed only at the final step, with no partial credit. Submitting a BF{...} flag means you walked every hop of the attack graph yourself, the same hops a defender will reconstruct when reviewing the incident afterwards.
We don't reveal flags on this page — that would defeat the point. Every live lab hides a single string in the format BF{...}, and you only see it after you finish the full attack chain yourself. It'll appear in the final step — a response body, a database field, a file on disk, a rendered page. Paste what you captured into the submission box on the lab's card to mark it complete. Progress is saved to this browser, so you can close the tab and come back anytime.
Ten drafted labs covering the attack patterns seen most often in bug bounty write-ups and post-incident reports.
TaskBoard is a project-management SaaS. You own a low-privilege account, attacker / attacker123. An internal "admin review" bot visits any URL you submit via /report; it runs in real headless Chromium with the admin's session cookie. Use a reflected XSS on /search to exfiltrate that cookie, notice that CSRF tokens are not bound to the session that issued them, and chain an IDOR on PUT /api/users/:id to set role=admin on your own user. Log back in as yourself and read the flag.
ShareBox is a small file-sharing portal — sign in with alice / alice123. The download endpoint hands you arbitrary bytes from the filesystem, so path traversal reads the Apache access log. That log captures your User-Agent header verbatim, so a crafted request poisons the log with PHP. The preview endpoint uses include() instead of readfile(), so including the poisoned log gives you code execution as www-data. From there a localhost-only cleanup admin tool invokes sudo clean.sh "$name" with a half-hearted filter, and command substitution in the argument runs as root to read /root/flag.txt.
ShopLoop is a tiny e-commerce site: browse, review, manage a wallet. You start as a fresh signup, unverified, broke. Five small mistakes compound: SQL injection on product search dumps every user's reset_token; the password-reset endpoint never rotates tokens, so you hijack a verified account; stored XSS in reviews runs inside the admin moderator's browser a few seconds later; a missing CSRF token on add-payment-method lets that payload register your card on the admin's wallet; and an open redirect ferries the transfer response, which contains the flag, back to your listener.
MicroHub is an internal platform split into three API surfaces — user, files, billing — sharing one Mongo instance. You start with no credentials. Login passes the JSON body straight into Mongo's findOne, so a NoSQL injection with {"$ne":""} gets you in as a seeded user. The file preview endpoint fetches arbitrary URLs server-side — an SSRF through the docker network reaches an internal metadata service that publishes operator credentials. Those credentials land you an admin session, whose ZIP upload extracts entries without sanitising paths — zip-slip plants a role-override file that elevates you to billing-admin. The billing invoice endpoint then IDORs straight past ownership to the treasury user's premium invoice — the flag is in the memo.
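The first hop of this lab, as an added example that is not MicroHub's own code: a login handler that hands the raw JSON body to findOne() accepts an operator object where a string was expected, so {"$ne": ""} matches the first seeded user. The user records, the tiny Mongo-style matcher, and the function names are all constructed for this illustration; the hardened handler simply refuses non-string credentials before they reach the query.

```javascript
// Added example (not the MicroHub lab's code): why passing a JSON body
// straight into findOne() lets {"$ne": ""} log in as a seeded user.
// The collection and the matcher below are a constructed in-memory stand-in
// for MongoDB that supports just the operators this example needs.

// Constructed seed data; the password values are placeholders, not real hashes.
const users = [
  { _id: 1, username: 'ops-seed', password: 'placeholder-hash-1', role: 'user' },
  { _id: 2, username: 'treasury', password: 'placeholder-hash-2', role: 'billing-admin' },
];

// Minimal evaluator for a Mongo-style query object: every field must match;
// a plain value means equality, an object means operators ($ne / $gt / $regex).
function fieldMatches(actual, expected) {
  if (expected !== null && typeof expected === 'object' && !Array.isArray(expected)) {
    return Object.entries(expected).every(([op, arg]) => {
      switch (op) {
        case '$ne': return actual !== arg;
        case '$gt': return actual > arg;
        case '$regex': return new RegExp(arg).test(String(actual));
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  return actual === expected;
}

// Returns the first document matching every field of the query, like Mongo's findOne.
function findOne(collection, query) {
  return collection.find((doc) =>
    Object.entries(query).every(([field, expected]) => fieldMatches(doc[field], expected))
  ) || null;
}

// Vulnerable login: whatever JSON the client sent becomes the query verbatim.
function loginVulnerable(body) {
  const user = findOne(users, { username: body.username, password: body.password });
  return user ? { uid: user._id, role: user.role } : null;
}

// Hardened login: credentials must be strings, so an operator object never
// reaches the database. (A real handler would compare a password hash here.)
function loginHardened(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return null;
  }
  const user = findOne(users, { username: body.username, password: body.password });
  return user ? { uid: user._id, role: user.role } : null;
}

// The payload the lab description mentions: both fields are operators, not strings.
const injectedBody = JSON.parse('{"username": {"$ne": ""}, "password": {"$ne": ""}}');
```

The type check is the whole fix: Mongo treats a nested object as a query operator, so anything that accepts `req.body` without asserting primitive types is injectable, whichever driver or ODM sits in between.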
Session cookies are AES-encrypted, but in ECB mode, which encrypts every 16-byte block independently under the same key. Swapping blocks between two cookies lets you splice your own user_id into an admin's cookie template without knowing the key. Once you are logged in as admin, insecure deserialization in the session deserializer finishes the job with RCE.
A /debug route left exposed by a security misconfiguration leaks requirements.txt. One pinned library has a known pickle deserialization CVE. You craft the CVE payload against a file-upload endpoint whose whitelist only checks the file extension and pop a shell inside the worker container.
The victim visits your attacker page. A clickjacking iframe over a settings toggle silently flips their email to one you control. A weak password-reset flow then emails the reset token to you. You log in, and a CORS misconfiguration on the internal API hands you their API key. Their account is yours, and they never typed a thing.
The flagship multi-stack lab. A single crafted XML file triggers XXE in the PHP import service to read internal URLs, pivots via SSRF to the Node-based queue worker, which pulls a YAML config; your payload also carries a YAML deserialization gadget that performs an LDAP injection to authenticate as the Python microservice's service account. One payload. Three runtimes. One flag.
A reverse-proxy misconfiguration lets you perform HTTP request smuggling. Smuggled requests bypass the edge auth filter, exposing an admin-only endpoint. That endpoint has a prototype-pollution sink. Polluting Object.prototype.isAdmin = true elevates every subsequent request for the lab's duration, because the polluted property lives in the process rather than in any one session, and that includes the request that reads the flag.
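The pollution sink and its blast radius, as an added example that is not the lab's own code: a recursive merge over untrusted JSON walks into the "__proto__" key, writes isAdmin onto Object.prototype, and a session object created afterwards inherits it. The merge functions, the payload and the demo helpers are constructed for this illustration; the hardened merge drops the prototype-reaching keys, and the authorization check only honours an own property.

```javascript
// Added example (not the lab's code): how a recursive merge on untrusted JSON
// pollutes Object.prototype, why a naive `user.isAdmin` check then passes for
// every request in the process, and a merge plus a check that resist it.

// Vulnerable deep merge: iterates keys from untrusted input, including "__proto__".
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion below
      // writes the payload's fields onto every object in the process.
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: refuse the keys that reach the prototype chain and only
// recurse into own, plain-object properties of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function mergeHardened(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mergeHardened(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Naive check: reads isAdmin through the prototype chain, so pollution elevates everyone.
function isAdminNaive(user) {
  return user.isAdmin === true;
}

// Robust check: only an own property set by the session layer counts.
function isAdminOwn(user) {
  return hasOwn(user, 'isAdmin') && user.isAdmin === true;
}

// Constructed payload, as it would arrive in a JSON request body to the sink.
const PAYLOAD = '{"displayName": "x", "__proto__": {"isAdmin": true}}';

// Merges the payload into a fresh settings object, measures the effect on an
// unrelated session object created afterwards, then removes the pollution.
function demoVulnerable() {
  const settings = mergeVulnerable({}, JSON.parse(PAYLOAD));
  const laterSession = { uid: 7 }; // a different request, no admin rights
  const result = {
    naiveElevated: isAdminNaive(laterSession),
    ownCheckElevated: isAdminOwn(laterSession),
    settingsHasOwnIsAdmin: hasOwn(settings, 'isAdmin'), // false: it lives on the prototype
  };
  delete Object.prototype.isAdmin; // undo the pollution so the process is clean again
  return result;
}

function demoHardened() {
  mergeHardened({}, JSON.parse(PAYLOAD));
  const laterSession = { uid: 7 };
  return { naiveElevated: isAdminNaive(laterSession), ownCheckElevated: isAdminOwn(laterSession) };
}
```

The `settingsHasOwnIsAdmin` result is the detail that makes this class of bug hard to spot in logs: the object you merged into looks untouched, and the elevated flag only shows up when some other code reads `isAdmin` through the chain. Freezing Object.prototype at startup (`Object.freeze(Object.prototype)`) is a coarse but effective backstop for services that never extend it.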
No hints. No hand-holding. You are given the URL of a mock SaaS product and one instruction: get the flag. There are at least six chained bugs in scope. Every other lab was a guided tour; this one is the exam.
More labs will unlock once all single-vuln challenges are fully stable. Sharpen your fundamentals first.