Cozyhosting

This box highlights the risks of exposing debugging interfaces in production environments and demonstrates how small misconfigurations—when chained together—...

Editorial

Editorial features a modern CMS hosting platform that suffered from exposed Git history and environment leaks.

Broker

Broker simulates a financial services intranet system hosted on Linux, with misconfigured messaging services and weak file permissions.

Timelapse

Timelapse emulates a modern corporate workstation environment integrated with Active Directory and custom time-tracking software.

Analytics

Analytics simulates a data dashboard built on Node.js and MongoDB with poor session handling and misused admin logic.

Soccer

Soccer features a PHP-based sports forum application with weak input validation and predictable file paths. Access was gained by exploiting an unauthenticate...

Cicada

Cicada explores a Linux system hosting a misconfigured development IDE that listens on an open port.

Remote

Remote is a Windows machine simulating a corporate helpdesk portal with vulnerable file parsing logic.

Pilgrimage

Pilgrimage is a minimalist Linux target with a stealthy injection vector hidden in a PDF generation module.

Boardlight

Boardlight emulates an internal taskboard system tied to Active Directory with modern user management features.

Love

Love is a web-focused Linux machine that hides a command injection vulnerability behind a modern-looking frontend.

Sau

Sau replicates a lab environment using modern web technologies with subtle misconfigurations.

Magic

Magic presents a Linux web application vulnerable to both insecure file uploads and unsafe PHP function usage.

Giddy

Giddy features a Windows box with MS SQL Server misconfigurations and weak service permissions.

Nibbles

Nibbles simulates a lightweight web server hosting a blog engine with hardcoded credentials and file upload flaws.

Precious

Precious focuses on a server running a vulnerable document conversion utility.

Querier

Querier revolves around a vulnerable MS SQL Server configured for remote access and weak credentials.

Codify

Codify demonstrates the risks of poorly configured internal APIs and CI/CD exposure.

Busqueda

Busqueda mimics a medium-sized enterprise environment with Active Directory Certificate Services (AD CS) misconfigurations.

Devvortex

Devvortex replicates a modern CI/CD pipeline environment with misconfigured Git services.

Knife

Knife is a Linux machine that demonstrates the danger of exposing development tools in production environments.

Tabby

Tabby simulates a corporate server hosting a file-sharing platform vulnerable to LFI (Local File Inclusion).

Return

Return explores a vulnerable PHP web application with insecure handling of serialized data, leading to a PHP object injection vulnerability.

Sauna

Sauna presents a realistic Windows Active Directory environment, offering a strong focus on domain enumeration and Kerberos-based attacks.