This box highlights the risks of exposing debugging interfaces in production environments and demonstrates how small misconfigurations—when chained together—can lead to full system compromise. By relying on session hijacking, command...
Editorial features a modern CMS hosting platform that suffers from exposed Git history and environment leaks.
Broker simulates a financial services intranet system hosted on Linux, with misconfigured messaging services and weak file permissions.
Timelapse emulates a modern corporate workstation environment integrated with Active Directory and custom time-tracking software.
Analytics simulates a data dashboard built on Node.js and MongoDB with poor session handling and misused admin logic.
Soccer features a PHP-based sports forum application with weak input validation and predictable file paths. Access was gained by exploiting an unauthenticated file upload endpoint that allowed direct webshell deployment....
Cicada explores a Linux system hosting a misconfigured development IDE that listens on an open port.
Remote is a Windows machine simulating a corporate helpdesk portal with vulnerable file parsing logic.
Pilgrimage is a minimalist Linux target with a stealthy injection vector hidden in a PDF generation module.
Boardlight emulates an internal taskboard system tied to Active Directory with modern user management features.
Love is a web-focused Linux machine that hides a command injection vulnerability behind a modern-looking frontend.
Sau replicates a lab environment using modern web technologies with subtle misconfigurations.
Magic presents a Linux web application vulnerable to both insecure file uploads and unsafe PHP function usage.
Giddy features a Windows box vulnerable to MS SQL Server misconfigurations and weak service permissions.
Nibbles simulates a lightweight web server hosting a blog engine vulnerable to hardcoded credentials and file upload flaws.
Precious focuses on a server running a vulnerable document conversion utility.
Querier revolves around a vulnerable MS SQL Server configured for remote access and weak credentials.
Codify demonstrates the risks of poorly configured internal APIs and CI/CD exposure.
Busqueda mimics a medium-sized enterprise environment with Active Directory Certificate Services (AD CS) misconfigurations.
Devvortex replicates a modern CI/CD pipeline environment with misconfigured Git services.
Knife is a Linux machine that demonstrates the danger of exposing development tools in production environments.
Tabby simulates a corporate server hosting a file-sharing platform vulnerable to LFI (Local File Inclusion).
Return explores a vulnerable PHP web application with insecure handling of serialized data, leading to a PHP object injection vulnerability.
Sauna presents a realistic Windows Active Directory environment, offering a strong focus on domain enumeration and Kerberos-based attacks.