🎯 Attack Simulator

Every developer leaves traces. A careless programmer left credentials in the HTML source code. Can you find them?

An intercepted transmission contains an encoded password. The encoding looks familiar... Can you decode it?

A web server is hiding something. The robots.txt file often reveals paths the admin wants hidden from search engines.

A router admin panel is still using factory default credentials. Try the most common default username and password.

A page shows "Access Level: guest" based on a URL parameter ?role=guest. Change it to admin.

A photo uploaded by the target contains hidden metadata. Use EXIF tools to extract GPS coordinates and a secret comment.

The server is leaking a flag in a custom HTTP response header. Check the response headers using DevTools or curl.

A website has an XML sitemap that indexes a secret admin page not linked anywhere on the site. Find it.

A developer left a notes.txt file on the web server. Browse to it and read the contents.

A login form has a hidden field controlling access level. Modify it to gain admin privileges and reveal the flag.

A message was encrypted using an ancient cipher. The shift key is somewhere between 1 and 25. Decrypt it.

The page has a locked vault. The unlock function exists in JavaScript but is not connected to any button. Call it from the console.

An API endpoint only serves data to a specific user agent string. Spoof your user agent to match the required bot.

An admin page checks that the Referer header comes from the same site. Forge the header to bypass the check.

The server has directory listing enabled. Browse the /uploads/ folder to find a config file with database credentials.

The admin left a backup of the login page. Try common backup extensions like .bak, .old, .swp to find the source code.

The application shows verbose error messages in production. Trigger an error to leak the database connection string.

The admin account uses one of the top 10 most common passwords. Try them all on the login form.

The server checks a cookie to determine if you are admin. Modify your cookies to escalate privileges.

A login form is vulnerable to SQL injection. Bypass authentication without knowing the password.

A database dump revealed password hashes. Identify the hash type and crack the weakest one to find the flag.

The app does not regenerate session IDs after login. Fix a known session ID, trick the admin into using it, then hijack their session.

The login page has no rate limiting. Use a wordlist to brute-force the 4-digit PIN protecting the admin account.

The server reveals its exact software versions via headers and error pages. Find all version numbers to build an exploit profile.

A file upload only checks the file extension client-side. Bypass the JavaScript validation to upload a PHP web shell.

A JWT token is signed with a weak secret. Crack it using a wordlist, then forge a token with admin privileges.

The main website is locked down, but a staging subdomain has no authentication. Enumerate subdomains to find it.

A search form reflects user input without sanitization. Inject a script to trigger an alert and prove XSS is possible.

A JWT token controls your access. Decode it, change your role to admin, and forge a new token.

A file viewer restricts access to /public/. Escape the directory and read /etc/passwd to find the flag.

An API returns user data at /api/user/1001. Your account is 1001. Change the ID to access the admin account at ID 1.

A web tool runs ping on user-supplied input. The input is not sanitized. Inject an OS command to read /etc/flag.

A URL preview feature fetches any URL you provide. Trick it into fetching an internal service at http://169.254.169.254/flag.

The password change form has no CSRF token. Craft a request that changes the admin password when they visit your page.

A login page redirects users after auth via ?redirect= parameter. Abuse it to redirect to an attacker-controlled site.

An XML parser accepts user input without disabling external entities. Inject an XXE payload to read /etc/flag from the server.

A Java application deserializes user-supplied objects. Craft a malicious serialized object to achieve remote code execution.

A PHP page includes files based on a parameter: page.php?file=about. Exploit LFI to read sensitive files using PHP filters.

A bank transfer endpoint checks balance before deducting. Send multiple requests simultaneously to exploit the TOCTOU race condition.

An API returns Access-Control-Allow-Origin: * with credentials. Steal the admin token from a cross-origin page.

A CNAME record points to a decommissioned cloud service. Claim the endpoint and serve your own content on the subdomain.

A mobile app bundles its API key in the JavaScript source. Decompile the app and extract the hardcoded secret.

A web app uses Jinja2 templates and reflects user input into the template. Inject a Server-Side Template Injection payload.

The page shows no SQL errors, but responses differ based on true/false conditions. Extract the admin password one character at a time.

The page reads from location.hash and inserts it into the DOM via innerHTML. Craft a URL fragment that executes JavaScript.

The admin panel checks authentication client-side in JavaScript. The API behind it has no auth. Access the admin API directly.

The user profile update API accepts any field. Add "role":"admin" to your update request to escalate privileges.

An API endpoint checks the X-Admin-Key header. Intercept the request and add the correct header to access the admin panel.

An encoded message was intercepted in binary. Decode the binary to ASCII, then decode the result from hex to reveal the flag.

You have shell access as a low-privilege user. Find the SUID binary, exploit it, and read /root/flag.txt.

A Node.js app deep-merges user input into objects. Pollute Object.prototype to inject isAdmin=true on all objects.

A WebSocket chat server has no origin validation. Connect from a malicious page and intercept admin messages.

An OAuth implementation does not validate the redirect_uri parameter. Steal the authorization code by redirecting to your server.

The API key comparison uses string equality which returns early on mismatch. Extract the key by measuring response times.

A packet capture contains an HTTP login. Analyze the PCAP data to extract the credentials transmitted in cleartext.

A flag is hidden in the LSB (least significant bits) of an image. Extract the hidden message using steganography techniques.

Malware is exfiltrating data via DNS queries. Analyze the DNS logs to decode the stolen data hidden in subdomain labels.

A popular npm package was compromised. Analyze the malicious code injected in a postinstall script to find the C2 domain.

A JWT uses a "kid" header parameter to select the signing key from a file. Inject a path traversal to use /dev/null as the key.

A GraphQL API has introspection enabled in production. Query the schema to discover hidden admin mutations and extract the flag.

A MongoDB login uses $ne (not equal) operator vulnerability. Bypass authentication by injecting query operators.

A WAF blocks common XSS patterns. Find a bypass using encoding, case variation, or alternative event handlers.

You have root in a Docker container. The Docker socket is mounted inside. Escape to the host by creating a privileged container.

Extract a Kerberos TGS ticket for a service account, then crack its password offline using hashcat.

An IoT device firmware image contains hardcoded credentials. Extract the filesystem and find the default root password.

Ransomware encrypted files using a weak key derivation. The key is derived from the system time at encryption. Reverse the process.