The Labs
Every lab is a fully realized fictional company. Multiple services, real defenses, real exploit chains. Pick your difficulty.
Inked
Jill's Tatt Shop books fast and runs lean: a slick public site where clients request appointments, a staff dashboard where the artists triage those requests, and a CRM API tying it together. After a client's contact details turned up somewhere they shouldn't have, Jill brought you in to test the shop's systems end to end. You start on the public site as an anonymous visitor. The staff dashboard lives on its own subdomain and only shows a login. Your objective: get into the staff back office, find your way to whatever it's talking to, and read what the studio is hiding on the box.
ReportVerse
ReportVerse is a SaaS for generating branded PDF reports from "any HTTP data source — internal staging APIs, dashboards behind your firewall, or anything you can point us at." Their marketing copy says the quiet part out loud, and their engineers built exactly what was promised. Generate a few reports, read carefully, and see what the renderer is happy to bring back for you.
Bomb Threat
An anonymous group calling itself NEXUS has placed a 15-kiloton device under Central London and is demanding $10,000,000 within 24 hours. The detonator is wired to a remote control panel called NEXUS Control — your task is to break in, climb out of the maintenance role you'll land with, and trigger the deactivate endpoint with the right clearance. Their portal is a single-page console with login, MFA, and a "deactivate" button gated behind a clearance level your stolen account doesn't have. Find a way.
Angry Teacher
South Park Elementary's grading portal is held together by a single developer's bad day. You log in as one of Mr. Garrison's struggling students, see all your failing grades, and somewhere on the page is a thread to pull. The teacher's API key is around here somewhere; once you find it, the rest writes itself.
Smoothie
Citrine Juice Co. is a one-bar operation in Boston's South End — six bar stools, a glass case of cold-pressed bottles, and a Saturday-morning regulars list taped to the side of the espresso machine. Margot opened it in 2019 and built the online-ordering site herself a year later. The login form was the last thing she touched before she stopped touching the code.
PhoneVault
PhoneVault's CTO got a tip from a former contractor: "a regular customer account is enough to pull the moderator's session." Two weeks before launch, she's not taking chances. Sign up, look around, and see if you can reach the admin dashboard.
FrostByte
A tech consulting firm's public website and admin systems hide a sophisticated attack chain involving LDAP injection, password reset manipulation, and SQL injection leading to full system compromise.
VoxLink
VoxLink Communications built a streamlined customer portal for their business phone service clients. The portal allows customers to access billing statements, usage reports, and phone system configuration files. They also maintain a comprehensive help system at help.voxlink.local. As a security researcher, you've been asked to test both the main portal and help system. The features seem professional and well-built, but sometimes the most polished interfaces hide the most interesting vulnerabilities. Start by exploring the customer portal and see what other services you can discover.
NewsForge
NewsForge started as a side project by a local developer who wanted to share tech conference updates and open-source project milestones with the community. The platform grew organically — users can register, browse articles, and use the search feature to find content. The developer was proud of the simple, clean interface and basic functionality. But during a recent security audit, a colleague mentioned they noticed some unusual behavior in the search results. The search seems to return more than just article content. Find what the search is really doing and prove you can access sensitive information.