WEBVERSE

The Labs

Every lab is a fully realized fictional company. Multiple services, real defenses, real exploit chains. Pick your difficulty.

Showing 1–9 of 40 labs
Bomb Threat
medium

An anonymous group calling itself NEXUS has placed a 15-kiloton device under Central London and is demanding $10,000,000 within 24 hours. The detonator is wired to a remote control panel called NEXUS Control — your task is to break in, climb out of the maintenance role you'll land with, and trigger the deactivate endpoint with the right clearance. Their portal is a single-page console with login, MFA, and a "deactivate" button gated behind a clearance level your stolen account doesn't have. Find a way.

ReportVerse
medium

ReportVerse is a SaaS for generating branded PDF reports from "any HTTP data source — internal staging APIs, dashboards behind your firewall, or anything you can point us at." Their marketing copy says the quiet part out loud, and their engineers built exactly what was promised. Generate a few reports, read carefully, and see what the renderer is happy to bring back for you.

Angry Teacher
easy

South Park Elementary's grading portal is held together by a single developer's bad day. You log in as one of Mr. Garrison's struggling students, see all your failing grades, and somewhere on the page is a thread to pull. The teacher's API key is around here somewhere; once you find it, the rest writes itself.

Smoothie
foundational

Citrine Juice Co. is a one-bar operation in Boston's South End — six bar stools, a glass case of cold-pressed bottles, and a Saturday-morning regulars list taped to the side of the espresso machine. Margot opened it in 2019 and built the online-ordering site herself a year later. The login form was the last thing she touched before she stopped touching the code.

PhoneVault
medium

PhoneVault's CTO got a tip from a former contractor: "a regular customer account is enough to pull the moderator's session." Two weeks before launch, she's not taking chances. Sign up, look around, and see if you can reach the admin dashboard.

FrostByte
hard

A tech consulting firm's public website and admin systems hide a sophisticated attack chain involving LDAP injection, password reset manipulation, and SQL injection leading to full system compromise.

VoxLink
medium

VoxLink Communications built a streamlined customer portal for their business phone service clients. The portal allows customers to access billing statements, usage reports, and phone system configuration files. They also maintain a comprehensive help system at help.voxlink.local. As a security researcher, you've been asked to test both the main portal and help system. The features seem professional and well-built, but sometimes the most polished interfaces hide the most interesting vulnerabilities. Start by exploring the customer portal and see what other services you can discover.

Hearth
medium

Hearth is a small Brooklyn bakery owned by Mickey, who started with sourdough out of a Bed-Stuy kitchen and grew into a wholesale operation supplying cafes, hotels, and restaurants across the city. The customer-facing storefront lists the day's bakes; the staff CRM — running on its own subdomain — handles wholesale accounts, daily order schedules, and team tasks. Mickey's competitor's tech-savvy cousin claimed at a wedding last weekend that they'd "seen all the customer data." Mickey laughed it off. The next day three of Hearth's biggest wholesale accounts received cold-call pitches from that same competitor. Find the path. Start at the public storefront and end with proof you can read whatever's on Mickey's machine.

NewsForge
easy

NewsForge started as a side project by a local developer who wanted to share tech conference updates and open-source project milestones with the community. The platform grew organically — users can register, browse articles, and use the search feature to find content. The developer was proud of the simple, clean interface and basic functionality. But during a recent security audit, a colleague mentioned they noticed some unusual behavior in the search results. The search seems to return more than just article content. Find what the search is really doing and prove you can access sensitive information.