WEBVERSE

Apsis
medium | Pro

Apsis is a Mojave-based commercial rocket manufacturer. Quote requests flow through a public contact form into an admin triage panel, with rocket specs served from a customer-facing API.

Tags: stored-xss, admin-bot-exfiltration, sqli, sqli-into-outfile, secure-file-priv-bypass, php-web-shell, command-execution
Stack: php, apache, python, fastapi, mysql, nginx, puppeteer, chromium

The Scenario

Apsis is a Mojave-based commercial rocket manufacturer building small-payload launchers for Tier-2 commercial customers. Their stack spans a marketing site with a customer contact form, a rocket-specifications API, and an internal admin panel where the ops team triages incoming quote requests.

After a competitor publicly referenced internal pricing details that were never made public, leadership suspects an attacker may have penetrated the customer-quote workflow. You've been brought in for an external assessment — start at the public site as an anonymous attacker and determine whether the contact form, admin triage panel, or quoting database can be reached.

Lab Intel

Synopsis

Apsis have enlisted your services to assess their commercial rocket manufacturing platform after a competitor publicly referenced internal quote details. The chain spans a public marketing site, an admin triage panel, and a hardened-but-misconfigured MySQL backend.

Architecture

A medium-difficulty multi-service lab built on six containers — an nginx gateway, two PHP/Apache surfaces (public marketing site and admin panel), a FastAPI rocket-specs service, a Puppeteer-driven headless Chrome admin bot, and a MySQL backend hardened with secure_file_priv. The chain combines stored XSS exfiltration via a real headless browser bot, captured-cookie session reuse, and a SQL-injection-to-PHP-web-shell pivot that's forced (because LOAD_FILE is blocked) to write rather than read.

Who It's For

Built for intermediate testers comfortable chaining XSS with backend exploitation. You should have prior experience with cookie-based session attacks, UNION-based SQL injection, and basic PHP execution patterns. Familiarity with how MySQL's secure_file_priv constrains file primitives is a plus.

Skills You'll Practice

  • Stored XSS payload crafting and DOM exfiltration
  • HTTP cookie capture and reuse for session hijacking
  • UNION-based SQL injection enumeration
  • Understanding of MySQL file primitives (LOAD_FILE vs INTO OUTFILE)
  • Basic PHP web shell deployment

What You'll Gain

  • Stored XSS sink identification across HTML escaping inconsistencies
  • Cookie exfiltration to an out-of-band listener
  • SQLi-to-RCE via INTO OUTFILE when LOAD_FILE is blocked
  • Multi-service attack chaining: web → bot → admin → DB → shell
