Arcadenal
Arcadenal is a retro arcade startup with a token-based onboarding system, player profiles, and an internal search API.
The Scenario
Arcadenal is a nostalgia-driven arcade startup. To prevent "cheaters" from signing up, they added manual approvals.
One small problem: their dev tooling and backups are still hanging around in production.
Lab Intel
Synopsis
Arcadenal have enlisted your services to assess their token-based onboarding system and player profile management platform. They suspect leftover development tooling and backup files in production may be exposing sensitive data and enabling unauthorized account access.
Architecture
A medium-difficulty single-service lab simulating a retro arcade startup built on Flask with a JSON datastore. What makes it distinctive is the chain from exposed backups to NoSQL-style injection to an insecure upsert that lets you hijack admin accounts through the approval workflow.
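As a generic illustration of the two bug classes the synopsis names (operator injection into a JSON-document query, and an upsert that merges caller-controlled fields), here is an added Python example that puts each vulnerable pattern beside a hardened counterpart. It is constructed for this page and is not the Arcadenal lab's code; the sample records, field names, operator dialect and function names are all assumptions, and the exploit inputs are generic rather than lab-specific.

```python
"""Constructed illustration of NoSQL-style operator injection and an
insecure upsert against an in-memory JSON datastore. Not lab code."""
import copy
import re

# Constructed sample records standing in for a JSON file on disk (assumption).
SEED_USERS = [
    {"username": "alice", "password": "hunter2", "role": "player", "approved": True},
    {"username": "bob", "password": "letmein", "role": "player", "approved": False},
    {"username": "admin", "password": "c0rrect-h0rse", "role": "admin", "approved": True},
]


def _match_value(stored, cond):
    """Evaluate one field condition in a small MongoDB-like operator dialect (assumed)."""
    if not isinstance(cond, dict):
        return stored == cond
    for op, arg in cond.items():
        if op == "$ne":
            ok = stored != arg
        elif op == "$gt":
            ok = stored is not None and stored > arg
        elif op == "$regex":
            ok = re.search(arg, str(stored)) is not None
        else:
            ok = False  # unknown operator never matches
        if not ok:
            return False
    return True


def find_unsafe(users, query):
    """Vulnerable: the query dict is taken straight from request JSON, so a
    client can smuggle an operator ({"$ne": ""}) where a scalar was expected."""
    return [u for u in users if all(_match_value(u.get(k), v) for k, v in query.items())]


def find_safe(users, username, password):
    """Hardened: credentials must be plain strings; structured values are rejected."""
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("credentials must be strings")
    return [u for u in users if u["username"] == username and u["password"] == password]


def upsert_unsafe(users, doc):
    """Vulnerable: every submitted key is merged into the matching record,
    including fields the caller must never control (role, approved)."""
    for u in users:
        if u["username"] == doc.get("username"):
            u.update(doc)
            return u
    users.append(dict(doc))
    return users[-1]


PROFILE_FIELDS = {"display_name", "favorite_game"}  # allowlist (assumption)


def upsert_safe(users, username, doc):
    """Hardened: match on the authenticated identity, not a caller-chosen key,
    and copy only allowlisted string-valued profile fields."""
    clean = {k: v for k, v in doc.items() if k in PROFILE_FIELDS and isinstance(v, str)}
    for u in users:
        if u["username"] == username:
            u.update(clean)
            return u
    raise KeyError("unknown user")  # the safe path never creates accounts


def demo():
    """Run both attacks against the vulnerable code, then the hardened code."""
    users = copy.deepcopy(SEED_USERS)
    # Operator injection: "log in as admin with any non-empty password".
    injected = find_unsafe(users, {"username": "admin", "password": {"$ne": ""}})
    # Insecure upsert: an attacker-supplied body rewrites role and approval.
    hijacked = upsert_unsafe(users, {"username": "bob", "role": "admin", "approved": True})
    try:
        find_safe(users, "admin", {"$ne": ""})
        safe_login_rejected = False
    except ValueError:
        safe_login_rejected = True
    users2 = copy.deepcopy(SEED_USERS)
    kept = upsert_safe(users2, "bob", {"role": "admin", "display_name": "Bob"})
    return {
        "injected_usernames": [u["username"] for u in injected],
        "hijacked_role": hijacked["role"],
        "safe_login_rejected": safe_login_rejected,
        "safe_upsert_role": kept["role"],
        "safe_upsert_name": kept.get("display_name"),
    }


if __name__ == "__main__":
    print(demo())
```

The two defences are deliberately boring: reject non-scalar values before they reach the query layer, and never let the request body choose which record is written or which fields are updated. Both are the checks to look for when reviewing a Flask handler that passes `request.get_json()` into a datastore call.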
Who It's For
Aimed at intermediate penetration testers who have completed beginner web challenges and are ready to chain multiple vulnerabilities together. You should be comfortable with HTTP request interception, manual API exploration, and basic injection techniques.
Skills You'll Practice
- HTTP proxying and request manipulation (Burp Suite or similar)
- REST API enumeration and directory brute-forcing
- Basic knowledge of NoSQL/JSON query operators
- Familiarity with authentication and session management concepts
What You'll Gain
- Backup file discovery and sensitive data extraction
- NoSQL query injection against JSON datastores
- Insecure upsert exploitation for account takeover
- Approval token enumeration
- Multi-stage vulnerability chaining