Bomb Threat
A terrorist group has armed a remote-detonation device in London and is demanding ransom. Infiltrate the NEXUS Control portal, bypass weak multi-factor auth, and forge an elevated clearance token to deactivate the bomb before the timer hits zero.
The Scenario
An anonymous group calling itself NEXUS has placed a 15-kiloton device under Central London and is demanding $10,000,000 within 24 hours. The detonator is wired to a remote control panel called NEXUS Control — your task is to break in, climb out of the maintenance role you'll land with, and trigger the deactivate endpoint with the right clearance. Their portal is a single-page console with login, MFA, and a "deactivate" button gated behind a clearance level your stolen account doesn't have. Find a way.
Lab Intel
Synopsis
A multi-step authentication portal that accepts SQL injection in its login query, leaks one-time passwords through a debug field in the MFA response, and trusts a custom JWT parser that accepts alg=none tokens with forged clearance claims.
Architecture
A medium-difficulty single-container Node.js + Express service backed by an in-memory SQLite database, fronted by an nginx gateway. The lab strings three weaknesses into one chain: SQL injection (or pre-filled credentials) gets you past the password gate, debug-field information disclosure leaks the OTP that the MFA step then accepts, and a hand-rolled JWT parser skips signature verification whenever the header advertises alg=none — letting you forge a higher-clearance token and call a privileged endpoint.
Who It's For
Built for learners working through JWT implementation flaws and multi-step authentication-bypass chains. You should be comfortable with HTTP requests, JSON, and base64 — prior exposure to the structure of a JWT (header.payload.signature) and to what a signing algorithm does will make this faster, but the lab teaches it either way.
Skills You'll Practice
- Identifying SQL injection in login forms that concatenate user input into queries
- Spotting debug or development-only fields accidentally shipped in API responses
- Recognising the JWT alg=none confusion attack and crafting an unsigned token by hand
- Forging JWT payload claims (role, clearance, subject) to escalate privileges without knowing the signing key
- Chaining unrelated weaknesses across the login → MFA → privileged-action flow into one continuous exploit
What You'll Gain
- Understanding why a single permissive code path in a custom JWT parser collapses the entire auth model
- A mental model of password, MFA, and token-signature checks as separate gates that must each hold on their own: one weak gate breaks the whole chain
- Recognition that debug or development metadata leaked in API responses is a first-class attack surface
- Comfort reading and writing base64url-encoded JWT segments by hand without library help
- Awareness of why production code should reject alg=none outright instead of trusting header-declared algorithms