HarborLedger
HarborLedger is a shipping reconciliation platform with partner portals, invoice settlement workflows, and an internal operations bridge.
The Scenario
HarborLedger is the reconciliation platform used by a shipping conglomerate and its partners to settle invoices, credits, and proof-of-delivery disputes.
Partner support has been flooded with complaints about "phantom adjustments" and inconsistent account views. Leadership believes the issue isn't just a bug; there may be a security flaw in the workflow. Your mission is to reproduce the exposure, identify what can be accessed, and confirm whether sensitive financial artifacts can be pulled from the system.
Lab Intel
Synopsis
HarborLedger has enlisted your services to investigate reports of phantom adjustments and inconsistent account views on their shipping reconciliation platform. Leadership suspects a security flaw in the partner workflow may be allowing unauthorized access to sensitive financial artifacts.
Architecture
A medium-difficulty single-service lab simulating a shipping reconciliation platform built on Flask with multiple virtual subdomains (portal, auth, API, files). The lab stands out for its realistic partner-onboarding workflow where exposed fixtures and invite-abuse lead to privilege escalation, and an open-redirect-to-SSRF chain unlocks internal operations endpoints.
Who It's For
Suited for intermediate penetration testers comfortable with web application testing who want to practice privilege escalation and SSRF chains. You should have experience with cookie-based auth flows and HTTP header analysis, and a basic understanding of how redirect-based attacks work.
Skills You'll Practice
- HTTP proxying and cookie/session manipulation
- Understanding of role-based access control and privilege escalation patterns
- Familiarity with open redirect and SSRF attack concepts
- Ability to read and interpret JSON data fixtures
- Basic knowledge of URL parsing and host validation bypasses
What You'll Gain
- Exposed fixture discovery and invite code harvesting
- Invite-to-role mapping abuse for privilege escalation
- HTTP response header analysis for internal endpoint discovery
- Open redirect to SSRF chaining against host allowlists
- Internal API token extraction from diagnostics endpoints
- Token-authenticated internal export exfiltration