Intertie
Intertie is a grid operations SaaS provider running four interconnected subdomains — an ops platform, a GraphQL API, a field meter portal, and a dispatch queue.
The Scenario
VoltLatch is a Denver-based electric utility grid operations SaaS provider supporting substations across the western US. Their internet-facing stack spans four subdomains: an operations dashboard, a GraphQL data API, a field meter management portal, and a dispatch coordination system. You have been engaged to assess their external attack surface. Start at app.voltlatch.io and chain every weakness you find until you reach the NERC CIP audit result cached in the dispatch backend.
Lab Intel
Synopsis
VoltLatch operate a multi-subdomain grid operations platform. A JavaScript bundle at the entry point leaks internal hostnames — following those leads exposes a GraphQL scope escalation, a WAF-bypassed SQL injection, a crackable HMAC OTP, and finally a gopher:// SSRF into a Redis cache holding the NERC CIP audit flag.
Architecture
A hard-difficulty lab featuring five interconnected services — an nginx gateway, a Flask operations dashboard, a Flask GraphQL API portal, a Node.js field meter service, and a Flask dispatch system — modelling a realistic utility grid SaaS stack. The six-stage attack chain spans all four application subdomains and requires subdomain discovery, GraphQL enumeration, WAF bypass, SQL injection, OTP cracking, and protocol-level SSRF.
Who It's For
Built for intermediate to advanced penetration testers comfortable working across multiple services and protocols. You should have hands-on experience with GraphQL enumeration, SQL injection, and SSRF before attempting this lab. The OTP brute-force step requires writing a small script.
Skills You'll Practice
- JavaScript source analysis and subdomain enumeration
- GraphQL query construction and field suggestion exploitation
- SQL injection (UNION-based) and WAF evasion via encoding
- HMAC-SHA256 computation for OTP brute-forcing
- SSRF via HTTP and gopher:// protocols
- Redis protocol fundamentals
What You'll Gain
- Subdomain discovery through client-side asset analysis
- GraphQL scope escalation and schema inference without introspection
- Double URL-encoding to bypass input validation rules
- UNION SELECT injection across a multi-table schema
- HMAC-based OTP cracking from a debug field leak
- Blind SSRF port scanning and gopher:// exploitation against Redis