Leak Lore
Leak Lore is an online collectibles marketplace with order tracking, invoice downloads, seller messaging, and an internal operations dashboard.
The Scenario
Leak Lore is an online marketplace for limited-run collectibles where customers track orders, download invoices, and message sellers.
After a spike in support tickets about 'wrong invoices' and 'mystery refunds', the team suspects their account and order tooling is exposing data across user boundaries. At the same time, an internal ops dashboard meant for staff-only triage has started showing up in public browser history screenshots.
You are brought in to simulate a real attacker: begin as a normal internet user, follow the same UI flows a customer would, and determine whether you can observe or influence anything that should be private. Document what a breach would look like in practice and what business impact it would have if exploited at scale.
Lab Intel
Synopsis
Leak Lore have enlisted your services to investigate a spike in support tickets about wrong invoices and mystery refunds on their collectibles marketplace. Internal staff suspect that account and order tooling is leaking data across user boundaries, and that an ops dashboard meant for staff-only use may be publicly accessible.
Architecture
A hard-difficulty multi-service lab with six containers: an nginx reverse proxy, a customer-facing store, a REST API, separate user and admin authentication services, and a production handler. The architecture creates realistic service boundaries that must be crossed through credential reuse, SSRF pivoting, and command injection to reach the final flag.
Who It's For
Built for experienced penetration testers who are comfortable with multi-service architectures and want to practice chaining BOLA, SSRF, and command injection across network boundaries. You should have prior experience exploiting IDOR/BOLA vulnerabilities, crafting SSRF payloads, and bypassing input filters.
Skills You'll Practice
- IDOR and broken object-level authorization (BOLA) exploitation
- SSRF payload crafting and internal service pivoting
- Command injection techniques and filter evasion
- HTTP proxy interception and request analysis
- Credential harvesting and reuse across services
- Mapping microservice network topologies
What You'll Gain
- BOLA exploitation for cross-user data enumeration
- Credential reuse across authentication boundaries
- SSRF through invoice download endpoints
- Internal backup endpoint discovery via SSRF
- Command injection blacklist bypass techniques
- End-to-end attack chain across six microservices
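The BOLA and SSRF items above both pass through the same kind of endpoint: an invoice download that looks up a record by id and then fetches a file on the server's behalf. The following is an added illustration, not code from the Leak Lore lab, of the two checks such an endpoint needs so that neither class is reachable through it. The names (Invoice, INVOICES, fetch_invoice, validate_source, ALLOWED_HOSTS) and the sample invoices are hypothetical and constructed for the example.

```python
"""Added example, not lab code: object-level authorization plus an
outbound-fetch allowlist for an invoice download endpoint.
All names and sample data below are hypothetical."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    source_url: str  # where the rendered PDF is fetched from server-side


# Constructed sample data: two customers, one invoice each.
INVOICES = {
    1001: Invoice(1001, owner_id=7, source_url="https://invoices.internal.example/1001.pdf"),
    1002: Invoice(1002, owner_id=8, source_url="https://invoices.internal.example/1002.pdf"),
}


class Forbidden(Exception):
    pass


class BadSource(Exception):
    pass


def fetch_invoice_vulnerable(invoice_id: int, requesting_user_id: int) -> Invoice:
    """BOLA: the record is selected by id alone, so any authenticated
    user can pull any invoice by changing the id in the request."""
    return INVOICES[invoice_id]


def fetch_invoice(invoice_id: int, requesting_user_id: int) -> Invoice:
    """Hardened: the lookup is scoped to the caller. A missing invoice and
    someone else's invoice get the same error, so ids cannot be enumerated
    by comparing responses."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != requesting_user_id:
        raise Forbidden("invoice not found")
    return inv


# Only hosts the invoice service is meant to fetch from.
ALLOWED_HOSTS = {"invoices.internal.example"}


def validate_source(url: str) -> str:
    """SSRF guard for the server-side fetch: scheme allowlist, no userinfo
    (blocks host@evil tricks), no literal private/loopback/link-local
    address, and an explicit host allowlist. Returns the normalized URL."""
    p = urlparse(url)
    if p.scheme != "https":
        raise BadSource("scheme not allowed")
    if p.username or p.password:
        raise BadSource("userinfo in URL")
    host = p.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None and (ip.is_private or ip.is_loopback
                           or ip.is_link_local or ip.is_reserved):
        raise BadSource("private address")
    if host not in ALLOWED_HOSTS:
        raise BadSource("host not allowlisted")
    return p.geturl()


def can_download(invoice_id: int, user_id: int) -> bool:
    """Boolean wrapper around the hardened lookup, for tests and handlers."""
    try:
        fetch_invoice(invoice_id, user_id)
        return True
    except Forbidden:
        return False


def is_safe_source(url: str) -> bool:
    """Boolean wrapper around validate_source."""
    try:
        validate_source(url)
        return True
    except BadSource:
        return False


if __name__ == "__main__":
    print(fetch_invoice_vulnerable(1002, 7))        # wrong user, still returned
    print(can_download(1002, 7))                     # False after the ownership check
    print(is_safe_source("https://169.254.169.254/latest/meta-data/"))  # False
```

The host allowlist is checked on the literal hostname only; a production guard must also resolve the name and re-check the resulting address (and pin it for the actual connection) so that DNS rebinding or an allowlisted name that resolves to an internal address cannot slip past, and redirects must be disabled or re-validated per hop. The ownership check belongs at the data-access layer, not only in the UI, because the lab's premise is that the API is reached directly.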