Parcel
A residential real estate portal with more going on under the hood than it appears.
The Scenario
GridMark is an Austin-based property listing startup that launched in 2023. The platform
lets home buyers browse, search, and save listings across the city.
A recent internal audit flagged part of the platform as "needs review" — but the ticket
was never prioritised. Meanwhile, the ops team has been taking shortcuts to make their
lives easier.
You've been brought in for a black-box assessment. The application looks clean on the
surface. Dig deeper.
Lab Intel
Synopsis
Enumerate, exploit, and escalate your way to the platform's most sensitive configuration.
Architecture
A realistic property listing web app with a multi-step attack chain requiring enumeration, injection, and credential access.
Who It's For
Pentesters and students comfortable with web application basics who want to practice chaining vulnerabilities across a realistic target.
Skills You'll Practice
- Web application enumeration
- Basic SQL injection concepts
- Reading and interpreting HTTP responses
What You'll Gain
- Identifying injection points beyond obvious inputs
- Blind data extraction techniques
- Offline credential cracking
- Multi-step attack chain execution