WEBVERSE

Loading...

Pixel Pivot
hardPro

Pixel Pivot

Pixel Pivot is an indie game studio portal with a build pipeline, playtest coordination, team chat, and a self-hosted Git repository.

sqliotp-brute-forcecredential-reusecredential-leak-in-chatapi-key-in-git-historycommand-injectionmulti-service
pythonfastapisqlitenginxdocker
Unlock with Pro

The Scenario

PixelPivot is an indie game studio's internal portal that coordinates builds, playtest invites, and asset delivery between contractors and QA.

A contractor account was flagged for suspicious activity right after a major patch, and the studio is worried their build pipeline and internal chat tooling may be exposed. You've been asked to validate the studio's "internal-only" assumptions and show what a motivated attacker could access starting from the public-facing app.

Lab Intel

Synopsis

Pixel Pivot have enlisted your services to assess their indie game studio's internal portal after a contractor account was flagged for suspicious activity following a major patch release. The studio needs you to validate their assumption that build pipeline tooling, team chat, and source control are safely isolated from external access.

Architecture

A hard-difficulty lab with five services -- an nginx reverse proxy, a FastAPI web portal, a team chat application, a self-hosted Gitea instance, and an internal API -- all networked behind a single entry point. The attack path is a seven-stage chain that starts with SQL injection, moves through OTP brute-forcing and credential reuse, pivots across chat and Git history, and culminates in command injection against an internal endpoint.

Who It's For

Designed for experienced penetration testers who want to practice realistic multi-service pivoting across diverse application types. You should be comfortable with SQL injection techniques, credential analysis, and basic Git operations before starting this lab.

Skills You'll Practice

  • Proficiency with SQL injection (authentication bypass and UNION-based extraction)
  • Understanding of OTP and password reset flow weaknesses
  • Familiarity with Git version control and commit history inspection
  • Experience with credential reuse and cross-service pivoting
  • Basic command injection techniques

What You'll Gain

  • SQL injection authentication bypass
  • UNION-based credential extraction
  • OTP brute-force exploitation
  • Cross-service credential reuse
  • Git commit history secret recovery
  • Internal API command injection

Ready to hack Pixel Pivot?

Upgrade to Pro to unlock this lab and the full library.

View Pro Plans