- Green Badge
- Online
- Todo
- Ruby/Sinatra
- Green Badge
- Online
- Todo
- Authentication / Authorization Badge
- Online
- Todo
- Ruby-On-Rails
OAuth2: Client OpenRedirect
This exercise covers the exploitation of an OpenRedirect in the OAuth2 Client
- Green Badge
- Online
- Todo
- 1 video
- Ruby-on-Rails
CVE-2019-5420
This exercise details the exploitation of CVE-2019-5420 to forge a session as another user
- Green Badge
- Online
- Todo
- Ruby/Sinatra
- Green Badge
- Online
- Todo
- GraphQL/Node/Angular/SQLite3
GraphQL: SQL Injection
This exercise covers how to use introspection and a SQL injection to get access to additional information in GraphQL.
- Authentication / Authorization Badge
- Online
- Todo
- Ruby-On-Rails
OAuth2: Authorization Server OpenRedirect
This exercise covers the exploitation of an OpenRedirect in the Authorization Server
- Green Badge
- Online
- Todo
- 2 videos
- Ruby/Sinatra
- Green Badge
- Online
- Todo
- Golang
Gogs RCE II
This exercise covers how to get code execution against the Git self hosted tool: Gogs.
- Green Badge
- Online
- Todo
- 2 videos
- Ruby/Sinatra
JWT VIII
This exercise covers how to use the jku header to bypass an authentication based on JWT.
- Authentication / Authorization Badge
- Online
- Todo
- 1 video
- RoR
SAML: Signature Stripping
This exercise covers the exploitation of a signature stripping vulnerability in SAML
- Green Badge
- Online
- Todo
- GraphQL/Node/Angular
GraphQL Introspection
This exercise covers how to use introspection to get access to additional information in GraphQL.
- Green Badge
- Online
- Todo
- Golang
- Android Badge
- Offline
- Todo
Android 07
This exercise will guide through the process of reversing simple obfuscated Android code
- Android Badge
- Offline
- Todo
Android 06
This exercise will guide through the process of reversing simple obfuscated Android code
- Android Badge
- Offline
- Todo
Android 05
This exercise will guide through the process of reversing simple obfuscated Android code
- Green Badge
- Online
- Todo
- Ruby/Sinatra
Ruby 2.x Universal RCE Deserialization Gadget Chain
This exercise covers how to get code execution by using a Ruby Universal Gadget when an attacker controls the data passed to Marshal.load()
- Offline
- Todo
- ISO (23MB)
CVE-2018-10933: LibSSH auth bypass
This exercise covers how one can bypass the authentication of an SSH server based on libssh to gain a shell on the impacted system
- Android Badge
- Offline
- Todo
- Android Badge
- Offline
- Todo
- 1 video
Android 03
This exercise will guide through the process of extracting simple information from an APK
- Green Badge
- Online
- Todo
- Ruby-on-Rails
From SQL injection to Shell III
This exercise covers how to gain access to an administration interface using SQL injection followed by how to get command execution using ImageTragick
- Android Badge
- Offline
- Todo
- 1 video
Android 02
This exercise will guide through the process of extracting data from a simple database used by an Android app
- Green Badge
- Online
- Todo
- 2 videos
- Ruby-on-Rails
IDOR to Shell
This exercise covers how to get code execution by chaining vulnerabilities in a Ruby-on-Rails application
- Android Badge
- Offline
- Todo
- 1 video
Android 01
This exercise will guide through the process of extracting simple information from an APK
- Orange Badge
- Online
- Todo
Introduction to CSP
This exercise details the exploitation of a XSS in a simple web application that uses Content Security Policy
- Orange Badge
- Online
- Todo
CVE-2018-11235: Git Submodule RCE
This exercise details the exploitation of a vulnerability in Git Sub module that can be used to get command execution
- Blue Badge
- Online
- Todo
Git Information Leak II
This exercise details how to retrieve information from an exposed .git directory on a web server. This time, the directly listing is disabled
- Blue Badge
- Online
- Todo
- 1 video
Git Information Leak
This exercise details how to retrieve information from an exposed .git directory on a web server
- Blue Badge
- Online
- Todo
JWT VII
This exercise covers the exploitation of a website using JWT for session without verifying the signature
- Orange Badge
- Online
- Todo
- 2 videos
CVE-2016-5386: HTTPoxy
This exercise covers the exploitation of HTTPoxy against an old version of Golang
- Blue Badge
- Online & Offline
- Todo
- 1 video
CBC-MAC II
This exercise covers the exploitation of an application using CBC-MAC when an attacker has control over the IV
- Blue Badge
- Online
- Todo
- 1 video
JWT VI
This exercise covers the exploitation of an injection in the kid element of a JWT. This injection can be used to bypass the signature mechanism
- Orange Badge
- Online
- Todo
CVE-2018-6574: go get RCE
This exercise covers a remote command execution in Golang's go get command.
- Blue Badge
- Online
- Todo
- 1 video
- Blue Badge
- Online
- Todo
- 1 video
CVE-2018-0114
This exercise details the exploitation of a vulnerability in Cisco's node-jose, a JavaScript library created to manage JWT
- Blue Badge
- Online
- Todo
- 1 video
JWT IV
This exercise covers the exploitation of a vulnerability similar to the recent CVE-2017-17405 impacting Ruby Net::FTP
- Blue Badge
- Online & Offline
- Todo
- 2 videos
CBC-MAC
This exercise covers the exploitation of signature of non-fixed size messages with CBC-MAC
- Blue Badge
- Online
- Todo
- 1 video
- Todo
- PHP
Introduction to code review
This exercise covers the different ways to perform code review. It also contains a simple application to review to help you get started.
- Blue Badge
- Online & Offline
- Todo
- ISO (95MB)
- Java/Struts
S2-052
This exercise covers the exploitation of the Struts S2-052 vulnerability
- Authentication / Authorization Badge
- Online
- Todo
- 1 video
- RoR
SAML: Introduction
This exercise covers the exploitation of a signature stripping vulnerability in SAML
- Yellow Badge
- Online
- Todo
- PHP
CVE-2016-10033: PHPMailer RCE
This exercise covers a remote code execution vulnerability in PHPMailer
- Yellow Badge
- Online & Offline
- Todo
- 2 videos
- PHP
- Yellow Badge
- Online & Offline
- Todo
- Tomcat/Struts
- Yellow Badge
- Online
- Todo
- Rails
CVE-2016-2098
This exercise covers a remote code execution vulnerability in Ruby-on-Rails when using render on user-supplied data
- Offline
- Todo
- PHP/Git
CVE-2014-4511: Gitlist RCE
This exercise explains how you can exploit a vulnerability published in 2014 in Gitlist.
- Capture-The-Flag Badge
- Online
- Todo
- PHP/Apache/Mysql
- Capture-The-Flag Badge
- Online
- Todo
- Python
Werkzeug DEBUG
This challenge was written for Ruxcon CTF 2015 and cover the Debug mode of Werkzeug/Flask
- Capture-The-Flag Badge
- Online & Offline
- Todo
- ISO (25MB)
- PHP
Padding Oracle
This exercise covers an attack against CBC mode. This attack can be used to decrypt data and re-encrypt arbitrary data
- Capture-The-Flag Badge
- Online
- Todo
- Python
Unickle
This challenge was written for Ruxcon CTF 2015. It's an SQL injection mixed with a remote code execution.
- Capture-The-Flag Badge
- Online
- Todo
- Rails
- Capture-The-Flag Badge
- Online
- Todo
- Python
- Serialize Badge
- Online
- Todo
- Rails
CVE-2013-0156
This exercise covers the exploitation of a code execution in Ruby-on-Rails using XML and YAML.
- Yellow Badge
- Online & Offline
- Todo
- 2 videos
- PHP
JSON Web Token II
This exercise covers the exploitation of an issue with some implementations of JWT
- Serialize Badge
- Online & Offline
- Todo
- Java/Tomcat
- Serialize Badge
- Online & Offline
- Todo
- 1 video
- Java
ObjectInputStream
This exercise covers the exploitation of a call to readObject in a Spring application
- Serialize Badge
- Online & Offline
- Todo
- 1 video
- Java
- Intercept Badge
- Online & Offline
- Todo
- HTTP/TLS
- Intercept Badge
- Online & Offline
- Todo
- 1 video
- HTTP/TLS
- Intercept Badge
- Online & Offline
- Todo
- HTTP/TLS
Man-in-the-Middle III
This exercise covers how to intercept an HTTPs connection with hostname verification.
- Intercept Badge
- Online & Offline
- Todo
- 2 videos
- HTTP/TLS
- Intercept Badge
- Online & Offline
- Todo
- 1 video
- HTTP
- Offline
- Todo
- Tomcat/Struts
Struts devMode
This exercise covers how to get code execution when a Struts application is running in devMode
- White Badge
- Online & Offline
- Todo
- 2 videos
- PHP/Apache/Mysql
- Orange Badge
- Online & Offline
- Todo
- PHP/Apache/Mysql
Cross-Origin Resource Sharing
This exercise covers Cross-Origin Resource Sharing and how it can be used to bypass CSRF protection if misconfigured.
- Serialize Badge
- Online & Offline
- Todo
- 6 videos
- PHP/Apache/Mysql
API to Shell
This exercise covers the exploitation of PHP type confusion to bypass a signature and the exploitation of unserialize.
- White Badge
- Online & Offline
- Todo
- 1 video
- Python
Pickle Code Execution
This exercise covers the exploitation of Python's pickle when used to deserialize untrusted data
- Yellow Badge
- Online & Offline
- Todo
- ISO (294MB)
- Java/Play
Play XML Entities
This exercise covers the exploitation of a XML entities in the Play framework.
- White Badge
- Online & Offline
- Todo
- ISO (19MB)
- 1 video
- CGI/Apache/Bash
CVE-2014-6271/Shellshock
This exercise covers the exploitation of a Bash vulnerability through a CGI.
- Yellow Badge
- Online & Offline
- Todo
- ISO (280MB)
- 1 video
- Java/Play
Play Session Injection
This exercise covers the exploitation of a session injection in the Play framework. This issue can be used to tamper with the content of the session while bypassing the signing mechanism
- White Badge
- Online & Offline
- Todo
- ISO (191MB)
- 2 videos
- Tomcat/Apache
CVE-2007-1860: mod_jk double-decoding
This exercise covers the exploitation of CVE-2007-1860. This vulnerability allows an attacker to gain access to unaccessible pages using crafted requests. This is a common trick that a lot of testers miss.
- Orange Badge
- Online & Offline
- Todo
- ISO (178MB)
- PHP/Apache/Mysql
XSS and MySQL FILE
This exercise explains how you can use a Cross-Site Scripting vulnerability to get access to an administrator's cookies. Then how you can use his/her session to gain access to the administration to find a SQL injection and gain code execution using it.
- White Badge
- Online & Offline
- Todo
- ISO (169MB)
- 2 videos
- PHP/Apache
Electronic Code Book
This exercise explains how you can tamper with an encrypted cookies to access another user's account.
- Offline
- Todo
- ISO (353MB)
- Ruby/Rack
Web for Pentester II
This exercise is a set of the most common web vulnerabilities.
- Offline
- Todo
- ISO (170MB)
- PHP/Apache/Mysql
From SQL Injection to Shell II
This exercise explains how you can, from a blind SQL injection, gain access to the administration console. Then once in the administration console, how you can run commands on the system.
- Offline
- Todo
- ISO (162MB)
- Python
CVE-2012-6081: MoinMoin code execution
This exercise explains how you can exploit CVE-2012-6081 to gain code execution. This vulnerability was exploited to compromise Debian's wiki and Python documentation website
Web for Pentester
This exercise is a set of the most common web vulnerabilities.
- Offline
- Todo
- ISO (221MB)
- Tomcat/Axis2
Axis2 Web service and Tomcat Manager
This exercice explains the interactions between Tomcat and Apache, then it will show you how to call and attack an Axis2 Web service. Using information retrieved from this attack, you will be able to gain access to the Tomcat Manager and deploy a WebShell to gain commands execution.
- Offline
- Todo
- ISO (170MB)
- PHP/Apache/Mysql
CVE-2008-1930: Wordpress 2.5 Cookie Integrity Protection Vulnerability
This exercise explains how you can exploit CVE-2008-1930 to gain access to the administration interface of a Wordpress installation.
- Offline
- Todo
- ISO (162MB)
- PHP/PostgreSQL
From SQL Injection to Shell: PostgreSQL edition
This exercise explains how you can from a SQL injection gain access to the administration console. Then in the administration console, how you can run commands on the system.
- Offline
- Todo
- ISO (318MB)
- Ruby/Rack
Rack Cookies and Commands injection
After a short brute force introduction, this exercise explains the tampering of rack cookie and how you can even manage to modify a signed cookie (if the secret is trivial). Using this issue, you will be able to escalate your privileges and gain commands execution.
- Offline
- Todo
- ISO (184MB)
- Linux
Linux Host Review
This exercise explains how to perform a Linux host review, what and how you can check the configuration of a Linux server to ensure it is securely configured. The reviewed system is a traditional Linux-Apache-Mysql-PHP (LAMP) server used to host a blog.
- Offline
- Todo
- ISO (332MB)
- Rails
CVE-2012-2661: ActiveRecord SQL injection
This exercise explains how you can exploit CVE-2012-2661 to retrieve information from a database
- Offline
- Todo
- ISO (172MB (64b))
- PHP/Apache
CVE-2012-1823: PHP CGI
This exercise explains how you can exploit CVE-2012-1823 to retrieve the source code of an application and gain code execution.
- Offline
- Todo
- ISO (171MB)
- PHP/Apache/Mysql
PHP Include And Post Exploitation
This exercise describes the exploitation of a local file include with limited access. Once code execution is gained, you will see some post exploitation tricks.
- White Badge
- Online & Offline
- Todo
- ISO (169MB)
- 1 video
- PHP/Apache/Mysql
- Meetup pack
From SQL Injection to Shell
This exercise explains how you can, from a SQL injection, gain access to the administration console, then in the administration console, how you can run commands on the system.
- Android Badge
- Offline
- Todo
Android 08
This exercise will guide through the process of reversing simple obfuscated Android code to recover encrypted data
© PentesterLab. ALL Rights Reserved. | Terms and conditions | Privacy Policy