PRO

CVE-2016-10033: PHPMailer RCE

  • Difficulty:

This exercise covers a remote code execution vulnerability in PHPMailer

  PRO

JSON Web Token II

  • Difficulty:

This exercise covers the exploitation of an issue with some implementations of JWT

  PRO

JWT VI

  • Difficulty:

This exercise covers the exploitation of an injection in the kid element of a JWT. This injection can be used to bypass the signature mechanism

  PRO

PCAP 01

  • Difficulty:

  PRO

PCAP 02

  • Difficulty:

  PRO

PCAP 03

  • Difficulty:

  PRO

PCAP 04

  • Difficulty:

  PRO

PCAP 05

  • Difficulty:

  PRO

PCAP 06

  • Difficulty:

  PRO

PCAP 07

  • Difficulty:

  PRO

PCAP 08

  • Difficulty:

  PRO

PCAP 09

  • Difficulty:

  PRO

PCAP 13

  • Difficulty:

  PRO

PCAP 14

  • Difficulty:

  PRO

PCAP 15

  • Difficulty:

  PRO

PCAP 16

  • Difficulty:

  PRO

Git Information Leak II

  • Difficulty:

This exercise details how to retrieve information from an exposed .git directory on a web server. This time, directory listing is disabled.

  PRO

Android 02

  • Difficulty:

This exercise will guide you through the process of extracting data from a simple database used by an Android app.

From SQL Injection to Shell

  • Difficulty:

This exercise explains how you can, from a SQL injection, gain access to the administration console, then in the administration console, how you can run commands on the system.

  • Offline
  • Todo
  • ISO (171MB)
  • PHP/Apache/Mysql

PHP Include And Post Exploitation

  • Difficulty:

This exercise describes the exploitation of a local file include with limited access. Once code execution is gained, you will see some post exploitation tricks.

  • Offline
  • Todo
  • ISO (172MB (64b))
  • PHP/Apache

CVE-2012-1823: PHP CGI

  • Difficulty:

This exercise explains how you can exploit CVE-2012-1823 to retrieve the source code of an application and gain code execution.

  • Offline
  • Todo
  • ISO (332MB)
  • Rails

CVE-2012-2661: ActiveRecord SQL injection

  • Difficulty:

This exercise explains how you can exploit CVE-2012-2661 to retrieve information from a database

  • Offline
  • Todo
  • ISO (184MB)
  • Linux

Linux Host Review

  • Difficulty:

This exercise explains how to perform a Linux host review, what and how you can check the configuration of a Linux server to ensure it is securely configured. The reviewed system is a traditional Linux-Apache-Mysql-PHP (LAMP) server used to host a blog.

  • Offline
  • Todo
  • ISO (318MB)
  • Ruby/Rack

Rack Cookies and Commands injection

  • Difficulty:

After a short brute force introduction, this exercise explains the tampering of Rack cookies and how you can even manage to modify a signed cookie (if the secret is trivial). Using this issue, you will be able to escalate your privileges and gain command execution.

  • Offline
  • Todo
  • ISO (162MB)
  • PHP/PostgreSQL

From SQL Injection to Shell: PostgreSQL edition

  • Difficulty:

This exercise explains how you can, from a SQL injection, gain access to the administration console. Then, in the administration console, how you can run commands on the system.

  • Offline
  • Todo
  • ISO (170MB)
  • PHP/Apache/Mysql

CVE-2008-1930: Wordpress 2.5 Cookie Integrity Protection Vulnerability

  • Difficulty:

This exercise explains how you can exploit CVE-2008-1930 to gain access to the administration interface of a Wordpress installation.

  • Offline
  • Todo
  • ISO (221MB)
  • Tomcat/Axis2

Axis2 Web service and Tomcat Manager

  • Difficulty:

This exercise explains the interactions between Tomcat and Apache, then it will show you how to call and attack an Axis2 Web service. Using information retrieved from this attack, you will be able to gain access to the Tomcat Manager and deploy a WebShell to gain command execution.

  • Offline
  • Todo
  • ISO (172MB)
  • 1 video
  • PHP/Apache/MySQL

Web for Pentester

  • Difficulty:

This exercise is a set of the most common web vulnerabilities.

  • Offline
  • Todo
  • ISO (162MB)
  • Python

CVE-2012-6081: MoinMoin code execution

  • Difficulty:

This exercise explains how you can exploit CVE-2012-6081 to gain code execution. This vulnerability was exploited to compromise Debian's wiki and Python documentation website

  • Offline
  • Todo
  • ISO (170MB)
  • PHP/Apache/Mysql

From SQL Injection to Shell II

  • Difficulty:

This exercise explains how you can, from a blind SQL injection, gain access to the administration console. Then once in the administration console, how you can run commands on the system.

  • Offline
  • Todo
  • ISO (353MB)
  • Ruby/Rack

Web for Pentester II

  • Difficulty:

This exercise is a set of the most common web vulnerabilities.

Electronic Code Book

  • Difficulty:

This exercise explains how you can tamper with an encrypted cookie to access another user's account.

XSS and MySQL FILE

  • Difficulty:

This exercise explains how you can use a Cross-Site Scripting vulnerability to get access to an administrator's cookies. Then how you can use his/her session to gain access to the administration to find a SQL injection and gain code execution using it.

CVE-2007-1860: mod_jk double-decoding

  • Difficulty:

This exercise covers the exploitation of CVE-2007-1860. This vulnerability allows an attacker to gain access to inaccessible pages using crafted requests. This is a common trick that a lot of testers miss.

Play Session Injection

  • Difficulty:

This exercise covers the exploitation of a session injection in the Play framework. This issue can be used to tamper with the content of the session while bypassing the signing mechanism

CVE-2014-6271/Shellshock

  • Difficulty:

This exercise covers the exploitation of a Bash vulnerability through a CGI.

Play XML Entities

  • Difficulty:

This exercise covers the exploitation of XML entities in the Play framework.

  PRO

Pickle Code Execution

  • Difficulty:

This exercise covers the exploitation of Python's pickle when used to deserialize untrusted data

  PRO

Cross-Origin Resource Sharing

  • Difficulty:

This exercise covers Cross-Origin Resource Sharing and how it can be used to bypass CSRF protection if misconfigured.

  PRO

API to Shell

  • Difficulty:

This exercise covers the exploitation of PHP type confusion to bypass a signature and the exploitation of unserialize.

  PRO

JSON Web Token

  • Difficulty:

This exercise covers the exploitation of a signature weakness in a JWT library.

  • Offline
  • Todo
  • Tomcat/Struts

  PRO

Struts devMode

  • Difficulty:

This exercise covers how to get code execution when a Struts application is running in devMode

  PRO

Man-in-the-Middle

  • Difficulty:

This exercise covers how to intercept an HTTP connection.

  PRO

Man-in-the-Middle II

  • Difficulty:

This exercise covers how to intercept an HTTPS connection.

  PRO

Man-in-the-Middle III

  • Difficulty:

This exercise covers how to intercept an HTTPS connection with hostname verification.

  PRO

Man-in-the-Middle IV

  • Difficulty:

This exercise covers how to intercept an HTTPS connection.

  PRO

Man-in-the-Middle V

  • Difficulty:

This exercise covers how to intercept an HTTPS connection.

  PRO

XMLDecoder

  • Difficulty:

This exercise covers the exploitation of an application using XMLDecoder

  PRO

ObjectInputStream

  • Difficulty:

This exercise covers the exploitation of a call to readObject in a Spring application

  PRO

CVE-2016-0792

  • Difficulty:

This exercise covers the exploitation of an Xstream vulnerability in Jenkins

  PRO

CVE-2013-0156

  • Difficulty:

This exercise covers the exploitation of a code execution in Ruby-on-Rails using XML and YAML.

  PRO

CVE-2015-3224

  • Difficulty:

This exercise is a challenge written for Nullcon CTF in 2015

  PRO

Luhn

  • Difficulty:

This challenge was written for Ruxcon CTF 2015. It's an SQL injection with a twist

  PRO

Unickle

  • Difficulty:

This challenge was written for Ruxcon CTF 2015. It's an SQL injection mixed with a remote code execution.

Padding Oracle

  • Difficulty:

This exercise covers an attack against CBC mode. This attack can be used to decrypt data and re-encrypt arbitrary data

  PRO

Werkzeug DEBUG

  • Difficulty:

This challenge was written for Ruxcon CTF 2015 and covers the Debug mode of Werkzeug/Flask.

  PRO

ECDSA

  • Difficulty:

This exercise covers the exploitation of a weakness in the usage of ECDSA

  • Offline
  • Todo
  • PHP/Git

CVE-2014-4511: Gitlist RCE

  • Difficulty:

This exercise explains how you can exploit a vulnerability published in 2014 in Gitlist.

  PRO

CVE-2016-2098

  • Difficulty:

This exercise covers a remote code execution vulnerability in Ruby-on-Rails when using render on user-supplied data

  PRO

Struts s2-045

  • Difficulty:

This exercise covers a Remote Code Execution in Struts 2.

  PRO

Cipher block chaining

  • Difficulty:

This exercise details how to tamper with data encrypted using CBC

  PRO

SAML: Introduction

  • Difficulty:

This exercise covers the exploitation of a signature stripping vulnerability in SAML

S2-052

  • Difficulty:

This exercise covers the exploitation of the Struts S2-052 vulnerability

  • Todo
  • PHP

Introduction to code review

  • Difficulty:

This exercise covers the different ways to perform code review. It also contains a simple application to review to help you get started.

  PRO

JWT III

  • Difficulty:

This exercise covers the exploitation of an issue in the usage of JWT token

  PRO

CBC-MAC

  • Difficulty:

This exercise covers the exploitation of signature of non-fixed size messages with CBC-MAC

  PRO

JWT IV

  • Difficulty:

This exercise covers the exploitation of a vulnerability similar to the recent CVE-2017-17405 impacting Ruby Net::FTP

  PRO

CVE-2018-0114

  • Difficulty:

This exercise details the exploitation of a vulnerability in Cisco's node-jose, a JavaScript library created to manage JWT

  PRO

JWT V

  • Difficulty:

This exercise covers the exploitation of a trivial secret used to sign JWT tokens.

  PRO

CVE-2018-6574: go get RCE

  • Difficulty:

This exercise covers a remote command execution in Golang's go get command.

  PRO

CBC-MAC II

  • Difficulty:

This exercise covers the exploitation of an application using CBC-MAC when an attacker has control over the IV

  PRO

CVE-2016-5386: HTTPoxy

  • Difficulty:

This exercise covers the exploitation of HTTPoxy against an old version of Golang

  PRO

JWT VII

  • Difficulty:

This exercise covers the exploitation of a website using JWT for session without verifying the signature

  PRO

Git Information Leak

  • Difficulty:

This exercise details how to retrieve information from an exposed .git directory on a web server

  PRO

CVE-2018-11235: Git Submodule RCE

  • Difficulty:

This exercise details the exploitation of a vulnerability in Git submodules that can be used to get command execution.

  PRO

Introduction to CSP

  • Difficulty:

This exercise details the exploitation of an XSS in a simple web application that uses Content Security Policy.

  PRO

Android 01

  • Difficulty:

This exercise will guide you through the process of extracting simple information from an APK.

  PRO

IDOR to Shell

  • Difficulty:

This exercise covers how to get code execution by chaining vulnerabilities in a Ruby-on-Rails application