Blacksite Webapp
Five web applications running inside a classified internal portal. SQLi, command injection, broken file upload, SSTI, and XXE — the classic OWASP top-ten gauntlet, no CTF cheese required.
The Machines
Five apps. Five vulns. Every one a paycheck in the wild.
Classic login bypass via SQLi. Once in, the users table has an ssh_password column. Dump it, log in. Union-based or boolean-blind — your call.
Flask ping endpoint passes user input straight to os.popen(). Inject a shell command, read /etc/motd for the SSH creds the dev left in plaintext.
The upload handler checks extension by filename only. A crafted .php.jpg plus an .htaccess rule gets your webshell executing under Apache. Classic bypass.
Report name field fed directly into render_template_string(). Pop {{config}} first to confirm, then RCE via the subprocess chain. Jinja2 SSTI by the book.
lxml parses user-supplied XML with external entities enabled. Read /home/user/.ssh/id_rsa via a file:// entity reference. RSA key generated fresh at build time.
Attack Chain
Recommended order of attack.
Ready to exploit?
Five web vulns. Five real-world payloads. OSCP web module covered in one series.
Launching 27 June 2026 — web exploitation series covering the OWASP Top 10 attack categories.