API Admin

Premium Machine (Locked)

🧩 ExposedAPI

🖧 AD Network — ExposedAPI

🔒 API Users 🔒 API Profile 🔒 API Auth API Admin 🔒 API Fetch

Broken Function Level Authorization: admin routes return 403 to regular users, but adding an X-Internal-Request: true header bypasses the check. The admin route exposes SSH credentials. Root is reached via a world-writable /etc/cron.d/ directory.

Community

Community Hints

Grade A · 1000 pts Grade B · 700 pts Grade C · 400 pts Grade D · 200 pts + 150 credits on accept

Short, stage-specific nudges — directional, spoiler-light, no exact commands.

No community hints yet — be the first to add one!

Community Walkthroughs

Grade A · 2500 pts Grade B · 1750 pts Grade C · 1000 pts Grade D · 500 pts + 300 credits on accept

🔒 Community walkthroughs are spoilers — capture the root flag on this machine to unlock them.