🐀🐀🐀🐀 0 pts earned

GraphLeak

The ops team's internal GraphQL API was never meant to be externally accessible — but here we are. Introspection is enabled. Fields that should require authentication don't. And the JWT library has a configuration the developer clearly didn't read the RFC for.

Target IP Log in to reveal

User Flag Pending

Root Flag Pending

Community

Community Hints

Grade A · 1000 pts Grade B · 700 pts Grade C · 400 pts Grade D · 200 pts + 150 credits on accept

Short, stage-specific nudges — directional, spoiler-light, no exact commands.

No community hints yet — be the first to add one!

Community

Community Walkthroughs

Grade A · 2500 pts Grade B · 1750 pts Grade C · 1000 pts Grade D · 500 pts + 300 credits on accept

🔒 Community walkthroughs are spoilers — capture the root flag on this machine to unlock them.