New Series

Social Engineering Sim

Five corporate targets where credentials are hiding in plain sight — response headers, robots.txt, document metadata, debug logs, and OSINT-accessible endpoints. Read everything. Trust nothing. Enumerate first.

Header Leakage robots.txt Recon Metadata Extraction Log Analysis OSINT / Header Bypass

5 Machines

Free No Paywall

Recon Focus

0/5 Online Now

The Machines

Five targets. Credentials in the open. You just have to look.

Machine 01 Offline

Corp Headers

Header Leakage

X-Debug-Pass response header leaks the SSH password on every single response. curl -I is all it takes. The dev left it in for "testing" and forgot to remove it.

robots.txt disallows /backup/config.bak. That file exists and contains plaintext SSH credentials. Always check robots.txt — disallowed means interesting.

A downloadable report.docx has EXIF/Office metadata with ssh_temp_pass:user123 in the description field. exiftool or strings — both work.

Flask /logs endpoint returns app.log. A DEBUG line shows ssh_auth user=devops pass=DevPass2026! in cleartext. Exposed log endpoints are underrated recon targets.

🐀🐀🐀 Medium

☠ Series Finale

Machine 05 Offline

Corp OSINT

OSINT / Header Bypass

X-Internal-Hostname header reveals an internal hostname. /api/v1/export?format=csv is gated by a Referer check you can spoof. The CSV response contains SSH credentials.

🐀🐀🐀🐀 Hard

Attack Chain

Recommended order of attack.

Start Here

Machine 01

Corp Headers

Header Leak

→

Machine 02

Corp Webcrawl

robots.txt

→

Machine 03

Corp Docs

Metadata

→

Machine 04

Corp Logs

Log Exposure

→

Machine 05

Corp OSINT

OSINT

Ready to read the room?

Five recon targets. Credentials hiding in plain sight. OSINT and passive enumeration in one series.

Create Free Account Browse All Challenges →

Launching 8 August 2026 — recon and OSINT series teaching passive enumeration and information disclosure patterns.