Hintru EN ES ← All labs

✎

Improve lab

Improved version of Tanuki: Flashcard Backup Restore

You are creating a new version of this lab. The original stays untouched. Your version will be signed by a cryptographic key generated in your browser — no email, no password. If you clear browser data without exporting your identity, you lose authorship over your contributions.

You do not have a signing identity yet in this browser.

Lab metadata

Title Summary Target type Difficulty Tags (comma-separated)

Steps

Map the API from the client bundle

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Authenticate and export a deck

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Probe the restore endpoint's accepted format

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Confirm that JSON field values are parsed as XML

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Locate the JSON field injected into the DOCTYPE internal subset

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Identify the correct file path past the decoys

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.

Execute the full in-band file read and retrieve the flag

▾

Phase recon, web, foothold, privesc, etc. Title Short action-oriented title. Avoid spoiling the vuln class.

Objective What the student must achieve in this step. Context Optional: setup or prior info needed.

💡 Hint 1 — directional

Directional nudge — point at where to look without naming the technique.

🎯 Hint 2 — technique

Reveal the vulnerability class or technique without the exact payload.

🔑 Hint 3 — near solution

Near-solution: specific approach or command without the final flag.

Solution Exact command, payload, or approach. Code stays in original language. Validation criteria What a correct attempt DOES (action), not what output it produces.