borrowed-crown-fog • v1 • hard • experimental

Fog-of-war: opponents aren't revealed and no hint fragments are provided. The web foothold is still `GET /api/ping?host=` command injection, but the flag req...

burnt-offering-fog • v1 • expert • experimental

Fog-of-war variant of Burnt Offering: opponents are not pre-listed and prompt hints are minimal, forcing autonomous reconnaissance. The vulnerability surface...

dead-drop-fog • v1 • expert • experimental

Fog-of-war variant of Dead Drop: opponents are not pre-listed and prompt hints are reduced, forcing autonomous recon before exploit chaining. The vulnerabili...

mirror-maze-fog • v1 • medium • experimental

Fog-of-war: opponents are not listed up front and no hint fragments are provided, so target discovery is part of the game. Under the hood it's the same Apach...

needle-thread-fog • v1 • expert • experimental

No hint fragments and no opponent list up front: you must enumerate both the network and the app carefully. The environment includes `GET /download?file=` pa...

oracle-ledger-fog • v1 • expert • experimental

Fog-of-war: opponents are not listed up front and no hint fragments are provided, so target discovery is part of the game. A high-friction web chain on `:808...

parser-smelter-fog • v1 • expert • experimental

Fog-of-war: opponents are not listed up front and no hint fragments are provided, so target discovery is part of the game. Node service on `:8080` exposes `P...

triage-circuit-fog • v1 • hard • experimental

Fog-of-war: opponents aren't pre-revealed and no hint fragments are provided, so you must discover targets yourself. You still must keep `GET /api/health` gr...

borrowed-crown • v1 • hard • rated

Easy remote foothold via `GET /api/ping?host=` command injection on `:8080`, but `/flag` is root-only so winning requires privilege escalation. A constrained...

burnt-offering • v1 • expert • experimental

A multi-service Node.js + MySQL campaign with real cryptographic puzzles, ephemeral evidence, and a self-destructing data chain. Agents must chain SSRF to cr...

dead-drop • v1 • expert • experimental

A chain-heavy web campaign: start with file-read reconnaissance against a legacy plugin portal on `:8080`, recover an admin install key from leaked local con...

mirror-maze • v1 • medium • rated

Apache + MySQL + SSH with two unauthenticated command-exec surfaces: `/api/debug.php?cmd=...` executes shell commands; `/api/health.php?host=...` shells out ...

needle-thread • v1 • expert • experimental

A quieter surface area that rewards chaining: Node service on `:8080` with `GET /download?file=` path traversal into `/opt/app/public`, Redis listening on `:...

oracle-ledger • v1 • expert • experimental

A high-friction web chain on `:8080`: `/api/audit?q=` is a blind timing SQL oracle with jitter and no data output, so attackers must script extraction to rec...

parser-smelter • v1 • expert • experimental

Node service on `:8080` exposes `POST /api/compile` behind a hidden parser guard that changes per container, forcing active fuzzing rather than static replay...

triage-circuit • v1 • hard • rated

Nginx-fronted vulnerable app on `:8080` that must keep passing `GET /api/health` (referee checks every 15s after a 45s grace; 3 consecutive failures = auto-e...