Exercises
| Exercise | Avg. Time | Difficulty | Solved by | Tier | |
|---|---|---|---|---|---|
|
|
wp2shell: CVE-2026-63030 & CVE-2026-60137
CVE-2026-63030
CVE-2026-60137
WordPress
Remote Code Execution
This challenge covers gaining a shell on WordPress by chaining CVE-2026-63030 and CVE-2026-60137.
|
-- | 2 | PRO | |
|
|
H2 INIT Parameter RCE II | < 1 Hr. | 6 | PRO | |
|
|
CVE-2026-XX792
This challenge covers the review of a CVE in a typescript codebase and its patch
|
-- | 18 | PRO | |
|
|
CVE-2026-XX957
This challenge covers the review of a CVE in a typescript codebase and its patch
|
< 1 Hr. | 18 | PRO | |
|
|
CVE-2026-XX464
This challenge covers the review of a CVE in a typescript codebase and its patch
|
-- | 18 | PRO | |
|
|
H2 INIT Parameter RCE | < 1 Hr. | 9 | PRO | |
|
|
SAML: Transform RCE
This exercise covers the exploitation of an RCE in SAML by leveraging a vulnerable version of xmlsec
|
< 1 Hr. | 9 | PRO | |
|
|
Web Fundamentals: Proxy | -- | 57 | PRO | |
|
|
Web Fundamentals: Browser Storage | -- | 60 | PRO | |
|
|
Web Fundamentals: WebDAV Introduction | -- | 58 | PRO | |
|
|
Web Fundamentals: WebSockets | -- | 70 | PRO | |
|
|
Web Fundamentals: Same-Origin Policy Introduction | -- | 63 | PRO | |
|
|
Web Fundamentals: CORS Introduction | -- | 65 | PRO | |
|
|
Web Fundamentals: API | -- | 74 | PRO | |
|
|
Web Fundamentals: GraphQL | -- | 68 | PRO | |
|
|
Web Fundamentals: Databases | -- | 78 | PRO | |
|
|
Web Fundamentals: Sessions | -- | 77 | PRO | |
|
|
Web Fundamentals: Server-Side Code | -- | 86 | PRO | |
|
|
Web Fundamentals: Client-Side Code | -- | 86 | PRO | |
|
|
JS Sandbox: static-eval Direct Constructor Access
This exercise covers exploiting the original unpatched static-eval with unrestricted property access on functions.
|
< 1 Hr. | 18 | PRO | |
|
|
JS Sandbox: static-eval Destructuring Parameter Bypass
This exercise covers bypassing static-eval parameter validation using destructured parameters (ObjectPattern).
|
< 1 Hr. | 10 | PRO | |
|
|
JS Sandbox: static-eval Function Property Blocked
This exercise covers bypassing post-2.0 static-eval that blocks member access on functions, using anonymous function bodies.
|
< 1 Hr. | 16 | PRO | |
|
|
JS Sandbox: vm.runInNewContext Null Prototype
This exercise covers escaping vm.runInNewContext when the context is created with Object.create(null) so this.constructor is undefined.
|
< 1 Hr. | 17 | PRO | |
|
|
JS Sandbox: vm.runInNewContext Restricted Globals
This exercise covers escaping vm.runInNewContext when specific safe objects are provided but frozen, using Error objects or Promise callbacks.
|
< 1 Hr. | 15 | PRO | |
|
|
CVE-2026-XX242
This challenge covers the review of a CVE in a python codebase and its patch
|
< 1 Hr. | 42 | PRO | |
|
|
CVE-2026-XX738
This challenge covers the review of a CVE in a python codebase and its patch
|
< 1 Hr. | 38 | PRO | |
|
|
Web Fundamentals: Introduction | < 1 Hr. | 145 | PRO | |
|
|
JS Sandbox: Type Confusion Bypass
This exercise covers bypassing string sanitization by sending an object when the sanitizer expects a string.
|
-- | 20 | PRO | |
|
|
JS Sandbox: AST-Based Filtering
This exercise covers bypassing AST-based sandbox filtering using computed property access or Reflect.get().
|
-- | 20 | PRO | |
|
|
JS Sandbox: Regex Filter Bypass
This exercise covers bypassing regex filters with hex escapes, unicode escapes, or base64 decoding.
|
< 1 Hr. | 24 | PRO |
Showing 1–30 of 753 exercises
Free Labs of the Month