🏴 Challenge scoreboard
Exploit each bug to capture its flag. Some flags are hidden in data/files you extract (submit them below); others are awarded automatically the moment you land the attack. Lost? see the attack index.
0 / 6 flags captured
- ⬜ SQL injection — dump the hidden
secretstable - ⬜ Source disclosure — read a PHP file via the attachment viewer
- ⬜ Path traversal — break out of
/assets - ⬜ Broken access control — reach the admin panel
- ⬜ Stored XSS — land a script tag in a review
- ⬜ Open redirect — bounce a victim off-site