Step 03 · do it for real
A real web app. A hidden .env. Your turn.
You've seen the five beats. Now spawn a sandboxed target and walk PROBE → FUZZ → LEAK → VHOST → OWN with your own hands. Use the flashcards to warm up; the quiz pressure-tests whether the moves stuck.
Sandbox · ready to launch
Spawn web-recon-hidden-assets
You'll get a private target stack — a prod Flask app on target.acme.test and a debug-mode dev vhost on the same IP. The flag lives in a .env file the staging build serves as a static asset. Find it.
1. Map the attack surface (headers, robots, ffuf)
2. Discover the dev vhost from the leaked source
3. Read the .env via Host header spoofing — submit FLAG