The XSS Rat Training Grounds

Own every lab. Master the methodology.

Training machines built by The XSS Rat — from basic enumeration to extreme multi-vector chains. Register once, unlock targets, submit flags, and track your progress on the leaderboard.

Active Challenges: 26
Coming Soon: 3
IP Visibility: Locked Until Login
☠ The Burrow: 1 reached it. Can you?

Coming Soon

🕐 Upcoming Machines

See full schedule (8 total) →
🐀🐀 🕐 Launching soon

Loophole

An internal document viewer built in a hurry left its file-inclusion logic wide open. The config file is right there in the web root — PHP just won't show it to you. Figure out how to read source without executing it, recover the credentials, and turn a sudo misconfig into a root shell.


🐀🐀 Premium 🕐 Launching soon

Glasswork

A Jenkins instance was stood up for CI/CD and never locked down. Default credentials open the Groovy Script Console — from there, code execution is a one-liner. Follow the shell through the build server and abuse a sudo wget policy to overwrite your way to root.


🐀🐀 🕐 Launching soon

Sharehouse

An NFS server quietly advertises its shares to anyone who asks — and one of them holds a credential backup. The other exports the root home directory with no_root_squash, trusting that no one outside the team has root on their machine. They were wrong.



Want to go further?

All courses. All certs. All lives. One price — forever.

These labs are built around the same methodology taught in The XSS Rat's courses. If you want the full picture — recon, exploit chains, API hacking, business logic, CNWPP certification and everything in between — the Endless Bundle has 45+ courses, 3 cert paths, weekly live sessions, and every future release included. No subscriptions. No upsells.

10+ Courses
3x Certifications
ALL Live lessons
80% Off right now