Challenge Board

Browse the full target list

🐀🐀🐀🐀 Premium Locked

🧩 AD Lab · 2 Machines

CorpNet

A two-machine Active Directory lab. Enumerate the domain controller’s SMB shares and a vulnerable employee portal, then chain credential leaks across both machines to achieve full domain compromise.

Entry Point Upgrade required
Progress 0 / 2 rooted
🐀🐀🐀🐀🐀 Premium Locked

🧩 AD Lab · 2 Machines

MegaCorp

A two-machine Active Directory lab focused on MS14-025 (GPP credential harvest). Start with an exposed backup config on the workstation, then pivot to the domain controller via SYSVOL to decrypt the service account password and achieve root.

Entry Point Upgrade required
Progress 0 / 2 rooted
🐀🐀🐀🐀🐀 Premium Locked

🧩 AD Lab · 3 Machines

VaultNet

A three-machine Active Directory lab focused on network pivoting. Only the domain controller is exposed to the internet. Players must chain SMB credential harvesting on the DC, SSH tunnelling, unrestricted file-upload RCE on the internal web server, and MySQL credential extraction on the internal database to fully compromise all three machines.

Entry Point Upgrade required
Progress 0 / 3 rooted
🐀

Limited: online now

Axferia

A forgotten nameserver sits exposed on the network, its zone transfer restrictions never configured. What secrets does its DNS database hold — and can you leverage them to walk right through the front door?

IP Hidden until login
Progress - / -
🐀

Limited: online now

Listeria

The web server proudly serves its directory tree to anyone who asks. Hidden among the exposed files lies a credential that opens more than just a web page. Look closer — the index never lies.

IP Hidden until login
Progress - / -
🐀🐀 Premium Locked

Bindforge

An enterprise directory left open to anonymous queries. Someone forgot to lock the front gate — walk the tree, extract what was never meant to be public, and forge your path all the way to root.

IP Upgrade required
Progress - / -
🐀🐀 Premium Locked

Rootbase

The database administrator forgot the most important rule: always set a root password. Tap into the exposed data store, recover what was left in plaintext, and pivot your way to full control.

IP Upgrade required
Progress - / -
🐀🐀🐀🐀 Premium Locked

Keyspace

A Redis instance stands wide open — no authentication, no firewall, just raw access to an in-memory data store. The question isn't whether you can read it. The question is: can you turn a cache into a root shell?

IP Upgrade required
Progress - / -
🐀🐀

Driftsync

An rsync daemon quietly exposes its modules to the world, no credentials required. Dig through the synchronized data, recover what was meant to stay private, and ride the drift all the way to root.

IP Hidden until login
Progress - / -
🐀🐀🐀 Premium Locked

Bifrost

Two file-sharing services, two attack surfaces. Pivot between SMB and FTP to piece together the credentials that bridge your path to root. Neither service alone holds the answer — the key is in the crossing.

IP Upgrade required
Progress - / -
🐀🐀 Premium Locked

Limited: online now

Postmark

The mail server helpfully confirms which users exist — and the sysadmin made sure some of them have terrible passwords. Enumerate the recipients, guess the passphrase, and deliver yourself a shell.

IP Upgrade required
Progress - / -
🐀🐀

Walkabout

A network management agent leaks far more than just metrics. Walk the MIB tree, read what the community string reveals, and follow the trail of exposed data straight to a root prompt.

IP Hidden until login
Progress - / -
🐀 Premium Locked

Bootleak

A TFTP server meant for network booting inadvertently serves up configuration files to anyone who asks the right filename. One leaked config is all you need — find the foothold, then find the path out.

IP Upgrade required
Progress - / -
🐀🐀 Premium Locked

Neuravex

CorpTech's internal AI assistant has its maintenance credentials baked directly into its system prompt. It's chatty, helpful, and completely unaware of what prompt injection means. Talk to it — carefully.

IP Upgrade required
Progress - / -
🐀🐀🐀

Injectrix

An internal employee portal shipped to production without a security review. Three unpatched vulnerabilities sit in the same PHP codebase — SQL injection, command injection, and an unrestricted file upload. Chain them to own the box.

IP Hidden until login
Progress - / -
🐀🐀🐀🐀🐀 Premium Locked

The XSS Rat

The XSS Rat's personal research platform: a PHP blog engine with a dangerous API and a secrets-laden internal service. Chain stored XSS through to SSRF, extract admin credentials from an internal endpoint, and abuse a sudo GTFOBin to root. Nothing about this box is accidental — every quirk is a clue.

IP Upgrade required
Progress - / -
🐀🐀🐀 Premium Locked

RatHole

Deep beneath the city streets runs the RatHole — a forgotten server maintained by a rodent who never learned to secure his FTP. Anonymous upload is wide open, the web root is shared, and a janky cleanup cron runs every minute as root. Leave your tools at the surface. You won't need anything fancy down here.

IP Upgrade required
Progress - / -
🐀🐀

🕐 Launching soon

Loophole

An internal document viewer built in a hurry left its file-inclusion logic wide open. The config file is right there in the web root — PHP just won't show it to you. Figure out how to read source without executing it, recover the credentials, and turn a sudo misconfig into a root shell.

IP Available at launch
Progress - / -
🐀🐀

🕐 Launching soon

Sharehouse

An NFS server quietly advertises its shares to anyone who asks — and one of them holds a credential backup. The other exports the root home directory with no_root_squash, trusting that no one outside the team has root on their machine. They were wrong.

IP Available at launch
Progress - / -
🐀

Porthaven

A forgotten web server hides its admin panel behind a port-knocking sequence left in a public config file. Find the knock, open the gate, grab the cleartext credentials the sysadmin left in the page source, and follow one GTFOBin straight to root.

IP Hidden until login
Progress - / -
🐀🐀 Premium Locked

🕐 Launching soon

Glasswork

A Jenkins instance was stood up for CI/CD and never locked down. Default credentials open the Groovy Script Console — from there, code execution is a one-liner. Follow the shell through the build server and abuse a sudo wget policy to overwrite your way to root.

IP Upgrade required
Progress - / -
🐀🐀 Premium Locked

🕐 Launching soon

Irongrep

An Elasticsearch node sits on the network with no authentication. Someone stored application users and plain-text API tokens directly in the index. Extract the credentials, pivot to shell, and abuse a sudo curl policy to overwrite your way to root.

IP Upgrade required
Progress - / -
🐀

🕐 Launching soon

Shellcast

Anonymous FTP grants access to a home directory backup where the sysadmin's bash history was accidentally included — and a password was typed in the clear. SSH right in and let sudo nmap hand you root interactively.

IP Available at launch
Progress - / -
🐀🐀🐀🐀🐀 Premium Locked

🕐 Launching soon

Darkpulse

Four hops. SNMP community string to domain admin. Correlate MIB leakage with LDAP enumeration, crack a Kerberoastable service account offline, use the hash to access SYSVOL, and chain to DCSync. Nothing is safe — the forest falls.

IP Upgrade required
Progress - / -
🐀🐀 Premium Locked

🕐 Launching soon

Foxhole

A PHP login form uses loose comparison to validate authentication tokens. Pass the right type — not the right value — to bypass the gate entirely. From inside the admin panel, abuse a misconfigured sudo tee policy to overwrite /etc/passwd and claim root.

IP Upgrade required
Progress - / -
🐀🐀🐀🐀 Premium Locked

🕐 Launching soon

Tracewire

An anonymous FTP share holds a forgotten network capture from a maintenance session. Credentials were replayed in cleartext. Extract them, SSH in, and discover an internal Redis instance bound to localhost — the same CONFIG SET technique that works externally works here too.

IP Upgrade required
Progress - / -
🐀🐀🐀

Tempest

An internal reporting tool renders user-supplied report names directly into a Jinja2 template. The developer forgot that f-strings and template engines don't mix well — what goes in as a name can come out as root.

IP Hidden until login
Progress - / -
🐀🐀 Premium Locked

Docparse

DocuParse is an internal XML invoice processor. The developer enabled external entity loading for 'flexibility' and left a PHP config file with SSH credentials in the web root. One crafted invoice is all it takes.

IP Upgrade required
Progress - / -
🐀🐀🐀 Premium Locked

Jailkey

Jailkey is an internal authentication API built on a custom JWT library. The developer left a 'none' algorithm shortcut in for testing and never removed it. Guest tokens are free — admin tokens are just a decode-and-reforge away.

IP Upgrade required
Progress - / -
🐀🐀🐀🐀🐀

Hexvault

HexVault is a classified document management system used by a fictional intelligence contractor. The attack surface is wider than it looks, and the path to root requires chaining multiple weaknesses together — no single step gets you far on its own. Enumerate carefully, think about what each component trusts, and follow the data.

IP Hidden until login
Progress - / -


☠ Infection Chain

Find hidden fragment codes scattered across machines and unlock The Burrow — a secret area for those who dig deep.
