RatLabs
Release Schedule
8 weeks · 8 new targets · 8 retirements. Every Friday a new machine drops and an old one leaves rotation.
| Week | Date | New Machine | Retiring |
|---|---|---|---|
| Week 1 | May 9 | Easy Porthaven | 🔴 Easy Retrogate |
| Week 2 | May 16 | Medium Glasswork | 🔴 Hard Keyspace |
| Week 3 | May 23 | Medium Sharehouse | 🔴 Easy Bootleak |
| Week 4 | May 30 | Medium Irongrep | 🔴 Easy Axferia |
| Week 5 | Jun 6 | Easy Shellcast | 🔴 Easy Listeria |
| Week 6 | Jun 13 | Insane Darkpulse Premium | 🔴 Medium Postmark |
| Week 7 | Jun 20 | Medium Foxhole | 🔴 Medium Rootbase |
| Week 8 | Jun 27 | Hard Tracewire Premium | 🔴 Medium Driftsync |
Launching Soon
An internal document viewer built in a hurry left its file-inclusion logic wide open. The config file is right there in the web root — PHP just won't show it to you. Figure out how to read source without executing it, recover the credentials, and turn a sudo misconfig into a root shell.
Launches calculating…
A Jenkins instance was stood up for CI/CD and never locked down. Default credentials open the Groovy Script Console — from there, code execution is a one-liner. Follow the shell through the build server and abuse a sudo wget policy to overwrite your way to root.
Launches calculating…
An NFS server quietly advertises its shares to anyone who asks — and one of them holds a credential backup. The other exports the root home directory with no_root_squash, trusting that no one outside the team has root on their machine. They were wrong.
Launches calculating…
An Elasticsearch node sits on the network with no authentication. Someone stored application users and plain-text API tokens directly in the index. Extract the credentials, pivot to shell, and abuse a sudo curl policy to overwrite your way to root.
Launches calculating…
Anonymous FTP grants access to a home directory backup where the sysadmin's bash history was accidentally included — and a password was typed in the clear. SSH right in and let sudo nmap hand you root interactively.
Launches calculating…
Four hops. SNMP community string to domain admin. Correlate MIB leakage with LDAP enumeration, crack a Kerberoastable service account offline, use the hash to access SYSVOL, and chain to DCSync. Nothing is safe — the forest falls.
Launches calculating…
A PHP login form uses loose comparison to validate authentication tokens. Pass the right type — not the right value — to bypass the gate entirely. From inside the admin panel, abuse a misconfigured sudo tee policy to overwrite /etc/passwd and claim root.
Launches calculating…
An anonymous FTP share holds a forgotten network capture from a maintenance session. Credentials were replayed in cleartext. Extract them, SSH in, and discover an internal Redis instance bound to localhost — the same CONFIG SET technique that works externally works here too.
Launches calculating…
Leaving Rotation
A Redis instance stands wide open — no authentication, no firewall, just raw access to an in-memory data store. The question isn't whether you can read it. The question is: can you turn a cache into a root shell?
Retires calculating…
Deep beneath the city streets runs the RatHole — a forgotten server maintained by a rodent who never learned to secure his FTP. Anonymous upload is wide open, the web root is shared, and a janky cleanup cron runs every minute as root. Leave your tools at the surface. You won't need anything fancy down here.
Retires calculating…
A TFTP server meant for network booting inadvertently serves up configuration files to anyone who asks the right filename. One leaked config is all you need — find the foothold, then find the path out.
Retires calculating…
The XSS Rat's personal research platform: a PHP blog engine with a dangerous API and a secrets-laden internal service. Chain stored XSS through to SSRF, extract admin credentials from an internal endpoint, and abuse a sudo GTFOBin to root. Nothing about this box is accidental — every quirk is a clue.
Retires calculating…
A forgotten nameserver sits exposed on the network, its zone transfer restrictions never configured. What secrets does its DNS database hold — and can you leverage them to walk right through the front door?
Retires calculating…
The web server proudly serves its directory tree to anyone who asks. Hidden among the exposed files lies a credential that opens more than just a web page. Look closer — the index never lies.
Retires calculating…
The mail server helpfully confirms which users exist — and the sysadmin made sure some of them have terrible passwords. Enumerate the recipients, guess the passphrase, and deliver yourself a shell.
Retires calculating…
The database administrator forgot the most important rule: always set a root password. Tap into the exposed data store, recover what was left in plaintext, and pivot your way to full control.
Retires calculating…
Two file-sharing services, two attack surfaces. Pivot between SMB and FTP to piece together the credentials that bridge your path to root. Neither service alone holds the answer — the key is in the crossing.
Retires calculating…
A network management agent leaks far more than just metrics. Walk the MIB tree, read what the community string reveals, and follow the trail of exposed data straight to a root prompt.
Retires calculating…
An rsync daemon quietly exposes its modules to the world, no credentials required. Dig through the synchronized data, recover what was meant to stay private, and ride the drift all the way to root.
Retires calculating…