| 1 | Trapped Source | Very Easy | Client-Side Source Analysis | 7Rocky |
| 2 | Templated | Very Easy | Jinja2 SSTI | 7Rocky |
| 3 | Flag Command | Very Easy | API Exploitation, Command Injection | 7Rocky |
| 4 | looking glass | Easy | SSTI, Command Injection | 7Rocky |
| 5 | Gunship | Easy | Prototype Pollution, AST Injection | 7Rocky |
| 6 | Toxic | Easy | PHP Deserialization, Log Poisoning | 7Rocky |
| 7 | sanitize | Easy | NoSQL Injection | 7Rocky |
| 8 | baby auth | Easy | Authentication Bypass | 7Rocky |
| 9 | LoveTok | Easy | PHP Code Injection | 7Rocky |
| 10 | TimeKORP | Easy | PHP Time Injection, Command Injection | Medium - Rahul |
| 11 | KORP Terminal | Easy | SQL Injection, Hashcat | 7Rocky |
| 12 | Neonify | Easy | Ruby SSTI, Regex Bypass | 7Rocky |
| 13 | Slippy | Easy | Python Tar Slip, Path Traversal | 7Rocky |
| 14 | Full Stack Conf | Easy | Source Code Analysis | 7Rocky |
| 15 | CurlAsAService | Easy | SSRF, curl Exploitation | 7Rocky |
| 16 | Wild Goose Hunt | Easy | NoSQL Injection, Regex Extraction | 7Rocky |
| 17 | E.Tree | Easy | XPath Injection | 7Rocky |
| 18 | CandyVault | Easy | NoSQL Injection (MongoDB) | 7Rocky |
| 19 | SpookTastic | Easy | XSS, Bot Exploitation | 7Rocky |
| 20 | Saturn | Easy | Path Traversal | 7Rocky |
| 21 | HTBank | Easy | Race Condition, Integer Overflow | 7Rocky |
| 22 | Watersnake | Easy | Java Deserialization, SnakeYAML | 7Rocky |
| 23 | Lazy Ballot | Easy | SQL Injection | 7Rocky |
| 24 | emoji voting | Easy | SQL Injection | 7Rocky |
| 25 | ProxyAsAService | Easy | SSRF, Proxy Bypass | 7Rocky |
| 26 | baby interdimensional internet | Easy | Python Code Injection | 7Rocky |
| 27 | baby ninja jinja | Easy | Jinja2 SSTI | 7Rocky |
| 28 | baby CachedView | Easy | SSRF | 7Rocky |
| 29 | baby website rick | Easy | Source Code Analysis, Cookies | 7Rocky |
| 30 | baby todo or not todo | Easy | IDOR, API Abuse | 7Rocky |
| 31 | Intergalactic Post | Easy | SQL Injection (SQLite) | 7Rocky |
| 32 | BlinkerFluids | Easy | HTML Injection, RCE via PDF | 7Rocky |
| 33 | Juggling facts | Easy | PHP Type Juggling | 7Rocky |
| 34 | Spookifier | Easy | Jinja2/Mako SSTI | 7Rocky |
| 35 | Red Island | Easy | SSRF via Image URL | 7Rocky |
| 36 | Mutation Lab | Easy | CSS Injection, Session Forgery | 7Rocky |
| 37 | Amidst Us | Easy | Python Pickle Deserialization | 7Rocky |
| 38 | Diogenes' Rage | Easy | Race Condition, Coupon Abuse | MadDevs |
| 39 | Weather App | Easy | SSRF, SQL Injection | s-3ntinel |
| 40 | Insomnia | Medium | Authentication Bypass, Logic Flaw | 7Rocky |
| 41 | jscalc | Medium | JavaScript Sandbox Escape | 7Rocky |
| 42 | OnlyHacks | Medium | SQL Injection, IDOR | 7Rocky |
| 43 | Breaking Bank | Medium | JWT Exploitation, Race Condition | 7Rocky |
| 44 | wafwaf | Medium | WAF Bypass, SQL Injection | 7Rocky |
| 45 | GhostlyTemplates | Medium | Go Template Injection, SSTI | 7Rocky |
| 46 | PumpkinSpice | Medium | SSTI, Python Template Injection | 7Rocky |
| 47 | Spellbound Servants | Medium | Deserialization, PHP Object Injection | 7Rocky |
| 48 | HauntMart | Medium | SSRF, Internal Service Access | 7Rocky |
| 49 | 0xBOverchunked | Medium | HTTP Chunked Encoding, SQLi WAF Bypass | 7Rocky |
| 50 | Percetron | Medium | ML Model Exploitation | 7Rocky |
| 51 | Testimonial | Medium | gRPC Exploitation | 7Rocky |
| 52 | Horror Feeds | Medium | SQL Injection, XSS | 7Rocky |
| 53 | baby nginxatsu | Medium | Nginx Misconfiguration, LFI | 7Rocky |
| 54 | Spiky Tamagotchi | Medium | SQL Injection, Session Hijack | 7Rocky |
| 55 | Kryptos Support | Medium | XSS, Cookie Stealing | 7Rocky |
| 56 | baby breaking grad | Medium | Prototype Pollution | 7Rocky |
| 57 | Orbital | Medium | SQL Injection, LFI | 7Rocky |
| 58 | Passman | Medium | GraphQL Exploitation | 7Rocky |
| 59 | BatchCraft Potions | Medium | Batch Script Injection | 7Rocky |
| 60 | baby WAFfles order | Medium | XXE Injection | 7Rocky |
| 61 | Cursed Secret Party | Medium | Stored XSS, CSP Bypass | 7Rocky |
| 62 | baby BoneChewerCon | Medium | SSTI, Sandbox Escape | 7Rocky |
| 63 | RenderQuest | Medium | Go SSTI, Template Injection | Medium - Tanish |
| 64 | Labyrinth Linguist | Medium | Apache Velocity SSTI, CVE-2020-13936 | Medium - Rahul |
| 65 | CDNio | Hard | CDN Bypass, Cache Poisoning | 7Rocky |
| 66 | NeoVault | Hard | Neo4j Injection, Cypher Injection | 7Rocky |
| 67 | PDFy | Hard | PDF Generation SSRF | 7Rocky |
| 68 | AbuseHumanDB | Hard | XSS Chain, Bot Exploitation | 7Rocky |
| 69 | ExpressionalRebel | Hard | Regex ReDoS, Expression Injection | 7Rocky |
| 70 | TrapTrack | Hard | Gopher SSRF, Redis Exploitation | 7Rocky |
| 71 | Spybug | Hard | API Key Leak, Stored XSS | 7Rocky |
| 72 | Didactic Octo Paddles | Hard | JWT None Algorithm, SSTI | 7Rocky |
| 73 | The Magic Informer | Hard | SQL Injection, Prototype Pollution | 7Rocky |
| 74 | Letter Dispair | Hard | XSS, SSRF Chain | 7Rocky |
| 75 | Userland City | Hard | Complex Multi-Stage Exploitation | 7Rocky |