🚩 Capture The Flag

Grand Line CTF β€” Challenge Board

18 vulnerabilities are hidden across this platform. Exploit real weaknesses, capture flags, and prove you can navigate the Grand Line of cybersecurity.

0
Points Earned
0
Challenges Solved
17
Total Challenges
CATEGORY:DIFFICULTY:
πŸ”
SQL InjectionEasy

Wanted: Dead or Alive

100
pts

The Marine HQ search system stores wanted poster data. Rumor has it the query is not quite… sanitized.

TARGEThttp://localhost:3000/searchOpen β†’
sqlierror-basedweb
πŸ“‘
XSSEasy

The Pirate's Echo

75
pts

The Transponder Snail station echoes back every message to confirm delivery. No filtering. No escape.

TARGEThttp://localhost:3000/transponder-snailOpen β†’
xssreflectedweb
πŸ“
LFIMedium

World Govt Archives β€” Classified

150
pts

The Archives let you "view" public documents. But some paths are not meant for public eyes…

TARGEThttp://localhost:3000/archivesOpen β†’
lfipath-traversalweb
πŸ—žοΈ
SSRFHard

News Coo β€” Internal Dispatch

250
pts

News Coo fetches news from external URLs on your behalf. What if it fetched something… internal?

TARGEThttp://localhost:3000/newsOpen β†’
ssrfcloudmetadata
🧭
Open RedirectEasy

Log Pose Redirect

75
pts

The Log Pose navigation system redirects ships to their next destination. Destination is never validated.

TARGEThttp://localhost:3000/log-poseOpen β†’
redirectphishingweb
βš–οΈ
Broken AuthenticationEasy

Marine HQ β€” Unauthorized Entry

100
pts

The Marine database login was configured in a hurry. Someone forgot to change the default credentials.

TARGEThttp://localhost:3000/marine-loginOpen β†’
authdefault-credsweb
πŸ”
JWT ExploitHard

Secret Intel β€” Token Forgery

300
pts

Intel is locked behind a JWT. If you can forge a token with the right role claim, the secret is yours.

TARGEThttp://localhost:3000/secret-intelOpen β†’
jwtauthweb
🏰
Privilege EscalationHard

Marie Jois β€” Gorosei Access

300
pts

Marie Jois is protected. Only Gorosei may enter. But what if you could sign your own clearance?

TARGEThttp://localhost:3000/marie-joisOpen β†’
priv-escjwtauth
πŸ’¬
Stored XSSMedium

Crew Forum β€” Stored Payload

200
pts

The Pirate Forum stores messages from all crew members. What a lovely place to leave a permanent gift.

TARGEThttp://localhost:3000/forumOpen β†’
xssstoredweb
πŸ—ΊοΈ
MisconfigurationEasy

Exposed Treasure Map (.env)

50
pts

Every ship keeps a manifest. Some captains leave it on deck. Check common paths.

TARGEThttp://localhost:3000/.envOpen β†’
reconmisconfigurationsecrets
πŸ“‹
MisconfigurationEasy

The Lost Repository (.git/config)

50
pts

Pirates keep logs of their voyages. Development crews sometimes forget to hide theirs.

TARGEThttp://localhost:3000/.git/configOpen β†’
reconmisconfigurationgit
βš™οΈ
MisconfigurationEasy

Config in the Open (config.json)

50
pts

API keys and database passwords should never live in a public-facing JSON file…

TARGEThttp://localhost:3000/config.jsonOpen β†’
reconmisconfigurationapi-keys
πŸ“¦
MisconfigurationEasy

Unguarded Hold (/uploads)

50
pts

The cargo hold door was left open. Walk right in and see what is being stored.

TARGEThttp://localhost:3000/uploads/Open β†’
recondirectory-listingweb
βš™οΈ
CVE FingerprintMedium

The Admiral's Shipyard (Jenkins)

125
pts

Every response from this server contains a signature. Something old, something vulnerable.

TARGEThttp://localhost:3000/Open β†’
cvefingerprintheaders
πŸ’₯
CVE FingerprintHard

The Devil's Lookup (Log4Shell)

275
pts

A well-known RCE vulnerability lurks in the logging stack. A JNDI lookup is all it takes.

TARGET/api/vuln-lab/log4jOpen β†’
cvelog4jrcejndi
πŸ”Œ
CVE FingerprintMedium

The Plugin Conspiracy

125
pts

An outdated plugin announces its version to the world. That version has a known CVE.

TARGET/api/vuln-lab/wp-pluginOpen β†’
cvewordpressfingerprint
🌐
MisconfigurationMedium

Cross-Origin Heist (CORS)

150
pts

This site allows cross-origin requests from anywhere. From your own page you can steal another user's data.

TARGET/api/*Open β†’
corsmisconfigurationheaders

πŸ”¬ Run Nuclei Against This Site

# Quick scan β€” all categories
.\nuclei_tool\nuclei.exe -u http://localhost:3000 -t .\docker-lab\nuclei-templates\ -duc

# Specific tags
.\nuclei_tool\nuclei.exe -u http://localhost:3000 -tags vulnlab,sqli,xss,ssrf -duc

# JSON output for report
.\nuclei_tool\nuclei.exe -u http://localhost:3000 -t .\docker-lab\nuclei-templates\ -j -o results.json -duc

# Verbose mode (see all requests)
.\nuclei_tool\nuclei.exe -u http://localhost:3000 -t .\docker-lab\nuclei-templates\ -v -duc