Mission Briefing
Welcome to the Hacking News ethical lab. This environment mirrors a modern content delivery stack so you can rehearse offensive techniques while documenting defensive countermeasures. Work methodically, capture everything, and always stay within the provided scope—this lab exists to celebrate responsible disclosure.
Recon
Fingerprint the lab stack, enumerate services, and capture telemetry for later replay.
Initial Access
Use the provided injection points to land a low-privilege foothold without breaking the app.
Privilege Escalation
Map the FastAPI surface, pivot into the admin API, and demonstrate containment hardening steps.
Post-Ex / Reporting
Generate an ethical disclosure packet with repeatable payloads and defensive guidance.
Live-fire Surfaces
Article search
Attack vector: Jinja templating context + SQL LIKE
Try SSRF payloads and boolean-based injection techniques with throttled delays.
RSS ingestion
Attack vector: Feed parsing, XML entity expansion, metadata scraping
Craft feeds that surface XXE and sandbox escape opportunities in a controlled environment.
Admin log viewer
Attack vector: Authenticated HTMX endpoint
Observe WebSocket-less HTMX patterns for request smuggling and cache poisoning rehearsals.
Payload Encoder Workbench
Generate repeatable payloads for your report without relying on external tooling. The workbench keeps everything client-side and is safe to demonstrate during workshops.