Install these before you start:
- Docker (required)
- A terminal
- A web browser
- Burp Suite Community Edition (recommended for evidence/screenshots)
- curl (recommended, usually preinstalled on macOS/Linux)
Follow these steps in order.
For easier management, you can use Docker Desktop to load images and run containers instead of the terminal. Docker Desktop provides a graphical interface to:
- Start/stop containers
- View logs
- Manage images
- Monitor resource usage
To use Docker Desktop:
- Open Docker Desktop from the Start Menu (Windows) or Applications (macOS).
- Wait until Docker Desktop shows it is running.
- Use the "Images" tab to load your .tar file (either acme-support.tar or windows_vuln_lab.tar).
- Use the "Containers" tab to start the lab container using the compose file.
You can still use the terminal for advanced commands, but Docker Desktop makes it easier to manage and troubleshoot containers.
You will receive the following files from your instructor:
- acme-support.tar — the lab Docker image (built on macOS)
- windows_vuln_lab.tar — the lab Docker image (built on Windows)
- docker-compose.yml — the container configuration
Place all files in the same folder on your machine (e.g. acme-lab/).
Important: If you encounter issues loading or running acme-support.tar (especially on Windows), use windows_vuln_lab.tar instead. Some students have reported problems with the macOS image on Windows. To use the Windows version, substitute windows_vuln_lab.tar wherever you see acme-support.tar in the instructions below.
You must have Docker running before using docker compose.
macOS:
- Open Docker Desktop from Applications.
- Wait until it shows "Docker Desktop is running".
Windows:
- Open Docker Desktop from Start Menu.
- Wait until it shows "Engine running".
Linux (systemd):
```bash
sudo systemctl start docker
sudo systemctl enable docker
```
If your user is not in the docker group (Linux), either:
- Run Docker commands with sudo, or
- Add your user to the group with `sudo usermod -aG docker $USER`, then log out and back in.
Run:
```bash
docker version
docker compose version
docker info
```
If these fail, Docker is not fully running yet.
From the folder containing your lab files:
```bash
docker load -i acme-support.tar
# If you have issues, try:
docker load -i windows_vuln_lab.tar
```
You should see output like `Loaded image: acme-support:latest` or `Loaded image: windows_vuln_lab:latest`.
Start the lab:
```bash
docker compose up
```
Keep this terminal open while the lab is running.
Stop:
```bash
Ctrl + C
docker compose down
```
Restart:
```bash
docker compose up
```
Reset the lab (this generates a new instance identity and new flag values):
```bash
docker compose down
rm -rf labdata
docker compose up
```
On Windows PowerShell:
```powershell
docker compose down
Remove-Item -Recurse -Force .\labdata
docker compose up
```
You are assessing an intentionally vulnerable web application running locally via Docker.
Your goal is to complete all four required attacks in sequence and retrieve the final flag in the format FLAG{...}.
The application's hint system at /hints will guide you through each step. You must unlock each stage by proving you completed it before you can progress to the next.
- This environment is for training only.
- Run it locally on a private network only.
- Do not deploy it publicly.
- Do not attack systems outside this lab.
You must complete all four attacks in order. Each step builds on the previous one.
- Information Disclosure — Extract a secret token from the application's response headers
- API Discovery — Find and enumerate hidden API documentation
- Path Traversal — Read a sensitive internal file by exploiting an unsafe file endpoint
- XXE (XML External Entity) — Use a malicious XML payload to read a protected server-side file and retrieve the final flag
Submit one ZIP file containing:
- flag.txt
- instance_id.txt
- writeup.md (or PDF)
- evidence/
Include the following sections in writeup.md. Keep responses concise — bullet points are fine.
| Attack # | Vulnerability Type | Endpoint(s) Targeted | Tool Used | What Was Gained |
|---|---|---|---|---|
| 1 | Information Disclosure | | | |
| 2 | API Discovery | | | |
| 3 | Path Traversal | | | |
| 4 | XXE | | | |
For each step, briefly answer the prompts below in 2–4 bullet points.
Step 1 - Information Disclosure:
- What endpoint you targeted
- What value you found and where it appeared
Step 2 - API Discovery:
- How you located the API documentation
- What endpoints it listed
Step 3 - Path Traversal:
- What request you crafted
- What file you read and what it revealed
Step 4 - XXE and Flag Retrieval:
- How you crafted your XML payload
- How you retrieved the resolved content
- The final FLAG{...} you obtained
For each of the four attacks, provide:
- One request artifact
- One response artifact
Minimum total: 8 evidence artifacts.
Accepted evidence types:
- Burp Repeater screenshot with full request visible
- Burp exported request/response
- curl command plus output
- Browser screenshot plus matching network request details
File naming format:
evidence/attack1_request.png
evidence/attack1_response.png
evidence/attack2_request.png
evidence/attack2_response.png
evidence/attack3_request.png
evidence/attack3_response.png
evidence/attack4_request.png
evidence/attack4_response.png
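To collect and check curl-based evidence in the format above, here is an added helper script (example code, not part of the lab files). It assumes the lab URL http://localhost:8090 from this handout and that .txt artifacts are acceptable in place of the .png names when curl output is the evidence.

```bash
#!/usr/bin/env bash
# Added evidence helper for this lab; not part of the lab files.
# Assumptions: lab at http://localhost:8090, .txt artifacts accepted for curl evidence.

LAB_URL="${LAB_URL:-http://localhost:8090}"
EVIDENCE_DIR="${EVIDENCE_DIR:-evidence}"

# evidence_path N KIND -> prints the artifact path, e.g. evidence/attack3_request.txt
evidence_path() {
  local n="$1" kind="$2"
  case "$n" in 1|2|3|4) ;; *) echo "attack number must be 1-4, got '$n'" >&2; return 1 ;; esac
  case "$kind" in request|response) ;; *) echo "kind must be request or response" >&2; return 1 ;; esac
  printf '%s/attack%s_%s.txt\n' "$EVIDENCE_DIR" "$n" "$kind"
}

# capture_evidence N PATH [curl args...]
# Records the exact curl command line as the request artifact and the full
# response (status line, headers and body, via -i) as the response artifact.
capture_evidence() {
  [ $# -ge 2 ] || { echo "usage: capture_evidence N PATH [curl args...]" >&2; return 1; }
  local n="$1" path="$2" req resp arg; shift 2
  req=$(evidence_path "$n" request) || return 1
  resp=$(evidence_path "$n" response) || return 1
  mkdir -p "$EVIDENCE_DIR"
  printf 'curl -sS -i %q' "$LAB_URL$path" > "$req"
  for arg in "$@"; do printf ' %q' "$arg" >> "$req"; done
  printf '\n' >> "$req"
  curl -sS -i "$LAB_URL$path" "$@" > "$resp"
}

# missing_evidence -> prints each of the 8 required artifacts that is absent or empty
# (one per line); returns 1 if anything is missing, 0 when all 8 are present.
missing_evidence() {
  local n kind p missing=0
  for n in 1 2 3 4; do
    for kind in request response; do
      p=$(evidence_path "$n" "$kind")
      if [ ! -s "$p" ]; then echo "$p"; missing=1; fi
    done
  done
  return "$missing"
}
```

Call `capture_evidence N /path [extra curl args]` once per attack, then run `missing_evidence` before zipping to catch a missing request/response pair.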
At the end of your writeup, include:
- Exact contents of labdata/instance_id.txt
- Your final FLAG{...}
- 4 required attacks completed: 50 points
- Evidence quality (8 required artifacts): 30 points
- Chain explanation clarity: 20 points
Deductions:
- Fewer than 4 attacks completed: maximum 59%
- Correct flag but weak/missing evidence: maximum 69%
- Missing request/response evidence pair: -10 per missing pair
docker: command not found:
Docker is not installed correctly or your terminal needs a restart.
Cannot connect to the Docker daemon:
Docker Desktop/Engine is not running.
Error response from daemon: No such image:
Run docker load -i acme-support.tar before running docker compose up.
port is already allocated or address already in use for 8090:
Stop the process using port 8090, then rerun.
Container starts but app not reachable:
Check the logs in the terminal running docker compose up. Confirm the URL is exactly http://localhost:8090.