I built 41 browser hacking levels that walk the entire web attack surface
▲ 7 r/Cybersecurity101+1 crossposts

I built 41 browser hacking levels that walk the entire web attack surface

MIRAGE: L0 to L40, all in your browser. No SSH, no VM, no Kali

What you actually walk through:

  • recon & client-side trust
  • broken access control / IDOR / BOLA
  • BaaS + RLS misconfig (the Firebase/Supabase class)
  • auth, JWT & token abuse
  • the full injection family SQLi, NoSQLi, SSTI, command
  • XSS, SSRF, insecure deserialization, GraphQL
  • and the finale: AI/LLM exploitation direct & stored prompt
  • injection, insecure output handling (markdown-image exfil),
  • excessive - agency / confused-deputy tool abuse, vector-store BOLA. Anchored to - real 2025-2026 CVEs and incidents (yes, EchoLeak-style indirect - injection is in there)

It's live right now: https://breachlab.org/tracks/mirage

u/Middle-Mode3001 — 4 days ago

I built 41 browser hacking levels that walk the entire web attack surface

MIRAGE: L0 to L40, all in your browser. No SSH, no VM, no Kali

What you actually walk through:

  • recon & client-side trust
  • broken access control / IDOR / BOLA
  • BaaS + RLS misconfig (the Firebase/Supabase class)
  • auth, JWT & token abuse
  • the full injection family SQLi, NoSQLi, SSTI, command
  • XSS, SSRF, insecure deserialization, GraphQL
  • and the finale: AI/LLM exploitation direct & stored prompt - injection, insecure output handling (markdown-image exfil), excessive - agency / confused-deputy tool abuse, vector-store BOLA. Anchored to - real 2025-2026 CVEs and incidents (yes, EchoLeak-style indirect - injection is in there)

It's live right now: https://breachlab.org/tracks/mirage

reddit.com
u/Middle-Mode3001 — 4 days ago
▲ 109 r/pwnhub+1 crossposts

I built 41 browser hacking levels that walk the entire web attack surface

Most web CTFs throw you 10 random challenges and call it a day. I wanted the opposite: one linear chain where every level is a real looking product with exactly one intentional flaw and the flaws march in order from "right-click → view source" all the way to indirect prompt injection

MIRAGE: L0 to L40, all in your browser. No SSH, no VM, no Kali

What you actually walk through:

  • recon & client-side trust
  • broken access control / IDOR / BOLA
  • BaaS + RLS misconfig (the Firebase/Supabase class)
  • auth, JWT & token abuse
  • the full injection family — SQLi, NoSQLi, SSTI, command
  • XSS, SSRF, insecure deserialization, GraphQL
  • and the finale: AI/LLM exploitation — direct & stored prompt injection, insecure output handling (markdown-image exfil), excessive agency / confused-deputy tool abuse, vector-store BOLA. Anchored to real 2025-2026 CVEs and incidents (yes, EchoLeak-style indirect injection is in there)

It's live right now: https://breachlab.org/tracks/mirage

u/Middle-Mode3001 — 6 days ago
▲ 194 r/pwnhub+1 crossposts

🔥 BreachLab 2.0 is live

We rebuilt the entire platform. Same mission: learn offensive security by breaking real systems, not watching slideshows.

What's new in 2.0:

  • Full redesign — faster, cleaner, built for operators
  • 13 tracks · 320+ levels — Linux fundamentals → red-team ops
  • Specter — complete OSINT/recon track (passive intel at pro grade)
  • KoTH — live King-of-the-Hill battle arenas
  • Leaderboards — speedruns, first-bloods, weekly resets
  • Achievement roles synced straight to your Discord
  • Verifiable completion certificates

Every level is a live target on real infrastructure. You break in to learn.

Still 100% free.

https://breachlab.org

u/Middle-Mode3001 — 29 days ago

Specter is the third track on BreachLab — 14 levels (L0 → L13). Ephemeral per-session containers, per-player cryptographic flags — a flag leaked in Discord doesn't unlock anything for the leaker.

What's in there:

  • L0–L2: passive recon foundations — WHOIS / DNS / cert transparency / breach DBs / multi-engine dorking / GitHub + Wayback secret hunting with SOC canaries.
  • L3–L5: SPA bundle reverse-engineering, 30-person org chart with Admiralty A1–F6 grading, sock-puppet persona surviving 21-day warmup + 5 SOC probes (one detection burns the operation).
  • L6–L8: geolocate photos to ±50m via shadow azimuth + OSM + biome, deepfake adjudication across 8 forensic axes (Yandex / iris / lighting cone / lipsync — one candidate is Flux + adversarial perturbation), 30-day travel-pattern reconstruction via ADS-B + AIS + Strava heatmap + IATA boarding-pass + timezone fingerprint, with 4 planted counter-OSINT decoys you have to catch.

Every level audited per-brief, solvable via the intended path. Adversarial decoys are not optional — single-source legs are landmines, and persona-burn lockouts (3 burns / 30 min = 3-hour cooldown) make speedruns expensive. If you find a bypass — submit the flag and tell us how.

Ghost (Linux fundamentals + privesc, 23 levels) and Phantom (post-exploitation, 32 levels) come first. Specter is the OSINT discipline track. Free. No signup wall. Scoring on-platform.

https://breachlab.org

Feedback welcome, ideally in the form of a flag

u/Middle-Mode3001 — 2 months ago

Ghost is the first track on BreachLab — the platform I've been building for the last few months. 23 Linux levels, 0 → 22, SSH wargame in the Bandit
lineage but rewritten top to bottom on real containers with real constraints. No writeups online, no hand-holding, no skip buttons.

What's in there:

  • L0-L8: shell fundamentals — pipes, processes, perms, archives, encodings. The stuff every operator should own cold.

  • L9-L15: SUID hunting, log parsing, weird binaries, services on loopback, a shard gatekeeper on a raw TCP port.

  • L16-L22: real privesc chains, SUID helpers you have to reason about, and a graduation box that actually tests whether you learned anything.

Every level has been audited per-brief, solvable via the intended path.
Players have been tearing it apart for weeks and we keep patching — if you find a bypass, submit the flag and tell us how.

Ghost is the entry exam. Clear it and Phantom (32-level post-exploitation
track) unlocks. First 100 operators to beat Phantom get permanent Founding Operative status on the platform.

Free. No signup wall to look around. Scoring is on-platform.

https://breachlab.org

Feedback welcome, ideally in the form of a flag

u/Middle-Mode3001 — 2 months ago