Challenges sit next to guided labs in the sidebar. They are the same idea on harder mode. A vulnerable app, a real CVE behind it, but no five-step walkthrough. You get a target, a difficulty rating, and a flag to capture.

What a challenge looks like

The challenges catalog is a grid, similar to the labs catalog. Each card shows:
  • The CVE ID and a title.
  • A difficulty badge: Easy, Medium, or Hard.
  • A status indicator: open or solved.
  • The XP on offer.
There is no brief, no locate, no patch walkthrough. You launch the sandbox, you exploit the bug, you submit the flag. That is it.

Difficulty versus severity

A challenge’s difficulty rating is not the same as a CVE’s severity. Difficulty is about how much work the bug takes to demonstrate end to end on this specific target:
  • Easy: one or two requests. You should be able to do this in a single session.
  • Medium: a chain. Multiple steps, possibly multiple vulnerabilities composed together.
  • Hard: substantial. Custom tooling helps. Time blocks of several hours are reasonable.
A critical-severity CVE can be an easy challenge. A medium-severity bug can be a hard one. Read the difficulty rating, not the severity.

Launching the challenge sandbox

Same as a lab sandbox. Click launch, wait for the container, open the URL in a new tab. The container is private to you, has the same time budget as a lab sandbox, and is destroyed when you stop it or when the budget expires. Each new launch is a clean container. If you make a mess of the file system or break the app, restart and try again.

Capturing the flag

A flag is a short string the platform plants somewhere inside the sandbox that only an attacker who has actually exploited the bug can reach. Sometimes it is a file on disk. Sometimes a value in a database. Sometimes a response from a specific endpoint that the bug unlocks. The flag format is consistent across the platform: a recognisable prefix followed by a hex string. When you see it, you will know. To submit, paste the flag into the flag submit form on the challenge detail page and click submit. The platform tells you immediately whether it is correct.

First blood

The first person to submit the correct flag for a challenge gets first blood. Their handle and the timestamp lock in on the challenge page for everybody to see. First blood is not a leaderboard category of its own. It is just a banner on the challenge page that says you got there first. It does not affect XP.

What if the flag does not work

A few common reasons:
  • The flag was copied with trailing whitespace. Trim it.
  • The challenge was solved against a stale state. Restart the sandbox and pull the flag again.
  • The flag is from the wrong challenge. Easy mistake if you have several tabs open.
If you are confident the flag is right and it is being rejected, send the challenge CVE ID and the flag (or its first few characters) to support.

Why challenges exist alongside labs

Labs teach. Challenges test. After you have done a few labs in a class of vulnerability (say, prototype pollution), the next thing is to handle one with the walkthrough removed. The challenge in the same class is exactly that exercise. The bug is still there. The sandbox is still real. The hand-holding is gone. Both modes earn XP. Both feed the leaderboard. You will know when you are ready to switch from labs to challenges, because the lab questions start feeling obvious.
