Lab Icon

Pwnify - Web Application Penetration Testing

Chain command injection to Linux privilege escalation in a music-app CTF

Hard Released 06 Jun 2026 Free Access Solution Locked
Web Application Security Mass Assignment Command Injection Hash Cracking Password Reuse Linux Privilege Escalation Linux Capabilities Penetration Testing

Pwnify is a full music-streaming app built for web application penetration testing practice. Sign up, build playlists, and upload tracks, then chain real flaws from a first foothold to a user flag and full root. Can you own the whole box?

2
Flags
70
XP
Start Your Challenge

Launch your dedicated machine to begin hacking

~1-2 min setup
Dedicated server
Private instance
Standard power
New here? Here's what to do
1
Click "Start Lab" above You'll get your own private machine with an IP address
2
Explore the target Open the IP in your browser and look for vulnerabilities
3
Find and submit flags Flags are secret text strings hidden in the system - paste them below to score

Ready to hack this lab?

Create a free account to start your own dedicated server, submit flags, and earn XP on the leaderboard.

Start Hacking Free

Related Labs

Labs that share similar skills with this one

Alpwned
Alpwned
Medium 40 XP 96
SQL Injection Authentication Bypass SSH Linux Privilege Escalation
FortiPy
FortiPy
Hard 70 XP 69
Web Application Security SSTI Flask Security SSH Brute Force
Compromised 1
Compromised 1
Medium 40 XP 114
Apache Tomcat Web Application Security WAR Deployment Default Credentials
Hack the Box
Hack the Box
Hard 70 XP 153
Directory Fuzzing X-Forwarded-For Spoofing Bruteforce ffuf
12,000+ Hackers 100+ Labs & Courses Free
Start Hacking Free