
Pwnify - Web Application Penetration Testing

Chain command injection to Linux privilege escalation in a music-app CTF

Difficulty: Hard | Updated 06 Jun 2026 | Free Access | Solution (Pro)

Tags: Web Application Security, Mass Assignment, Command Injection, Hash Cracking, Password Reuse, Linux Privilege Escalation, Linux Capabilities, Penetration Testing

Pwnify is a full music-streaming app built for web application penetration testing practice. Sign up, build playlists, and upload tracks, then chain real flaws from a first foothold to a user flag and full root. Can you own the whole box?

2 Flags | 70 XP | 50% Success Rate

What is web application penetration testing?

Web application penetration testing is the hands-on practice of attacking a real web app the way an adversary would: mapping its features, finding flaws in how it handles input and trust, and chaining those flaws into real impact. The best way to learn it is on a target that behaves like production software, not a stripped-down demo. Pwnify is built for exactly that.

How the Pwnify lab works

Pwnify is a working music-streaming application. You register an account, browse artists and albums, search the catalog, stream tracks in a real audio player, and build playlists you can share. Verified artists get a Studio where they upload their own music. None of it is faked, so every page is fair game for testing.

You begin as an anonymous visitor and finish, if you do it right, as root on the server. Two flags mark your progress: a user flag in a home directory once you land a shell, and a root flag in /root once you take over the host. The path runs through the web app first and then into the Linux machine behind it, so you practice both web application penetration testing and Linux privilege escalation in a single challenge.

What you will practice

This is a Hard lab with several non-obvious steps. You will reach a feature you are not meant to use, turn user input into command execution, recover and crack a stored credential, reuse it to log in, and abuse a misconfigured Linux capability to become root. Each link in the chain is a technique that shows up in real engagements. Work it from the HackerDNA Attack Terminal, take notes as you go, and open the learning tasks if you get stuck.

What You Will Learn

  • Exploit a mass-assignment flaw to reach a hidden privileged feature
  • Achieve remote code execution through OS command injection in media processing
  • Crack a legacy MD5 password hash using rockyou with john or hashcat
  • Pivot through password reuse to gain an SSH foothold and capture the user flag
  • Escalate to root by abusing a Linux cap_setuid file capability
  • Chain web and Linux techniques into a full web-to-root compromise

Prerequisites

Basic Linux commands, HTTP and web requests, curl or Burp Suite, password hash cracking, SSH basics

New here? Here's what to do

1. Click "Start Lab" above. You'll get your own private machine with an IP address.
2. Explore the target. Open the IP in your browser and look for vulnerabilities.
3. Find and submit flags. Flags are secret text strings hidden in the system - paste them below to score.