Practice Arena

An opaque decision engine can be persuaded to reveal its inner logic if you understand how it thinks.

An e-prescription system was pulled from a telehealth platform after reports that unauthorized prescriptions were being issued. Forensics recovered the authorization binary, but the validation logic is unlike anything the analysts have seen — the decompiler output is useless. Something else is running inside this binary. Figure out what it's checking.

A custom communication protocol stands between you and privileged access to an orbital system.

Encrypted industrial commands reveal patterns that can be turned against the system itself.

Attack a Linear Congruential Generator used to seed genome sequencing tokens.

Exploit SSRF in a clinical data gateway to pivot to internal healthcare services.

Bypass AI-powered triage safety filters to extract sensitive patient data.

A high-security database won’t reveal its secrets directly, but it reacts just enough to careful probing.

Exploit NoSQL injection in a health data API to enumerate patient records.

A debugging feature meant for engineers quietly weakens the system’s core trust mechanism.

A smart city interface struggles to agree on which device it’s actually talking to.

A medical device manufacturer distributed a firmware validation tool to hospital IT departments. The tool checks a maintenance passphrase before granting access to ventilator diagnostics. A security researcher flagged that the authentication logic looks custom-built rather than using standard cryptographic libraries. Recover the passphrase.

Decrypt tampered audit log entries to reconstruct evidence of unauthorized access.

An autonomous system trusts user input a little too much, with consequences for who’s really in control.

A rural clinic's patient records were encrypted before transmission to the regional health authority. The encryption was implemented by a volunteer developer who prioritized speed over security. We have the public key and one encrypted record. Recover the contents before the outbreak response window closes.

Recover plaintext prescription data by exploiting a reused-key XOR cipher.

A neglected industrial control panel exposes more than it should to anyone who knows how to speak to it properly.

Discover an insecure direct object reference leaking patient portal records.

Use HTTP parameter pollution to bypass access controls in an electronic health record system.

An outdated piece of infrastructure still remembers how it was first set up, and it never forgot its secrets.

Inject commands into a wellness chatbot to exfiltrate internal configuration.

Trigger an integer overflow in a medical dosage calculator to uncover hidden functionality.

A logistics dashboard tells a clean public story, but the real picture is hiding just beneath the surface.

Analyze temperature sensor data to identify a break in the vaccine cold chain.