🐀🐀🐀🐀🐀

The XSS Rat

Premium Machine (Locked)

The XSS Rat's personal research platform: a PHP blog engine with a dangerous API and a secrets-laden internal service. Chain stored XSS through to SSRF, extract admin credentials from an internal endpoint, and abuse a sudo GTFOBin to root. Nothing about this box is accidental — every quirk is a clue.
