Jason is an easy box where we’ll practice exploiting insecure deserialization in NodeJS. To make it a little more interesting, this is a blind vulnerability, meaning we’ll have to find some other way besides checking if our input is reflected back to us to verify code execution.

Kiba is a quick and fun challenge where we’ll attack a vulnerability in a popular open source data visualization application called Kibana to get remote code execution and gain shell access on the host.