Provisioning your session
You've been issued an authenticated terminal against the cITyOT incident-management API for Kiron. We're spinning up a dedicated instance just for you — nothing you do here will affect anyone else's session.
What you're about to attack
The cITyOT REST + WebSocket API mediates incidents, sealed reports, district feeds, exec briefings, and webhook callbacks to the oversight committee. Your authenticated starting point is the operator account on team01.
Five things in the API are wrong in interesting ways. Each is a real bug a real engineer could ship. You won't need to brute-force anything. Walk the surface, notice what a low-clearance account shouldn't be able to do, and try it. There are no hints for this series of challenges, just you and the API. If you break something, don't worry: your session is isolated and ephemeral. Just close the terminal and click the link in ranges.io again to start fresh.
Flags score automatically the moment the API observes the exploit — you don't need to copy or submit a flag string. Watch the Ranges.io challenge board.