I left college with a decent amount of programming experience, mostly in Java, but never really had an opportunity to actually use it.  Sure, I had an <sarcasm>absolute blast</sarcasm> creating everything from calculators, to red-black trees, to web servers while at school, but I was never really able to apply it to something I found fun and interesting.  But one day, as I was trying to find a decent purposely vulnerable web application to use for a capture the flag event… it hit me.  Why the f*** haven’t I just made my own?

And so the adventure began.  One man, one mission.  Fueled by a little determination, a lot of boredom, and even more Red Bull, I set out on a quest to development my own purposely vulnerable web application.  A mission to be the best, like no one ever was…


Now that the Pokemon theme song is stuck in your head, let’s run through what was used to create the application.


Although my primary language is Java, I decided to go with Node.js for the back end programming.  I decided to say f*** it, let’s be a good lifelong learner and do something crazy.  But it all seriousness, Node.js is a great language to learn.  Being able to simply require modules made development much easier to manage.  If you’re not familiar with Node JS, it has a simple module loading system.  These modules are open source, and you can develop your own.  Requiring a module looks something like this:

var sql = require('mysql');

Boom. Done. Now we can do sh*t like…

var connection = sql.createConnection()

And then use that connection to query our database for users, or site content, or the meaning of life (it shockingly returned 42).

I specifically used Express JS while developing the web application.  Express JS is a Node.js web application framework that provides a set of features for web and mobile applications.  Again, all you gotta do is require it, and you’re good to go.

MySQL Database

I mean… we like SQL injections, right? There’s a well documented module for MySQL and it’s very easy to set up.  Then I just got myself MySQL Workbench and went to town.  Nothing fancy, just the best looking database schema you’ve ever seen (jk it was horrible).


Jade is a Node template engine.  If you’ve never used/seen it before, chill… there are HTML -> Jade converters online.  That’s what I did.  It can be a bit of a pain in the ass since it uses white space and indentation as part of its language.  Here’s a little of taste of it:



The Goal

We’ve all played around on one vulnerable web app or another.  Stumbling across SQL injections, executing XSS, and all that other fun stuff.  But I thought it would be fun to do a different take.  Rather than hunting for a butt load of vulnerabilities, the goal is to find a few vulnerabilities and fully exploit them.  On top of that, I decided to make most of the “flags” something that you had to continually hold onto.  Not only are you hunting and exploiting vulnerabilities, you’re also defending the flags you’ve found from other players.  Suddenly, we’ve gone from good ol’ capture the flag to…

King of the Hill

Yup, that’s right!  This vulnerable app isn’t your grandfathers CTF game. It’s a constant uphill battle versus everyone else who’s playing, as well as the website admin.  The game flows a little something like this:

  1. Players must first find out what the hills are by discovering hidden hints.
  2. Once found, the players hunt vulnerabilities related to the hills on the list.
  3. Players earn points by controlling a hill until the end of the game.
  4. There is a final hill that will earn the most points and end the game.

There are some extra little bits of information hidden throughout the application.  The admin also has the ability to lock users, reset their passwords, and watch their traffic.

If you’re interested in taking a look at the code, you can find the full source code on Github.  More technical information can be found in the Git Wiki as well.

Thanks for reading and happy hacking!



Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

About Jean Fleury

Naval officer, privateer, cyber security professional. Traded in my five-ship squadron for a computer and Burp Suite license.


Security Research


, , , , , , ,