# Pentest Sandbox

Intentionally vulnerable · 60+ missions · Web · Net · Crypto · Reverse · Cloud · Mobile
An intentionally vulnerable Flask application for pentest & CTF training.
60+ missions across web, network, crypto, forensics, reverse, cloud, and mobile.
⚠️ This application is intentionally insecure. Run it only in isolated environments (localhost, VM, or disposable container). Never expose it to the public internet.
Most "vulnerable by design" apps cover a single surface — web only (DVWA, Juice Shop), network only (Metasploitable), or one topic. Pentest Sandbox bundles a realistic lab that spans:
- Modern web vulns — SSTI, JWT abuse, GraphQL / NoSQL injection, deserialization, race conditions
- Network-layer missions backed by real TCP / UDP services
- Crypto, forensics, and reverse engineering with actual artifacts (pcaps, ELF binaries, .pyc, .apk)
- Cloud security — IAM privilege escalation, Terraform state, Kubernetes misconfig
- Mobile tracks — ADB, APK reversing, mobile header manipulation
Every mission has a hidden FLAG_*, progressive hints, and a dedicated route implementing the intentional vulnerability. Submit flags via the in-app dashboard or POST /internal/metrics — the check is a literal string compare with no rate limiting (by design).
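The flag check described above is a plain string compare with no throttling, which is what the lab wants you to notice. The following is an added example, not code from the Pentest Sandbox project, showing that weak check beside the hardened form a defender would write (constant-time compare plus a per-client sliding-window limiter); the `FLAGS` values and the function names are placeholders constructed for this example.

```python
import hmac
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed placeholder flag values; the real values live inside the app's routes.
FLAGS = {
    "FLAG_CAESAR_CIPHER_SOLVED": "flag{placeholder-caesar}",
    "FLAG_JWT_NONE_ALG_BYPASS": "flag{placeholder-jwt-none}",
}


def weak_check(name: str, submitted: str) -> bool:
    """The by-design weak check: literal string compare, unlimited attempts."""
    return FLAGS.get(name) == submitted


class SubmissionLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per client."""

    def __init__(self, limit: int = 5, window: float = 60.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent attempts

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[client_id]
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hardened_check(name: str, submitted: str, client_id: str,
                   limiter: SubmissionLimiter, now: Optional[float] = None) -> str:
    """Return 'rate_limited', 'correct' or 'incorrect'.

    Every attempt counts against the limiter, including correct ones, so a
    client cannot spray guesses. compare_digest runs in time independent of
    where the first mismatching byte is (it still returns early on unequal
    lengths, which only reveals the flag's length).
    """
    if not limiter.allow(client_id, now):
        return "rate_limited"
    expected = FLAGS.get(name, "")
    ok = hmac.compare_digest(expected.encode(), submitted.encode())
    return "correct" if ok and expected else "incorrect"
```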
Docker:

```bash
git clone https://github.com/eustormy/Pentest_Sandbox.git
cd Pentest_Sandbox
docker-compose up --build
```

App → http://localhost:5000 · UDP mission → :9999 · HTTP fingerprint → :8080

Native (Kali / Linux):

```bash
./start_native.sh
```

Installs deps with `pip --break-system-packages`, seeds the DB, and launches Gunicorn on port 5000.

Dev:

```bash
pip install -r requirements.txt
python seed.py   # one-time DB seed (idempotent)
python run.py    # Flask (5000) + HTTP (8080) + UDP (9999)
```

Termux / NetHunter:

```bash
./install-mobile.sh
```

Vagrant:

```bash
vagrant up
```

| Category | Examples |
|---|---|
| 🌐 Web | SQLi, XSS, SSRF, XXE, SSTI, IDOR, CSRF, Mass Assignment |
| 🔐 Auth & JWT | Broken auth, PIN brute-force, JWT none alg, weak-secret cracking |
| 📤 Upload & RCE | File upload RCE, command injection, SUID root read |
| 🧩 APIs | GraphQL introspection, GraphQL SQLi, MQTT topic interception |
| ☁️ Cloud | IAM privesc, Terraform state leak, Kubelet secret exposure |
| 🔑 Crypto | Caesar, poly-cipher, JWT decode, JS obfuscation |
| 🧬 Reverse | ELF binary cracking, APK manifest secrets, .pyc recovery |
| 🕵️ Forensics | PCAP analysis, DNS exfil, DB reconstruction, Git history secrets |
| 🖧 Network | HTTP fingerprinting (TCP 8080), UDP discovery (9999), Gobuster |
| 📱 Mobile | ADB remote access, header manipulation, APK manifest secrets |
| 🧰 Misc | Data privacy spoofer, IP spoofing, race conditions, Docker breakout |
Example flag names (not the actual values — those are hidden in the routes):

```text
FLAG_BROKEN_AUTH_ADMIN     FLAG_JWT_NONE_ALG_BYPASS     FLAG_CAESAR_CIPHER_SOLVED
FLAG_FILE_UPLOAD_RCE       FLAG_GRAPHQL_SQLI_SUCCESS    FLAG_KUBELET_EXPOSED_SECRET
FLAG_ELF_BINARY_CRACKED    FLAG_DOCKER_BREAKOUT_ROOT    FLAG_MQTT_TOPIC_INTERCEPTED
```
Total missions seeded: 57 (and growing).
| Mode | Command | Best for |
|---|---|---|
| Docker | `docker-compose up --build` | First run, isolated lab |
| Native | `./start_native.sh` | Kali / Linux — full tooling available |
| Dev | `python run.py` | Building / debugging missions |
| Termux | `./install-mobile.sh` | Android / NetHunter |
| Vagrant | `vagrant up` | Reproducible VM provisioning |
Default accounts seeded by `seed.py`:
| User | Password | Role |
|---|---|---|
| admin | admin123 | admin |
| user | password | normal |
| staff | sunshine | normal (weak — for brute-force missions) |
Project layout:

```text
app/
  __init__.py              create_app() factory
  models.py                SQLAlchemy models
  routes.py                90+ routes in a single blueprint
  config.json              Intentionally-leaked DB creds (XXE target)
  static/                  CSS + mission artifacts (pcaps, .pyc, .zip, ELF, PNGs)
  templates/               Jinja2 templates per mission
  utils/custom_parser.py   Intentionally-weak eval wrapper (SSTI / RCE)
run.py                     Dev entrypoint — Flask + HTTP:8080 + UDP:9999
services.py                Background services (used by Docker entrypoint)
seed.py                    Idempotent DB seed (users, products, missions, hints)
entrypoint.sh              Docker entrypoint: seed → Gunicorn
start_native.sh            Native Kali launcher
install-mobile.sh          Termux / NetHunter setup
Dockerfile                 python:3.9-slim + iputils-ping
docker-compose.yml         Exposes 5000/TCP + 9999/UDP, persists instance/
Vagrantfile                Ubuntu 20.04 VM provisioner
requirements.txt           Python dependencies
instance/                  Runtime SQLite DB (gitignored)
```
Environment variables:

| Variable | Default | Purpose |
|---|---|---|
| `SECRET_KEY` | random per-process | Flask session signing |
| `DATABASE_URL` | `sqlite:///instance/shop.db` | SQLAlchemy DB URI |
Mission ideas, fixes, and improvements are welcome. See `CONTRIBUTING.md` for the mission format, style guide, and PR workflow. Starter tasks are labeled `good first issue`.
This project follows the Contributor Covenant.
MIT. Intentionally-vulnerable software — use only in authorized, isolated environments.