Share
## https://sploitus.com/exploit?id=F636864E-B593-516C-8160-0B460DC129EC
# ๐ถ๏ธ Dark Market Simulator
> **An intentionally vulnerable CTF-style web application for learning offensive and defensive security.**
---
## โ ๏ธ Legal Disclaimer
This project is a **100% fictional, sandboxed educational environment**. All listings, users, and data are fabricated. No real transactions, real credentials, or real exploits against live systems are involved. This is a **Capture The Flag (CTF)** platform designed for cybersecurity education.
---
## ๐ฏ What Is This?
Dark Market Simulator is a dark-web-aesthetic marketplace deliberately seeded with classic web vulnerabilities. Users ("hackers") browse fictional listings, discover hidden attack surfaces, exploit them, and collect cryptographic flags โ all in a safe, local or containerized environment.
It serves three audiences:
| Role | What They Get |
|------|--------------|
| **Student** | Hands-on practice with OWASP Top 10 in a realistic UI |
| **Instructor** | A ready-made CTF platform with a logging dashboard |
| **Researcher** | A honeypot-style analytics layer for studying attack patterns |
---
## โจ Feature Overview
### ๐ Fake Marketplace UI
- Browse fictional listings (database dumps, zero-days, tools โ all fake)
- BTC-style pricing, seller ratings, comment threads
- Dark UI aesthetic with Tor-style branding
### ๐ฃ Intentional Vulnerabilities (CTF Challenges)
| Flag | Vulnerability | Technique |
|------|--------------|-----------|
| ๐ด Flag 1 | SQL Injection | `' OR 1=1 --` login bypass |
| ๐ด Flag 2 | Broken Auth | JWT secret brute-force |
| ๐ด Flag 3 | Stored XSS | Script injection via comments |
| ๐ด Flag 4 | IDOR | Accessing other users' orders |
| ๐ด Flag 5 | Path Traversal | Reading server config files |
| ๐ด Flag 6 | SSRF | Internal network probing |
### ๐ฅ๏ธ Hacker Mode Terminal
- Toggle-able side panel that transforms the UI
- Context-aware hints injected per page
- Simulated terminal with fake `nmap`, `sqlmap` output
### ๐ Logging Dashboard
- Every exploit attempt is logged (payload, endpoint, timestamp)
- Visual heatmap of most-targeted endpoints
- Export logs as JSON/CSV for academic reporting
### ๐ Flag & Scoreboard System
- Cryptographic flags in `DMS{...}` format
- Real-time global leaderboard (or class-specific)
- Per-flag point values and difficulty ratings
---
## ๐๏ธ Repository Structure
```
dark-market-sim/
โโโ README.md # This file
โโโ ARCHITECTURE.md # System design & data flow
โโโ SKILL.md # Coding standards & AI assistant context
โโโ CTF_CHALLENGES.md # Vulnerability design specs
โโโ API_SPEC.md # REST API reference
โโโ SECURITY_NOTES.md # Safe deployment guidelines
โ
โโโ server/ # Node.js + Express backend
โ โโโ app.js
โ โโโ routes/
โ โ โโโ auth.js # Intentionally vulnerable auth
โ โ โโโ listings.js
โ โ โโโ admin.js
โ โ โโโ flags.js
โ โโโ middleware/
โ โ โโโ logger.js # Attack attempt logger
โ โ โโโ hintInjector.js
โ โโโ db/
โ โ โโโ schema.sql
โ โ โโโ seed.js
โ โโโ utils/
โ โโโ flagGenerator.js
โ
โโโ client/ # Vanilla HTML/CSS/JS frontend
โ โโโ index.html
โ โโโ assets/
โ โ โโโ css/
โ โ โ โโโ dark-theme.css
โ โ โ โโโ terminal.css
โ โ โโโ js/
โ โ โโโ hacker-mode.js
โ โ โโโ terminal.js
โ โ โโโ scoreboard.js
โ โโโ pages/
โ โโโ login.html
โ โโโ market.html
โ โโโ listing.html
โ โโโ dashboard.html # Admin/logging (protected)
โ โโโ scoreboard.html
โ
โโโ docker/
โ โโโ Dockerfile
โ โโโ docker-compose.yml
โ
โโโ docs/
โโโ screenshots/
โโโ writeups/ # Solution writeups (instructor-only)
```
---
## ๐ Quick Start
### Prerequisites
- Node.js โฅ 18
- npm โฅ 9
- SQLite3 (bundled via `better-sqlite3`)
### Installation
```bash
git clone https://github.com/yourname/dark-market-sim.git
cd dark-market-sim
npm install
npm run db:seed # Seeds fake listings, users, flags
npm run dev # Starts on http://localhost:3000
```
### Docker (Recommended for Isolation)
```bash
docker-compose up --build
# App: http://localhost:3000
# Dashboard: http://localhost:3000/admin (admin:admin123)
```
---
## ๐ง Environment Variables
```env
PORT=3000
NODE_ENV=development
DB_PATH=./server/db/market.sqlite
JWT_SECRET=supersecret # Intentionally weak โ part of Flag 2
ADMIN_PASSWORD=admin123
FLAG_SALT=DMS_INTERNAL_SALT
SESSION_SECRET=notverysecret
```
---
## ๐งช Tech Stack
| Layer | Technology | Why |
|-------|-----------|-----|
| Backend | Node.js + Express | Fast, approachable, wide tooling |
| Database | SQLite (better-sqlite3) | Zero-config, portable, easy to inspect |
| Auth | JWT + express-session | Allows realistic JWT vulnerability |
| Frontend | Vanilla HTML/CSS/JS | No framework overhead, max transparency |
| Containerization | Docker + Compose | Safe isolation for deployment |
| Logging | Winston + SQLite | Structured logs, queryable |
---
## ๐ Academic Use
This project can be cited/documented as:
> "Designed and deployed a purpose-built vulnerable web application modeled on real-world dark marketplace architecture, implementing OWASP Top 10 vulnerabilities as gamified CTF challenges with a real-time attack logging and analytics dashboard."
---
## ๐ License
MIT License โ for educational use only.