Share
## https://sploitus.com/exploit?id=F636864E-B593-516C-8160-0B460DC129EC
# ๐Ÿ•ถ๏ธ Dark Market Simulator

> **An intentionally vulnerable CTF-style web application for learning offensive and defensive security.**

---

## โš ๏ธ Legal Disclaimer

This project is a **100% fictional, sandboxed educational environment**. All listings, users, and data are fabricated. No real transactions, real credentials, or real exploits against live systems are involved. This is a **Capture The Flag (CTF)** platform designed for cybersecurity education.

---

## ๐ŸŽฏ What Is This?

Dark Market Simulator is a dark-web-aesthetic marketplace deliberately seeded with classic web vulnerabilities. Users ("hackers") browse fictional listings, discover hidden attack surfaces, exploit them, and collect cryptographic flags โ€” all in a safe, local or containerized environment.

It serves three audiences:

| Role | What They Get |
|------|--------------|
| **Student** | Hands-on practice with OWASP Top 10 in a realistic UI |
| **Instructor** | A ready-made CTF platform with a logging dashboard |
| **Researcher** | A honeypot-style analytics layer for studying attack patterns |

---

## โœจ Feature Overview

### ๐Ÿ›’ Fake Marketplace UI
- Browse fictional listings (database dumps, zero-days, tools โ€” all fake)
- BTC-style pricing, seller ratings, comment threads
- Dark UI aesthetic with Tor-style branding

### ๐Ÿ’ฃ Intentional Vulnerabilities (CTF Challenges)
| Flag | Vulnerability | Technique |
|------|--------------|-----------|
| ๐Ÿด Flag 1 | SQL Injection | `' OR 1=1 --` login bypass |
| ๐Ÿด Flag 2 | Broken Auth | JWT secret brute-force |
| ๐Ÿด Flag 3 | Stored XSS | Script injection via comments |
| ๐Ÿด Flag 4 | IDOR | Accessing other users' orders |
| ๐Ÿด Flag 5 | Path Traversal | Reading server config files |
| ๐Ÿด Flag 6 | SSRF | Internal network probing |

### ๐Ÿ–ฅ๏ธ Hacker Mode Terminal
- Toggle-able side panel that transforms the UI
- Context-aware hints injected per page
- Simulated terminal with fake `nmap`, `sqlmap` output

### ๐Ÿ“Š Logging Dashboard
- Every exploit attempt is logged (payload, endpoint, timestamp)
- Visual heatmap of most-targeted endpoints
- Export logs as JSON/CSV for academic reporting

### ๐Ÿ† Flag & Scoreboard System
- Cryptographic flags in `DMS{...}` format
- Real-time global leaderboard (or class-specific)
- Per-flag point values and difficulty ratings

---

## ๐Ÿ—‚๏ธ Repository Structure

```
dark-market-sim/
โ”œโ”€โ”€ README.md                    # This file
โ”œโ”€โ”€ ARCHITECTURE.md              # System design & data flow
โ”œโ”€โ”€ SKILL.md                     # Coding standards & AI assistant context
โ”œโ”€โ”€ CTF_CHALLENGES.md            # Vulnerability design specs
โ”œโ”€โ”€ API_SPEC.md                  # REST API reference
โ”œโ”€โ”€ SECURITY_NOTES.md            # Safe deployment guidelines
โ”‚
โ”œโ”€โ”€ server/                      # Node.js + Express backend
โ”‚   โ”œโ”€โ”€ app.js
โ”‚   โ”œโ”€โ”€ routes/
โ”‚   โ”‚   โ”œโ”€โ”€ auth.js              # Intentionally vulnerable auth
โ”‚   โ”‚   โ”œโ”€โ”€ listings.js
โ”‚   โ”‚   โ”œโ”€โ”€ admin.js
โ”‚   โ”‚   โ””โ”€โ”€ flags.js
โ”‚   โ”œโ”€โ”€ middleware/
โ”‚   โ”‚   โ”œโ”€โ”€ logger.js            # Attack attempt logger
โ”‚   โ”‚   โ””โ”€โ”€ hintInjector.js
โ”‚   โ”œโ”€โ”€ db/
โ”‚   โ”‚   โ”œโ”€โ”€ schema.sql
โ”‚   โ”‚   โ””โ”€โ”€ seed.js
โ”‚   โ””โ”€โ”€ utils/
โ”‚       โ””โ”€โ”€ flagGenerator.js
โ”‚
โ”œโ”€โ”€ client/                      # Vanilla HTML/CSS/JS frontend
โ”‚   โ”œโ”€โ”€ index.html
โ”‚   โ”œโ”€โ”€ assets/
โ”‚   โ”‚   โ”œโ”€โ”€ css/
โ”‚   โ”‚   โ”‚   โ”œโ”€โ”€ dark-theme.css
โ”‚   โ”‚   โ”‚   โ””โ”€โ”€ terminal.css
โ”‚   โ”‚   โ””โ”€โ”€ js/
โ”‚   โ”‚       โ”œโ”€โ”€ hacker-mode.js
โ”‚   โ”‚       โ”œโ”€โ”€ terminal.js
โ”‚   โ”‚       โ””โ”€โ”€ scoreboard.js
โ”‚   โ””โ”€โ”€ pages/
โ”‚       โ”œโ”€โ”€ login.html
โ”‚       โ”œโ”€โ”€ market.html
โ”‚       โ”œโ”€โ”€ listing.html
โ”‚       โ”œโ”€โ”€ dashboard.html       # Admin/logging (protected)
โ”‚       โ””โ”€โ”€ scoreboard.html
โ”‚
โ”œโ”€โ”€ docker/
โ”‚   โ”œโ”€โ”€ Dockerfile
โ”‚   โ””โ”€โ”€ docker-compose.yml
โ”‚
โ””โ”€โ”€ docs/
    โ”œโ”€โ”€ screenshots/
    โ””โ”€โ”€ writeups/                # Solution writeups (instructor-only)
```

---

## ๐Ÿš€ Quick Start

### Prerequisites
- Node.js โ‰ฅ 18
- npm โ‰ฅ 9
- SQLite3 (bundled via `better-sqlite3`)

### Installation

```bash
git clone https://github.com/yourname/dark-market-sim.git
cd dark-market-sim
npm install
npm run db:seed       # Seeds fake listings, users, flags
npm run dev           # Starts on http://localhost:3000
```

### Docker (Recommended for Isolation)

```bash
docker-compose up --build
# App: http://localhost:3000
# Dashboard: http://localhost:3000/admin  (admin:admin123)
```

---

## ๐Ÿ”ง Environment Variables

```env
PORT=3000
NODE_ENV=development
DB_PATH=./server/db/market.sqlite
JWT_SECRET=supersecret          # Intentionally weak โ€” part of Flag 2
ADMIN_PASSWORD=admin123
FLAG_SALT=DMS_INTERNAL_SALT
SESSION_SECRET=notverysecret
```

---

## ๐Ÿงช Tech Stack

| Layer | Technology | Why |
|-------|-----------|-----|
| Backend | Node.js + Express | Fast, approachable, wide tooling |
| Database | SQLite (better-sqlite3) | Zero-config, portable, easy to inspect |
| Auth | JWT + express-session | Allows realistic JWT vulnerability |
| Frontend | Vanilla HTML/CSS/JS | No framework overhead, max transparency |
| Containerization | Docker + Compose | Safe isolation for deployment |
| Logging | Winston + SQLite | Structured logs, queryable |

---

## ๐Ÿ“š Academic Use

This project can be cited/documented as:

> "Designed and deployed a purpose-built vulnerable web application modeled on real-world dark marketplace architecture, implementing OWASP Top 10 vulnerabilities as gamified CTF challenges with a real-time attack logging and analytics dashboard."

---

## ๐Ÿ“„ License

MIT License โ€” for educational use only.