╔══════════════════════════════════════════╗
║ ║
║ APP ASSAULT LAB ║
║ Attacking Common Applications ║
║ ║
║ 11 Vulnerable Apps | 11 CVEs ║
║ 325 Points | Real Exploits ║
║ ║
╚══════════════════════════════════════════╝
A collection of intentionally vulnerable real-world applications for practicing exploitation techniques.
Each application runs a specific vulnerable version with known CVEs and misconfigurations. Enumerate, exploit, and capture the flag from each target.
git clone https://github.com/phantom-offensive/AppAssault.git
cd AppAssault
cp .env.example .env # Customize flags/passwords or use defaults
docker compose up -d
# Wait 3-5 minutes for all services to initialize
# Open scoreboard: http://localhost:9099- Docker + Docker Compose
- 8GB+ RAM (recommended 16GB)
- Kali Linux or equivalent pentest OS
| # | Target | Category | Port | Points | Difficulty |
|---|---|---|---|---|---|
| 1 | WordPress | CMS | 9001 | 20 | Easy |
| 2 | Joomla | CMS | 9002 | 20 | Easy |
| 3 | Gitea | DevOps | 9003 | 25 | Medium |
| 4 | Tomcat | Servlet | 9004/9009 | 30 | Medium |
| 5 | Jenkins | DevOps | 9005 | 30 | Medium |
| 6 | GitLab CE | DevOps | 9006 | 40 | Hard |
| 7 | Splunk | Monitoring | 9007 | 30 | Medium |
| 8 | Apache | CGI | 9012 | 25 | Medium |
| 9 | Bash/CGI | CGI | 9013 | 20 | Easy |
| 10 | phpMyAdmin | Data | 9014 | 35 | Hard |
| 11 | OpenLDAP | Data | 9015 | 15 | Easy |
Total: 325 points | Scoreboard: http://localhost:9099
┌─────────────────────────────────────────────────────────────┐
│ appnet — 10.30.10.0/24 │
│ │
│ CMS DevOps │
│ ├─ wordpress 10.30.10.10 ├─ tomcat 10.30.10.40 │
│ ├─ joomla 10.30.10.20 ├─ jenkins 10.30.10.50 │
│ │ ├─ gitlab 10.30.10.60 │
│ Source Control │ │
│ ├─ gitea 10.30.10.30 Monitoring │
│ │ ├─ splunk 10.30.10.70 │
│ CGI/Legacy │
│ ├─ apache-cgi 10.30.10.80 Data & Services │
│ ├─ shellshock 10.30.10.81 ├─ phpmyadmin 10.30.10.90 │
│ │ ├─ openldap 10.30.10.100 │
│ Scoreboard │
│ └─ scoreboard 10.30.10.200 │
└─────────────────────────────────────────────────────────────┘
For each target:
- Discovery — Port scan, service identification, version detection
- Enumeration — Application-specific enumeration (WPScan, droopescan, etc.)
- Exploitation — Exploit the CVE or misconfiguration
- Post-Exploitation — Read the flag, demonstrate impact
- Submit — Submit flags to scoreboard at http://localhost:9099
- nmap — Service discovery and version detection
- WPScan — WordPress vulnerability scanner
- Metasploit — Exploit framework
- Burp Suite — Web proxy
- curl — HTTP client
- searchsploit — Exploit database search
- nuclei — Vulnerability scanner
- ldapsearch — LDAP enumeration
# Via scoreboard UI
open http://localhost:9099
# Via API
curl -X POST http://localhost:9099/api/submit \
-H "Content-Type: application/json" \
-d '{"flag":"FLAG{...}"}'All applications are intentionally vulnerable. Do NOT expose to the internet. Run locally or in an isolated network for training only.
Opeyemi Kolawole — GitHub
BSD 3-Clause