⚠ Educational Environment: This is a deliberately vulnerable application for cybersecurity training only.

Cybersecurity Training  ·  Web App Exploitation

First National Bank
CTF Challenge

Explore a realistic intentionally vulnerable banking application. Find 10 hidden flags across SQL injection, XSS, directory traversal, broken access control, and more.

At a glance: 10 hidden flags · 7 OWASP categories · 100 total points · 0 servers required · 8+ Kali tools used

A Realistic Target
Built to Be Broken

First National Bank is a full-featured fake banking web application intentionally engineered with ten exploitable vulnerabilities. Every attack vector mirrors real-world findings from professional penetration tests — no contrived toy examples.

The application runs entirely in your browser as a single HTML file. No server, no Docker, no configuration — just open the file and start hacking.

Sample snippets from firstnational_ctf.html:

// Simulated SQL query
SELECT * FROM users
WHERE username='admin'--'

// Traversal path
GET /docs/../../etc/passwd

// XSS payload
?welcome=<script>alert(1)</script>
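The three snippets above, as an added example that is not part of the CTF's own code: each vulnerable behaviour is implemented as a small simulation and placed beside the hardened form a code reviewer would ask for. The user rows, the file store and the toy query "engine" are constructed stand-ins, and the function names are this example's own; nothing here reads or modifies the real firstnational_ctf.html.

```javascript
// Added example, not code from the CTF itself: the three patterns shown in the
// snippet card, each as the vulnerable behaviour beside a hardened version.
// The user table, file store and query "engine" are constructed stand-ins so
// the file runs offline in Node or a browser console.

const USERS = [                                   // constructed sample rows
  { username: 'admin', password: 'hunter2' },     // plaintext only for the demo
  { username: 'alice', password: 'wonderland' },
];

// --- Flag #01 pattern: string-built query vs. parameterised comparison ------

// Builds the query text the way the landing page's snippet shows it.
function buildLoginQuery(username, password) {
  return `SELECT * FROM users WHERE username='${username}' AND password='${password}'`;
}

// Toy engine: honours `--` as a line comment and matches only the clauses
// that survive. Enough to show the bypass; not a SQL parser.
function runQuery(sql) {
  const active = sql.split('--')[0];
  const u = /username='([^']*)'/.exec(active);
  const p = /password='([^']*)'/.exec(active);
  return USERS.filter(row =>
    (!u || row.username === u[1]) && (!p || row.password === p[1]));
}

// Vulnerable: attacker-controlled text becomes part of the query.
function vulnerableLogin(username, password) {
  return runQuery(buildLoginQuery(username, password));
}

// Hardened: the input is data, never query text. On a real backend this is a
// prepared statement with placeholders (e.g. `WHERE username = ? AND ...`).
function safeLogin(username, password) {
  return USERS.filter(row =>
    row.username === username && row.password === password);
}

// --- Flag #03 pattern: reflected parameter written as HTML vs. escaped -------

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: equivalent to `el.innerHTML = 'Welcome, ' + param`.
function renderWelcomeUnsafe(param) {
  return `<p>Welcome, ${param}</p>`;
}

// Hardened: the parameter can only ever be text. In a live page, assigning
// `el.textContent = param` achieves the same without manual escaping.
function renderWelcomeSafe(param) {
  return `<p>Welcome, ${escapeHtml(param)}</p>`;
}

// --- Flag #05 pattern: path resolved blindly vs. confined to the docs root ---

const DOCS_ROOT = '/docs';
const FILES = {                                   // constructed file store
  '/docs/terms.txt': 'Terms of service (sample)',
  '/etc/passwd': 'root:x:0:0:root:/root:/bin/sh',
};

// Resolves `.` and `..` the way a filesystem would; returns an absolute path.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable: whatever the normalized path points at gets served.
function readFileUnsafe(requestPath) {
  return FILES[normalizePath(requestPath)] || null;
}

// Hardened: normalize first, then refuse anything outside DOCS_ROOT.
function readFileSafe(requestPath) {
  const resolved = normalizePath(requestPath);
  if (!resolved.startsWith(DOCS_ROOT + '/')) return null;   // escaped the root
  return FILES[resolved] || null;
}
```

The point of each pair is the same: the vulnerable version lets request data change the structure of what is executed (a query, an HTML tree, a filesystem path), while the hardened version keeps that data in a position where it can only ever be compared, displayed or looked up. The check in `readFileSafe` runs after normalization on purpose; testing the raw string for `..` would miss encoded or mixed forms that the filesystem still resolves.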

Vulnerability Coverage

Each flag maps directly to an OWASP Top 10 category and a real-world attack technique.

#01  SQL Injection — Login Bypass     A03:2021 Injection
#02  SQL Injection — Data Dump        A03:2021 Injection
#03  Reflected XSS                    A03:2021 Injection
#04  Stored XSS                       A03:2021 Injection
#05  Directory Traversal              A01:2021 Broken Access Control
#06  Broken Access Control            A01:2021 Broken Access Control
#07  IDOR                             A01:2021 Broken Access Control
#08  Sensitive Data Exposure          A02:2021 Cryptographic Failures
#09  CSRF — Static Token              A01:2021 Broken Access Control
#10  Insecure Password Reset          A07:2021 Identification and Authentication Failures

How to Play

No installation required. Work through each vulnerability to uncover hidden flags, then submit them on the Flag Submission page for credit.

1. Open the Bank Application. Click Launch Bank App to open firstnational_ctf.html in your browser. No server needed.
2. Explore & Enumerate. View page source (Ctrl+U), inspect forms, check URL parameters. Use Burp Suite or browser DevTools to intercept requests.
3. Exploit the Vulnerabilities. Apply SQLi, XSS, traversal, and other payloads. Each successful exploit reveals a flag in the format FLAG{...}.
4. Submit Your Flags. Navigate to the Flag Submission page and enter each flag to validate and track your progress.


Recommended Tools

Each vulnerability in this CTF pairs with industry-standard Kali Linux tools used in real penetration tests.

sqlmap: Automated SQL injection detection and exploitation. Use with Flags #01 and #02.
    sqlmap -u "URL" --dbs

Burp Suite: HTTP interception proxy. Essential for Flags #03, #04, #07, #09, #10.
    burpsuite &

gobuster: Directory and file enumeration. Useful for Flags #05 and #06.
    gobuster dir -u URL -w wordlist

hashcat: Password hash cracking. Crack the MD5 hashes exposed by Flags #02 and #06.
    hashcat -m 0 hash.txt rockyou.txt

curl: Command-line HTTP requests. Great for testing CSRF (Flag #09) and traversal (Flag #05).
    curl -X POST -d "param=val" URL

wfuzz / hydra: Parameter fuzzing and brute forcing. Target the password reset for Flag #10.
    wfuzz -z file,names.txt URL

Ready to Start Hacking?

Open the vulnerable bank application and find your first flag.
