A vulnerable financial management application based on Firefly III, designed for the RedSentry CTF challenge competition.
- Prerequisites: Docker and Docker Compose installed
- Run the application:

  ```bash
  docker-compose up -d
  ```

- Wait ~30 seconds for database seeding to complete
- Access the application: http://localhost:8080
- Log in with any of the credentials below
The Docker build seeds comprehensive dummy data for testing. No manual setup required.
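The start-up steps above use a fixed ~30 s wait. As an added example (not part of the challenge repository), the script below starts the stack and instead polls the README's URL until the app serves its login page, with a bounded timeout; the `APP_URL`, `probe_app` and `wait_until_ready` names are assumptions of this example. Reaching the login page shows the web tier is answering; if the first login shows no seeded data, allow the seeding a little longer.

```bash
#!/usr/bin/env bash
# Added example, not part of the challenge repository: start the stack and poll
# the app until its login page answers, instead of sleeping a fixed ~30 s.
set -eu

APP_URL="${APP_URL:-http://localhost:8080}"   # address given in the README

# Probe: succeeds only when the app returns HTTP 2xx after following the
# redirect to the login page; a connection error or 5xx keeps it failing.
probe_app() {
  curl -fsSL -o /dev/null --max-time 5 "$APP_URL"
}

# wait_until_ready PROBE TIMEOUT_SECONDS [INTERVAL_SECONDS]
# Runs PROBE (a command or function name) every INTERVAL seconds until it
# succeeds or TIMEOUT has elapsed. Returns 0 when ready, 1 on timeout.
wait_until_ready() {
  local probe="$1" timeout="$2" interval="${3:-2}" elapsed=0
  while ! "$probe" 2>/dev/null; do
    if [ "$elapsed" -ge "$timeout" ]; then
      return 1
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  return 0
}

main() {
  docker-compose up -d
  if wait_until_ready probe_app 120 3; then
    echo "Application is answering at $APP_URL"
  else
    echo "Application not reachable after 120 s; inspect 'docker-compose logs'" >&2
    exit 1
  fi
}

# Only perform the full start-up when invoked as: ./start.sh up
if [ "${1:-}" = "up" ]; then
  main
fi
```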
- admin@redsentry.com / admin (Primary Admin)
- superadmin@redsentry.com / superadmin (Super Admin)
- root@redsentry.com / root (Root Admin)
- firefly@redsentry.com / firefly (Default Admin)
- john@redsentry.com / john123 (John Doe)
- sarah@redsentry.com / sarah123 (Sarah Smith)
- mike@redsentry.com / mike123 (Mike Johnson)
- lisa@redsentry.com / lisa123 (Lisa Brown)
- david@redsentry.com / david123 (David Wilson)
- emma@redsentry.com / emma123 (Emma Davis)
- testuser@redsentry.com / testuser123 (Test User)
- test@redsentry.com / test
- user@redsentry.com / user
- password@redsentry.com / password
- 123456@redsentry.com / 123456
- guest@redsentry.com / guest
- demo@redsentry.com / Demo123!
- test@example.com / Test123!
The seeded dummy data comprises:
- Accounts: 4–10 accounts per user (Checking, Savings, Investment, etc.)
- Transactions: 14+ realistic transactions with historical data
- Budgets: 5 budgets per user with spending limits
- Categories: 10 predefined expense/revenue categories
- Tags: 8 predefined tags for transaction organization
This application contains intentionally placed vulnerabilities for a RedSentry CTF challenge:
- Use standard penetration testing methodologies
- Document your findings and exploitation steps
- Compete to find and exploit all vulnerabilities
- Target: web app served at http://localhost:8080
- In-scope: application endpoints, business logic, client-side behavior
- Out-of-scope: direct DB access, SMTP delivery to real inboxes, attacking host/other containers, DoS
- Goal: identify and exploit listed vulnerability classes and produce a concise report/PoC
Application feature areas:
- Financial account management
- Transaction tracking
- Budget management
- Bill management
- Category and tag organization
- User management system
Not required for the challenge. Focus on app-level testing with the provided user credentials.
Stop the application:

```bash
docker-compose down
```
- This is a CTF challenge machine; do not use it in production
- Vulnerabilities are intentional for competition purposes
Challenge: This application contains intentional security vulnerabilities for a CTF competition.