IsmailTP/Curse-of-the-Infinite-Gold-CTF
# Curse of the Infinite Gold
An Egyptian-themed web exploitation challenge focused on business logic flaws, improper input validation, and vulnerable financial transactions.
## Challenge Information
* **Category:** Web Security
* **Difficulty:** Medium
* **Author:** Ismail TP
## Description
Curse of the Infinite Gold is a Capture The Flag (CTF) challenge where players explore the tomb of Pharaoh Khafra and attempt to obtain the legendary Golden Ankh.
The application includes a merchant system where players can purchase items using in-game gold. However, hidden weaknesses in the transaction logic allow attackers to manipulate the system and gain unlimited wealth.
The challenge is designed to teach players how improper server-side validation can lead to serious business logic vulnerabilities.
## Features
* Egyptian-themed interactive challenge
* Merchant and economy system
* Vulnerable purchasing workflow
* Logic flaw exploitation
* Real-world inspired financial vulnerability
* Beginner-friendly exploitation path
* API request manipulation
## Concepts Covered
* Business logic vulnerabilities
* Improper input validation
* Negative quantity exploitation
* Financial transaction flaws
* API manipulation
* Server-side trust issues
* Request tampering
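The concepts above (negative quantity, server-side trust, request tampering) come together in one handler. The following is an added example written for this page, not the challenge's own `app.py`: it models a Flask-style JSON purchase endpoint as a plain Python function so it runs without the app, with a vulnerable version that trusts the client's `quantity` next to a hardened one. The item names, prices, starting gold and the `MAX_QTY` cap are constructed assumptions, and the request bodies are what a player would send after editing the request in Burp Repeater.

```python
"""Added example, not the repository's code: vulnerable vs. hardened merchant purchase logic.

Assumptions (hypothetical, not taken from the challenge): the purchase API takes a JSON
body {"item": ..., "quantity": ...} (the dict Flask's request.get_json() would return),
the player's gold is held server-side, and prices are fixed per item.
"""
from dataclasses import dataclass, field

PRICES = {"scarab": 50, "papyrus": 20, "golden_ankh": 1_000_000}  # constructed sample prices
MAX_QTY = 100  # assumed per-purchase cap for the hardened handler


@dataclass
class Player:
    gold: int = 100                                   # constructed starting balance
    inventory: dict = field(default_factory=dict)


def purchase_vulnerable(player: Player, body: dict) -> dict:
    """Trusts the client's quantity. total = price * quantity, so a negative
    quantity makes the total negative, the balance check passes, and the
    subtraction credits the account instead of charging it."""
    item = body["item"]
    qty = body["quantity"]
    total = PRICES[item] * qty
    if player.gold < total:            # e.g. 100 < -1_000_000 is False, so the check passes
        return {"ok": False, "error": "insufficient gold"}
    player.gold -= total               # gold - (negative) adds gold
    player.inventory[item] = player.inventory.get(item, 0) + qty
    return {"ok": True, "gold": player.gold}


def purchase_hardened(player: Player, body: dict) -> dict:
    """Same flow with server-side validation: the item must exist, quantity must be
    a real int (bool is rejected because bool subclasses int; floats and numeric
    strings are rejected rather than coerced) within 1..MAX_QTY, and the balance
    check runs on the validated total."""
    item = body.get("item")
    qty = body.get("quantity")
    if item not in PRICES:
        return {"ok": False, "error": "unknown item"}
    if type(qty) is not int or not (1 <= qty <= MAX_QTY):
        return {"ok": False, "error": "invalid quantity"}
    total = PRICES[item] * qty
    if player.gold < total:
        return {"ok": False, "error": "insufficient gold"}
    player.gold -= total
    player.inventory[item] = player.inventory.get(item, 0) + qty
    return {"ok": True, "gold": player.gold}


# Constructed tampered bodies, as they would look after editing in an intercepting proxy.
TAMPERED = {"item": "scarab", "quantity": -20_000}    # -20_000 * 50 = -1_000_000 total
ANKH = {"item": "golden_ankh", "quantity": 1}


def exploit_vulnerable():
    """Negative-quantity tamper, then buy the item the player could never afford."""
    player = Player()
    purchase_vulnerable(player, TAMPERED)   # balance becomes 100 + 1_000_000
    return purchase_vulnerable(player, ANKH), player


def exploit_hardened():
    """Same two requests against the validated handler."""
    player = Player()
    first = purchase_hardened(player, TAMPERED)
    second = purchase_hardened(player, ANKH)
    return first, second, player.gold


if __name__ == "__main__":
    print("vulnerable:", exploit_vulnerable()[0])   # ankh bought, 100 gold left over
    print("hardened:  ", exploit_hardened())        # rejected, then insufficient gold, still 100
```

Two points worth taking from this. The client-side guard (an HTML `min="1"` on the quantity field, or JavaScript that disables the button) never reaches the server, so intercepting and editing the JSON body bypasses it entirely; only the server-side check counts. Casting with `int(quantity)` is not a fix either, since `int("-20000")` is still negative; the handler has to enforce the type and the range explicitly and compute the total itself.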
## Technologies Used
* Python
* Flask
* HTML/CSS/JavaScript
* REST API
## Skills Practiced
* API testing
* Request interception
* Input validation analysis
* Business logic exploitation
* Burp Suite workflow
* Web exploitation methodology
## Setup Instructions
### Clone Repository
```bash
git clone https://github.com/IsmailTP/curse-of-the-infinite-gold.git
cd curse-of-the-infinite-gold
```
### Install Dependencies
```bash
pip install -r requirements.txt
```
### Run the Challenge
```bash
python app.py
```
Flask's development server prints the URL it is listening on when it starts; open that URL through your intercepting proxy (Burp Suite, per the skills list) so the merchant's API requests can be captured and modified.
## Screenshots
Add challenge screenshots here.
Suggested screenshots:
* Merchant interface
* Purchase system
* API requests
* Modified payload
* Golden Ankh unlock screen
## Educational Purpose
This project was created for ethical cybersecurity education and hands-on security training purposes only.
Do not use these techniques against systems without proper authorization.