https://github.com/mufeedvh/l33tmario
Mario the game but you rescue the princess by hacking.
https://github.com/mufeedvh/l33tmario
Last synced: 8 months ago
JSON representation
Mario the game but you rescue the princess by hacking.
- Host: GitHub
- URL: https://github.com/mufeedvh/l33tmario
- Owner: mufeedvh
- License: mit
- Created: 2020-05-19T06:25:40.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2022-02-12T10:59:46.000Z (over 4 years ago)
- Last Synced: 2025-07-01T14:06:50.744Z (about 1 year ago)
- Language: PHP
- Size: 3.69 MB
- Stars: 22
- Watchers: 3
- Forks: 4
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
L33T Mario
Mario the game but you rescue the princess by hacking.

## What's L33T Mario?
L33T Mario is a web game/application where you as Mario have to rescue the princess just like the classic but you play it by hacking. It's a vulnerable web game where you exploit several vulnerabilites to proceed through levels and eventually rescue the princess, each level getting harder and harder.
It's made for a YouTube video and to help **beginners** learn **Web Application Security** with a little nostalgia and fun.
## The Code
It's written in one night and I haven't even bothered to document or clean the code, just pushed it to master when it finally worked 😂! I mean you still can understand what's going on but playing the game is the main point.
I will work on cleaning & documenting the code later on when I add more levels/vulnerabilities to the game.
## How To Setup
Currently Linux is the only compatible operating system.
**Apache Setup:**
```bash
$ cd /var/www/html/
$ git clone https://github.com/mufeedvh/l33tmario.git
$ cd l33tmario/
$ ./setup.sh
```
**Using Docker:**
```bash
$ git clone https://github.com/mufeedvh/l33tmario.git
$ cd l33tmario/
$ docker-compose up -d
$ curl -I http://127.0.0.1 # to test
```
## Vulnerabilities Covered
- [x] IDOR (Insecure Direct Object Reference)
- [x] XSS (Cross-site Scripting)
- [x] Information Disclosure
- [x] Broken Access Control
- [x] Command Injection
- [x] LFI (Local File Inclusion)
- [ ] SSTI (Server-side Template Injection)
- [ ] SSRF (Server-side Request Forgery)
- [ ] XXE (XML External Entity)
- [ ] Open Redirect
- [ ] SQL Injection
- [ ] DOM Clobbering
**More vulnerabilities and the pending ones will be covered in later levels/versions.**
## Contribution
Ways to contribute
- Suggest a level idea
- Add a new level
- Clean the code
- Report any unintentional vulnerabilities
- Fix something and open a pull request
- Help me document the code
- Spread the word
## License
Licensed under the MIT License, see LICENSE for more information.