diff --git a/modules/utilities/unix/container/chroot_debootstrap/secgen_metadata.xml b/modules/utilities/unix/container/chroot_debootstrap/secgen_metadata.xml
index 81e7f290e..64c96d249 100644
--- a/modules/utilities/unix/container/chroot_debootstrap/secgen_metadata.xml
+++ b/modules/utilities/unix/container/chroot_debootstrap/secgen_metadata.xml
@@ -14,7 +14,7 @@
   <read_fact>chroot_dir</read_fact>
 
   <default_input into="chroot_dir">
-    <value>/srv/chroot</value>
+    <value>/opt/chroot</value>
   </default_input>
 
   <requires>
diff --git a/modules/vulnerabilities/unix/misc/nc_backdoor_chroot_esc/secgen_metadata.xml b/modules/vulnerabilities/unix/misc/nc_backdoor_chroot_esc/secgen_metadata.xml
index f5e03ea09..6f2c72787 100644
--- a/modules/vulnerabilities/unix/misc/nc_backdoor_chroot_esc/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/misc/nc_backdoor_chroot_esc/secgen_metadata.xml
@@ -42,6 +42,11 @@
   <hint>Connect to a port, you will find yourself in a chroot.</hint>
   <solution>Connecting to the right port will give you a root shell. You can misuse /proc to escape.</solution>
 
+  <!-- TODO TEST -->
+  <requires>
+    <module_path>.*chroot_debootstrap</module_path>
+  </requires>
+
   <requires>
     <type>update</type>
   </requires>
diff --git a/scenarios/ctf/hackme.xml b/scenarios/ctf/hackme.xml
new file mode 100644
index 000000000..21deb5952
--- /dev/null
+++ b/scenarios/ctf/hackme.xml
@@ -0,0 +1,161 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <name>Hackme</name>
+  <author>Z. Cliffe Schreuders</author>
+  <description>A bunch of servers for you to hack.
+  </description>
+
+  <type>ctf</type>
+  <type>hack-ctf</type>
+  <difficulty>easy</difficulty>
+
+  <system>
+    <system_name>attack_vm</system_name>
+    <base distro="Kali" name="MSF"/>
+
+
+    <input into_datastore="IP_addresses">
+      <!-- 0 attack_vm -->
+      <value>172.16.0.2</value>
+      <!-- 1 hackme_server -->
+      <value>172.16.0.3</value>
+      <!-- 2 hackmetoo_server -->
+      <value>172.16.0.4</value>
+      <!-- 3 hackmethree_server -->
+      <value>172.16.0.5</value>
+    </input>
+
+    <utility module_path=".*iceweasel"/>
+
+    <utility module_path=".*kali_top10"/>
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="0">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
+
+  <!-- a vulnerability that is remotely exploitable for user level access, then can be escalated to root -->
+  <system>
+    <system_name>hackme_server</system_name>
+    <base distro="Debian" type="server"/>
+
+    <utility module_path=".*after_login_message">
+      <input into="strings_to_leak">
+        <encoder type="string_format_encoder">
+          <input into="strings_to_encode">
+            <value>Hackme</value>
+          </input>
+        </encoder>
+        <value>Well done! You hacked this server. It's possible for you to get root from here.</value>
+      </input>
+    </utility>
+
+    <vulnerability read_fact="strings_to_leak" privilege="user_rwx" access="remote">
+      <input into="strings_to_leak">
+        <generator type="flag_generator" />
+      </input>
+    </vulnerability>
+
+    <vulnerability read_fact="strings_to_leak" privilege="root_rwx" access="local">
+      <input into="strings_to_leak">
+        <generator type="flag_generator" />
+      </input>
+    </vulnerability>
+
+    <service/>
+
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
+
+  <!-- any random vulnerability that is remotely exploitable and can leak a flag, they might not actually end up with shell but they will get the leaked strings, including some extra flags that will need decoding -->
+  <system>
+    <system_name>hackmetoo_server</system_name>
+    <base distro="Debian" type="server"/>
+
+    <utility module_path=".*after_login_message">
+      <input into="strings_to_leak">
+        <encoder type="string_format_encoder">
+          <input into="strings_to_encode">
+            <value>Hackme</value>
+          </input>
+        </encoder>
+        <generator type="ascii_art_generator"/>
+        <value>Well done! You hacked this server. There's some extra flags for you to decode.</value>
+      </input>
+    </utility>
+
+    <vulnerability read_fact="strings_to_leak" access="remote">
+      <input into="strings_to_leak">
+        <generator type="flag_generator" />
+        <!-- 1: random easy encoder -->
+        <encoder type="^(ascii|alpha)_reversible$" difficulty="low">
+          <input into="strings_to_encode">
+            <generator type="flag_generator"/>
+          </input>
+        </encoder>
+
+        <!-- 2: random medium encoder -->
+        <encoder type="^(ascii|alpha)_reversible$" difficulty="medium">
+          <input into="strings_to_encode">
+            <generator type="flag_generator"/>
+          </input>
+        </encoder>
+      </input>
+    </vulnerability>
+
+    <service/>
+
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="2">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
+
+  <!-- user level access, then a medium difficulty ctf style challenge -->
+  <system>
+    <system_name>hackmethree_server</system_name>
+    <base distro="Debian" type="server"/>
+
+    <utility module_path=".*after_login_message">
+      <input into="strings_to_leak">
+        <encoder type="string_format_encoder">
+          <input into="strings_to_encode">
+            <value>Hackme</value>
+          </input>
+        </encoder>
+        <value>Well done! You hacked this server. There is a CTF-style challenge on the server, if you can find it.</value>
+      </input>
+    </utility>
+
+    <vulnerability read_fact="strings_to_leak" privilege="user_rwx" access="remote">
+      <input into="strings_to_leak">
+        <generator type="flag_generator" />
+      </input>
+    </vulnerability>
+
+    <vulnerability read_fact="strings_to_leak" privilege="none" access="local" type="ctf_challenge" difficulty="medium">
+      <input into="strings_to_leak">
+        <generator type="flag_generator" />
+      </input>
+    </vulnerability>
+
+    <service/>
+
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="3">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
+
+</scenario>