This won't be a long blog post, just a little pointer to an A/D CTF challenge that I created last year: A damn vulnerable web framework written in bash.
It is a web service built upon a self-made web framework. The best thing: It is completely written in bash and command-line tools.
There are a lot of vulnerabilities to find and to exploit. Have a look and have fun :-)