🎯 Penetration Testing Lab

A comprehensive Docker-based penetration testing lab featuring vulnerable web applications, network services, and multiple exploitation paths across public and internal networks.

🏗️ Architecture

┌─────────────────────────────────────────────────────────────┐
│                      PUBLIC NETWORK                          │
│                     (172.20.0.0/24)                         │
│                                                              │
│  ┌──────────────────┐         ┌──────────────────┐         │
│  │   Web Server     │         │   FTP Server     │         │
│  │  Port: 8080      │         │   Port: 2121     │         │
│  │  - PHP App       │         │   - Anonymous    │         │
│  │  - 10+ Vulns     │         │   - Sensitive    │         │
│  │  - 3 RCE paths   │         │     Files        │         │
│  │  - Chisel        │         │                  │         │
│  │  - Nmap          │         │                  │         │
│  └────────┬─────────┘         └──────────────────┘         │
│           │                                                  │
└───────────┼──────────────────────────────────────────────────┘
            │ PIVOT REQUIRED
            │
┌───────────┼──────────────────────────────────────────────────┐
│           │         INTERNAL NETWORK                         │
│           │        (10.10.10.0/24)                          │
│           │                                                  │
│  ┌────────▼─────────┐  ┌──────────────┐  ┌──────────────┐ │
│  │  Internal-1      │  │ Internal-2   │  │ Internal-3   │ │
│  │  10.10.10.2      │  │ 10.10.10.3   │  │ 10.10.10.4   │ │
│  │  - Web (80)      │  │ - Web (80)   │  │ - Web (80)   │ │
│  │  - SSH (22)      │  │ - SMB (445)  │  │ - Tomcat     │ │
│  │  - SSH Key       │  │ - Weak Auth  │  │   (8080)     │ │
│  │    Exposed       │  │              │  │ - MySQL      │ │
│  │                  │  │              │  │ - ProFTPD    │ │
│  └──────────────────┘  └──────────────┘  └──────────────┘ │
│                                                              │
└──────────────────────────────────────────────────────────────┘

📋 Prerequisites

Docker Engine 20.10+
Docker Compose 1.29+
At least 4GB RAM
10GB free disk space

🚀 Quick Start

1. Clone or Navigate to Lab Directory

cd /Users/user/Desktop/TechFlow

2. Start the Lab

docker-compose up -d

3. Verify All Services Are Running

docker-compose ps

You should see all 6 containers running:

pentest-db - MySQL database
pentest-web - Main vulnerable web server
pentest-ftp - FTP server
internal-web-ssh - Internal server 1
internal-smb-web - Internal server 2
internal-multi-service - Internal server 3

4. Access the Lab

Public Web Server: http://localhost:8080
FTP Server: ftp localhost 2121 (anonymous access)

🎯 Lab Objectives

Phase 1: Initial Reconnaissance

Enumerate public services
Identify vulnerabilities in the web application
Gain initial access to the web server

Phase 2: Exploitation

Exploit web vulnerabilities for RCE
Extract sensitive information from FTP
Establish persistence

Phase 3: Pivoting

Use chisel or SSH tunneling to access internal network
Scan internal network from compromised web server
Map internal services

Phase 4: Internal Exploitation

Extract SSH key from internal-server-1
Exploit SMB vulnerabilities on internal-server-2
Exploit CVEs on internal-server-3
Achieve root access on all internal servers

🔓 Vulnerability Summary

Public Web Server (10+ Vulnerabilities)

Vulnerability	Severity	Location	RCE
SQL Injection	Critical	Login, Search	❌
Command Injection	Critical	Admin Panel	✅ RCE #1
File Upload	Critical	Upload Page	✅ RCE #2
LFI to RCE	Critical	File Viewer	✅ RCE #3
Stored XSS	High	Comments	❌
Reflected XSS	Medium	Search	❌
IDOR	High	Profile View	❌
Auth Bypass	Critical	SQL Injection	❌
SSRF	High	Admin Panel	❌
Weak Passwords	Medium	MD5 Hashing	❌
Session Issues	Medium	Various	❌

FTP Server

Anonymous access enabled
Sensitive files exposed
Network information leaked

Internal Server 1

SSH private key exposed in web application
Root access via SSH key
Network information disclosure

Internal Server 2

SMB shares with weak authentication
Null session enumeration
Sensitive data in shares

Internal Server 3

Tomcat 8.5.50 - CVE-2020-1938 (Ghostcat)
ProFTPD 1.3.5 - CVE-2015-3306
MySQL - Weak root password (toor)
Tomcat Manager - Default credentials (admin:tomcat)

🛠️ Pre-installed Tools (Web Server)

Access the web server container:

docker exec -it pentest-web /bin/bash

Available tools:

chisel - Tunneling tool (/usr/local/bin/chisel)
nmap - Network scanner
ip - Network configuration
netcat - Network utility
curl/wget - HTTP clients
python3 - Python interpreter for scripting and reverse shells

🔧 Useful Commands

Start the Lab

docker-compose up -d

Stop the Lab

docker-compose down

Reset the Lab (Delete All Data)

docker-compose down -v
docker-compose up -d

View Logs

docker-compose logs -f [service-name]

Access Container Shell

docker exec -it [container-name] /bin/bash

Network Scanning from Web Server

docker exec -it pentest-web nmap -sn 10.10.10.0/24

🌐 Network Information

Public Network (172.20.0.0/24)

Web Server: 172.20.0.x
FTP Server: 172.20.0.x
Database: 172.20.0.x

Internal Network (10.10.10.0/24)

Internal Server 1: 10.10.10.2
Internal Server 2: 10.10.10.3
Internal Server 3: 10.10.10.4

🎓 Learning Paths

Beginner Path

SQL injection in login form
File upload vulnerability
FTP enumeration
Basic network scanning

Intermediate Path

Command injection
LFI to RCE via log poisoning
Chisel tunneling
SSH key extraction
SMB enumeration

Advanced Path

SSRF exploitation
Multi-hop pivoting
CVE exploitation (Ghostcat, ProFTPD)
Custom exploit development
Full network compromise

⚠️ Security Warning

CRITICAL: This lab contains intentionally vulnerable services.

NEVER expose these containers to the internet
ONLY run in isolated lab environments
DO NOT use on production networks
ALWAYS run behind a firewall
FOR EDUCATIONAL PURPOSES ONLY

🐛 Troubleshooting

Containers Won't Start

docker-compose down
docker-compose up -d --force-recreate

Database Connection Issues

docker-compose restart db
docker-compose restart web-server

Port Conflicts

Edit docker-compose.yml and change the host ports:

ports:
  - "8080:80"  # Change 8080 to another port

Can't Access Internal Network

Make sure you've compromised the web server first and are using it as a pivot point.

Permission Denied on File Upload

If you get "Permission denied" errors when uploading files:

Ensure you used ./start-lab.sh which pre-configures permissions.

Manually set permissions on the host:

mkdir -p web-server/www/uploads
chmod 777 web-server/www/uploads

Restart the containers: docker-compose restart web-server

📚 Additional Resources

📝 Hints

For progressive hints without spoilers, see HINTS.md

🏆 Flags

Throughout the lab, you'll find flags in the format: FLAG{description}

Collect all flags to complete the lab!

📄 License

This lab is provided for educational purposes only. Use responsibly.

🤝 Contributing

Found a bug or want to add more vulnerabilities? Feel free to contribute!

Happy Hacking! 🎉

Name		Name	Last commit message	Last commit date
Latest commit History 15 Commits
ftp-server		ftp-server
internal-server-1		internal-server-1
internal-server-2		internal-server-2
internal-server-3		internal-server-3
internal-server-4		internal-server-4
internal-server-5		internal-server-5
web-server		web-server
.gitignore		.gitignore
README.md		README.md
docker-compose.yml		docker-compose.yml
final_verification.txt		final_verification.txt
go_rce.html		go_rce.html
ssh_result.txt		ssh_result.txt
start-lab.sh		start-lab.sh
stop-lab.sh		stop-lab.sh
test.sh		test.sh
verification_results.txt		verification_results.txt
verify_lab.sh		verify_lab.sh

xhzeem/TechFlow-lab

Folders and files

Latest commit

History

Repository files navigation