Welcome to the expanded SSH Lab. This progressive challenge tests your skills in web exploitation, credential harvesting, lateral movement, and privilege escalation.

1. Start the Lab:

   docker compose up --build -d

2. Access the Dashboard: Open http://localhost:8080.
3. Ports exposed:
   • 8080: Dashboard
   • 8001: Server 1 (WebShell - Vulnerable App)
   • 2201: Server 1 (SSH)
   • 2202: Server 2 (SSH)
   • 2203: Server 3 (SSH)
   • 2204: Server 4 (SSH - The Core)

• Web: Access http://localhost:8001. This is a real interactive ttyd terminal.
• Goal: Find credentials for SSH Access.
• Execution:
  • You are logged in as webuser.
  • Find LEVEL1_PASSWORD in the hidden .env file (cat ~/.env).
  • Use this password to SSH into localhost:2201 as level1.
  • Once logged in via SSH, find id_rsa in level1's .ssh directory.

• Connect: ssh -i id_rsa level2@localhost -p 2202
• Goal: Find the hidden key for Server 3.
• Execution:
  • Check .bash_history for clues.
  • Recover key from /var/backups/.secret.key.
  • Clue: Notice the .ssh/config file which shows that level2 was connecting to server-3.
  • Bonus: The .ssh/known_hosts is already pre-configured for server-3.

• Connect: ssh -i server3_key level3@localhost -p 2203
• Goal: Find credentials for Server 4.
• Execution:
  • Analyze connect_db.py script in the home directory.
  • Extract level4 credentials (purple_unicorn_42).

• Connect: ssh level4@localhost -p 2204
• Goal: Escalate to Root.
• Execution:
  • Run sudo -l.
  • Exploit sudo vim to spawn a root shell (:!/bin/sh).
  • Capture the flag in /root/flag.txt.

docker-compose down