A comprehensive, containerized penetration testing lab with realistic network segmentation, vulnerable applications, and CTF challenges.
Perfect for: Security researchers, pentesters, students, CTF players, and anyone learning offensive security.
```
hacking-lab/
├── web-apps/           # Vulnerable web applications
├── network-targets/    # Network service targets (SSH, FTP)
├── privesc/            # Privilege escalation targets
├── advanced-targets/   # AD, Docker escapes, CVE targets, CTF flags
├── databases/          # 6 vulnerable database systems
├── api-targets/        # Modern API vulnerabilities
├── cicd-targets/       # CI/CD pipeline security
└── docker-compose.yml  # Master compose file (runs all services)
```
Services are segmented into isolated networks to simulate real environments:
- DMZ Network (172.20.0.0/24) - Public web apps
- Internal Network (172.21.0.0/24) - Databases and backend
- API Network (172.22.0.0/24) - API services
- Vuln Network (172.25.0.0/24) - Exploitable targets
- Admin Network (172.24.0.0/24) - Crown jewels (AD, flags)
- CI/CD Network (172.23.0.0/24) - Build systems
Pivoting required! Not all networks can talk to each other directly.
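Once the lab is running, the segmentation can be audited rather than assumed. The following is an added example, not part of the lab's own tooling: it takes the JSON printed by `docker inspect $(docker ps -q)`, maps each container's addresses onto the subnets listed above, and reports every dual-homed container that is not on an allow-list. The sample records, their IP addresses, and the names `lab_log4shell` and `lab_jenkins` are constructed for illustration.

```python
import ipaddress
import json

# Segments and subnets as listed in this README.
SEGMENTS = {
    "dmz": "172.20.0.0/24", "internal": "172.21.0.0/24", "api": "172.22.0.0/24",
    "cicd": "172.23.0.0/24", "admin": "172.24.0.0/24", "vuln": "172.25.0.0/24",
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in SEGMENTS.items()}

def segments_of(container):
    """Segments in which one `docker inspect` record holds an IP address."""
    found = set()
    for net in container["NetworkSettings"]["Networks"].values():
        if net.get("IPAddress"):  # stopped containers report an empty address
            ip = ipaddress.ip_address(net["IPAddress"])
            found.update(seg for seg, cidr in NETS.items() if ip in cidr)
    return found

def audit(inspect_json, allowed_bridges):
    """Return ({dual-homed container: segments}, [bridges not on the allow-list])."""
    bridges = {}
    for record in json.loads(inspect_json):
        segs = segments_of(record)
        if len(segs) > 1:
            bridges[record["Name"].lstrip("/")] = sorted(segs)
    return bridges, sorted(set(bridges) - set(allowed_bridges))

def _rec(name, *ips):
    # Build a minimal, constructed `docker inspect` record.
    nets = {f"net{i}": {"IPAddress": ip} for i, ip in enumerate(ips)}
    return {"Name": "/" + name, "NetworkSettings": {"Networks": nets}}

# Constructed sample: two intended bridges plus one that should not exist.
SAMPLE = json.dumps([
    _rec("lab_dvwa", "172.20.0.10"),
    _rec("lab_pixi", "172.22.0.10"),
    _rec("lab_metasploitable2", "172.25.0.20", "172.21.0.20"),
    _rec("lab_log4shell", "172.20.0.30", "172.21.0.30"),  # hypothetical name
    _rec("lab_jenkins", "172.23.0.10", "172.24.0.10"),    # hypothetical name
])
ALLOWED = {"lab_metasploitable2", "lab_log4shell"}

if __name__ == "__main__":
    bridges, unexpected = audit(SAMPLE, ALLOWED)
    for name, segs in bridges.items():
        flag = "UNEXPECTED" if name in unexpected else "ok"
        print(f"{name}: {' + '.join(segs)} [{flag}]")
```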
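```bash
# Start every service from the master compose file
docker-compose up -d
```

```bash
# Or start a single category (run each from the repository root)
cd web-apps && docker-compose up -d
cd network-targets && docker-compose up -d
cd privesc && docker-compose up -d
cd advanced-targets && docker-compose up -d
```

| Service | Port | URL | Description |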
|---|---|---|---|
| DVWA | 8081 | http://localhost:8081 | Damn Vulnerable Web Application |
| Juice Shop | 8082 | http://localhost:8082 | OWASP Juice Shop |
| bWAPP | 8083 | http://localhost:8083 | Buggy Web Application |
| WebGoat | 8084 | http://localhost:8084/WebGoat | OWASP WebGoat |
| Mutillidae | 8085 | http://localhost:8085 | OWASP Mutillidae II |
| Service | Port | Credentials | Description |
|---|---|---|---|
| SSH | 2222 | root:root | Vulnerable SSH server |
| FTP | 2121 | ftpuser:ftp123 | Vulnerable FTP server |
| Service | Ports | Description |
|---|---|---|
| Metasploitable2 | 8021 (FTP), 8022 (SSH), 8086 (HTTP) | Multiple privilege escalation vectors |
| Service | Ports | Description |
|---|---|---|
| Active Directory | 389, 636, 88 | Full AD environment with DC and client |
| Docker Escape | - | Container breakout challenges |
| Struts RCE | 8090 | CVE-2017-5638 Apache Struts |
| Log4Shell | 8091 | CVE-2021-44228 Log4j2 RCE |
| Spring4Shell | 8092 | Spring Data Commons RCE |
| CTF Flags | - | 4 progressive flags (100-1000 pts) |
| Service | Port | Credentials | Type |
|---|---|---|---|
| MongoDB | 27017 | admin:password | NoSQL injection |
| Redis | 6379 | weakpass | RCE potential |
| PostgreSQL | 5432 | postgres:postgres | SQL injection |
| MySQL | 3307 | root:root | SQL attacks |
| Elasticsearch | 9200 | none | Data exposure |
| CouchDB | 5984 | admin:admin | Admin exploits |
| Service | Port | Type | Vulnerabilities |
|---|---|---|---|
| Pixi | 8096 | REST | OWASP API Top 10 |
| crAPI | 8097 | REST | BOLA, BFLA, SSRF |
| DVGA | 8098 | GraphQL | Injection, DoS |
| REST API Goat | 8099 | REST | Full API security |
| Kong Gateway | 8100/8101 | Gateway | Misconfigurations |
| Service | Port | Credentials | Purpose |
|---|---|---|---|
| Jenkins | 8110 | (see container) | Script console RCE |
| Gitea | 8111 | (configure) | Git service |
| GitLab | 8112 | root:Passw0rd! | Pipeline injection |
| Drone CI | 8114 | - | Pipeline security |
| Docker Registry | 5000 | none | Image tampering |
| SonarQube | 8115 | admin:admin | Code exposure |
Services are isolated into different networks simulating real environments:

```
┌─────────────────────────────────────────────────┐
│ DMZ (172.20.0.0/24)                             │
│ - Public web apps, CVE targets                  │
│ - Entry point for attacks                       │
└──────────────┬──────────────────────────────────┘
               │ Limited Access
┌──────────────┴──────────────────────────────────┐
│ Internal (172.21.0.0/24)                        │
│ - Databases, backend services                   │
│ - Requires pivoting from DMZ                    │
└──────────────┬──────────────────────────────────┘
               │ Restricted
┌──────────────┴──────────────────────────────────┐
│ Admin (172.24.0.0/24)                           │
│ - Active Directory, Docker escape, Flags        │
│ - Crown jewels - final objective                │
└─────────────────────────────────────────────────┘

Isolated Networks:
• API Network (172.22.0.0/24) - API services
• Vuln Network (172.25.0.0/24) - SSH/FTP targets
• CI/CD Network (172.23.0.0/24) - Build systems
```
Path 1: Web → Internal → Admin
- Exploit web app in DMZ (SQL injection)
- Pivot through Log4Shell (dual-homed)
- Access internal databases
- Extract AD credentials
- Compromise Domain Controller
Path 2: Vuln → Internal → Admin
- Brute force SSH (vuln_network)
- Pivot via Metasploitable2 bridge
- Lateral movement to internal
- Reach admin network
Path 3: Direct Container Escape
- Compromise Jenkins (privileged)
- Exploit Docker socket
- Container breakout to host
- Access all networks
SSH Tunneling:

```bash
ssh -L 3306:172.21.0.5:3306 root@localhost -p 2222
```

ProxyChains:

```bash
ssh -D 1080 root@localhost -p 2222
proxychains nmap -sT 172.21.0.0/24
```

Metasploit Routing:

```
meterpreter > run autoroute -s 172.21.0.0/24
```

Capture 4 progressive flags worth 1,000 points total:
- FLAG 1 (100 pts) - Web exploitation in DMZ
- FLAG 2 (200 pts) - Credential discovery & reuse
- FLAG 3 (500 pts) - Container escape & privilege escalation
- FLAG 4 (1000 pts) - Active Directory domain takeover
Each flag contains hints for the next objective and tells a story of network compromise.
- Docker & Docker Compose
- 8GB+ RAM recommended
- 50GB disk space
```bash
# Start every service
docker compose up -d
```

```bash
# Or start a single category (run each from the repository root)
cd web-apps && docker compose up -d
cd databases && docker compose up -d
cd api-targets && docker compose up -d
cd cicd-targets && docker compose up -d
```

```bash
docker compose ps
docker compose logs -f <service_name>
```

```bash
docker compose down
docker compose down -v   # Also remove volumes
```

- Start with DVWA (set security to low)
- Practice SQL injection, XSS, command injection
- Try basic SSH/FTP brute forcing
- Explore database default credentials
- Exploit real CVEs (Struts, Log4Shell)
- Practice API vulnerabilities (BOLA, injection)
- Set up SSH tunnels for pivoting
- Kerberoast Active Directory
- Complete full attack chain (DMZ → Admin)
- Container escape via Docker socket
- Golden Ticket attacks in AD
- CI/CD pipeline compromise
- Supply chain attacks

- ❌ Expose these services to the internet
- ❌ Run on production networks
- ❌ Use these credentials anywhere else
- ❌ Leave services running when not in use
- ✅ Use only in isolated lab environments
- ✅ Run on localhost or VM
- ✅ Stop services after practice
- ✅ Use for educational purposes only
- ✅ Practice ethical hacking
These tools are for educational purposes only. Only test systems you own or have written permission to test. Unauthorized access to computer systems is illegal.
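A check for the rule against exposing these services, as an added example rather than part of the lab: it reads the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` and lists every published port bound to a non-loopback address. The sample lines and container-side ports are constructed, and `lab_redis` and `lab_kong` are hypothetical container names.

```python
import ipaddress
import re

# One published mapping in the Ports column of `docker ps`, for example
# "0.0.0.0:8081->80/tcp", ":::8081->80/tcp" or "[::]:8081->80/tcp".
# Entries without "->" (such as "6379/tcp") are not published and never match.
BINDING = re.compile(
    r"(?P<host>[^\s,]+):(?P<port>\d+(?:-\d+)?)->\d+(?:-\d+)?/\w+"
)

def exposed_bindings(ps_output):
    """Return (container, host_ip, host_port) for every non-loopback binding."""
    findings = []
    for line in ps_output.strip().splitlines():
        name, _, ports = line.partition("\t")
        for m in BINDING.finditer(ports):
            host = ipaddress.ip_address(m["host"].strip("[]"))
            if not host.is_loopback:
                findings.append((name, str(host), m["port"]))
    return findings

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
SAMPLE = (
    "lab_dvwa\t0.0.0.0:8081->80/tcp, :::8081->80/tcp\n"
    "lab_pixi\t127.0.0.1:8096->8000/tcp\n"
    "lab_redis\t6379/tcp\n"
    "lab_kong\t0.0.0.0:8100-8101->8000-8001/tcp\n"
)

if __name__ == "__main__":
    for name, host, port in exposed_bindings(SAMPLE):
        print(f"{name}: port {port} is reachable on {host}, not only localhost")
```

A compose port mapping written as `8081:80` binds to all interfaces; writing it as `127.0.0.1:8081:80` keeps it on localhost.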
All images have been validated. If you encounter issues:

```bash
docker compose config --images     # List all images
docker compose pull                # Pull all images
docker compose logs <service>      # Check logs
docker compose restart <service>   # Restart specific service
```

Verify network isolation:

```bash
docker exec lab_dvwa ping lab_pixi          # Should FAIL (different networks)
docker exec lab_metasploitable2 ping <ip>   # Should work (dual-homed)
```

Reduce running services or increase Docker resources:

```bash
docker stats   # Monitor resource usage
```

- OWASP Top 10
- OWASP API Security Top 10
- HackTricks
- PayloadsAllTheThings
- GTFOBins
- Active Directory Attack Cheatsheet
Found an issue? Have a suggestion? Feel free to:
- Open an issue
- Submit a pull request
- Share your attack writeups
- Use `docker compose ps` to check running services
- Use `docker compose logs <service>` to view logs
- Use `docker compose down` to stop all services
- Use `docker compose down -v` to remove volumes too