Skip to content

bencemohr/ssh-demo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SSH Vulnerability Lab — Attacker/Victim (Educational)

This repository contains a two‑container Docker lab for teaching common server misconfigurations and a safe, simulated Heartbleed‑style memory leak. It runs locally only; nothing is exposed to the internet beyond package downloads during image build.

Safety note: The “heartbleed” service is a tiny Python demo that returns bytes from a local file; it does not ship vulnerable OpenSSL. The SSH weaknesses are intentional, self‑contained misconfigurations inside the victim container.


1) Prerequisites

  • Docker Desktop installed and running
  • Git Bash (Windows) or any terminal (macOS/Linux/WSL/PowerShell)
  • Internet access once to build the images (package install), then everything runs offline

2) Folder structure (expected)

.
├─ docker-compose.yml
├─ attacker/
│  ├─ Dockerfile
│  └─ tools/
│     ├─ wordlist.txt
│     ├─ ssh-helper.sh
│     └─ bleed.py
└─ victim/
   ├─ Dockerfile
   ├─ entrypoint.sh
   ├─ services/
   │  ├─ fake_heartbleed.py
   │  └─ memory.bin
   ├─ ssh/
   │  ├─ sshd_config.level1
   │  ├─ sshd_config.level2
   │  ├─ sshd_config.level3
   │  ├─ sshd_config.level4
   │  └─ sshd_config.level5
   ├─ banners/               # optional, can be empty
   ├─ motd/                  # optional, can be empty
   ├─ users/
   │  ├─ make_users_level1.sh
   │  ├─ make_users_level2.sh
   │  ├─ make_users_level3.sh
   │  ├─ make_users_level4.sh
   │  └─ make_users_level5.sh
   └─ extras/                # optional keys/binaries/hints per level

If the folders don’t exist, create them as above. Ensure all *.sh files are executable on Linux/WSL:
chmod +x victim/entrypoint.sh victim/users/*.sh attacker/tools/*.sh


3) Quick start

Open a terminal in the project root (where docker-compose.yml is).

Windows Git Bash / WSL

DIFFICULTY=1 docker compose up --build -d

Windows PowerShell

$env:DIFFICULTY="1"
docker compose up --build -d

This builds and starts two containers: victim and attacker.


4) Connecting & basic usage

SSH into the victim

Default mapping (edit your docker-compose.yml if different):

ports:
  - "2222:22"     # SSH
  - "8443:8443"   # fake heartbleed server
  # Optionally add: - "2223:2222" (if a level uses SSH port 2222 inside)

Login (Level 1 example):

ssh -o StrictHostKeyChecking=no student@localhost -p 2222
# password: password

Run the Heartbleed demo (from host)

# Linux/WSL/Git Bash:
docker exec -it attacker python3 /tools/bleed.py victim 8443 8000 | grep FLAG

# PowerShell equivalent (no grep):
docker exec -it attacker python3 /tools/bleed.py victim 8443 8000 | Select-String FLAG

You should see a “leak” containing FLAG{...} from a local file inside the victim service.


5) Difficulty levels (1–5)

Start with a level by setting DIFFICULTY before docker compose up:

docker compose down
DIFFICULTY=3 docker compose up --build -d

Level overview (default users/ports):

Level SSH Port (inside) Auth Default user Notes / Goal
1 22 Password student:password Tutorial. Learn SSH, banners/MOTD, basic sudo usage.
2 22 Password student:toor123 Weak crypto/algo hints in MOTD/Banner; learn enumeration.
3 2222 Password admin:admin2024 Non‑standard port, leaked backup creds in /var/backups.
4 22 Key only user dev Find leaked private key; pager escape via sudo less.
5 2222 Key only user ops Weak key passphrase hint + SUID/path hijack demo.

If Level 3/5 uses SSH port 2222 inside, either connect via the extra mapping (e.g., - "2223:2222") and use ssh ... -p 2223, or change your compose ports to suit your host.


6) Verifying configuration (from host)

Check that the selected difficulty applied the expected SSH config:

docker exec -it victim bash -lc 'grep -E "PermitRootLogin|PasswordAuthentication|Port" /etc/ssh/sshd_config'

See the active difficulty:

docker exec -it victim bash -lc 'echo $DIFFICULTY'

View banners/MOTD (if present):

docker exec -it victim bash -lc 'cat /etc/issue.net || true; cat /etc/motd || true'

7) Stopping, changing difficulty, cleaning up

Stop the stack:

docker compose down

Change level (example to Level 4):

DIFFICULTY=4 docker compose up --build -d

Full cleanup for this project only (containers, images, volumes):

docker compose down -v --rmi all

8) Troubleshooting

  • “Permission denied” running entrypoint or user scripts
    Make scripts executable (Linux/WSL/Git Bash):

    chmod +x victim/entrypoint.sh victim/users/*.sh attacker/tools/*.sh
    docker compose up --build -d
  • Port already in use
    Edit docker-compose.yml and change the host port (left side of the mapping), e.g. 2224:22, then docker compose up -d.

  • docker exec says docker: command not found
    You’re inside the container. Run docker exec ... on the host (in your terminal where you used docker compose up).

  • Attacker image failed installing netcat
    Use netcat-openbsd on Ubuntu 24.04, not netcat-traditional.


9) Security & ethics

  • The lab is offline except for package downloads during build.
  • The Heartbleed demo is a safe simulation (fake_heartbleed.py), not a real CVE.
  • Use for education only. Do not expose these containers to the public internet.

10) Handy commands

# See running containers
docker ps

# Follow logs (victim)
docker logs -f victim

# Open a shell inside victim
docker exec -it victim bash

# Rebuild only one service
docker compose build victim
docker compose build attacker

Have fun and hack responsibly!

About

No description, website, or topics provided.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors