Skip to content

adip-offensec/LinuxChainLab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
scripts
scripts
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
Vagrantfile
Vagrantfile
 
 
php-reverse-shell.php
php-reverse-shell.php
 
 

Repository files navigation

Linux Attack Chain Lab

A multi-stage penetration testing lab built with Vagrant and VirtualBox.

Lab Overview

This lab contains 3 machines (cb01, cb02, cb03) connected via a private network:

Machine IP Role Challenge
cb01 192.168.56.101 Web Server File Upload → Reverse Shell
cb02 192.168.56.102 Artifactory Server Default Credentials → Cron Exploitation
cb03 192.168.56.103 Target Server SSH Pivot → Library Hijack → Ansible Vault

Prerequisites

  • VirtualBox (version 6.1+)
  • Vagrant (version 2.2+)
  • At least 4 GB RAM (6 GB recommended)
  • 30 GB free disk space

Quick Start

# Navigate to the lab directory
cd /home/adip/LinuxChainLab

# Start all VMs (takes 15-25 minutes on first run)
vagrant up

# Check VM status
vagrant status

Attack Path Walkthrough

Step 1: Initial Access (cb01)

  1. Browse to http://192.168.56.101/
  2. Upload php-reverse-shell.php (edit IP/port first!)
  3. Start listener: nc -lvnp 4444
  4. Access shell at http://192.168.56.101/uploads/php-reverse-shell.php

Step 2: Pivot via Cron Job (cb01 → cb02)

  1. Find cron: /etc/cron.d/update-job
  2. Target cb02: 192.168.56.102:8081
  3. Credentials: admin:password
  4. Upload malicious update.sh to Artifactory
  5. Wait for cron execution → get shell as dev on cb01

Step 3: Lateral Movement (cb01 → cb03)

  1. Get SSH key: /home/dev/.ssh/id_rsa
  2. Connect: ssh -i id_rsa dev@192.168.56.103

Step 4: Privilege Escalation (cb03)

  1. Examine setuid binary: /usr/local/bin/status
  2. Check library: ldd /usr/local/bin/status
  3. Create malicious library in /opt/custom/lib/
  4. Run binary → get root shell

Step 5: Capture the Flag

  1. Find vault: /root/ansible/secret.txt
  2. Decrypt: ansible-vault decrypt --vault-password-file /root/ansible/vault_pass.txt /root/ansible/secret.txt
  3. FLAG: FLAG{Ansible_Vault_Decrypted}

Credentials

Service Username Password
cb01 dev user dev devpassword
cb02 Artifactory admin password
cb03 dev user dev devpassword
Ansible vault (password file) vaultpassword

Network Access

After vagrant up, access the lab:

  • Attacker (host): Use 192.168.56.1 or your VirtualBox host-only adapter IP

VM Management

# SSH into machines
vagrant ssh cb01
vagrant ssh cb02
vagrant ssh cb03

# Stop all VMs
vagrant halt

# Destroy all VMs
vagrant destroy -f

# Rebuild a specific VM
vagrant destroy cb01 -f && vagrant up cb01

Troubleshooting

  • Vagrant not starting? Ensure VirtualBox is installed and running
  • Network issues? Check VirtualBox host-only adapter is configured
  • Artifactory slow? First start can take 5+ minutes
  • SSH issues? Run vagrant reload to regenerate keys

Files Included

LinuxChainLab/
├── Vagrantfile              # VM configuration
├── php-reverse-shell.php    # Pre-configured reverse shell
├── README.md                # This file
└── scripts/
    ├── cb01-setup.sh       # Web server setup
    ├── cb02-setup.sh       # Artifactory setup
    └── cb03-setup.sh       # Target server setup

Clean Up

vagrant destroy -f

For educational purposes only. Use on systems you own or have permission to test.

About

A multi-stage Linux attack chain lab with Vagrant and VirtualBox

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages