This document provides instructions for setting up a hack environment using Docker containers. It discusses pros and cons of different options like using a real server, cloud services, or virtual machines. Docker is recommended for its ease of use, templates, and ability to run on multiple platforms. Example Dockerfiles and Docker Compose files are provided to set up environments like IIS, Nginx, LEMP stacks, and vulnerable apps. Specific vulnerabilities like Heartbleed and DHClient RCE are demonstrated using Docker images. Finally, Docker images for security tools like Kali Linux and REMnux are mentioned.

1. How to create your
own hack environment
By Sumedt Jitpukdebodin

2. # whoami
:~ # Sumedt Jitpukdebodin
:~ # Cyber Ops Consultant @ Horangi
:~ # Technical @ OWASP Thailand, Admin @ 2600Thailand
:~ # Google me :)

3. # why ~
:~ # Learn system administrator jobs
:~ # Learn offensive and defensive
• Do PoC from public exploit
• Analysis vulnerabilities and analysis
• Create your own challenges and make people fun with it :)
:~ # Do the lab for DevSecOps
:~ # Simulate the real world situation.
:~ # Do something weird :p

4. # How
• Create with your own machine (server)
• Create with cloud service
• Create with VM and container

5. # Differentiate
Price
(Start)
Pros Cons
Real Server 30000
- Powerful machine
- Can do everything you
want
- You own it
- Longterm solution
- Have to maintain by
yourself
Cloud Service 500~/month
- Short-term solution
- Easy to setup
- Real world environment
- Scalable
- Easy to custom
- Limit images
- High price for longterm
- Have some restriction

6. # why Docker
• Easy to setup and maintain
• Easy to find template
• Easy to modify
• Can run on multi-platform
• Strong community

7. # Install Docker on Ubuntu
16.04.2
:~ # sudo apt-get update
:~ # sudo apt-get install apt-transport-https ca-certificates
curl software-properties-common
:~ # sudo add-apt-repository "deb [arch=amd64] https://
download.docker.com/linux/ubuntu $(lsb_release -
cs) stable”
:~ # sudo apt-get update
:~ # sudo apt-get install docker-ce docker-compose

8. Example Docker image for
IIS (Windows)
# escape=`
FROM microsoft/windowsservercore:1803
RUN powershell -Command `
Add-WindowsFeature Web-Server; `
Invoke-WebRequest -UseBasicParsing -Uri "https://
dotnetbinaries.blob.core.windows.net/servicemonitor/2.0.1.3/ServiceMonitor.exe"
-OutFile "C:ServiceMonitor.exe"
EXPOSE 80
ENTRYPOINT ["C:ServiceMonitor.exe", "w3svc"]

9. Example Docker image for
Nginx (Linux)
FROM debian:jessie
MAINTAINER Diego Najar
# Variables
ENV NGINX_VERSION 1.10.1-1~jessie
ENV nginx_conf /etc/nginx/nginx.conf
ENV php_conf /etc/php5/fpm/php.ini
ENV fpm_conf /etc/php5/fpm/php-fpm.conf
ENV fpm_pool /etc/php5/fpm/pool.d/www.conf
# Packages installation
RUN echo "deb http://nginx.org/packages/debian/ jessie nginx" >> /etc/apt/sources.list &&
apt-get update &&
apt-get install --no-install-recommends --no-install-suggests -y --force-yes ca-
certificates nginx nginx-module-xslt nginx-module-geoip nginx-module-image-filter nginx-
module-perl nginx-module-njs gettext-base php5-fpm supervisor
RUN sed -i -e "s/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g" ${php_conf} &&
sed -i -e "s/listen = 127.0.0.1:9000/listen = /var/run/php-fpm.sock/g" ${fpm_pool}
EXPOSE 80 443

10. # Start Docker
:~ # docker build -t nginx-phpfpm docker-nginx-php-fpm
:~ # docker run -itd -p 80:80 nginx-phpfpm:latest
:~ # docker ps
:~ # docker exec <name> /etc/init.d/nginx restart

11. Example Docker Compose
for LEMP
version: ‘3'
networks:
LEMP:
services:
nginx:
image: nginx:stable-alpine
container_name: LEMP_nginx
ports:
- "8080:80"
volumes:
- ./code:/code
- ./nginx/default.conf:/etc/nginx/conf.d/default.conf
depends_on:
- php
networks:
- LEMP
mariaDB:
image: mariadb:latest
container_name: LEMP_mariaDB
volumes:
- ./database:/var/lib/mysql:rw
ports:
- "3306:3306"
depends_on:
- nginx
environment:
- MYSQL_ROOT_PASSWORD=654321
networks:
- LEMP
php:
image: php:7-fpm-alpine
container_name: LEMP_php
volumes:
- ./code:/code
ports:
- "9000:9000"
networks:
- LEMP
phpmyadmin:
image: phpmyadmin/phpmyadmin
container_name: LEMP_phpMyAdmin
ports:
- "8183:80"
environment:
PMA_ARBITRARY: 1
depends_on:
- mariaDB
networks:
- LEMP

12. # Vulnerable OWASP
Docker Images
• DVWA (https://github.com/infoslack/docker-dvwa)
• Juice Shop (https://hub.docker.com/r/bkimminich/juice-shop/)
• Vulnerable Wordpress by WPScan Team (https://hub.docker.com/r/
wpscanteam/vulnerablewordpress/)
• Mutillidae 2 (https://hub.docker.com/r/citizenstig/nowasp/)
• OWASP WebGoat (https://hub.docker.com/r/danmx/docker-owasp-
webgoat/)
• OWASP NodeGoat (https://github.com/owasp/
nodegoat#option-3---run-nodegoat-on-docker)

13. # Specific Vulnerabilities
• Apache Struts2 - CVE-2017-5638 (https://hub.docker.com/r/
piesecurity/apache-struts2-cve-2017-5638/)
• Shellshock - CVE-2014-6271 (https://github.com/Zenithar/docker-
shellshockable)
• Heartbleed - CVE-2014-0160 (https://hub.docker.com/r/hmlio/
vaas-cve-2014-0160/)
• Sambacry - CVE-2017-7494 (https://hub.docker.com/r/
vulnerables/cve-2017-7494/)
• DHClient RCE - CVE-2018-1111 (https://github.com/knqyf263/
CVE-2018-1111)

14. # Multi Vulnerable Docker
• https://hub.docker.com/u/vulnerables/

15. # Start Heartbleed Docker
:~ # docker pull hmlio/vaas-cve-2014-0160
:~ # docker run -d -p 8443:443 hmlio/vaas-cve-2014-0160
:~ # nmap -sV -p 8443 --script=ssl-heartbleed localhost
:~ # git clone https://github.com/mpgn/heartbleed-PoC
:~ # python2 heartbleed-exploit.py localhost 8443

16. # Start DHClient-RCE
Docker
:~ # git clone https://github.com/knqyf263/CVE-2018-1111
:~ # docker-compose up -d
• Attacker
:~ # docker-compose exec attacker bash
:~ # ./scripts/attack.sh
• Victim
:~ # docker-compose exec victim bash
:~ # ./scripts/victim.sh

17. Demo time

18. # Docker for Security
Officer
• Kali Linux (https://www.kali.org/news/official-kali-linux-
docker-images/)
• SIFT (https://github.com/kost/docker-sift)
• REMNux (https://hub.docker.com/r/remnux/)

19. How about real world
scenario?

20. AWS
• AWS EC2
• Active Directory
• IIS
• SQL Server
• WAF
• NGFW
• AWS S3
• Real sh*t scenario

25. Step of demo#2
• Pwn client with any method (in this demo, I used psexec
but actually can be any client side attack method)
• Dump password and enumerate information inside client
• Create Socket Server on Attacker and forward package to
client via session of Metasploit for pivoting network
• Pwn Windows AD on AWS with psexec by using
credential of domain user.

27. Demo time#2

28. Can we do anything else?
• Vulnhub
• HackTheBox
• PentesterLab
• Many Vulnerability VM/docker from many vendor.
• CTF
• etc.

29. Thank you