Intro

I have wanted a more portable lab setup for a while now. I like to work from coffee shops and frequently switch between my laptop and desktop.

Until now I’ve been running Kali in a VM on each of my machines, but each environment is another one to customize and maintain. It’s hard to keep them in sync.

I use pCloud for shared file storage across environments, but I wanted to go a step further and build a single lab I could use anywhere, so I finally decided to see how I can make Docker work for my hacking workflow.

Not only does it give me the performance benefits of not needing a full VM, it makes it very easy to run the same toolkit across many machines, or even in a cloud VPS. I really like that level of flexibility and convenience.

My current methodology only includes a couple of GUI applications (Burp Suite, Wireshark, and Ghidra), all of which can run directly on my host. I even stick to Burp’s built-in Chromium browser for webapp testing as it’s a convenient way to keep only relevant traffic running through the proxy. I’m fine managing those manually for now, or perhaps I’ll circle back later and set up a VNC server on the lab to allow for use of desktop/GUI tools in the lab as well.

CTF Workflow

One thing that seemed tricky at first but ended up being pretty simple was figuring out the networking for my CTF workflow.

I prefer connecting to the TryHackMe and HackTheBox VPNs from inside my lab rather than from my host. (And when using Docker, this avoids the need to expose extra ports at the time the container starts for things like reverse shells, ftp, etc.)

But in that case, how could I use Burp outside of the lab and still have my traffic ultimately routing through the VPN?

The solution was simply to set up an SSH server in the lab which would allow it to serve as a SOCKS proxy.

It works like this:

  1. I start my lab container which has SSH pre-configured and running.
  2. I open an SSH connection to my lab with ssh hacklab. (The install.sh script that comes with hacklab installs the configuration needed for this shortcut to work. It is equivalent to running ssh root@localhost -p 2222 -D 1337. The -D flag enables dynamic port forwarding.)
  3. In Burp Suite I enabled SOCKS proxying through localhost:1337.
  4. This allows me to still access the private IP/port of my CTF target from my host, and Burp will tunnel the traffic through my SSH connection into my lab and out to the private CTF network as long as that connection remains open.
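Before pointing Burp at localhost:1337 it is worth confirming that the dynamic forward is really answering as a SOCKS server. The probe below is an added example and not part of hacklab; it speaks the SOCKS5 protocol (RFC 1928) the same way Burp does once SOCKS proxying is enabled, and the proxy address 127.0.0.1:1337, the lab-side target and the ports are assumptions for illustration.

```python
"""Probe the SOCKS5 endpoint exposed by `ssh -D 1337`.

Added example, not hacklab code. Proxy address, target and ports are
assumptions. Offline-testable pieces (request building, reply parsing)
are separated from the network round trip in probe().
"""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04

# RFC 1928 reply codes, so a failure is reported in words.
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def greeting() -> bytes:
    """Client hello offering only 'no authentication' (ssh -D needs none)."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request.

    Hostnames are sent as ATYP 3 (domain name) so DNS resolution happens
    inside the lab, on the VPN side, rather than on the host.
    """
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            raw = host.encode("idna")
            if len(raw) > 255:
                raise ValueError("hostname too long for SOCKS5")
            addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes) -> tuple:
    """Return (reply_code, 'bound_addr:port') from a server reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        bound, port_off = socket.inet_ntoa(data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        bound, port_off = data[5:5 + n].decode(), 5 + n
    elif atyp == ATYP_IPV6:
        bound, port_off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) < port_off + 2:
        raise ValueError("truncated SOCKS5 reply")
    (port,) = struct.unpack("!H", data[port_off:port_off + 2])
    return rep, f"{bound}:{port}"


def probe(target_host: str, target_port: int,
          proxy_host: str = "127.0.0.1", proxy_port: int = 1337,
          timeout: float = 5.0) -> str:
    """Run the full handshake against the live SSH SOCKS port (needs the tunnel up)."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(greeting())
        hello = s.recv(2)
        if hello != bytes([SOCKS_VERSION, 0x00]):
            raise RuntimeError(f"proxy rejected no-auth method: {hello!r}")
        s.sendall(connect_request(target_host, target_port))
        # Replies are tiny; a single recv is enough for a local ssh -D.
        rep, bound = parse_reply(s.recv(262))
    return f"{REPLY_CODES.get(rep, 'unknown reply')} (bound {bound})"


if __name__ == "__main__":
    # Assumed lab-side target on the CTF VPN; adjust to your own.
    print(probe("10.10.10.5", 80))
```

Two details matter in practice. Sending hostnames as ATYP 3 keeps name resolution inside the lab, which is what you want for CTF hostnames that only resolve over the VPN; Burp has a matching "Do DNS lookups over SOCKS proxy" option in its SOCKS settings. And OpenSSH's dynamic forward reports "succeeded" as soon as it accepts the request, so a success here proves the SSH tunnel is serving SOCKS, while reachability of the target is only confirmed once data actually flows through it.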

Pretty cool!

And for the reverse flow, where I want to capture traffic from a CLI tool running in the lab with Burp, all I have to do is point the tool to host.docker.internal (which resolves to the host’s internal IP) and port 8080 (or whatever Burp is listening on), and traffic will go from the tool → out to Burp on the host → back through the SOCKS proxy → and out through the CTF VPN.

Finally, for data persistence I mount .data from the host to /data in the lab. This allows for easy file sharing between my host and lab, as well as data persistence between sessions.

Let’s See It

Hacklab is available via my github profile at: https://github.com/6rian/hacklab