VMGoat is a project that deploys cyber security scenarios on cloud infrastructure.
Warning
Never use production cloud credentials when using this tool!
This project attempts to minimize the blast radius of malicious scenarios through containerization and code review. But you are encouraged to review all code that you run.
This project will deploy one or more virtual machines to a cloud provider (AWS) and then run Ansible against them to create a custom challenge. I created this project because I originally wanted to publish a TryHackMe room, but my original scenario has not been reviewed over a year after I submitted it.
This project is not for deploying insecure cloud resources (check out CloudGoat for that), but instead for configuring virtual environments.
To deploy the scenarios you need Docker installed and an AWS profile configured (the AWS CLI is not required).
# Downloads the deployment binary
curl https://raw.githubusercontent.com/andrew-aiken/vmGoat/refs/heads/main/install.sh | bash
# Sets up a file that contains your IP whitelist
./vmGoat config allowlist
# Set up the AWS profile and region
./vmGoat config aws
If you don't want the additional overhead of having Docker installed, you can run the application locally.
You will need Ansible and passlib installed. Then add --local to the commands that would otherwise use Docker (create, destroy, purge).
git clone git@github.com:andrew-aiken/vmGoat.git
cd vmGoat
sh ./install.sh
./vmGoat create --local XYZ
In addition to the local dependencies, you will also need Golang installed.
By default, the binary attempts to run inside a container built by GitHub CI.
To run it directly on your local machine, be sure to include the --local flag.
git clone git@github.com:andrew-aiken/vmGoat.git
cd vmGoat
go build -o vmGoat cmd/vmGoat/main.go
./vmGoat create --local XYZ
docker volume create vmGoat
docker run --rm -it --entrypoint bash \
-v vmGoat:/.config/vmGoat/ \
-v $HOME/.aws:/root/.aws/:ro \
--workdir /mnt/ \
-e VMGOAT_LOCAL=true \
ghcr.io/andrew-aiken/vmgoat:latest
Then run all commands as you normally would, except run the binary from /vmGoat and with the --local flag.
The settings will persist across deployments of the container.
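The container above mounts the whole of $HOME/.aws, so every profile on the host, production ones included, is readable inside it. The script below is an added example, not part of vmGoat: it copies a single profile into a scratch directory that can be mounted in its place. The profile name vmgoat-lab and the directory ~/.aws-vmgoat are hypothetical, and it assumes the profile's settings live entirely in the credentials and config files (SSO caches and credential_process helpers are not carried over).

```shell
#!/usr/bin/env bash
# Added example, not part of vmGoat: copy ONE named profile out of an AWS
# credentials/config pair into a scratch directory, so that directory can be
# mounted into the container instead of the whole ~/.aws.

# extract_section FILE HEADER
# Print the INI section whose header line is exactly [HEADER], up to (but not
# including) the next section header.
extract_section() {
    awk -v want="[$2]" '
        /^[ \t]*\[/ {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)
            keep = (line == want)
        }
        keep { print }
    ' "$1"
}

# isolate_profile SRC_DIR PROFILE DEST_DIR
# Returns 1 if PROFILE has no entry in SRC_DIR/credentials or SRC_DIR/config.
isolate_profile() {
    local src="$1" profile="$2" dest="$3"
    # The config file names sections "[profile NAME]", except for "[default]".
    local cfg_header="profile $profile"
    [ "$profile" = "default" ] && cfg_header="default"

    mkdir -p "$dest" || return 2
    chmod 700 "$dest" || return 2
    # Create both files owner-only before any secret is written to them.
    ( umask 077; : > "$dest/credentials"; : > "$dest/config" )

    if [ -f "$src/credentials" ]; then
        extract_section "$src/credentials" "$profile" > "$dest/credentials"
    fi
    if [ -f "$src/config" ]; then
        extract_section "$src/config" "$cfg_header" > "$dest/config"
    fi
    [ -s "$dest/credentials" ] || [ -s "$dest/config" ] || return 1
}

# Usage (hypothetical profile name and destination directory):
#   isolate_profile "$HOME/.aws" vmgoat-lab "$HOME/.aws-vmgoat"
# then replace the bind mount in the docker run command with:
#   -v "$HOME/.aws-vmgoat":/root/.aws/:ro
```

The profile keeps its name inside the scratch directory, so the name given to ./vmGoat config aws does not change.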
Difficulty: 7/10
In this scenario you discover an unprotected version control system, then use the new access to discover a misconfiguration in a continuous deployment system that leads to privileged command execution.