# ARCHER Range Expansion Plan

## Executive Summary
The current lab covers two segments: Metasploitable 2 (Linux services, 2008-era CVEs) and GOAD-Light (Active Directory, Windows lateral movement). This covers roughly 15% of the CVE families an enterprise penetration tester encounters in 2024–2026 engagements.
Key gaps:

- No modern web application stack (Confluence, Jenkins, GitLab, Grafana all absent)
- No Java middleware (WebLogic, Spring, Log4j — three of the top-10 exploited CVEs)
- No CI/CD attack surface (Jenkins pipeline injection, GitLab RCE)
- No monitoring/observability (Grafana, Zabbix, Splunk — common lateral pivot targets)
- No containerization targets (Docker socket exposure, Kubernetes RBAC)
- No mail stack (Roundcube, Exim — frequent initial access vectors)
All recommendations below are deployable for free in under 30 minutes on the existing Kali Docker host or via a single additional Ubuntu VM.
## Priority Table
| Service | Priority | Method | Est. Setup | CVE Families | Status |
|---|---|---|---|---|---|
| Apache Tomcat | CRITICAL | Docker | 5 min | GhostCat, JSP RCE, AJP | Not in lab |
| Apache Log4j 2.x | CRITICAL | Docker | 5 min | Log4Shell (CVE-2021-44228) | Not in lab |
| Apache Struts 2 | CRITICAL | Docker | 5 min | S2-045, S2-057 (Equifax) | Not in lab |
| Oracle WebLogic | CRITICAL | Docker | 10 min | CVE-2020-14882, CVE-2019-2725 | Not in lab |
| Jenkins | CRITICAL | Docker | 5 min | Pipeline RCE, script console | Not in lab |
| Atlassian Confluence | CRITICAL | Docker | 10 min | CVE-2022-26134, CVE-2021-26084 | Not in lab |
| Spring Framework | CRITICAL | Docker | 5 min | Spring4Shell, SpringShell | Not in lab |
| Apache ActiveMQ | CRITICAL | Docker | 5 min | CVE-2023-46604 (ClassInfo RCE) | Not in lab |
| Grafana | HIGH | Docker | 2 min | CVE-2021-43798 path traversal | Not in lab |
| Elasticsearch | HIGH | Docker | 5 min | Unauthenticated RCE (pre-7.x) | Not in lab |
| Redis | HIGH | Docker | 2 min | CVE-2022-0543, SSRF-to-RCE | Not in lab |
| Apache Solr | HIGH | Docker | 5 min | SSRF, RCE via Velocity template | Not in lab |
| phpMyAdmin | HIGH | Docker | 5 min | LFI, SQL exec, auth bypass | Not in lab |
| Roundcube Webmail | HIGH | Docker | 5 min | XSS→RCE, credential harvest | Not in lab |
| Exim MTA | HIGH | Docker | 10 min | CVE-2019-10149 (Ghost RCE) | Not in lab |
| GitLab CE | HIGH | Docker | 15 min | CVE-2021-22205 (ExifTool RCE) | Not in lab |
| Splunk Free | HIGH | Docker | 10 min | Command injection, SSRF | Not in lab |
| Zabbix | HIGH | Docker | 15 min | SQLi, SAML auth bypass | Not in lab |
| HashiCorp Vault | HIGH | Docker | 5 min | Seal bypass, token misconfig | Not in lab |
| Keycloak | HIGH | Docker | 10 min | OIDC bypass, admin console RCE | Not in lab |
| OpenSSH (versioned) | HIGH | Docker | 5 min | CVE-2023-38408, regreSSHion | Outdated in lab |
| Apache CouchDB | HIGH | Docker | 5 min | CVE-2017-12635 OS command injection | Not in lab |
| Atlassian Jira | HIGH | Docker | 15 min | SSRF, template injection | Not in lab |
| Cacti | HIGH | Docker | 10 min | SQLi, command injection (2023) | Not in lab |
| Kubernetes (k3s) | HIGH | VM | 20 min | RBAC bypass, pod escape | Not in lab |
| Docker Engine (DinD) | HIGH | Docker | 5 min | Socket exposure, namespace escape | Not in lab |
| WordPress | HIGH | Docker | 5 min | Plugin/theme CVEs, xmlrpc | Not in lab |
| Drupal | HIGH | Docker | 5 min | Drupalgeddon 1/2/3 | Not in lab |
| Samba (modern) | MEDIUM | Docker | 5 min | CVE-2021-44142, WritablePipe | Outdated in lab |
| MongoDB | MEDIUM | Docker | 2 min | No-auth exposure, SSRF | Not in lab |
| Nagios Core | MEDIUM | Docker | 10 min | CVE-2021-37350 SQLi | Not in lab |
| Gitea | MEDIUM | Docker | 5 min | RCE via git hooks | Not in lab |
| Joomla | MEDIUM | Docker | 5 min | PHP unserialize, SQLi | Not in lab |
| OpenLDAP | MEDIUM | Docker | 5 min | Injection, recon target | Not in lab |
| RabbitMQ | MEDIUM | Docker | 5 min | Default creds, HTTP API abuse | Not in lab |
## Quick Wins — Under 5 Minutes Each

These can be added to the lab right now with a single `docker run` each:

```bash
# Redis — unauthenticated RCE via SLAVEOF + master-client
docker run -d --name lab-redis -p 6379:6379 redis:6.0.7

# MongoDB — no-auth, SSRF target
docker run -d --name lab-mongo -p 27017:27017 mongo:4.0

# Grafana — CVE-2021-43798 path traversal (plugin directory)
docker run -d --name lab-grafana -p 3000:3000 grafana/grafana:7.5.11

# phpMyAdmin — auth bypass, SQL exec
docker run -d --name lab-phpmyadmin -p 8081:80 \
  -e PMA_ARBITRARY=1 phpmyadmin:5.0.2

# HashiCorp Vault — dev mode (seal bypass, token misconfig).
# Pass only the subcommand: the image entrypoint prepends "vault" and adds
# -dev-listen-address=0.0.0.0:8200 when $1 is "server". With a literal
# "vault" first it execs the binary as-is and the dev listener stays on
# 127.0.0.1, so the published port never answers.
docker run -d --name lab-vault -p 8200:8200 \
  --cap-add=IPC_LOCK vault:1.7.0 server -dev

# Roundcube Webmail — credential harvest target
docker run -d --name lab-roundcube -p 8082:80 \
  roundcube/roundcubemail:1.4.0

# Prometheus — unauthenticated metric scrape, target discovery
docker run -d --name lab-prometheus -p 9090:9090 prom/prometheus:2.26.0
```
## Category Detail

### Web / Application Servers

#### Apache Tomcat (CRITICAL)

Enterprise prevalence: Near-universal in Java shops. GhostCat (CVE-2020-1938) and JSP upload RCE (CVE-2017-12615) are consistently high-EPSS.

```bash
# Vulhub — GhostCat (AJP connector). Run from the directory that holds the
# clone; each project is started in a subshell so the cwd is unchanged and the
# next relative `cd vulhub/...` still resolves.
git clone https://github.com/vulhub/vulhub
(cd vulhub/tomcat/CVE-2020-1938 && docker compose up -d)
# Or: Arbitrary JSP write
(cd vulhub/tomcat/CVE-2017-12615 && docker compose up -d)
# Many vulhub projects publish host port 8080; start them one at a time or
# edit the port mapping before bringing several up together.
```

CVE families: CVE-2020-1938 (GhostCat), CVE-2017-12615 (PUT RCE), CVE-2019-0232 (Windows CGI)
#### Apache Struts 2 (CRITICAL)

Enterprise prevalence: Still present in financial sector, government portals. S2-045 caused the Equifax breach.

```bash
(cd vulhub/struts2/CVE-2017-5638 && docker compose up -d)   # S2-045
(cd vulhub/struts2/CVE-2018-11776 && docker compose up -d)  # S2-057
```

CVE families: CVE-2017-5638, CVE-2018-11776, CVE-2021-31805
#### Oracle WebLogic (CRITICAL)

Enterprise prevalence: Standard in Oracle-heavy enterprises (banking, insurance, government).

```bash
(cd vulhub/weblogic/CVE-2020-14882 && docker compose up -d)  # unauth RCE
(cd vulhub/weblogic/CVE-2019-2725 && docker compose up -d)   # deserialization
```

CVE families: CVE-2020-14882, CVE-2019-2725, CVE-2017-10271, CVE-2023-21839
### Java / Application Frameworks

#### Apache Log4j 2.x — Log4Shell (CRITICAL)

Enterprise prevalence: Affects virtually every Java application using Log4j 2.0–2.14. Most critical vulnerability since Heartbleed.

CVE families: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
#### Spring Framework / Spring4Shell (CRITICAL)

Enterprise prevalence: Default framework for modern Java microservices. Spring4Shell affects every Spring MVC app running on JDK 9+.

```bash
(cd vulhub/spring/CVE-2022-22965 && docker compose up -d)  # Spring4Shell
(cd vulhub/spring/CVE-2022-22963 && docker compose up -d)  # SpEL injection
```

CVE families: CVE-2022-22965, CVE-2022-22963, CVE-2018-1270
### CI/CD & DevOps

#### Jenkins (CRITICAL)

Enterprise prevalence: Used in virtually every software development shop. Script console + unauthenticated API are top-3 pentest findings in enterprise assessments.

```bash
(cd vulhub/jenkins/CVE-2018-1000861 && docker compose up -d)  # RCE
# Or: specific version for Groovy script console access
docker run -d -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.289.1
```

CVE families: CVE-2018-1000861, CVE-2019-1003000, CVE-2024-23897 (file read)
#### Atlassian Confluence (CRITICAL)

Enterprise prevalence: Standard wiki/documentation platform in mid-to-large enterprises. CVE-2022-26134 was exploited in the wild within hours of disclosure.

```bash
(cd vulhub/confluence/CVE-2022-26134 && docker compose up -d)  # OGNL RCE
(cd vulhub/confluence/CVE-2021-26084 && docker compose up -d)  # OGNL pre-auth
```

CVE families: CVE-2022-26134, CVE-2021-26084, CVE-2019-3396, CVE-2023-22518
#### GitLab CE (HIGH)

Enterprise prevalence: Common in DevOps-mature shops. CVE-2021-22205 (ExifTool RCE via image upload) is a favorite initial access vector.

```bash
(cd vulhub/gitlab/CVE-2021-22205 && docker compose up -d)
# Or specific version:
docker run -d -p 80:80 -p 443:443 gitlab/gitlab-ce:13.10.3-ce.0
```

CVE families: CVE-2021-22205, CVE-2023-7028 (account takeover)
#### Apache ActiveMQ (CRITICAL)

Enterprise prevalence: Widely deployed for enterprise messaging. CVE-2023-46604 is the most actively exploited CVE of 2023–2024 (CISA KEV).

CVE families: CVE-2023-46604 (ClassInfo deserialization RCE), CVE-2016-3088
### Databases & Data Stores

#### Elasticsearch (HIGH)

Enterprise prevalence: Default logging/search backend in modern stacks. Pre-7.0 instances have no authentication by default — direct data access and Groovy/Painless script RCE.

```bash
(cd vulhub/elasticsearch/CVE-2014-3120 && docker compose up -d)  # Groovy RCE
(cd vulhub/elasticsearch/CVE-2015-1427 && docker compose up -d)  # Groovy sandbox escape
# Modern: unauthenticated 9200. discovery.type=single-node is required: the
# image binds 0.0.0.0, which turns on the 7.x bootstrap checks, and without a
# discovery setting the node fails them and exits.
docker run -d -p 9200:9200 -e "discovery.type=single-node" \
  -e "xpack.security.enabled=false" elasticsearch:7.6.2
```

CVE families: CVE-2014-3120, CVE-2015-1427, CVE-2021-22145
#### Redis (HIGH)

Enterprise prevalence: Near-universal cache layer. Unauthenticated access enables SSRF-to-RCE via SLAVEOF (write SSH keys or cron).

```bash
(cd vulhub/redis/CVE-2022-0543 && docker compose up -d)
# Or no-auth instance:
docker run -d -p 6379:6379 redis:6.0.7
```

CVE families: CVE-2022-0543, unauthenticated SLAVEOF RCE pattern
#### Apache CouchDB (HIGH)

Enterprise prevalence: Used in IoT and document-store applications. CVE-2017-12635 allows creating an admin user via HTTP, leading to OS command execution.

CVE families: CVE-2017-12635, CVE-2018-8007
### Monitoring & Observability

#### Grafana (HIGH)

Enterprise prevalence: Standard dashboarding in every DevOps environment. CVE-2021-43798 (plugin directory traversal) allows reading arbitrary files — common for reading Grafana DB secrets and pivoting.

```bash
docker run -d -p 3000:3000 grafana/grafana:7.5.11
# CVE-2021-43798: curl http://localhost:3000/public/plugins/alertlist/../../../etc/passwd
```

CVE families: CVE-2021-43798, CVE-2023-6152 (auth bypass)
#### Zabbix (HIGH)

Enterprise prevalence: Widespread in infrastructure-heavy enterprise and government networks. SAML auth bypass (CVE-2022-23131) and SQLi are common findings.

```bash
git clone https://github.com/zabbix/zabbix-docker
cd zabbix-docker && docker compose -f docker-compose_v3_alpine_mysql_latest.yaml up -d
```

CVE families: CVE-2022-23131 (SAML bypass), CVE-2021-27927 (CSRF→RCE), CVE-2013-2490 (SQLi)
#### Splunk Free (HIGH)

Enterprise prevalence: Industry-standard SIEM. Frequently deployed with default creds or a misconfigured REST API. Arbitrary command execution via search scripted inputs.

```bash
docker run -d -p 8000:8000 -p 8089:8089 \
  -e SPLUNK_START_ARGS="--accept-license" \
  -e SPLUNK_PASSWORD="changeme" \
  splunk/splunk:8.2.0
```

CVE families: CVE-2022-32158, CVE-2023-40597 (path traversal), search command injection
### Mail Servers

#### Roundcube Webmail (HIGH)

Enterprise prevalence: Common webmail frontend for self-hosted mail. XSS→RCE via malicious HTML email; credential harvesting via session hijack.

CVE families: CVE-2023-43770 (XSS), CVE-2024-37383 (XSS→RCE), credential harvest chain
#### Exim MTA (HIGH)

Enterprise prevalence: Default MTA on many Linux distributions. CVE-2019-10149 "The Return of the WIZard" — local or remote privilege escalation depending on config.

```bash
# Pin to 4.92 for CVE-2019-10149
docker run -d --name lab-exim ubuntu:20.04 bash -c \
  "apt update && apt install -y exim4 && exim4 -bdf"
```

CVE families: CVE-2019-10149, CVE-2020-28017 through 28026 "21Nails"
### Identity & Authentication

#### Keycloak (HIGH)

Enterprise prevalence: Standard SSO/OIDC broker in cloud-native environments. Admin console RCE, OIDC token validation bypass.

```bash
# 15.x is the WildFly distribution: the admin bootstrap variables are
# KEYCLOAK_USER / KEYCLOAK_PASSWORD. KEYCLOAK_ADMIN and the start-dev
# subcommand belong to the Quarkus images (17+) and are ignored here.
docker run -d -p 8080:8080 \
  -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin \
  quay.io/keycloak/keycloak:15.0.2
```

CVE families: CVE-2023-0091, CVE-2022-4361 (open redirect), admin console abuse
#### HashiCorp Vault (HIGH)

Enterprise prevalence: Central secrets management in cloud-native shops. Seal bypass, token privilege escalation, unauthenticated dev-mode access.

CVE families: CVE-2021-3024 (Shamir key bypass), CVE-2023-0620 (token persistence)
### Containers & Orchestration

#### Docker Engine — socket exposure (HIGH)

Enterprise prevalence: Exposed Docker socket is a near-universal container escape path. Misconfigured API (port 2375/2376) allows arbitrary container creation → host root.

```bash
# dind enables TLS and listens on 2376 by default; DOCKER_TLS_CERTDIR="" turns
# that off so the plaintext API actually answers on the published 2375.
docker run --privileged -d -p 2375:2375 -e DOCKER_TLS_CERTDIR="" \
  -v /var/run/docker.sock:/var/run/docker.sock docker:20.10-dind
```

CVE families: CVE-2019-5736 (runc escape), CVE-2021-41091 (overlay fs), socket exposure pattern
#### Kubernetes via k3s (HIGH)

Enterprise prevalence: Ubiquitous in cloud environments. RBAC misconfigurations, pod escape via hostPath, anonymous API server access.

CVE families: CVE-2021-25741 (symlink escape), CVE-2022-3294 (node IP spoofing), RBAC bypass patterns
### Network Infrastructure

#### Apache HTTP Server (HIGH)

Enterprise prevalence: Still extremely common as a reverse proxy and static file server. Path traversal RCEs (CVE-2021-41773) are reliable and easy to demonstrate.

```bash
(cd vulhub/httpd/CVE-2021-41773 && docker compose up -d)  # path traversal + RCE
(cd vulhub/httpd/CVE-2021-42013 && docker compose up -d)  # bypass for 41773 fix
```

CVE families: CVE-2021-41773, CVE-2021-42013, CVE-2017-9798 (Optionsbleed)
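A detection-side complement to the Grafana (CVE-2021-43798) and httpd (CVE-2021-41773/42013) targets above, added here as an example that is not part of the plan or of either project: it flags traversal attempts in the targets' access logs. Each request path is percent-decoded until it stops changing and then has its dot segments collapsed, so singly and doubly encoded variants are judged the same way; the log lines are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote

# Combined-log-format request line: client, timestamp, "METHOD path PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')
# Static prefixes a path may start with; escaping one after normalisation is the
# Grafana plugin-directory shape, any other ".." segment is generic traversal.
STATIC_PREFIXES = ("/public/plugins/",)

def canonical_path(raw):
    """Drop the query string, percent-decode to a fixed point (max 5 rounds, so
    double encoding unwraps) and return (decoded, normalised)."""
    path = raw.split("?", 1)[0]
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path, posixpath.normpath(path)

def classify(line):
    """Return None for a benign line, else a finding dict for the request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, normalised = canonical_path(m["path"])
    if ".." not in decoded.split("/"):
        return None
    prefix = next((p for p in STATIC_PREFIXES if decoded.startswith(p)), None)
    kind = "static-dir-escape" if prefix and not normalised.startswith(prefix) else "traversal"
    return {"ip": m["ip"], "kind": kind, "target": normalised, "status": int(m["status"])}

def detect(lines):
    """Run classify() over log lines and keep the findings."""
    return [f for f in map(classify, lines) if f]

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Mar/2024:10:00:07 +0000] "GET /public/plugins/alertlist/../../../etc/passwd HTTP/1.1" 200 1403',
    '10.0.0.9 - - [01/Mar/2024:10:00:09 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199',
    '10.0.0.9 - - [01/Mar/2024:10:00:11 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1403',
    '10.0.0.5 - - [01/Mar/2024:10:00:15 +0000] "GET /api/dashboards/home?orgId=1 HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The status is kept in each finding so blocked (403) and served (200) attempts can be triaged separately; a 200 against the escaped target is the case to chase first.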
#### Squid Proxy (MEDIUM)

Enterprise prevalence: Widely used as a forward/caching proxy in corporate environments. Buffer overflow and SSRF CVEs enable lateral movement.

CVE families: CVE-2020-25097 (request smuggling), CVE-2021-46784 (buffer overflow)
## Proposed Network Segmentation

For realistic lateral movement, add these subnets to the GOAD VirtualBox network:

```text
192.168.56.0/24 — existing (Metasploitable, GOAD-Light, attacker)
172.20.0.0/16   — new: "Corporate Web" tier (Confluence, Jira, Jenkins, Grafana)
172.21.0.0/16   — new: "Database" tier (Elasticsearch, Redis, MongoDB, Postgres)
172.22.0.0/16   — new: "DevOps" tier (GitLab, Nexus, Harbor, Vault)
```

Pivot chain: Kali → Corporate Web (initial access) → Database tier (data exfil) → DevOps tier (supply chain / CI persistence)
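Realising the three tiers as Docker networks, as an added example that is not part of the plan: the tier names and subnets are the plan's, the networks "already in use" are constructed sample data standing in for `docker network inspect` output, and the `lab-` name prefix is an assumption. It checks the new subnets against what Docker has already allocated, which matters because compose projects such as the vulhub ones above are auto-assigned /16s from 172.17.0.0 upwards and can already occupy 172.20.0.0/16.

```python
import ipaddress
import shlex

# Tiers from the plan: (docker network name, subnet, isolated?). Only the entry
# tier is reachable from the attacker box; the other two are created --internal
# so the Kali -> web -> database -> devops chain has to be walked, not skipped.
TIERS = [
    ("corp-web", "172.20.0.0/16", False),  # Confluence, Jira, Jenkins, Grafana
    ("database", "172.21.0.0/16", True),   # Elasticsearch, Redis, MongoDB, Postgres
    ("devops", "172.22.0.0/16", True),     # GitLab, Nexus, Harbor, Vault
]

# Constructed sample of what `docker network inspect` might already report: the
# existing VirtualBox range plus a /16 that an earlier `docker compose up`
# grabbed (Docker hands out 172.17.0.0/16 upwards to unnamed compose networks).
IN_USE = {"vboxnet0": "192.168.56.0/24", "vulhub_default": "172.20.0.0/16"}


def find_conflicts(tiers=TIERS, in_use=IN_USE):
    """Return (tier, existing_network) pairs whose subnets overlap."""
    conflicts = []
    for name, cidr, _ in tiers:
        net = ipaddress.ip_network(cidr)
        for other, other_cidr in in_use.items():
            if net.overlaps(ipaddress.ip_network(other_cidr)):
                conflicts.append((name, other))
    return conflicts


def network_commands(tiers=TIERS):
    """One `docker network create` per tier; isolated tiers get --internal,
    which drops the host gateway so they are only reachable from a peer."""
    cmds = []
    for name, cidr, internal in tiers:
        args = ["docker", "network", "create", "--subnet", cidr]
        if internal:
            args.append("--internal")
        args.append(f"lab-{name}")
        cmds.append(shlex.join(args))
    return cmds


if __name__ == "__main__":
    for tier, other in find_conflicts():
        print(f"conflict: {tier} overlaps existing network {other}; remove it or re-address the tier")
    for cmd in network_commands():
        print(cmd)
```

Publish ports with `-p` only on corp-web containers and attach the pivot hosts to two tiers; the chain is meaningless if every tier is reachable from the Kali host directly.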
## Implementation Order (5-Day Plan)
| Day | Services | Rationale |
|---|---|---|
| 1 | Tomcat, Log4j, Struts2, ActiveMQ | Highest EPSS; all vulhub one-liners |
| 2 | Jenkins, Confluence, Spring4Shell | CI/CD + collaboration; OGNL/pipeline RCE coverage |
| 3 | Grafana, Redis, Elasticsearch, Splunk | Monitoring tier; lateral pivot practice |
| 4 | Roundcube, Exim, Keycloak, Vault | Auth + mail; credential chain scenarios |
| 5 | Kubernetes (k3s VM), GitLab, Zabbix | Container escape + supply chain |
## Resource Requirements
| Category | RAM | Disk | Notes |
|---|---|---|---|
| Docker services (Day 1–4) | +4 GB | +20 GB | All run on existing Kali Docker host |
| Kubernetes (k3s) | +2 GB | +10 GB | Separate Ubuntu 22.04 VM |
| GitLab CE | +4 GB | +10 GB | Can share k3s VM or run on new VM |
| Total additional | ~10 GB | ~40 GB | All free, no licenses required |
Existing lab (Metasploitable2 + GOAD-Light): ~8 GB RAM, ~40 GB disk

After expansion: ~18 GB RAM, ~80 GB disk
## Coverage Gap Closure
After implementing CRITICAL + HIGH priority services above, ARCHER eval coverage expands:
| ATT&CK Technique | Before | After |
|---|---|---|
| T1190 Exploit Public-Facing App | vsftpd, Samba, distcc | +Tomcat, Confluence, Struts, Log4j, WebLogic |
| T1059 Command Injection | Apache (OWASP-BWA) | +Jenkins pipeline, Spring SpEL, CouchDB |
| T1552 Unsecured Credentials | Basic post-exploit | +Vault seal bypass, Redis keyspace, Grafana DB |
| T1068 Privilege Escalation | Linux kernel (VM) | +Docker socket escape, k8s pod escape |
| T1078 Valid Accounts | Basic web auth | +Keycloak OIDC, Confluence admin |
| T1090 Proxy/Tunnel | Ligolo/SSH | +Squid SSRF chain, k8s API pivot |