Skip to main content
RETURN_TO_MAIN_DASHBOARD
SECURE_DATA_DUMP // PORT_443TARGET_SYSTEM: SEVEN-SINS
MAY 2026 – PRESENT

SEVENSINS VULNERABLE VM LAB

Offensive CTF Design & Exploitation Lab

01 // PROJECT_SUMMARY

Designed and built a custom CTF VM with 7 flags hidden across intentionally misconfigured FTP, Samba, MySQL, and Apache2 services. Each flag tied to a distinct vulnerability requiring enumeration, exploitation, or privilege escalation to capture.

LinuxSambaMySQLApache2Privilege EscalationCTF Design

SYSTEM_METRICS

HOST_STATUS:STABLE
ROLE_TYPE:SEC_ARCHITECT
REPOSITORIES:GITHUB_SRC

02 // STRIDE_THREAT_MODELING_LOGS

THREAT_CATEGORYEXPLOIT_VECTORMITIGATION_STRATEGY
Elevation of Privilege (STRIDE)Attackers exploit a misconfigured setuid binary or wildcards in root cron jobs to gain root access.Demonstrate privilege escalation paths to teach secure path management and strict sudoers configuration.
Information DisclosureUnauthenticated Samba shares or anonymous FTP logins expose sensitive user hashes or keys.Disable anonymous logins in production systems; bind services only to localhost unless strictly required.
Insecure DeserializationWeb application running on Apache2 accepts unvalidated inputs, leading to Remote Code Execution (RCE).Implement strict input validation and run web services under low-privilege service accounts (www-data).

03 // ARCHITECTURAL_SANDBOX_SCHEMAS

FILE_DUMP // DIAGRAM_NODES.LOG
  • Target Host: Ubuntu Server minimal image, stripped of unnecessary modules.
  • FTP Service (vsftpd): Configured with writable folders for anonymous users containing hint logs.
  • Samba (SMB): Misconfigured shared folder exposing backup scripts.
  • Apache2 Web Application: Running a vulnerable PHP panel with local file inclusion (LFI).
  • Privilege Escalation Vector: System cron job running a backup script writable by a local developer group.

04 // ARCHITECTURE_LESSONS

  • Understanding how system administrators leave trails of misconfiguration during rapid deployments.
  • Constructing privilege escalation chains requires exact file-permission tuning (chmod/chown) to prevent unintended shortcuts.
  • Documenting the walkthrough (write-up) is as critical as designing the exploit itself to educate security practitioners.

05 // TARGET_OUTCOMES

  • Simulated 7 real-world attack vectors in a single laboratory image.
  • Utilized by classmates at CHRIST University for hands-on VAPT training.