Development of a virtual network with known security vulnerabilities to use for CTF/teaching and to showcase offensive security skills

On 9 December 2021, the world was made aware of a new vulnerability identified as CVE-2021-44228, affecting the Java logging package Log4j. This vulnerability earned a severity score of 10.0 (the most critical designation) and offers the opportunity for hackers to establish Remote Code Execution on...

Bibliographic Details
Main Author: Ng, Justin Yen Pin
Other Authors: Mohammed Yakoob Siyal
Format: Final Year Project (FYP)
Language: English
Published: Nanyang Technological University 2022
Subjects: Engineering::Electrical and electronic engineering::Computer hardware, software and systems
Online Access: https://hdl.handle.net/10356/158201
Description: On 9 December 2021, the world was made aware of a new vulnerability identified as CVE-2021-44228, affecting the Java logging package Log4j. This vulnerability earned a severity score of 10.0 (the most critical designation) and offers the opportunity for hackers to establish Remote Code Execution on hosts that employ software utilizing this Log4j version [1]. The attack was dubbed “Log4Shell”. Despite patches that were made available quickly after its discovery, the sheer danger of this vulnerability is due to how ubiquitous the logging package is. Millions of applications as well as software providers use this package as a dependency in their own code. While an individual may be able to patch their own codebase, other vendors and manufacturers will still need to push their own security updates downstream. Many security researchers have likened this vulnerability to that of Shellshock [2] by nature of its enormous attack surface.

In Singapore, the Government was quick to respond to this threat. By 17 December 2021, the Cyber Security Agency (CSA) had held two emergency meetings with all government agencies overseeing the country’s 11 Critical Information Infrastructure (CII) sectors, working to issue directions and technical details to enable immediate patching and steps to minimize the abuse of the exploit [3].

This project is built upon the Log4j vulnerability. It consists of two servers that represent the frontend and backend of a fictional pizza company. It is intended to teach students practical skills on penetration testing by allowing students to utilize various hacking tools to gain administrator access into the network. Besides being used for teaching, this project can also double up as a CTF as the configurations of the network are also ideal for CTF events.
Record ID: ntu-10356/158201
Record last modified: 2023-07-07T19:22:04Z
School: School of Electrical and Electronic Engineering
Additional name listed in the record: Gondesen Florian Max
Contact addresses listed in the record: EYAKOOB@ntu.edu.sg, fgondesen@ntu.edu.sg
Degree: Bachelor of Engineering (Electrical and Electronic Engineering)
Record date: 2022-05-31T13:31:39Z
File format: application/pdf
Citation: Ng, J. Y. P. (2022). Development of a virtual network with known security vulnerabilities to use for CTF/teaching and to showcase offensive security skills. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/158201