Documented practice

Labs

Environments built and documented for hands-on practice: attack, detection, analysis and remediation. Each lab follows a realistic scenario using production-grade tools.

3 labs found

LAB-001Web & API

API Gateway Security Lab

Multi-layered API security architecture on a self-hosted Proxmox hypervisor: API gateway, WAF, identity provider, and observability stack covering the full chain from request ingestion to threat detection.

Attacks covered

SQLi & XSS blocking (Coraza WAF)
JWT validation with JWKS endpoint
Rate limiting: HTTP 429 on breach

APISIXCoraza WAFKeycloakOAuth2/OIDCPrometheusGrafanaDockerProxmox

Detection: Coraza WAF + Grafana

LAB-002Network

Telegram-based Command & Control

Functional C2 implant using Telegram's Bot API as a covert channel. Outbound traffic blends in with legitimate HTTPS to api.telegram.org. Covers the full offensive implementation and network-level Suricata detection.

Attacks covered

Covert C2 over legitimate HTTPS
Remote command execution via Telegram bot
Pull-based C2 (no inbound firewall rules needed)

PythonTelegram Bot APISuricatapfSenseWindows 10Proxmox

Detection: Suricata on pfSense

LAB-003Active Directory

Active Directory Attack & Defense

Intentionally vulnerable AD environment on Proxmox: full attack chain from recon to Domain Admin compromise, then detection implementation. Covers AS-REP Roasting, Kerberoasting, Pass-the-Hash, DCSync, and Golden Ticket.

Attacks covered

AS-REP Roasting + Kerberoasting
Pass-the-Hash + DCSync
Golden Ticket (persistence)

Windows Server 2022Active DirectorypfSenseSuricataBloodHoundImpacketParrot OSProxmox

Detection: Suricata + Windows Event Logs + Sysmon