Skip to content
/ vmGoat Public

VMGoat is a project that deploys cyber security scenarios on cloud infrastructure.

License

BSD-4-Clause license
4 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

andrew-aiken/vmGoat

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

63 Commits
.github
.github
 
 
base
base
 
 
scenarios
scenarios
 
 
src
src
 
 
.dockerignore
.dockerignore
 
 
.gitignore
.gitignore
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
SECURITY.md
SECURITY.md
 
 
install.sh
install.sh
 
 

Repository files navigation

vmGoat

GitHub commits since latest release GitHub Downloads (all assets, all releases) GitHub Repo stars

VMGoat is a project that deploys cyber security scenarios on cloud infrastructure.

Warning

Never use production cloud credentials when using this tool!

This project attempts to minimize the blast radius of malicious scenarios through containerization and code review. But you are encouraged to review all code that you run.

This project will deploy one or more virtual machines to a cloud provider (AWS) and then run Ansible against it to create a custom challenge. I created this project because I originally wanted to publish a TryHackMe, room but my original scenario has not been reviewed over a year after I submitted it.

This project is not for deploying insecure cloud resources (check out CloudGoat for that), but instead for configuring virtual environments.

Install

For the scenarios to be deployed you will need Docker installed and have an AWS profile configured (AWS CLI not required).

# Downloads the deployment binary
curl https://raw.githubusercontent.com/andrew-aiken/vmGoat/refs/heads/main/install.sh | bash

# Setups a file that contains your IP whitelist
./vmGoat config allowlist

# Setup the AWS profile and region
./vmGoat config aws

Running Locally

If you don't want to add the additional overhead of having Docker installed you can run the application locally.

You will need Ansible and passlib installed and then add --local to commands that would use docker (create, destroy, purge)

git clone git@github.com:andrew-aiken/vmGoat.git

cd vmGoat
sh ./install.sh

./vmGoat create --local XYZ

Running from Scratch

In addition to the local dependencies, you will also need Golang installed. By default, the binary attempts to run inside a container built by GitHub CI. To run it directly on your local machine, be sure to include the --local flag.

git clone git@github.com:andrew-aiken/vmGoat.git

cd vmGoat

go build -C src -o ../vmGoat cmd/vmGoat/main.go
./vmGoat create --local XYZ

Running Entirely in Docker

docker volume create vmGoat

docker run --rm -it --entrypoint bash \
    -v vmGoat:/.config/vmGoat/ \
    -v $HOME/.aws:/root/.aws/:ro \
    --workdir /mnt/ \
    -e VMGOAT_LOCAL=true \
    ghcr.io/andrew-aiken/vmgoat:latest

Then run all commands like you normally would except run the binary from /vmGoat and with the --local flag. The settings will persist across deployments of the container.

Scenarios

GitOops

Difficulty: 7/10

In this scenario you discover an unprotected version control system, then using the new access discover a misconfiguration in a continuous deployment system that leads to privileged command execution.

About

VMGoat is a project that deploys cyber security scenarios on cloud infrastructure.

Resources

Readme

License

BSD-4-Clause license

Contributing

Contributing

Security policy

Security policy
Activity

Stars

4 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 12

0.2.0 Latest
Jun 23, 2025
+ 11 releases

Packages

 
 
 

Contributors 2

Languages