These are the step-by-step hands-on exercises currently documented for the active pbx2 scenario.

Use the scenario docs and `./scripts/testing-run-all.sh --scenario pbx2` as the source of truth when you need to confirm the current repo behavior.

When an exercise opens a testing or attacker shell and tells you to use `/work`, that path maps to the repository's `artifacts/` directory. Files you save there remain available on the host after the container exits.

| # | Exercise | Topic |
|---|---|---|
| 1 | INVITE-Based SIP Enumeration | Classify routable, known-but-unregistered, and invalid extensions from unauthenticated INVITE responses |
| 2 | Traffic Analysis & Packet Capture | Capture plaintext SIP and RTP from the default background call flow |
| 3 | Online SIP Credential Cracking | Brute-force the weak password on extension 1000 |
| 4 | SIP Digest Leak | Exploit extension 2000 to capture digest material |
| 5 | Offline SIP Credential Cracking | Crack the leaked SIP digest offline with john |
| 6 | RTP Bleed Attack | Probe the exposed RTP range and recover leaked media packets |
| 7 | RTP Flood / Recording Growth | Inflate recording size by flooding the media target during a call |
| 8 | SIP Flood | Send repeated unauthenticated SIP requests and confirm the edge does not throttle them |
| 9 | FreeSWITCH Lua SQL Injection | Use a malicious called SIP URI to query the route for the hidden internal-only 9000 HAL path through an unsafe Lua freeswitch.Dbh query on 2001 |
| 10 | Automated FreeSWITCH Lua SQLite Exfiltration with sqlmap | Use sip-sqlmap-harness and sqlmap to fingerprint SQLite and dump did_routes through the Lua freeswitch.Dbh SQL injection |