Introduction
Welcome to this lab on web server enumeration and basic file access. In this exercise, you will learn fundamental web reconnaissance techniques used to discover and interact with web services.
In this lab, you will simulate a basic web reconnaissance scenario. You will start by performing reconnaissance on a target system to confirm it's online and identify running services. Using the nmap tool, you will discover a web server and enumerate its version. You will then use the curl command to access a flag file that has been placed on the web server.
Upon completion, you will understand how to:
- Verify network connectivity using ping.
- Use nmap to scan for web services and perform enumeration.
- Understand basic web reconnaissance techniques.
- Use curl to access files on a web server and retrieve a flag.
Let's get started.
Verify Connectivity to Target with Ping
In this step, you will start by confirming that the target system is reachable from your machine. The ping command is a standard utility for testing network connectivity. It sends ICMP Echo Request packets to a host and listens for replies. This is the first and most basic step in any network reconnaissance task.
Your environment includes a target system accessible with the hostname target.
Execute the following command in the terminal to send four packets to the target:
ping -c 4 target
You should see output confirming that four packets were sent and four were received, indicating a stable connection. The IP address may differ, but the result should show 0% packet loss.
PING target (172.17.0.2) 56(84) bytes of data.
64 bytes from target (172.17.0.2): icmp_seq=1 ttl=64 time=0.105 ms
64 bytes from target (172.17.0.2): icmp_seq=2 ttl=64 time=0.069 ms
64 bytes from target (172.17.0.2): icmp_seq=3 ttl=64 time=0.068 ms
64 bytes from target (172.17.0.2): icmp_seq=4 ttl=64 time=0.067 ms
--- target ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3075ms
rtt min/avg/max/mdev = 0.067/0.077/0.105/0.016 ms
With connectivity confirmed, you are ready to proceed with scanning the target.
Scan Open Ports with Nmap
In this step, you will use nmap to scan the target for open ports and identify the services running on them. Nmap is a powerful tool for network exploration and security auditing. This scan will help you find potential points of entry, such as a web server.
We will run a targeted scan on port 80, the standard port for HTTP traffic. We'll also use scripts to gather more information about the service.
Execute the following nmap command in your terminal:
nmap -sV -p 80 --script http-enum target
Let's break down this command:
- -sV: Enables version detection, which tries to determine the version of the service running on the port.
- -p 80: Specifies that we only want to scan port 80.
- --script http-enum: Runs a script that enumerates directories and files on the web server.
- target: The hostname of our target machine.
The output will look similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-18 09:40 CST
Nmap scan report for target (172.17.0.2)
Host is up (0.00018s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Unix))
|_http-server-header: Apache/2.4.41 (Unix)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.32 seconds
The scan results confirm that port 80/tcp is open and running Apache httpd 2.4.41. This web server is hosting files that we can access in the next step.
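From the defender's side, the http-enum probing described above shows up in the Apache access log as a burst of requests for paths that do not exist. The following is an added example, not part of the original lab: a shell function that flags such clients over constructed log lines. It assumes Apache's combined log format, and the function names and threshold are hypothetical.

```shell
#!/bin/sh
# Added example: flag clients whose requests look like http-enum style probing.
# Reads an Apache "combined" access log on stdin; $1 = distinct-404 threshold.
detect_enum() {
    awk -F'"' -v threshold="${1:-5}" '
    {
        split($1, pre, " "); ip = pre[1]        # client address
        split($2, req, " "); path = req[2]      # requested path
        split($3, res, " "); status = res[1]    # HTTP status code
        clients[ip] = 1
        if (status == 404 && !((ip, path) in seen)) {
            seen[ip, path] = 1
            misses[ip]++                        # distinct missing paths
        }
        # Default NSE User-Agent; a scanner can change it, so it is only a hint.
        if ($6 ~ /Nmap Scripting Engine/) nse[ip] = 1
    }
    END {
        for (ip in clients)
            if ((misses[ip] + 0 >= threshold + 0) || (ip in nse))
                printf "%s distinct_404=%d nse_ua=%s\n",
                       ip, misses[ip], ((ip in nse) ? "yes" : "no")
    }' | sort
}

# Constructed sample log lines (addresses, paths and times are made up).
sample_log() {
    cat <<'EOF'
172.17.0.1 - - [18/Sep/2025:09:40:01 +0800] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
172.17.0.1 - - [18/Sep/2025:09:40:01 +0800] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
172.17.0.5 - - [18/Sep/2025:09:41:10 +0800] "GET /old/ HTTP/1.1" 404 196 "-" "curl/7.68.0"
172.17.0.5 - - [18/Sep/2025:09:41:10 +0800] "GET /test/ HTTP/1.1" 404 196 "-" "curl/7.68.0"
172.17.0.5 - - [18/Sep/2025:09:41:11 +0800] "GET /tmp/ HTTP/1.1" 404 196 "-" "curl/7.68.0"
172.17.0.9 - - [18/Sep/2025:09:42:00 +0800] "GET / HTTP/1.1" 200 45 "-" "Mozilla/5.0"
172.17.0.9 - - [18/Sep/2025:09:42:00 +0800] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
EOF
}

sample_log | detect_enum 3
```

The first client is flagged on its User-Agent alone, the second on its count of distinct missing paths, and the ordinary browser with a single missing favicon is not reported.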
Connect to Target via HTTP
In this step, you will interact with the web server using curl to access files. curl is a command-line tool for transferring data with URLs.
First, let's make a standard request to the web server's main page to see what it looks like.
curl http://target
The server should respond with the default Apache page content.
<html>
<body>
<h1>It works!</h1>
</body>
</html>
Now, let's access the flag file that was placed in the web server's root directory. In this setup the file is directly accessible, so a plain request for its path is all that is needed:
curl http://target/flag.txt
This command will retrieve the flag file directly from the web server's document root.
Explore Target System and Locate Flag
In this final step, you will retrieve and view the flag. The output of the previous curl command should have displayed the flag directly in your terminal.
The expected output from the command is the content of the flag file:
labex{p4th_tr4v3rs4l_w1zardry}
If the output is long or you want to save it for later, you can redirect the output of the curl command to a file. This is a common practice when dealing with larger files.
Run the command again, but this time save the result to a file named flag.txt:
curl http://target/flag.txt > flag.txt
Now, you can view the contents of the downloaded file using the cat command:
cat flag.txt
The terminal will display the flag:
labex{p4th_tr4v3rs4l_w1zardry}
Congratulations! You have successfully identified a web server, accessed the flag file, and captured the flag. Copy the flag value to complete the lab.
Summary
In this lab, you successfully completed a basic web reconnaissance exercise. You learned and practiced the following skills:
- Reconnaissance: You used ping to verify that the target was online and accessible.
- Enumeration: You used nmap with version scanning (-sV) and scripting (--script http-enum) to identify an open HTTP port and the specific version of the Apache web server.
- File Access: You used curl to access files on the web server.
- Flag Retrieval: You successfully retrieved the flag file from the web server.
This exercise demonstrates basic web reconnaissance techniques that are fundamental to understanding how web servers work and how to interact with them programmatically. These skills are essential for web development, system administration, and security testing.



