Introduction
In this lab, we will learn about web application penetration testing, which is a crucial aspect of information security. Web applications are widely used in various domains, making their security a top priority. The lab aims to provide hands-on experience in identifying and exploiting vulnerabilities in a vulnerable web application hosted on a target machine. The objective is to gain an understanding of common web application vulnerabilities and the techniques used to exploit them.
Setting up the Environment
In this step, we will set up the lab environment and familiarize ourselves with the tools and target system.
First, we need to get the ID of the Kali Linux image, which can be displayed by double-clicking the xfce terminal on the desktop and running the following command:
docker images
we need to start the Kali Linux container, which will be our attack machine. Open a terminal and run the following command:
docker run -ti --network host image-id bash
This command will start a new Kali Linux container and allow you to interact with its shell.
Next, re-entering a new terminal, we need to start the target machine, which is a vulnerable system called Metasploitable2. Run the following command to start the virtual machine:
sudo virsh start Metasploitable2
Wait for the target machine to start, it may take 1-3 minutes.
Once the virtual machine is running, verify that you can ping the target machine from the Kali Linux container:
ping 192.168.122.102
Reconnaissance and Information Gathering
In this step, we will perform reconnaissance and gather information about the target system using various techniques.
First, we scan the target machine using the nmap tool within the Kali Linux container to identify open ports and running services:
nmap -sV -sC -oN nmap_scan.txt 192.168.122.102
This command will perform a TCP connect scan (-sC) to determine which ports are open, and a version scan (-sV) to identify the service and version running on each open port. The output will be saved to a file named nmap_scan.txt (-oN).
Scanning takes a while. After the scan is complete, review the nmap_scan.txt file to identify potential attack vectors based on the open ports and services using the cat command:
cat nmap_scan.txt
Next, we will perform directory and file enumeration on the target web server using the gobuster tool:
gobuster dir -u http://192.168.122.102 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -o gobuster_scan.txt
This command will brute-force directories and files on the target web server using the specified wordlist (-w). The -t option specifies the number of concurrent threads, and the -o option saves the output to a file named gobuster_scan.txt.
Analyze the gobuster_scan.txt file to identify any interesting directories or files that could potentially provide additional information or attack vectors.
Exploiting Vulnerabilities
In this step, we will attempt to exploit vulnerabilities identified in the previous step.
Based on the information gathered from the nmap and gobuster scans, identify potential vulnerabilities in the target system. Metasploitable2 includes the vulnerable Mutillidae training application, so in this step we will test a real page from that application instead of using a placeholder URL.
One common vulnerability found in web applications is SQL injection. The user-info.php page in Mutillidae accepts the username parameter in the query string, which gives us a concrete target for sqlmap inside the Kali Linux container.
sqlmap -u "http://192.168.122.102/mutillidae/index.php?page=user-info.php&username=admin&password=admin&user-info-php-submit-button=View+Account+Details" -p username --batch --risk=3 --level=5 --random-agent --dbs
This command tests a real Mutillidae endpoint on the target VM. The -u option supplies the full vulnerable URL, -p username tells sqlmap which parameter to focus on, --batch runs non-interactively, --risk=3 and --level=5 enable deeper testing, --random-agent rotates the user-agent string, and --dbs asks sqlmap to enumerate database names when exploitation succeeds.
Depending on the vulnerability you are attempting to exploit, you may need to use different tools or techniques. Refer to the documentation and resources for the specific vulnerability and tool.
Post-Exploitation and Privilege Escalation
In this step, we will use the service exposure discovered during reconnaissance to confirm shell access on the target system and capture basic post-exploitation evidence.
The nmap scan of Metasploitable2 typically shows TCP port 1524 open. On this VM, that service provides a root shell, so we can connect to it directly from the Kali Linux container instead of assuming that a separate reverse shell already exists.
Run the following command in the Kali Linux container:
printf 'id\nuname -a\nexit\n' | nc 192.168.122.102 1524
This sends three commands to the exposed shell service on the target VM. The id command confirms the account that the service gives you, uname -a records the kernel information, and exit closes the shell cleanly after the output is printed in your terminal.
If the connection works, you should see output that includes uid=0(root) and the Metasploitable2 kernel details. That output is enough to demonstrate successful shell access during the post-exploitation phase.
In a real assessment, you would document this exposed service as a critical finding because it grants immediate privileged access without any additional exploit chain.
Summary
In this lab, we learned about web application penetration testing and gained hands-on experience in identifying and exploiting vulnerabilities in a vulnerable web application hosted on a target machine. We covered reconnaissance, web application enumeration, SQL injection testing with sqlmap, and basic post-exploitation validation.
The lab provided a controlled environment to practice real-world scenarios and develop skills in web application security. By following the steps, we learned how to set up the lab environment, perform reconnaissance and information gathering, test a real Mutillidae endpoint for SQL injection, and confirm shell access through an exposed service on the target system.
This lab has equipped us with practical knowledge and experience in web application penetration testing, which is essential for securing web applications and identifying potential vulnerabilities before they can be exploited by malicious actors.
