
Web-to-Root Linux Lab: Exploiting a GLPI Intranet Misconfiguration

intermediate 16 tasks 1 hour
Dive into a step-by-step penetration testing guide for the vulnerable VM. This medium-difficulty walkthrough simulates a real-world assessment, from initial reconnaissance to full root access. Learn how to identify default credentials, bypass file upload restrictions, exploit web shells, crack password hashes, and leverage misconfigured cron jobs for privilege escalation. Whether you're sharpening your red-team skills or preparing for OSCP-level labs, this walkthrough delivers practical insights, tool usage, and tips for every phase of exploitation.

Introduction

1 Points

Web applications are among the most exposed and frequently overlooked attack surfaces in a network. When left misconfigured, especially with default credentials and poor file handling mechanisms, they become an easy entry point for attackers. In this lab, we walk through a full exploitation chain against a vulnerable Linux-based machine running a web application. Specifically, you will:

  • Perform host and service enumeration using Nmap

  • Identify and exploit default credentials

  • Bypass file upload restrictions to gain remote code execution

  • Establish a reverse shell and escalate privileges to a local user

  • Exploit a misconfigured cron job to gain full root access

Whether you're an aspiring penetration tester or a blue teamer looking to understand attacker workflows, this lab will guide you through a realistic attack path — from recon to root step by step.

Optional: You can connect to this lab using a VPN to run all your tools from your own Kali machine. 

Machine Type: Linux

Machine Difficulty: Medium

Target IP Address: [To be discovered later]

LAN Subnet: 192.168.20.0/24

 

Let’s get started hacking

Click Complete once you finish the task.

Finding the Target's IP Address

5 Points

The first step is to locate the target computer’s IP address on the local network.

Goal: Identify the Target IP address

Tool: netdiscover

Auto-scans your local subnet for active hosts using ARP requests

Open your terminal and type the following command:

┌──(hacker㉿kali)-[~]
└─$ sudo netdiscover -r 192.168.0.0/16

netdiscover will show you a list of IP addresses for all active devices it finds on your local network.

 

Question: What is the IP address of the Target machine?

Full Match Answer:

Reconnaissance

5 Points

Our initial step in any penetration test is reconnaissance: gathering information about the target.

Goal: To discover open ports and running services

Tool: nmap

Powerful open-source tool used for network discovery and security auditing.

Your first task is to enumerate services running on open ports using Nmap 

Command:

┌──(hacker㉿kali)-[~]
└─$ nmap -sV -sC -A <TARGET_IP>
  • -sV: Enables version detection.
  • -sC: Runs a set of default scripts from Nmap’s scripting engine (NSE)
  • -A: Enables aggressive scan mode

The command above scans only the top 1000 ports. To avoid missing services on unusual ports, it is good practice to run a comprehensive Nmap scan with the -p- option, which scans all 65535 TCP ports.

Keep in mind: while -A is useful for thorough recon, it is noisier and slower, so it is not ideal for stealthy scans.

Question: Which TCP ports are open on the target?

List of Answers:

Initial Web Application Exploration

5 Points

Since we discovered that port 80 is open, the next step is to visit the website hosted on the Apache2 server. This helps us understand what kind of application it is and how it functions.

Goal: To identify the web application running on the target and understand its basic purpose.

Simply navigate to the IP in your browser:

http://<TARGET_IP>/

Upon visiting the IP address, we discover that the target is running G**, a web-based application used for managing IT assets and services. This is a known application, which is good for us, as it means we can look up information about it.

Question: What is the name of the web-based application hosted on the target server?

Full Match Answer:

Exploiting Default Credentials

5 Points

One of the most common security mistakes is leaving default usernames and passwords unchanged on new software installations.

Goal: Gain access to the GLPI application using default credentials.

Use a search engine (like Google) to look for "GLPI default credentials". This is a standard step to find common factory-set logins.

You will find that a common default username/password for GLPI is g***:g***.

Navigate to:

http://<TARGET_IP>/

Upon trying these credentials we successfully log in as a S*** A**** user. This gives us extensive control over the web application.

Advice: Always check for default credentials on any discovered web application.

 

Question: What level of access is granted when logging into the GLPI web application using the default credentials? Ans: S***-A***

Full Match Answer:

Discovering GLPI & Initial Upload

5 Points

Once logged into the GLPI application as a Super Admin, your first step as a penetration tester is to explore the system and understand its structure. Navigating through the platform, you'll come across a section labeled Assistance → Tickets. While reviewing the available tickets, one titled "No intranet access" stands out: it mentions an internal domain, which appears to be the domain of a company intranet or shared file server.

1- Mapping the Internal Hostname:

To access this internal domain from your machine, you’ll need to map its domain to an IP address using your /etc/hosts file. This is a common technique used in internal network environments.

Open the /etc/hosts file and add the following line:

┌──(hacker㉿kali)-[~]
└─$ sudo nano /etc/hosts

[TARGET_IP]       i******.****.****

2- Accessing the Intranet Web Page:

http://i*****.***.***

You should see a file upload page.

Goal: Upload a PHP web shell to the GLPI application.

In your terminal, type the following command:

┌──(hacker㉿kali)-[~]
└─$ echo '<?php system($_GET["cmd"]); ?>' > webshell.php

The command above creates a PHP file named webshell.php that lets you run commands on the server through the browser.

  • <?php system($_GET["cmd"]); ?>: anything you pass in the URL as ?cmd= is executed as a system command. For example, requesting
http://<DOMAIN_NAME>/*****/*****/webshell.php?cmd=whoami

runs the whoami command on the server and returns the result in your browser.

Back on the file upload page, try uploading the webshell.php file. You'll notice that the application blocks the upload of .php files!
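
From the defender's side, requests to a shell like this one stand out in the web server's access log. The following is an added example, not part of the original lab: it flags scripts served from an upload directory and query parameters named like a command carrier. The /uploads/ prefix, the parameter names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache "combined" log lines; IPs, paths and times are made up.
SAMPLE_LOG = """\
192.168.20.5 - - [10/Mar/2025:10:01:02 +0000] "GET /index.php?id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.20.9 - - [10/Mar/2025:10:03:11 +0000] "POST /upload.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.168.20.9 - - [10/Mar/2025:10:03:40 +0000] "GET /uploads/webshell.php?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"
192.168.20.9 - - [10/Mar/2025:10:03:55 +0000] "GET /uploads/webshell.php?cmd=uname%20-a HTTP/1.1" 200 98 "-" "curl/8.5.0"
192.168.20.7 - - [10/Mar/2025:10:05:00 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
192.168.20.7 - - [10/Mar/2025:10:06:30 +0000] "GET /search.php?cmd=print HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
SCRIPT_RE = re.compile(r"\.ph(p\d?|tml|ar)$", re.IGNORECASE)  # extensions commonly handled by PHP
CMD_PARAMS = {"cmd", "command", "exec"}  # assumption: usual one-liner shell parameter names


def find_webshell_hits(log_text, upload_prefixes=("/uploads/",)):
    """Return one dict per request that looks like use of an uploaded web shell."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format access line
        url = urlsplit(m["target"])
        signals = []
        # Signal 1: a script was requested from a directory meant to hold user files only.
        if url.path.startswith(upload_prefixes) and SCRIPT_RE.search(url.path):
            signals.append("script-in-upload-dir")
        # Signal 2: a parameter named like a command carrier; parse_qsl URL-decodes the value.
        commands = [v for k, v in parse_qsl(url.query) if k.lower() in CMD_PARAMS]
        if commands:
            signals.append("command-param")
        if signals:
            hits.append({
                "client": m["ip"], "path": url.path, "status": int(m["status"]),
                "commands": commands, "signals": signals,
                # Both signals together are a strong indicator; one alone needs triage.
                "severity": "high" if len(signals) == 2 else "review",
            })
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```

A 200 status on a "high" hit means the script actually ran; the durable fix is to stop the web server from executing anything in the upload directory.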

 

Question: What is the domain name of the shared server?

Full Match Answer:

Bypassing File Upload Restrictions

5 Points

In the previous step, we discovered a file upload feature on an internal intranet server. While we attempted to upload a basic PHP web shell, the application rejected the file.

Goal: Bypass file type restrictions

Tool: Burp Suite

A powerful web application testing tool used to intercept, analyze, and modify HTTP requests and responses.

Step 1: Configuring the Browser and Burp Proxy

  1. In your browser, configure the proxy settings to point to Burp's default proxy (usually 127.0.0.1:8080):
    Settings → Network Settings → Manual Proxy Configuration
  2. Set HTTP and HTTPS proxy to 127.0.0.1, port 8080. Now, all browser requests will pass through Burp Suite, allowing you to inspect and manipulate them.
  3. Open Burp Suite and navigate to the Proxy tab.
  4. Ensure Intercept is set to On.

Step 2: Intercept the Upload Request

  1. Go back to the file upload page in your browser

  2. Upload the .php web shell again.

You now have full control to modify this upload request.

Step 3: Send the Request to Repeater

What is Repeater?

A Burp tool that allows you to manually resend and modify HTTP requests multiple times.

Right-click on the intercepted request and choose "Send to Repeater".

Click Complete once you finish the task.