This series of writeups will take you through the “Web for Pentester” exercise set by PentesterLab.
PentesterLab is a fantastic learning resource that teaches pentesting from the ground up, starting with basic exercises such as Cross Site Scripting (XSS) and SQL injection, and later moving on to more complicated topics such as authentication flaws and specific CVEs.
I highly recommend the “Pro” labs, as they have fantastic content and a more structured approach to learning, but in this guide I will be covering some of the free exercises that are available on the site.
Web for Pentester
About the challenge
Web for Pentester is a series of web application exploitation challenges covering the vulnerability classes that primarily affect web applications. The challenges are broken down into the following parts:
- XSS (9 challenges)
- SQL Injection (9 challenges)
- Directory Traversal (3 challenges)
- File inclusion (2 challenges)
- Code Injection (4 challenges)
- Command Injection (3 challenges)
- LDAP Attacks (2 challenges)
- File Upload (2 challenges)
- XML Attacks (2 challenges)
Within each part the challenges increase in difficulty as you progress, with later levels employing different filters and protection techniques that need to be bypassed.
Please note that this guide assumes some familiarity with software such as VirtualBox and Burp Suite. For a guide on how to set up a new VM in VirtualBox, please see Creating a Red Hat Enterprise Linux Virtual Machine; the steps are identical. A Burp Suite setup and installation guide is coming soon.
To run this challenge you will need:
- A testing VM such as Kali Linux (optional)
- A web browser
To get started, go to https://pentesterlab.com/exercises/web_for_pentester/attachments to download the Web for Pentester ISO.
Once downloaded, open your preferred VM software (this guide uses VirtualBox), create a new VM and boot it from the ISO.
Note that this ISO does not require much computing power, as it simply hosts a web server. My current configuration uses:
- 1 GB of RAM
- 16 MB of VRAM
- 5 GB of hard drive space
Networking the VM
Once the VM is installed, it is time to get the networking sorted so that we can access the web page it serves.
This networking configuration sets up a connection between two VMs. Here I will be testing from Kali, so I will configure the networking to allow connections from Kali to Web for Pentester.
In VirtualBox, open your VM settings and go to the Network tab.
Here, we will set the VM up with two network adapters.
Adapter 1 will be set to
Adapter 2 will be set to
Host-Only Adapter, with the adapter set to
Mimic these settings for the other VM you will be testing from.
When you boot the VM, it will immediately load into a shell for the user “user”.
Run the command ifconfig to get the machine's IP address, so that we can use it to connect to the web server from the browser.
My VM is using
Take note of the IP address provided by the VM, and start up your testing machine.
Once loaded, ping the IP address from your testing machine (run ping <ip address>) to see if you can reach the other machine. If you get a reply, the networking is configured correctly! If you get no reply, check that both VMs are attached to the same Host-Only network before going any further.
Now that the setup is out of the way, you can load the web application in your browser by going to http://<ip address>/, where <ip address> is the IP of the Web for Pentester machine.
If successful, you should see:
Congratulations, you are all set up! You can now start the challenge!
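Once ifconfig has given you an address, the following script performs the same reachability check from the testing machine without relying on ICMP. It is an added example and is not part of the PentesterLab exercise or the original post: it validates the address, opens a TCP connection to port 80 (so it still works if ping is blocked, and it proves the web server is actually listening rather than just that the host is up), then sends a bare GET / and reports the HTTP status. It is written in Python rather than as a shell one-liner so the checks can also be exercised offline against a loopback stand-in via self_check(). The address 192.168.56.101 used below is an assumption for illustration; substitute the address your VM reported.

```python
"""Check that the Web for Pentester VM answers on port 80 before opening a browser.
Added example, not part of the PentesterLab exercise or the original post.
Usage: python3 check_target.py <ip address>   e.g. python3 check_target.py 192.168.56.101
"""
import ipaddress
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_ipv4(text):
    """Return the address if text is a well-formed IPv4 address, else None."""
    try:
        return str(ipaddress.IPv4Address(text.strip()))
    except ipaddress.AddressValueError:
        return None


def tcp_reachable(host, port=80, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout seconds.
    Used instead of ICMP ping: needs no raw-socket privilege, survives a
    firewall that drops ICMP, and proves the web server itself is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_status_line(response):
    """Extract the numeric status code from a raw HTTP response; None if malformed."""
    parts = response.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def http_status(host, port=80, timeout=2.0):
    """Send a minimal HTTP/1.0 GET / and return the status code, or None on failure."""
    request = ("GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode()
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while sum(len(c) for c in chunks) < 65536:  # cap what we buffer
                data = sock.recv(4096)
                if not data:  # HTTP/1.0: the server closes when the response is done
                    break
                chunks.append(data)
    except OSError:
        return None
    return parse_status_line(b"".join(chunks))


def check_target(ip_text):
    """Run all checks and return (valid_ip, tcp_ok, http_status)."""
    ip = parse_ipv4(ip_text)
    if ip is None:
        return (False, False, None)
    tcp_ok = tcp_reachable(ip)
    return (True, tcp_ok, http_status(ip) if tcp_ok else None)


class _FakeVM(BaseHTTPRequestHandler):
    """Loopback stand-in for the VM's web root, used only by self_check() (constructed)."""
    def do_GET(self):
        body = b"<html><body>Web for Pentester (constructed test page)</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the self-check silent
        pass


def self_check():
    """Exercise the checks offline against a loopback server; returns (tcp_ok, status)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeVM)  # port 0: let the OS pick a free port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return (tcp_reachable("127.0.0.1", port), http_status("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()


def main(argv):
    if len(argv) != 2:
        print("usage: %s <ip address>" % argv[0])
        return 2
    valid, tcp_ok, status = check_target(argv[1])
    if not valid:
        print("not a valid IPv4 address: %r" % argv[1])
        return 2
    print("TCP port 80 reachable: %s; HTTP GET / status: %s" % (tcp_ok, status))
    return 0 if status == 200 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A status of 200 means the Web for Pentester front page is being served and you can move on to the browser; a TCP connect that succeeds with no HTTP status usually means a firewall or NAT device accepted the connection on the host's behalf, so re-check which adapter the VM is actually using.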