# insecure.newploit.com — PocketPentester Vuln Lab

Deliberately vulnerable PHP target for shaking down every arsenal module in PocketPentester. Runs as a local docker-compose stack.

> [!WARNING]
> Do NOT expose this to the public internet. It has intentional RCE, SQLi,
> LFI, SSRF, open redirect, CORS misconfig, weak JWT, leaked secrets and
> more. Keep it on a private bridge network only. If you front it with a
> reverse proxy as described under "Exposing it", gate the proxy (IP
> allowlist or HTTP auth) so only you can reach it, and never forward 3306.

---

## Quick start

```bash
cd vuln-lab
docker compose up --build -d
```

Add the hostname to your hosts file so the `insecure.newploit.com` SNI / Host header works:

```
127.0.0.1 insecure.newploit.com
```

## Exposing it

The lab is designed to be run on a home server / LAN box behind a reverse proxy (cloud VPS, Cloudflare Tunnel, ngrok, tailscale funnel, etc). The public domain `insecure.newploit.com` then terminates on :80/:443 on the VPS and forwards to the home container's `8080`/`8443`. Whatever fronts it, restrict who can reach the proxy (an `allow`/`deny` list or `auth_basic` in nginx is enough); the lab itself has no access control by design.

Container mapping:

| Host port (home) | Container | Use                                          |
|------------------|-----------|----------------------------------------------|
| 8080             | 80        | reverse-proxy HTTP → insecure.newploit.com   |
| 8443             | 443       | reverse-proxy HTTPS → insecure.newploit.com  |
| 3306             | 3306      | MariaDB (root:toor / dbuser:dbpass123), home LAN only |

Sample nginx on the VPS (`HOME_IP` is a placeholder for the LAN / tunnel address of the box running the container):

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name insecure.newploit.com;
    location / {
        proxy_pass http://HOME_IP:8080;
        proxy_set_header Host $host;
    }
}

server {
    listen 443 ssl;
    server_name insecure.newploit.com;
    ssl_certificate     /etc/letsencrypt/live/insecure.newploit.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/insecure.newploit.com/privkey.pem;
    location / {
        proxy_pass https://HOME_IP:8443;
        proxy_ssl_verify off;   # upstream presents the lab's self-signed cert
        proxy_set_header Host $host;
    }
}
```

Or if you just want to hit it locally, use the `/etc/hosts` entry from Quick start and go to `http://insecure.newploit.com:8080/` directly.
Smoke-test from anywhere (once the reverse proxy is live):

```bash
curl https://insecure.newploit.com/
curl https://insecure.newploit.com/.env
curl "https://insecure.newploit.com/search.php?q="
```

---

## Module → endpoint map

Everything below is already wired. Point the tool at `insecure.newploit.com` (or the local `http://insecure.newploit.com:8080/`) and it should fire.

### RECON

| Arsenal module | Where it hits                                                    |
|----------------|------------------------------------------------------------------|
| `port_scan`    | via reverse-proxy: 80/443 public · 3306 only on home LAN         |
| `httpx`        | Title `Newploit :: insecure test lab`, Server `Apache/2.4.57 …`  |
| `banner`       | Apache + MySQL banners expose full version                       |
| `ssl_scan`     | Self-signed CN=insecure.newploit.com on :443                     |
| `dns_tools`    | (local hosts entry)                                              |

### EXPLOIT

| Arsenal module | Endpoint(s) that fire                                            |
|----------------|------------------------------------------------------------------|
| `sqli`         | `/search.php?q=…`, `/profile.php?id=…`, `/login.php` POST        |
| `xss`          | `/search.php?q=` (reflected, unescaped)                          |
| `jwt`          | `/api/auth.php` — `alg:none` accepted, HS256 secret = `secret`   |
| `xploiter`     | see template-by-template table below                             |
| `autopwn`      | runs the whole chain on `http://insecure.newploit.com/`          |

### MANUAL

| Arsenal module | Where to point it                                                |
|----------------|------------------------------------------------------------------|
| `repeater`     | any of the URLs above — try `?q=` with crafted payloads          |
| `dirfuzz`      | common wordlist hits `/admin`, `/wp-admin`, `/backup.sql`, …     |
| `admin_finder` | `/admin/`, `/administrator/`, `/wp-admin/`, `/wp-login.php`      |
| `form_brute`   | POST `/login.php` — `admin`:`admin123`, `root`:`toor`, …         |

### UTILITY

| Arsenal module   | Applicability                                                  |
|------------------|----------------------------------------------------------------|
| `domain_grabber` | not relevant to a single host                                  |
| `subdomain`      | not relevant to a single host (add wildcard DNS if desired)    |
| `takeover`       | not relevant                                                   |
| `lan_map`        | scan your local net and this container IP will show up         |

---

## Xploiter bundled templates

| Template YAML          | Vuln endpoint                                | Trigger                      |
|------------------------|----------------------------------------------|------------------------------|
| `xpl-env-leak`         | `/.env`, `.env.local`, `.env.production`     | `APP_KEY=`, `DB_PASSWORD=`   |
| `xpl-git-config`       | `/.git/config`                               | `[core]` + remote URL        |
| `xpl-phpinfo`          | `/phpinfo.php`                               | `phpinfo()`                  |
| `xpl-lfi-basic`        | `/page.php?page=…`                           | `../../../../etc/passwd`     |
| `xpl-rce-shellshock`   | `/cgi-bin/test.cgi` etc                      | `() { :; }; echo marker`     |
| `xpl-ssti-jinja2`      | `/?name=xplZZZ{{999*777}}ssti`               | math eval inside `{{ }}`     |
| `xpl-ssti-twig`        | `POST /` body=`name=…{{'x'\|upper}}…`        | filter pipe eval             |
| `xpl-open-redirect`    | `/redirect.php?url=`, `/go.php?to=`, …       | `Location: evil.example`     |
| `xpl-ssrf-basic`       | `/fetch.php?url=…169.254.169.254/…`          | canned AWS metadata reply    |
| `xpl-wp-debug`         | `/wp-content/debug.log`                      | PHP error lines              |
| `xpl-cors-misconfig`   | `/` and `/api/*`                             | Origin reflection + creds    |
| `xpl-backup-files`     | `/backup.sql`, `/backup.zip`, `/db.sql`, …   | >512B, non-HTML ctype        |
| `xpl-rce-log4shell`    | (not applicable — no JVM)                    | won't fire                   |

---

## Creds cheatsheet (for form_brute / sqli bypass testing)

```
admin / admin123
root / toor
user / password
test / test
imtaqin / newploit2024
guest / guest
```

Also in the DB: the `api_tokens.token` column has `sk_*` values matching the ones in `/.env`, so the leak-correlation story is consistent.
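The three `curl` calls in the smoke test only prove the lab answers. The script below, added here as an example (it is not part of this README or of PocketPentester), turns the signals listed in the module map and the template table into pass/fail checks: dotenv leak, unescaped reflection, Origin reflection with credentials, open redirect, and an `alg:none` token for the `jwt` module. `BASE`, the `<xpl>` marker, the `evil.example` origin and the sample response at the bottom are assumptions; every `check_*` function reads one raw `curl -si` response on stdin, so the same functions run offline against constructed input and live against the lab with `--live`.

```shell
#!/bin/sh
# Smoke-test helpers for the lab. Added example, not part of the original
# README or of PocketPentester. Assumptions: BASE (override to match your
# proxy), the <xpl> marker, the evil.example origin, and the constructed
# sample response at the bottom. Every check_* function reads one raw HTTP
# response (headers + body, as printed by `curl -si`) on stdin and returns 0
# when the lab signal it looks for is present.

BASE="${BASE:-http://insecure.newploit.com:8080}"

# Strip CRs so the same greps work on curl output and on hand-written samples.
_norm() { tr -d '\r'; }

# Print the value of header $1 (case-insensitive), stopping at the blank line
# that ends the header block so body text is never mistaken for a header.
hdr() {
  _norm | awk -v h="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -F': *' '
    /^$/ { exit }
    NF >= 2 && tolower($1) == h { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Print the HTTP status code from the first line of the response.
status() { _norm | awk 'NR == 1 { print $2; exit }'; }

# xpl-env-leak signal: a dotenv body that carries APP_KEY= or DB_PASSWORD=.
check_env_leak() { _norm | grep -Eq '^(APP_KEY|DB_PASSWORD)='; }

# Reflected XSS signal: the marker we sent ($1) comes back byte-for-byte,
# i.e. it was not HTML-escaped on the way out.
check_reflected() { _norm | grep -Fq -- "$1"; }

# xpl-cors-misconfig signal: the Origin we sent ($1) is echoed back AND
# credentials are allowed, which is the exploitable combination.
check_cors_reflect() {
  resp=$(_norm)
  [ "$(printf '%s\n' "$resp" | hdr Access-Control-Allow-Origin)" = "$1" ] || return 1
  [ "$(printf '%s\n' "$resp" | hdr Access-Control-Allow-Credentials | tr 'A-Z' 'a-z')" = "true" ]
}

# xpl-open-redirect signal: a 3xx whose Location lands on the host we chose ($1).
check_open_redirect() {
  resp=$(_norm)
  case "$(printf '%s\n' "$resp" | status)" in
    301|302|303|307|308) ;;
    *) return 1 ;;
  esac
  case "$(printf '%s\n' "$resp" | hdr Location)" in
    "http://$1"*|"https://$1"*|"//$1"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Unsigned alg:none token for the jwt module's /api/auth.php check:
# base64url(header).base64url(claims). with an empty signature segment.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
jwt_none() {
  printf '%s.%s.\n' \
    "$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url)" \
    "$(printf '%s' "$1" | b64url)"
}

# Live run: needs curl plus the hosts entry or reverse proxy from above.
live_smoke() {
  if curl -si "$BASE/.env" | check_env_leak; then echo "[+] /.env leaks secrets"; else echo "[-] /.env"; fi
  if curl -si "$BASE/search.php?q=%3Cxpl%3E" | check_reflected '<xpl>'; then echo "[+] /search.php reflects unescaped input"; else echo "[-] /search.php"; fi
  if curl -si -H 'Origin: https://evil.example' "$BASE/" | check_cors_reflect 'https://evil.example'; then echo "[+] / reflects Origin with credentials"; else echo "[-] CORS on /"; fi
  if curl -si "$BASE/redirect.php?url=https://evil.example/" | check_open_redirect evil.example; then echo "[+] /redirect.php is an open redirect"; else echo "[-] /redirect.php"; fi
  echo "alg:none token for /api/auth.php: $(jwt_none '{"sub":"admin"}')"
}

# Constructed sample response (not captured from the lab) for an offline dry run.
SAMPLE_CORS='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.example
Access-Control-Allow-Credentials: true
Content-Type: text/html

<title>Newploit :: insecure test lab</title>'

case "${1:-}" in
  --live) live_smoke ;;
  *) if printf '%s\n' "$SAMPLE_CORS" | check_cors_reflect 'https://evil.example'; then
       echo "dry run ok: sample reflects Origin with credentials (pass --live to hit $BASE)"
     fi ;;
esac
```

Run it with `--live` once the hosts entry or proxy is in place; without arguments it only exercises the checks against the constructed sample. The checks key on the same triggers the Xploiter templates use, so a `[-]` line means either the proxy is not forwarding the path or the template would not fire there either.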
---

## Layout

```
vuln-lab/
├── docker-compose.yml
├── db/init.sql
└── web/
    ├── Dockerfile
    ├── apache.conf
    ├── cgi-bin/                      # shellshock targets
    └── www/
        ├── index.php                 # landing + SSTI + CORS
        ├── search.php                # XSS + SQLi
        ├── profile.php               # integer SQLi
        ├── login.php                 # SQLi login + form_brute target
        ├── page.php                  # LFI
        ├── fetch.php                 # SSRF (reflects AWS metadata)
        ├── redirect.php              # open redirect
        ├── api/                      # JWT + CORS endpoints
        ├── admin/                    # admin panel
        ├── wp-login.php              # wordpress decoy
        ├── wp-content/debug.log
        ├── .env, .env.local, .env.production
        ├── .git/config, .git/HEAD
        ├── .bash_history, .DS_Store
        ├── backup.sql, backup.zip, backup.tar.gz
        ├── db.sql, dump.sql, site.zip, www.zip, public_html.zip
        └── robots.txt
```

---

## Teardown

```bash
docker compose down -v
```

Built for PocketPentester by imtaqin / tegalsec. Have fun. Don't ship this.