174 lines
6.8 KiB
Markdown
174 lines
6.8 KiB
Markdown
# insecure.newploit.com — PocketPentester Vuln Lab
|
|
|
|
Deliberately vulnerable PHP target for shaking down every arsenal module in
|
|
PocketPentester. Runs as a local docker-compose stack.
|
|
|
|
> [!WARNING]
|
|
> Do NOT expose this to the public internet. It has intentional RCE, SQLi,
|
|
> LFI, SSRF, open redirect, CORS misconfig, weak JWT, leaked secrets and
|
|
> more. Keep it on a private bridge network only.
|
|
|
|
---
|
|
|
|
## Quick start
|
|
|
|
```bash
|
|
cd vuln-lab
|
|
docker compose up --build -d
|
|
```
|
|
|
|
Add the hostname to your hosts file so the `insecure.newploit.com` SNI /
|
|
Host header works:
|
|
|
|
**Linux / macOS** → `/etc/hosts`
|
|
```
|
|
127.0.0.1 insecure.newploit.com
|
|
```
|
|
|
|
**Windows** → `C:\Windows\System32\drivers\etc\hosts`
|
|
```
|
|
127.0.0.1 insecure.newploit.com
|
|
```
|
|
|
|
**Android (testing from PocketPentester on device)** — set your phone's
|
|
Wi-Fi DNS to the dev machine, or just use the host's LAN IP directly:
|
|
```
|
|
http://192.168.x.x:8080/ (or whatever your dev box IP is)
|
|
```
|
|
|
|
Smoke-test from the host:
|
|
```bash
|
|
curl http://insecure.newploit.com:8080/
|
|
curl http://insecure.newploit.com:8080/.env
|
|
curl "http://insecure.newploit.com:8080/search.php?q=<svg/onload=alert(1)>"
|
|
```
|
|
|
|
---
|
|
|
|
## Open ports
|
|
|
|
| Host port | Service | Notes |
|
|
|-----------|-------------------|--------------------------------------------|
|
|
| 8080 | Apache 2.4 + PHP | main web app (→ container 80) |
|
|
| 8443 | Apache TLS | snakeoil cert for ssl_scan (→ 443) |
|
|
| 3306 | MariaDB 10.11 | root:toor, also dbuser:dbpass123 |
|
|
|
|
---
|
|
|
|
## Module → endpoint map
|
|
|
|
Everything below is already wired. Point the tool at `insecure.newploit.com`
|
|
(or `http://<host>`) and it should fire.
|
|
|
|
### RECON
|
|
|
|
| Arsenal module | Where it hits |
|
|
|------------------|------------------------------------------------------------------|
|
|
| `port_scan` | 3306 / 8080 / 8443 open (host-mapped ports) |
|
|
| `httpx` | Title `Newploit :: insecure test lab`, Server `Apache/2.4.57 …` |
|
|
| `banner` | Apache + MySQL banners expose full version |
|
|
| `ssl_scan` | Self-signed CN=insecure.newploit.com on :443 |
|
|
| `dns_tools` | (local hosts entry) |
|
|
|
|
### EXPLOIT
|
|
|
|
| Arsenal module | Endpoint(s) that fire |
|
|
|------------------|------------------------------------------------------------------|
|
|
| `sqli` | `/search.php?q=…`, `/profile.php?id=…`, `/login.php` POST |
|
|
| `xss` | `/search.php?q=<payload>` (reflected, unescaped) |
|
|
| `jwt` | `/api/auth.php` — `alg:none` accepted, HS256 secret = `secret` |
|
|
| `xploiter` | see template-by-template table below |
|
|
| `autopwn` | runs the whole chain on `http://insecure.newploit.com/` |
|
|
|
|
### MANUAL
|
|
|
|
| `repeater` | any of the URLs above — try `?q=` with crafted payloads |
|
|
| `dirfuzz` | common wordlist hits `/admin`, `/wp-admin`, `/backup.sql`, … |
|
|
| `admin_finder` | `/admin/`, `/administrator/`, `/wp-admin/`, `/wp-login.php` |
|
|
| `form_brute` | POST `/login.php` — `admin`:`admin123`, `root`:`toor`, … |
|
|
|
|
### UTILITY
|
|
|
|
| `domain_grabber` | not relevant to a single host |
|
|
| `subdomain` | not relevant to a single host (add wildcard DNS if desired) |
|
|
| `takeover` | not relevant |
|
|
| `lan_map` | scan your local net and this container IP will show up |
|
|
|
|
---
|
|
|
|
## Xploiter bundled templates
|
|
|
|
| Template YAML | Vuln endpoint | Trigger |
|
|
|----------------------------|--------------------------------------------|------------------------------|
|
|
| `xpl-env-leak` | `/.env`, `.env.local`, `.env.production` | `APP_KEY=`, `DB_PASSWORD=` |
|
|
| `xpl-git-config` | `/.git/config` | `[core]` + remote URL |
|
|
| `xpl-phpinfo` | `/phpinfo.php` | `<title>phpinfo()` |
|
|
| `xpl-lfi-basic` | `/page.php?page=…` | `../../../../etc/passwd` |
|
|
| `xpl-rce-shellshock` | `/cgi-bin/test.cgi` etc | `() { :; }; echo marker` |
|
|
| `xpl-ssti-jinja2` | `/?name=xplZZZ{{999*777}}ssti` | math eval inside `{{ }}` |
|
|
| `xpl-ssti-twig` | `POST /` body=`name=…{{'x'\|upper}}…` | filter pipe eval |
|
|
| `xpl-open-redirect` | `/redirect.php?url=`, `/go.php?to=`, … | `Location: evil.example` |
|
|
| `xpl-ssrf-basic` | `/fetch.php?url=…169.254.169.254/…` | canned AWS metadata reply |
|
|
| `xpl-wp-debug` | `/wp-content/debug.log` | PHP error lines |
|
|
| `xpl-cors-misconfig` | `/` and `/api/*` | Origin reflection + creds |
|
|
| `xpl-backup-files` | `/backup.sql`, `/backup.zip`, `/db.sql`, … | >512B, non-HTML ctype |
|
|
| `xpl-rce-log4shell` | (not applicable — no JVM) | won't fire |
|
|
|
|
---
|
|
|
|
## Creds cheatsheet (for form_brute / sqli bypass testing)
|
|
|
|
```
|
|
admin / admin123
|
|
root / toor
|
|
user / password
|
|
test / test
|
|
imtaqin / newploit2024
|
|
guest / guest
|
|
```
|
|
|
|
Also in the DB: `api_tokens.token` column has `sk_*` values matching the
|
|
ones in `/.env` so the leak-correlation story is consistent.
|
|
|
|
---
|
|
|
|
## Layout
|
|
|
|
```
|
|
vuln-lab/
|
|
├── docker-compose.yml
|
|
├── db/init.sql
|
|
└── web/
|
|
├── Dockerfile
|
|
├── apache.conf
|
|
├── cgi-bin/ # shellshock targets
|
|
└── www/
|
|
├── index.php # landing + SSTI + CORS
|
|
├── search.php # XSS + SQLi
|
|
├── profile.php # integer SQLi
|
|
├── login.php # SQLi login + form_brute target
|
|
├── page.php # LFI
|
|
├── fetch.php # SSRF (reflects AWS metadata)
|
|
├── redirect.php # open redirect
|
|
├── api/ # JWT + CORS endpoints
|
|
├── admin/ # admin panel
|
|
├── wp-login.php # wordpress decoy
|
|
├── wp-content/debug.log
|
|
├── .env, .env.local, .env.production
|
|
├── .git/config, .git/HEAD
|
|
├── .bash_history, .DS_Store
|
|
├── backup.sql, backup.zip, backup.tar.gz
|
|
├── db.sql, dump.sql, site.zip, www.zip, public_html.zip
|
|
└── robots.txt
|
|
```
|
|
|
|
---
|
|
|
|
## Teardown
|
|
|
|
```bash
|
|
docker compose down -v
|
|
```
|
|
|
|
Built for PocketPentester by imtaqin / tegalsec. Have fun. Don't ship this.
|