This capstone project involved conducting a web application penetration test as part of the TCM Security Practical Ethical Hacking course. The objective was to simulate a real-world external attacker by identifying, exploiting, and documenting security weaknesses within a vulnerable web application. The engagement followed a structured offensive security methodology, emphasizing manual testing, exploit validation, and professional reporting.
Identify exploitable vulnerabilities and provide remediation guidance.
┌──(kali㉿kali)-[~]
└─$ nikto -h http://localhost/capstone
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: 2025-12-29 00:16:20 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.54 (Debian)
+ /capstone/: Retrieved x-powered-by header: PHP/7.4.33.
+ /capstone/: Retrieved access-control-allow-origin header: *.
+ /capstone/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /capstone/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /capstone/: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /capstone/db.php: This might be interesting: has been seen in web logs from an unknown scanner.
+ 7850 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2025-12-29 00:16:40 (GMT-5) (20 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
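Every item Nikto reported above is a response-header or cookie-attribute gap, so it can be verified from a single response and retested after remediation. The following Python script is an added example for this write-up (it is neither Nikto's code nor the capstone application's): `audit_headers` checks a dictionary of response headers for each reported weakness and returns a finding identifier paired with a remediation hint. The two header sets are constructed to mirror the scan output and a hardened configuration; the function and finding names are this example's own.

```python
"""Audit a set of HTTP response headers for the gaps Nikto reported.

Added example for this write-up; it is neither Nikto's code nor the
capstone application's. The header sets below are constructed to mirror
the scan output, not captured from the target.
"""
from typing import Dict, List, Optional, Tuple, Union

Finding = Tuple[str, str]  # (finding id, remediation hint)
HeaderValue = Union[str, List[str]]


def get_header(headers: Dict[str, HeaderValue], name: str) -> Optional[HeaderValue]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def cookie_findings(set_cookie: Optional[HeaderValue]) -> List[Finding]:
    """Flag cookies issued without HttpOnly (Nikto's PHPSESSID finding)."""
    if set_cookie is None:
        return []
    cookies = set_cookie if isinstance(set_cookie, list) else [set_cookie]
    findings: List[Finding] = []
    for cookie in cookies:
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append((f"cookie-{name}-no-httponly",
                             f"Issue '{name}' with the HttpOnly attribute "
                             "(php.ini: session.cookie_httponly = 1)."))
    return findings


def audit_headers(headers: Dict[str, HeaderValue]) -> List[Finding]:
    """Return one (id, remediation) pair per weakness present in the headers."""
    findings: List[Finding] = []

    if get_header(headers, "X-Frame-Options") is None:
        findings.append(("missing-x-frame-options",
                         "Send 'X-Frame-Options: DENY' (or SAMEORIGIN) to block framing."))

    xcto = get_header(headers, "X-Content-Type-Options")
    if not isinstance(xcto, str) or xcto.strip().lower() != "nosniff":
        findings.append(("missing-x-content-type-options",
                         "Send 'X-Content-Type-Options: nosniff' to stop MIME sniffing."))

    acao = get_header(headers, "Access-Control-Allow-Origin")
    if isinstance(acao, str) and acao.strip() == "*":
        findings.append(("cors-wildcard-origin",
                         "Replace the '*' origin with an explicit allow-list of trusted origins."))

    if get_header(headers, "X-Powered-By") is not None:
        findings.append(("x-powered-by-disclosure",
                         "Hide the PHP version (php.ini: expose_php = Off)."))

    findings.extend(cookie_findings(get_header(headers, "Set-Cookie")))
    return findings


# Constructed to mirror the Nikto output (not a captured response).
SCANNED_HEADERS: Dict[str, HeaderValue] = {
    "Server": "Apache/2.4.54 (Debian)",
    "X-Powered-By": "PHP/7.4.33",
    "Access-Control-Allow-Origin": "*",
    "Set-Cookie": "PHPSESSID=CONSTRUCTED-SESSION-ID; path=/",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed: the same response after the remediation hints are applied.
HARDENED_HEADERS: Dict[str, HeaderValue] = {
    "Server": "Apache",
    "Set-Cookie": "PHPSESSID=CONSTRUCTED-SESSION-ID; path=/; HttpOnly; SameSite=Lax",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=UTF-8",
}


def finding_ids(headers: Dict[str, HeaderValue]) -> List[str]:
    """Convenience wrapper returning only the finding identifiers."""
    return [fid for fid, _ in audit_headers(headers)]


if __name__ == "__main__":
    for label, hdrs in (("scanned", SCANNED_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {len(audit_headers(hdrs))} finding(s)")
        for fid, fix in audit_headers(hdrs):
            print(f"  {fid}: {fix}")
```

Running the script against `SCANNED_HEADERS` reproduces the five Nikto items (two missing headers, the wildcard CORS origin, the PHP version disclosure, and the PHPSESSID cookie without HttpOnly), while `HARDENED_HEADERS` yields no findings, which is the retest a report's remediation section should be able to show.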
ffuf -u http://localhost/capstone/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php -recursion
This command uses ffuf to perform directory and file enumeration against the web application. Each entry from the common directory wordlist is substituted for the FUZZ keyword in the URL to discover hidden or unlinked directories and files; with -e .php, every entry is also requested with a .php extension appended so that PHP-based resources are identified. With -recursion enabled, each directory ffuf discovers is queued as a new job and the same wordlist is run beneath it to uncover additional endpoints.
┌──(kali㉿kali)-[~/peh/labs]
└─$ ffuf -u http://localhost/capstone/FUZZ -w /usr/share/wordlists/dirb/common.txt -e .php -recursion
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://localhost/capstone/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess.php           [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 0ms]
.hta.php                [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 2ms]
.htpasswd               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 1ms]
.htpasswd.php           [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 1ms]
                        [Status: 200, Size: 14261, Words: 2458, Lines: 109, Duration: 11ms]
admin                   [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 0ms]
[INFO] Adding a new job to the queue: http://localhost/capstone/admin/FUZZ
assets                  [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 0ms]
[INFO] Adding a new job to the queue: http://localhost/capstone/assets/FUZZ
auth.php                [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 9ms]
coffee.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 18ms]
.htaccess               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 384ms]
db.php                  [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 7ms]
.hta                    [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 480ms]
index.php               [Status: 200, Size: 14261, Words: 2458, Lines: 109, Duration: 54ms]
index.php               [Status: 200, Size: 14261, Words: 2458, Lines: 109, Duration: 79ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 4ms]
init.php                [Status: 200, Size: 238, Words: 22, Lines: 8, Duration: 515ms]
[INFO] Starting queued job on target: http://localhost/capstone/admin/FUZZ
.htpasswd.php           [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 2ms]
.hta.php                [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 2ms]
                        [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 5ms]
.hta                    [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 5ms]
.htaccess.php           [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 10ms]
.htaccess               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 10ms]
.htpasswd               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 10ms]
admin.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 10ms]
admin.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 18ms]
[INFO] Starting queued job on target: http://localhost/capstone/assets/FUZZ
                        [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 0ms]
.hta                    [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 3ms]
.htaccess               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 3ms]
.htaccess.php           [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 3ms]
.htpasswd               [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 3ms]
.htpasswd.php           [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 3ms]
.hta.php                [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 4ms]
11.php                  [Status: 200, Size: 192, Words: 16, Lines: 5, Duration: 67ms]
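To make the enumeration procedure behind the ffuf run above readable in one place, here is an added Python example (this write-up's own illustration, not ffuf's code): `enumerate_paths` tries each wordlist entry bare and with every extension appended, and when a hit looks like a directory it queues that directory so the same wordlist is replayed beneath it, which is what ffuf's three jobs did for /capstone/, /capstone/admin/ and /capstone/assets/. It runs offline against a constructed site map that mirrors the paths the scan found; treating a 301 as the directory signal, the wordlist and the `fetch` callable are this example's assumptions. The `request_count` helper shows why each job's progress counter ran to 9228: the wordlist is tried twice per entry (bare and with .php).

```python
"""Directory and file enumeration with extension appending and recursion.

Added example for this write-up: it is not ffuf's code. It reproduces the
loop that the ffuf command above performs and runs offline against a
constructed site map; `fetch` is the only piece to swap for a real client.
"""
from collections import deque
from typing import Callable, Dict, List, Tuple

# Constructed site map mirroring the paths the ffuf run discovered. Apache
# answers a directory requested without its trailing slash with a 301, and
# that is the directory signal used to recurse (an assumption of this example).
SITE_MAP: Dict[str, int] = {
    "/capstone/admin": 301,
    "/capstone/assets": 301,
    "/capstone/auth.php": 302,
    "/capstone/coffee.php": 302,
    "/capstone/db.php": 200,
    "/capstone/index.php": 200,
    "/capstone/init.php": 200,
    "/capstone/logout.php": 302,
    "/capstone/admin/admin.php": 302,
    "/capstone/assets/11.php": 200,
}

# Constructed stand-in for the dirb common.txt wordlist.
WORDLIST: List[str] = ["11", "admin", "assets", "auth", "backup", "coffee",
                       "db", "index", "init", "logout", "uploads"]


def mock_fetch(path: str) -> int:
    """Stand-in for an HTTP GET: returns the mapped status, else 404."""
    return SITE_MAP.get(path, 404)


def is_hit(status: int) -> bool:
    """ffuf's default matcher shown in the run: 2xx,301,302,307,401,403,405,500."""
    return 200 <= status <= 299 or status in {301, 302, 307, 401, 403, 405, 500}


def enumerate_paths(base: str, words: List[str], extensions: List[str],
                    fetch: Callable[[str], int], recurse: bool = True,
                    max_depth: int = 2) -> List[Tuple[str, int]]:
    """Breadth-first enumeration.

    Every word is requested bare and with each extension appended. A hit that
    looks like a directory (301 here) is queued so the same wordlist is replayed
    underneath it, which is what ffuf's -recursion flag does.
    """
    hits: List[Tuple[str, int]] = []
    queue = deque([(base, 0)])
    while queue:
        prefix, depth = queue.popleft()
        for word in words:
            for candidate in [word] + [word + ext for ext in extensions]:
                path = prefix + candidate
                status = fetch(path)
                if not is_hit(status):
                    continue
                hits.append((path, status))
                if recurse and status == 301 and depth < max_depth:
                    queue.append((path + "/", depth + 1))
    return hits


def request_count(words: int, extensions: int, directories: int) -> int:
    """Requests issued: (bare + one per extension) per word, per directory fuzzed."""
    return words * (1 + extensions) * directories


if __name__ == "__main__":
    for path, status in enumerate_paths("/capstone/", WORDLIST, [".php"], mock_fetch):
        print(f"{path:<32} [Status: {status}]")
```

Against the constructed map the loop reports the same ten endpoints the ffuf output lists (admin, assets, auth.php, coffee.php, db.php, index.php, init.php, logout.php, admin/admin.php and assets/11.php); with `recurse=False` the two nested files are never requested, which is the difference the -recursion flag makes.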