This exercise covers how one can bypass the authentication of an SSH server based on libssh to gain a shell on the impacted system
This exercise covers the different ways to perform code review. It also contains a simple application to review to help you get started.
This exercise covers the exploitation of the Struts S2-052 vulnerability
This exercise explains how you can exploit a vulnerability published in 2014 in Gitlist.
This exercise covers an attack against CBC mode. This attack can be used to decrypt data and re-encrypt arbitrary data
This exercise covers the exploitation of a XML entities in the Play framework.
This exercise covers the exploitation of a Bash vulnerability through a CGI.
This exercise covers the exploitation of a session injection in the Play framework. This issue can be used to tamper with the content of the session while bypassing the signing mechanism
This exercise covers the exploitation of CVE-2007-1860. This vulnerability allows an attacker to gain access to unaccessible pages using crafted requests. This is a common trick that a lot of testers miss.
This exercise explains how you can use a Cross-Site Scripting vulnerability to get access to an administrator's cookies. Then how you can use his/her session to gain access to the administration to find a SQL injection and gain code execution using it.
This exercise explains how you can tamper with an encrypted cookies to access another user's account.
This exercise is a set of the most common web vulnerabilities.
This exercise explains how you can, from a blind SQL injection, gain access to the administration console. Then once in the administration console, how you can run commands on the system.
This exercise explains how you can exploit CVE-2012-6081 to gain code execution. This vulnerability was exploited to compromise Debian's wiki and Python documentation website
This exercise is a set of the most common web vulnerabilities.
This exercice explains the interactions between Tomcat and Apache, then it will show you how to call and attack an Axis2 Web service. Using information retrieved from this attack, you will be able to gain access to the Tomcat Manager and deploy a WebShell to gain commands execution.
This exercise explains how you can exploit CVE-2008-1930 to gain access to the administration interface of a Wordpress installation.
This exercise explains how you can from a SQL injection gain access to the administration console. Then in the administration console, how you can run commands on the system.
After a short brute force introduction, this exercise explains the tampering of rack cookie and how you can even manage to modify a signed cookie (if the secret is trivial). Using this issue, you will be able to escalate your privileges and gain commands execution.
This exercise explains how to perform a Linux host review, what and how you can check the configuration of a Linux server to ensure it is securely configured. The reviewed system is a traditional Linux-Apache-Mysql-PHP (LAMP) server used to host a blog.
This exercise explains how you can exploit CVE-2012-2661 to retrieve information from a database
This exercise explains how you can exploit CVE-2012-1823 to retrieve the source code of an application and gain code execution.
This exercise describes the exploitation of a local file include with limited access. Once code execution is gained, you will see some post exploitation tricks.
This exercise explains how you can, from a SQL injection, gain access to the administration console, then in the administration console, how you can run commands on the system.
© PentesterLab. ALL Rights Reserved. | Terms and conditions | Privacy Policy