Pen-testing: Badstore v1.2.3 Walkthrough — Vulnhub
Published in
8 min readFeb 12, 2018
The following is a walkthrough of this vulnhub machine from 2004. I know… it’s crazy old stuff. If this machine would still exist it’d probably look like this:
But, for the propose of experimenting with classic low-hanging web app vulnerabilities, it’s still a reliable source for beginners like me. So, the goal was to search for and exploit every vulnerability regarding the web page. My findings include:
- Exposed directories
- Design flaws in password reset
- SQLi
- XSS
- CSRF
- Parameter manipulation vulnerabilities
- Poor hash algorithm
- Poor password policy
- Information disclosure
- Flaws in access privileges for directories and functionalities
- Some default credentials
Let’s start with this!
1- Doing reconnaissance and enumeration
First I boot the machine and run an Nmap scan to find where it is: