Pen-testing: Badstore v1.2.3 Walkthrough — Vulnhub

Syscall59 — Alan Vivona
8 min read · Feb 12, 2018

The following is a walkthrough of this Vulnhub machine from 2004. I know… it’s crazy old stuff. If this machine still existed, it’d probably look like this:

But for the purpose of experimenting with classic low-hanging web app vulnerabilities, it’s still a reliable source for beginners like me. So the goal was to search for and exploit every vulnerability related to the web page. My findings include:

  • Exposed directories
  • Design flaws in password reset
  • SQLi
  • XSS
  • CSRF
  • Parameter manipulation vulnerabilities
  • Poor hash algorithm
  • Poor password policy
  • Information disclosure
  • Flaws in access privileges for directories and functionalities
  • Some default credentials

Let’s start with this!

1- Doing reconnaissance and enumeration

First I boot the machine and run an Nmap scan to find where it is:
