### Download the virtual machine
This project documents the pentesting process of a vulnerable virtual machine called Zico2. The goal is to practice reconnaissance, scanning, directory enumeration, and exploitation of a web vulnerability (Remote Code Execution). Kali Linux was used as the attack environment along with analysis and exploitation tools such as Nmap, Nikto, Dirb, Searchsploit, and Metasploit.
- Kali Linux
- Nmap
- Netdiscover
- Nikto
- Dirb
- Searchsploit
- Metasploit
- Attacker system: Kali Linux
- Target system: Zico2 Virtual Machine (10.0.2.5)
- Network mode: NAT + Internal Network (VirtualBox)
Command used:
netdiscover -r 10.0.2.0/24
Using netdiscover to identify the target machine’s IP.
nmap -Pn -A -T4 10.0.2.5Services detected:
- 22/tcp - SSH
- 80/tcp - HTTP
- 111/tcp - RPCBind
Nmap scan revealing open ports (22, 80, 111).
nikto -h http://10.0.2.5Potentially vulnerable directories and configurations are identified.
Analysis with nikto detecting possible vulnerabilities.
dirb http://10.0.2.5/ /usr/share/dirb/wordlists/common.txtImportant result: discovery of the /dbadmin directory.
Directory enumeration with dirb, discovering
/dbadmin.
Accessing http://10.0.2.5/dbadmin reveals the phpLiteAdmin application.
searchsploit -t phpliteadminMatch found:
PHPLiteAdmin 1.9.3 – Remote PHP Code Injectionsearchsploit -x php/webapps/24044.txtAttempting access to phpLiteAdmin using default passwords documented in the exploit.
Access to phpLiteAdmin, potential exploitation via Remote Code Execution.
- Improved skills in network scanning and service enumeration.
- Identification and exploitation of known vulnerabilities.
- Manual and automated analysis of web applications.
- Use of dictionaries for directory brute forcing.
- Consulting and practical use of public exploits.
pentesting-zico2/ ├── screenshots/ │ └── 1.png │ └── 2.png │ └── 3.png │ └── 4.png │ └── 5.png ├── report.md └── index.html (this file)
Déborah Loisel
Vulnerability Analyst & Blue Team Junior
LinkedIn · GitHub