Juice Shop SQL Injection — Lab Exercise & POC

Lab Environment Setup

Target: OWASP Juice Shop running at http://localhost:3000
Prerequisites:

  • Docker running
  • Juice Shop container active
  • curl CLI available

Start Lab:

docker ps | grep juice-shop
# Should show running container on port 3000

Part 1: Reconnaissance

1.1 Identify Login Endpoint

curl -s "http://localhost:3000/rest/user/login" -X POST \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","password":"test"}' \
  | head -20

Expected Response:

Invalid email or password.

This confirms the endpoint exists and validates credentials.

1.2 Test for SQL Injection (Boolean-based)

Payload 1 - Always False:


MITRE ATT&CK Mapping: Juice Shop SQL Injection

Attack Flow Overview

Reconnaissance → Discovery → Exploitation → Privilege Escalation → Post-Exploitation
    |               |            |                  |                    |
   T1592       T1590, T1595   T1190, T1078       T1078              T1087, T1005

PHASE 1: RECONNAISSANCE & DISCOVERY

T1592 (Gather Victim Org Info)

Objective: Identify Juice Shop as target, determine it runs on localhost:3000

Techniques:

# Service discovery
curl -s http://localhost:3000 | grep -i "juice\|owasp"

# Port enumeration
nmap -p 3000 localhost

Artifacts:

  • Juice Shop running on port 3000
  • Identifies as vulnerable training application

T1590 (Gather Victim Network Info)

Objective: Map application endpoints and authentication mechanisms


Lab: File and Directory Discovery on DVWA

Objectives

By the end of this lab, you will:

  1. Identify and exploit command injection vulnerabilities
  2. Execute filesystem reconnaissance commands
  3. Map application and system directory structure
  4. Locate sensitive configuration files
  5. Identify potential persistence and exfiltration vectors
  6. Document findings in a structured format

Prerequisites

  • Docker and docker-compose installed
  • DVWA running on localhost:80
  • Command-line access
  • Basic Linux filesystem knowledge

Lab Setup

Start DVWA

cd esther-lab
docker-compose up -d dvwa mysql
docker-compose logs dvwa

Verify Access

curl -s http://localhost:80/login.php | head -20

Exercise Steps

Step 1: Login to DVWA

# Get login token
TOKEN=$(curl -s -c /tmp/cj.txt http://localhost:80/login.php | \
  grep -oP "user_token'[^']*value='\K[^']*")

# Login with default credentials
curl -s -b /tmp/cj.txt -c /tmp/cj.txt -X POST http://localhost:80/login.php \
  -d "username=admin&password=password&user_token=$TOKEN&Login=Login" -L

Step 2: Access Command Injection Vulnerability

Navigate to: http://localhost:80/vulnerabilities/exec/


Methods: Filesystem Discovery Techniques for Reconnaissance

Introduction

File and directory discovery (T1083) is a core reconnaissance technique. This post documents practical methods for enumerating filesystems, from passive information gathering to active command execution.

Method 1: Passive Information Gathering

1.1 Web Crawling and Sitemap Analysis

Objective: Identify publicly accessible files and directory structure

Tools:

  • curl / wget — Fetch pages and analyze links
  • robots.txt — Check for directory hints
  • sitemap.xml — Public directory mapping

Example:

# Fetch robots.txt for directory hints
curl -s https://target.com/robots.txt

# Parse sitemap for accessible paths
curl -s https://target.com/sitemap.xml | grep -oP '<loc>\K[^<]*'

Output: /admin/, /api/, /backup/, /uploads/


Report: T1083 Filesystem Discovery Against DVWA

Executive Summary

This report documents a controlled exercise in filesystem reconnaissance (MITRE ATT&CK T1083) against DVWA running on Docker. The exercise identified critical security misconfigurations, including unvalidated command execution and writable upload directories.

Key Finding: Command injection vulnerability allows unrestricted filesystem enumeration and identification of persistence vectors.


Methodology

Exercise Date: 2026-03-05
Target: DVWA (Damn Vulnerable Web Application) on localhost:80
Vulnerability: Command Injection (DVWA /vulnerabilities/exec/)
Execution Context: www-data user (UID 33)
Attack Vector: POST parameter injection


T1083: File and Directory Discovery — DVWA Case Study

Overview

MITRE ATT&CK Technique: T1083 — File and Directory Discovery

Tactic: Discovery

Definition: Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system or directory structure. Adversaries may use the information gathered to plan follow-up actions, such as identifying executable files or sensitive data.

This post documents a practical reconnaissance exercise against DVWA using command injection to enumerate the filesystem and identify critical directories, configuration files, and potential attack surfaces.


Command Injection (T1059) - DVWA Lab Exercise

Date: 2026-03-04
Target: DVWA (Damn Vulnerable Web Application) - Command Injection Module
Security Level: Low
MITRE Mapping: T1059 - Command and Scripting Interpreter


Executive Summary

This lab exercise demonstrates OS command injection via an unvalidated web input parameter. The vulnerable application (DVWA) provides a “ping” utility form that fails to sanitize user input, allowing attackers to break out of the intended command context and execute arbitrary OS commands as the web server user (www-data).
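An added example (not DVWA's own code, and a Python model rather than its PHP) of the fix for the weakness this summary describes: the form value is parsed as a literal IP address and ping is run as an argv list, so no shell ever sees user-supplied text.

```python
"""Hardened model of the DVWA "ping" form handler (added example, Python rather
than DVWA's PHP). Instead of concatenating the form value into a shell command
string, it is parsed as an IP address and ping is run as an argv list."""
import ipaddress
import subprocess


def build_ping_argv(user_input, count=1):
    """Allow-list validation: accept only a literal IPv4/IPv6 address and return
    the argv list to execute. Anything else (hostnames, separators, command
    substitutions) makes ipaddress.ip_address raise ValueError."""
    addr = ipaddress.ip_address(user_input.strip())
    # "-c" is the Linux ping count flag (the lab container is Linux)
    return ["ping", "-c", str(count), str(addr)]


def run_ping(user_input, timeout=10):
    """Execute the validated command without shell=True; returns (rc, stdout)."""
    argv = build_ping_argv(user_input)  # raises ValueError on bad input
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # A valid address yields an argv list; a trailing separator is rejected
    for value in ("127.0.0.1", "::1", "127.0.0.1;", "localhost"):
        try:
            print(repr(value), "-> argv:", build_ping_argv(value))
        except ValueError as exc:
            print(repr(value), "-> rejected:", exc)
```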


OpenSearch Audit Log Analysis — Lab Walkthrough

Date: 2026-03-04
Objective: Identify and analyze unauthenticated requests in OpenSearch security audit logs
Environment: OpenSearch cluster with security plugin enabled


Lab Setup

Prerequisites

  • OpenSearch instance running with security audit plugin
  • Admin credentials (or read access to security indices)
  • curl with support for HTTPS and basic auth
  • jq (optional, for JSON parsing)

Credentials Used

USERNAME="admin"
PASSWORD="<REDACTED>"
OPENSEARCH_URL="https://localhost:9200"

Step 1: Verify OpenSearch Connectivity

Test basic connectivity and authentication:

curl -s -u admin:<REDACTED> https://localhost:9200 --insecure | jq .

Expected Output:


OpenSearch Audit Log Threat Hunting — Reusable Methodology

Purpose: Tactical reference guide for querying OpenSearch audit logs to identify anomalies, security events, and suspicious activity.


Core Concept

OpenSearch audit logs record all REST API requests (authentication, data access, privilege changes). Systematic querying of these logs reveals:

  • Unauthorized access attempts
  • Unusual data access patterns
  • Privilege escalation
  • Service account abuse
  • Automated scanning activity

Index Structure & Naming

OpenSearch stores audit logs in daily indices:

security-auditlog-YYYY.MM.DD

Examples:

security-auditlog-2026.03.04  (today)
security-auditlog-2026.03.03  (yesterday)
security-auditlog-2026.03.*   (all March 2026)
security-auditlog-*           (all indices)

Use wildcard patterns to query multiple days at once.
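An added example, not part of the original lab, that applies this methodology offline in Python: it resolves a wildcard like the ones above against a list of daily index names, then triages constructed audit records (field names assume the OpenSearch security plugin's audit schema) to surface unauthenticated requests and the source addresses generating them.

```python
"""Offline triage of OpenSearch security audit records (added example, not the
lab's own tooling). Field names assume the security plugin's audit schema; the
index names and documents below are constructed, not exported from a cluster."""
import fnmatch
from collections import Counter

# Categories logged when a request did not pass authentication or authorization
UNAUTHENTICATED_CATEGORIES = {"FAILED_LOGIN", "MISSING_PRIVILEGES", "BAD_HEADERS"}

# Constructed daily index names, as a _cat/indices listing might show them
AVAILABLE_INDICES = ["security-auditlog-2026.02.28", "security-auditlog-2026.03.03",
                     "security-auditlog-2026.03.04"]

def _doc(ts, category, user, addr, method, path):
    return {"audit_utc_timestamp": ts, "audit_category": category,
            "audit_request_effective_user": user, "audit_request_remote_address": addr,
            "audit_rest_request_method": method, "audit_rest_request_path": path}

# Constructed sample audit documents, one per event
SAMPLE_AUDIT_DOCS = [
    _doc("2026-03-04T09:00:01Z", "AUTHENTICATED", "admin", "10.0.0.5", "GET", "/"),
    _doc("2026-03-04T09:00:05Z", "FAILED_LOGIN", "admin", "192.0.2.77", "GET", "/_cat/indices"),
    _doc("2026-03-04T09:00:06Z", "FAILED_LOGIN", "root", "192.0.2.77", "GET", "/_cat/indices"),
    _doc("2026-03-04T09:00:07Z", "FAILED_LOGIN", "kibanaserver", "192.0.2.77", "GET", "/"),
    _doc("2026-03-04T09:00:08Z", "BAD_HEADERS", None, "192.0.2.77", "GET", "/"),
    _doc("2026-03-04T09:01:00Z", "MISSING_PRIVILEGES", "analyst", "10.0.0.9", "DELETE",
         "/security-auditlog-2026.03.03"),
    _doc("2026-03-04T09:02:00Z", "GRANTED_PRIVILEGES", "analyst", "10.0.0.9", "GET",
         "/security-auditlog-*/_search"),
]

def select_indices(pattern, available=AVAILABLE_INDICES):
    """Daily indices a wildcard such as security-auditlog-2026.03.* would query."""
    return sorted(n for n in available if fnmatch.fnmatchcase(n, pattern))

def unauthenticated_requests(docs):
    """Events whose category shows the request never passed authentication."""
    return [d for d in docs if d.get("audit_category") in UNAUTHENTICATED_CATEGORIES]

def noisy_sources(docs, threshold=3):
    """Remote addresses with at least `threshold` unauthenticated events."""
    counts = Counter(d["audit_request_remote_address"] for d in unauthenticated_requests(docs))
    return {addr: n for addr, n in counts.items() if n >= threshold}

def usernames_tried_from(docs, addr):
    """Distinct usernames attempted from one address; many names from one source
    points at credential guessing rather than one misconfigured client."""
    return sorted({d["audit_request_effective_user"] for d in unauthenticated_requests(docs)
                   if d["audit_request_remote_address"] == addr and d["audit_request_effective_user"]})
```

Against a live cluster the same functions apply to the hits returned by a `_search` over the selected indices, with `audit_category` restricted to the categories in `UNAUTHENTICATED_CATEGORIES`.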
