Share
## https://sploitus.com/exploit?id=EC557568-D90F-52CE-B27D-A26D3D18AACA
# AppAssault Lab โ€” Attacking Common Applications

```
    โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
    โ•‘                                          โ•‘
    โ•‘   APP ASSAULT LAB                        โ•‘
    โ•‘   Attacking Common Applications          โ•‘
    โ•‘                                          โ•‘
    โ•‘   15 Vulnerable Apps | 15 CVEs           โ•‘
    โ•‘   Real Exploits | Real RCE               โ•‘
    โ•‘                                          โ•‘
    โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
```

**A collection of intentionally vulnerable real-world applications for practicing exploitation techniques.**

Each application runs a specific vulnerable version with known CVEs and misconfigurations. Enumerate, exploit, and gain RCE on each target.

---

## Quick Start

```bash
git clone https://github.com/Phantom-C2-77/AppAssaultLab.git
cd AppAssaultLab
docker compose up -d

# Wait 3-5 minutes for all services to initialize
# Open scoreboard: http://localhost:7777
```

### Requirements
- Docker + Docker Compose
- 8GB+ RAM (recommended 16GB)
- Kali Linux or equivalent pentest OS

---

## Targets

### Content Management Systems (CMS)

| Target | Version | CVE | Port | Technique |
|--------|---------|-----|------|-----------|
| WordPress | 5.6 | CVE-2021-29447 (XXE) + WPScan | 8001 | Plugin enumeration โ†’ XXE โ†’ credential leak |
| Joomla | 4.2.7 | CVE-2023-23752 (Info Disclosure) | 8002 | API info leak โ†’ admin access โ†’ template RCE |
| Drupal | 8.5.0 | CVE-2018-7600 (Drupalgeddon2) | 8003 | Unauthenticated RCE via form API |

### Servlet Containers & DevOps

| Target | Version | CVE/Vuln | Port | Technique |
|--------|---------|----------|------|-----------|
| Tomcat | 9.0.30 | CVE-2020-1938 (Ghostcat) + Manager Deploy | 8004/8009 | AJP file read โ†’ WAR deploy โ†’ RCE |
| Jenkins | 2.441 | CVE-2024-23897 (File Read) + Script Console | 8005 | Arbitrary file read โ†’ credentials โ†’ RCE |
| GitLab CE | 13.10.2 | CVE-2021-22205 (RCE via ExifTool) | 8006 | Image upload โ†’ RCE |

### Infrastructure & Monitoring

| Target | Version | CVE/Vuln | Port | Technique |
|--------|---------|----------|------|-----------|
| Splunk | 8.2.0 | Default creds + Custom App RCE | 8007 | admin:changeme โ†’ scripted input โ†’ RCE |
| Nagios XI | 5.7.5 | CVE-2021-25296 (Authenticated RCE) | 8008 | Default creds โ†’ command injection โ†’ RCE |
| Zabbix | 5.0.0 | CVE-2022-23131 (Auth Bypass + RCE) | 8009 | SAML bypass โ†’ script execution โ†’ RCE |

### Ticketing & Collaboration

| Target | Version | CVE/Vuln | Port | Technique |
|--------|---------|----------|------|-----------|
| osTicket | 1.15.8 | File upload bypass + SQL injection | 8010 | Upload .phar โ†’ execute โ†’ RCE |
| Roundcube | 1.5.0 | CVE-2023-5631 (Stored XSS โ†’ RCE chain) | 8011 | XSS โ†’ CSRF โ†’ command execution |

### CGI & Legacy

| Target | Version | CVE/Vuln | Port | Technique |
|--------|---------|----------|------|-----------|
| Apache + CGI | 2.4.49 | CVE-2021-41773 (Path Traversal + RCE) | 8012 | Path traversal โ†’ CGI execution โ†’ RCE |
| Shellshock | Bash 4.3 | CVE-2014-6271 (Shellshock) | 8013 | CGI bash injection โ†’ RCE |

### Data & Services

| Target | Version | CVE/Vuln | Port | Technique |
|--------|---------|----------|------|-----------|
| phpMyAdmin | 4.8.1 | CVE-2018-12613 (LFI โ†’ RCE) | 8014 | Local file inclusion โ†’ session file โ†’ RCE |
| OpenLDAP | 2.4 | Anonymous bind + info disclosure | 8015 | Anonymous query โ†’ credential dump |

---

## Attack Methodology

For each target:

1. **Discovery** โ€” Port scan, service identification, version detection
2. **Enumeration** โ€” Application-specific enumeration (WPScan, droopescan, etc.)
3. **Exploitation** โ€” Exploit the CVE or misconfiguration
4. **Post-Exploitation** โ€” Read the flag, demonstrate impact

---

## Recommended Tools

- [nmap](https://nmap.org/) โ€” Service discovery and version detection
- [WPScan](https://github.com/wpscanteam/wpscan) โ€” WordPress vulnerability scanner
- [droopescan](https://github.com/SamJoan/droopescan) โ€” Drupal/Joomla/WordPress scanner
- [Metasploit](https://www.metasploit.com/) โ€” Exploit framework
- [Burp Suite](https://portswigger.net/burp) โ€” Web proxy
- [curl](https://curl.se/) โ€” HTTP client
- [searchsploit](https://www.exploit-db.com/searchsploit) โ€” Exploit database search
- [nuclei](https://github.com/projectdiscovery/nuclei) โ€” Vulnerability scanner

---

## Disclaimer

**All applications are intentionally vulnerable.** Do NOT expose to the internet. Run locally or in an isolated network for training only.

---

## Author

**Opeyemi Kolawole** โ€” [GitHub](https://github.com/Phantom-C2-77)

## License

BSD 3-Clause

## References

- [Vulhub](https://github.com/vulhub/vulhub) โ€” Pre-built vulnerable Docker environments
- [OWASP Vulnerable Container Hub](https://owasp.org/www-project-vulnerable-container-hub/)
- [HTB Academy โ€” Attacking Common Applications](https://academy.hackthebox.com/)