
Web Server Attacks - I

Premium room

Enumerate and identify misconfigurations across Apache, Nginx, Node.js, and Python HTTP Server.

medium

60 min


During a penetration test, you will almost always run into at least one web server. Sometimes it is a production site with careful configuration. Sometimes it is a forgotten Python server that a developer spun up two years ago and never shut down. Both of them are in scope. Both of them can lead somewhere interesting.

This room focuses on the reconnaissance and misconfiguration-identification phase of web application testing. Four different web servers are running: Apache2, Python's built-in server, a Node.js Express application, and Nginx. These four were chosen because they represent the dominant server types you will encounter: Apache and Nginx cover the traditional web server space, Node.js represents the modern application server pattern, and Python's server covers the accidental or improvisational server that appears more often than expected. Each one has distinct behaviours, default configurations, and common mistakes that testers encounter regularly.

The room stops at misconfiguration identification. We will not exploit vulnerabilities in the traditional sense: no shells and no privilege escalation. The goal is to build reconnaissance skills that tell you what is exposed and why it matters, a prerequisite for every technique that follows.

Info: In a real engagement, these services would typically run on separate hosts. This lab consolidates them onto one machine to keep things manageable. The behaviour, response headers, and misconfigurations you will see are identical to what you would find in a distributed environment.

Learning Objectives

  • Identify web server software and versions using response headers and default error pages
  • Recognise the risks of Python's built-in server when accidentally exposed
  • Enumerate directory listings, exposed status pages, and unlinked backup files
  • Identify debug endpoints, verbose error messages, and environment variable exposure in Node.js Express applications
  • Detect Nginx autoindex directory listings and exposed nginx_status metrics
  • Perform a security header audit across multiple servers using curl and nikto

Prerequisites

Machine Access

Start the machine by clicking the Start Machine button below. Allow around two minutes for the services to initialise, then access them using the AttackBox or your VPN connection.

Answer the questions below

I have deployed the virtual machines!
