โ๏ธ Lab Setup
Before running any lab, ensure your Kali Linux environment has the required tools installed.
Prerequisites
These labs require Kali Linux (or a comparable pentesting distro). Run with explicit permission on systems you own or are authorized to test.
Required toolsโ
Install everything at once:
sudo apt update && sudo apt install -y \
nmap curl gobuster nikto sqlmap \
hydra john hashcat openssl \
python3 python3-pip wfuzz ffuf
Python toolsโ
pip3 install jwt_tool trufflehog gitleaks
Optional tools (used in specific labs)โ
# jwt_tool (from source)
git clone https://github.com/ticarpi/jwt_tool /opt/jwt_tool
# phpggc (PHP deserialization gadget chains)
git clone https://github.com/ambionics/phpggc.git /opt/phpggc
# ysoserial (Java deserialization)
wget https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar -O /opt/ysoserial.jar
# SSRFmap (automated SSRF exploitation)
git clone https://github.com/swisskyrepo/SSRFmap.git /opt/SSRFmap
Wordlistsโ
| Path | Use |
|---|---|
/usr/share/wordlists/dirb/common.txt | Directory/file brute-forcing |
/usr/share/wordlists/rockyou.txt | Password cracking |
/usr/share/wordlists/metasploit/unix_users.txt | Username enumeration |
Lab configurationโ
Each lab script has a configuration block at the top. Edit these before running:
TARGET="http://TARGET_IP_OR_DOMAIN"
PORT="80"
WORDLIST="/usr/share/wordlists/dirb/common.txt"
OWASP Labs indexโ
| Lab | OWASP Category |
|---|---|
| A01 โ Broken Access Control | A01:2021 |
| A02 โ Cryptographic Failures | A02:2021 |
| A03 โ Injection | A03:2021 |
| A05 โ Security Misconfiguration | A05:2021 |
| A06 โ Vulnerable Components | A06:2021 |
| A07 โ Authentication Failures | A07:2021 |
| A08 โ Integrity Failures | A08:2021 |
| A10 โ SSRF | A10:2021 |