Pentesting Web Reconnaissance Project - The Lovers

Web Reconnaissance Project in Pentesting – The Lovers

In this second phase of the pentest on the vulnerable machine The Lovers, you will perform reconnaissance of the previously identified web service.

Your mission:

• Explore the homepage.
• Detect the vulnerable login form.
• Enumerate hidden directories and files on the web server.

In this stage, do not exploit vulnerabilities. Only document the web surface, which will serve as a starting point for later phases.

Requirements

1. Have completed Phase 1 – Machine Reconnaissance.
2. The Lovers virtual machine (already running). If you don't have it, download the VM from this link:

1   https://storage.googleapis.com/cybersecurity-machines/lovers-lab.ova

1. Attacking machine: Kali Linux.

📝 Instructions

1. Access the website hosted on The Lovers using the IP discovered in the previous phase.
2. Explore the homepage and document its content.
3. Locate and document the existence of the login form. ⚠️ Do not attempt to exploit it yet.
4. Perform directory brute-forcing with Gobuster or Dirb, using SecLists wordlists, for example:

1   gobuster dir -u http://<IP> -w /usr/share/seclists/Discovery/Web-Content/common.txt

1. Record in your report the hidden paths and files you have found.

Submission

Submit a PDF report with:

• Screenshots of the homepage.
• Evidence of the login form.
• Commands used to enumerate directories.
• Results of found paths and initial observations.