DFIR Engineer’s First Black Box Pentest Experience
Hey folks,
So this week I finally got to do a full black box pentest on a client’s web app — no creds, no internal info, just dropped into the wild like it’s a CTF challenge. Thought I’d write a quick blog about what I did, what I messed up, and a few lessons I wish someone had told me before.
What Is a Black Box Pentest Anyway?
For anyone who’s new, black box penetration testing is when you test an application or network without any prior knowledge. No internal docs, no access, nothing. You’re just like an outsider trying to break in. It’s basically simulating what a real-world attacker would do, which makes it fun… and hard.
Step 1: Recon is 🔑
Started off with good old recon. Honestly, I spend maybe 60% of my time just doing recon. People underestimate this part so badly.
Used:
- Amass for subdomain enum
- Nmap (ofc) for open ports
- WhatWeb and dirsearch to peek into what tech stack we’re dealing with
I found some juicy stuff like an old dev subdomain running outdated WordPress (yep, still happens in 2025 lol).
Step 2: Fingerprinting and Enumeration
I almost missed the Apache server version ’cause I was rushing through banner grabs. Lesson: slow down, bro. One missed detail = one missed vuln.
Also ran gobuster with a way too short wordlist at first. Wasted a lot of time until I realized I should’ve swapped it for SecLists’ medium list. 🙃
Step 3: Exploit Attempts (And Fails…)
So this part… yeah. I tried to exploit a known LFI vuln I *thought* I found. Turns out it was just a false positive from a custom error page. Wasted like 3 hours tunneling crap through Burp Suite for no reason.
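That false positive is a classic: a catch-all custom error page answers 200 for any path, so a scanner “hit” looks just like a real response. As an added example (not code from the original post), here is a small offline triage helper that compares a scanner finding against the baseline response for a path that cannot exist; the sample responses are constructed and the threshold is my own assumption.

```python
import difflib

# Constructed sample HTTP responses; made up for this example,
# not captured from any real system.
BASELINE = {            # response for a path that cannot exist
    "status": 200,
    "body": "<html><body><h1>Oops, we couldn't find that</h1>"
            "<p>Request id: 4f2a</p></body></html>",
}
CANDIDATE_SAME = {      # scanner "hit" that is really the same error page
    "status": 200,
    "body": "<html><body><h1>Oops, we couldn't find that</h1>"
            "<p>Request id: 9c1b</p></body></html>",
}
CANDIDATE_DIFF = {      # a response whose body differs substantially
    "status": 200,
    "body": "# sample config\nlisten=8080\nlog_level=debug\n",
}


def body_similarity(a: str, b: str) -> float:
    """Similarity of two response bodies in 0.0..1.0 (difflib ratio)."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def triage(baseline: dict, candidate: dict, threshold: float = 0.9) -> str:
    """Compare a scanner finding with the baseline catch-all error page.

    Same status and a near-identical body means the scanner just saw the
    custom error page again: false positive. A differing body with a
    success status deserves a manual look. Nothing is ever marked
    'confirmed' here; that still needs a human checking the response.
    The 0.9 threshold is an assumed value, tune it per target.
    """
    sim = body_similarity(baseline["body"], candidate["body"])
    if candidate["status"] == baseline["status"] and sim >= threshold:
        return "false_positive"
    if candidate["status"] in (200, 206) and sim < threshold:
        return "review"
    return "inconclusive"


if __name__ == "__main__":
    for name, cand in (("same", CANDIDATE_SAME), ("diff", CANDIDATE_DIFF)):
        print(name, triage(BASELINE, cand))
```

Run the baseline request once per host (dynamic bits like request ids keep the ratio under 1.0 but well above the threshold), then feed each scanner hit through `triage` before spending hours in Burp on it.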
Did finally manage to get a low-priv reverse shell via misconfigured file upload on the dev site. Not bad eh?
Step 4: Lessons I Took Back
- Check everything twice. Don’t jump to exploit before validating.
- Don’t rush recon. Details matter.
- Think like a lazy attacker. Go after low-hanging fruit first.
- Don’t trust scanners blindly. Tools are dumb without context.
Black Box Pentest: The Struggles and the Thrill
Also… write everything down. I was lazy in note-taking and then forgot which payload worked on which endpoint. Never again. 😂
Anyway, it was a hell of a learning experience. Black box is tough but really fun. You’re basically blindfolded and trying to feel your way in — but the moment you break through, that feeling is unbeatable.
If you’re just starting in pentest or DFIR — don’t stress if you mess up. Everyone does. Just document it and learn.