2020 08 29_dvwa

Damn Vulnerable Web Application (DVWA)

DVWA is a web application which uses PHP and MySQL and implements a number of common web application vulnerabilities. For more information visit http://www.dvwa.co.uk/ and https://github.com/digininja/DVWA.

Installation - vagrant up

Using the Vagrantfile in the penetration testing lab directory in the git repo at https://github.com/kushfj/pentesting, spin up a DVWA VM in virtual box.

The virtual machine has two virtual network adapters. The first adapter is connected to the default NAT network, which is required during the initial setup to download and install updates and packages. The second adapter is connected to the default intnet internal network, which is used for the penetration testing. Note, you must disable or disconnect the NAT interface as soon as the machine is ready.

The Kali or Parrot pentest VM should be connected to intnet. For this blog post I am using Parrot OS, which has its eth0 interface connected to the intnet internal network. The intnet internal network must have a DHCP server running; you can configure this using VBoxManage, e.g. VBoxManage dhcpserver add --netname intnet --ip 172.16.254.254 --netmask 255.255.255.0 --lowerip 172.16.254.100 --upperip 172.16.254.199 --enable. In this case we have a DHCP server at 172.16.254.254 configured to issue IP addresses in the range 172.16.254.100 - 172.16.254.199.

Virtual Machine

Once the vagrant command has completed, the DVWA VirtualBox VM should be up and running. Running sudo netdiscover -i eth1 -r 172.16.254.0/24, we find the DVWA virtual machine at 172.16.254.107.

Currently scanning: Finished!   |   Screen View: Unique Hosts

 2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 120
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 172.16.254.107  08:00:27:34:1b:c6      1      60  PCS Systemtechnik GmbH
 172.16.254.254  08:00:27:00:00:b9      1      60  PCS Systemtechnik GmbH

Initial Configuration

  • Using a web browser navigate to http://172.16.254.107
  • Click on the Login button, no need to enter credentials yet
  • Once on setup.php click on the Create/Reset Database button
  • Once the database is reset you will be returned to the login.php page

Walkthrough

The walkthrough below is a summary of the notes collated during the exercise. The exercise is documented for each security level.

  • Log into the application using the default credentials of admin as the username and password as the password, then click on the Login button
  • The security level may be set to low, medium, high and impossible. The default security level is impossible.

Walkthrough - Low

Vulnerability: Brute Force

  • Enter a random password and use admin as the username
  • We get the logon failure message Username and/or password incorrect.
  • Also we can see the URL query string http://172.16.254.107/vulnerabilities/brute/?username=admin&password=totallynotapassword&Login=Login# which was submitted
  • THC Hydra is a popular brute force tool and can be used; refer to https://github.com/vanhauser-thc/thc-hydra
  • I tried hydra -l admin -P /usr/share/wordlists/rockyou.txt 172.16.254.107 http-post-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:incorrect.", and it came back with 16 successful logins; although password is one of the 16 passwords found, the other passwords are incorrect. 16 passwords were returned because by default Hydra runs 16 tasks in an attempt to brute force passwords. When restricting to a single task using the -t 1 command line option/switch, I get the password as 123456, which is not correct. I thought perhaps the issue was with the expected error message, so instead of just incorrect. I tried the full error message Username and/or password incorrect., but still did not get the correct result. I attempted to introduce a delay between connections using -W 3, but there was no change in results.

hydra -l admin -P /usr/share/wordlists/rockyou.txt 172.16.254.107 http-post-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:incorrect." -W 2 -t 1 -f

hydra -l admin -P /usr/share/wordlists/rockyou.txt 172.16.254.107 http-post-form "/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:incorrect." -t 1 -W 3
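On the defending side, the burst of login attempts that a Hydra run like the one above generates is easy to spot in the web server's access log. The script below is an added example (not part of the original notes) that parses constructed Apache-style log lines for the DVWA brute-force page and flags any source IP and username pair that exceeds a threshold of attempts inside a sliding time window; the log format, threshold, window and IP addresses are assumptions for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache "combined"-style access log line (assumed format for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 8 attempts in 8 seconds from one host (Hydra-like burst),
# 2 spaced-out attempts from a legitimate user, and one unrelated request.
SAMPLE_LOG = [
    f'172.16.254.101 - - [29/Aug/2020:14:00:{i:02d} +0000] "GET /vulnerabilities/brute/'
    f'?username=admin&password=pw{i}&Login=Login HTTP/1.1" 200 4321'
    for i in range(1, 9)
] + [
    '172.16.254.120 - - [29/Aug/2020:14:00:01 +0000] "GET /vulnerabilities/brute/'
    '?username=gordonb&password=abc&Login=Login HTTP/1.1" 200 4321',
    '172.16.254.120 - - [29/Aug/2020:14:00:30 +0000] "GET /vulnerabilities/brute/'
    '?username=gordonb&password=abc123&Login=Login HTTP/1.1" 200 4321',
    '172.16.254.120 - - [29/Aug/2020:14:00:31 +0000] "GET /login.php HTTP/1.1" 200 1500',
]

def parse_line(line):
    """Extract ip, timestamp, path and the submitted username (None if absent)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    qs = parse_qs(url.query)
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "path": url.path, "user": qs.get("username", [None])[0],
            "status": int(m.group("status"))}

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60),
                    login_path="/vulnerabilities/brute/"):
    """Return {(ip, username): peak attempts} for pairs reaching threshold within window."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == login_path and rec["user"]:
            attempts[(rec["ip"], rec["user"])].append(rec["ts"])
    flagged = {}
    for key, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

A real deployment would read the live access log and tune the threshold to the login page's normal traffic; the same idea applies whether the form is submitted by GET, as the low-level DVWA page does, or by POST with the parameters logged by the application.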

Walkthrough - Medium

Walkthrough - High

Walkthrough - Impossible

Discovery

Vulnerability Assessment

Exploitation


See also