DVWA PENTESTING LAB Part 1

The document describes setting up a vulnerable web application called DVWA on a Kali Linux virtual machine to learn about common web attacks. It provides step-by-step instructions on installing DVWA, configuring the database, and making the application vulnerable to demonstrate attacks like SQL injection and cross-site scripting.

Uploaded by imad

DVWA PENTESTING LAB - PART 1

OBJECTIVES:

Understanding how some of the OWASP Top 10 web attacks work and how they can be used
against a vulnerable web application.

WHAT WE'LL NEED:

1- Kali Linux virtual Machine with Apache Web Server installed

2- A Damn Vulnerable Web Application

3- To be serious ;)

COURSE OF THE LAB:

Part 1. Setup the Web application pen-testing lab

Part 2. Sensitive Data exposure and Directory listing

Part 3. Access Control & Authentication using Burpsuite

Part 4. Mastering the SQL-injection

Part 5. Find & Exploit Cross-site-scripting (XSS)

Part 6. Command Injection & LFI - Local File Inclusion (more at
https://www.aptive.co.uk/blog/local-file-inclusion-Lfi-testing/#:~:text=Local%20File%20Inclusion%20%28LFI%29%20allows%20an%20attacker%20to,and%20include%20other%20files%20from%20the%20web%20server.?msclkid=e90c91eaa60711ec9a7b096200456ef3 )

===========================================================

Part 1: Setup the Web application Pentesting Lab

1. Run the Kali Linux VM. Ensure that the VM is connected using NAT network

2. Log into Kali Linux with the user account you created during install process

3. Check network connectivity (ex. ping www.google.com). The host OS must be connected
to a physical network (ex. WiFi)

4. On the Terminal, note the IP address assigned to your Kali Linux's OS (ifconfig command)

5. On the terminal, enable the SSH server:

$ sudo systemctl status ssh

(check if the service is in "running" or "inactive/dead" state)

$ sudo systemctl start ssh

$ sudo systemctl status ssh

(you'll see that the service is in "running" state)

6. On your host OS (Windows), open the Terminal (cmd, Windows Terminal, or any SSH
client), then connect to your Kali Linux using the "ssh" command (you'll need the IP address
and the username of your Kali, of course):

> ssh USERNAME@KALI_IP_ADDRESS

(if a long boring message appears that ends with YES|NO, type "yes", then type your Kali
username's password)

7. From now on, you'll use the SSH session from your Windows (Say thanks!)

8. On the SSH terminal, ensure that the Apache Server is installed and running (and please,
don't copy the $ symbol):

$ sudo systemctl status apache2

$ sudo systemctl start apache2

$ sudo systemctl enable apache2

9. On the SSH terminal, change the current user to "root":

$ sudo -s

10. On the SSH terminal, move to the directory /var/www/html (please don't copy the #
symbol)

# cd /var/www/html

11. Download the DVWA archive from the URL
https://github.com/digininja/DVWA/archive/master.zip , then press "Enter":

# wget https://github.com/digininja/DVWA/archive/master.zip

12. Once downloaded, unzip the archive:

# unzip master.zip

13. Now, move the downloaded archive to /root location:

# mv master.zip /root

14. The extracted archive will contain a Directory named "DVWA-master". Move into it:

# cd DVWA-master

15. Rename "config.inc.php.dist" to "config.inc.php":

# mv config.inc.php.dist config.inc.php

16. Using your favorite text editor (my favorite is vim, but not recommended for you... sorry
not sorry! use nano instead), open the "config.inc.php" file:

# nano config.inc.php

17. Edit the “db_user” and “db_password” variables as shown in the following image; they must match the database user you will create in step 19 (user dvwa, password coolpassword123):

Then save the file with CTRL+O, then ENTER, then CTRL+X to exit the file. Finally, exit the
“root” account with CTRL+D or with “exit” command.

18. Restart the “Apache2” service and start “mariadb” service:

$ sudo systemctl stop apache2

$ sudo systemctl start apache2

$ netstat -tulpn (you should see a listening service on the 80 port number)

$ sudo systemctl start mariadb

$ netstat -tulpn (you should see a listening service on the 3306 port number)

19. We need to connect to the “Mariadb” server in order to create the database needed by
the DVWA application. However, the Mariadb root’s password isn’t known. So we need to
reset it (it’s a bit tricky, so we won’t reset it. Instead, we will reinstall mariadb):

- Stop the MariaDB service if running:

$ sudo systemctl stop mariadb

- Uninstall mariadb-server and mariadb-server-core:

$ sudo apt remove mariadb-server mariadb-server-core

- Check if there are still any mariadb processes running or listening on port 3306:

$ ps ax | grep mariadb

If found, KILL’EM ALL:

$ kill -9 PID (PID is the process id returned by the previous ps ax command)

THIS IS SPARTA! WAHOU!

$ netstat -tulpn | grep 3306

(at this level, you should find nothing. Otherwise, do what any newbie does: reboot)

- Install mariadb-server and mariadb-server-core:

$ sudo apt install mariadb-server mariadb-server-core

- Then, we will run the mysql_secure_installation script (answer Y or N to every
question like in the following images):

- At this step, you need to set MariaDB’s root password (use root123* as a password):

- Now, we’re all set! Let’s try to connect to our MariaDB server:

$ sudo systemctl status mariadb (check if it’s running, else start it)
$ mysql -u root -p (press ENTER then type the password and pray)

- If connected, you should see a prompt like this: MariaDB [(none)]>

- Let’s create the database and its user for our vulnerable application:

MariaDB [(none)]> CREATE DATABASE dvwa;
MariaDB [(none)]> GRANT ALL ON dvwa.* TO dvwa@localhost IDENTIFIED BY 'coolpassword123';
MariaDB [(none)]> FLUSH PRIVILEGES;

Then CTRL+D to exit MariaDB

20. Now, we will start our application. Open the web browser and type in the address bar:
http://127.0.0.1/DVWA-master

21. Log into the application. The default username is “admin” and password is “password”

22. The next page will show some problem to fix regarding the application and the database.

23. Next, we will set some permissions on the paths (you might have different paths from
the image) as shown in the previous image. As root:

# chmod 777 /var/www/html/DVWA-master/hackable/uploads

# chmod 777 /var/www/html/DVWA-master/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt

# chmod 777 /var/www/html/DVWA-master/config

24. Next, we will edit the php.ini file located in /etc/php/[VERSION]/apache2 directory (in
my case, I have the 8.1 version of PHP)

# nano /etc/php/8.1/apache2/php.ini

Add the following lines at the end of the file

allow_url_fopen = On
allow_url_include = On

25. Refresh the web page and notice that the paths whose permissions we changed, which
showed “No” in red before, now show “Yes” in green.

26. Restart the Apache Web service then refresh the Web page again:

$ sudo systemctl restart apache2

27. Finally, click on the create/reset database button. And we’re all set!
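A readiness check for the end state that steps 18 to 27 describe, added here as an example and not taken from the handout or from DVWA itself. It parses `netstat -tulpn` output for the two listening ports (80 and 3306), reads the two php.ini directives from step 24 (skipping commented lines and keeping the last assignment, which is why appending at the end of the file is enough), and tests whether the step-23 paths are world-writable. The netstat text, the php.ini fragment and the directory layout are constructed samples built inside the script; nothing is read from a live machine, and the PIDs and process names in the sample are made up.

```python
"""Lab readiness audit for the DVWA setup in this handout (added example).

Checks the three things the handout has you verify by eye: the ports listed
by `netstat -tulpn` (steps 18-19), the php.ini directives appended in step 24
and the world-writable paths from step 23. All inputs are constructed samples.
"""
import os
import re
import stat
import tempfile

# Ports the lab expects to see listening after steps 18-19.
EXPECTED_PORTS = {80: "apache2", 3306: "mariadb"}

# Directives step 24 appends to php.ini. Both are deliberately weak settings
# that the file-inclusion exercises rely on; a production server wants Off.
EXPECTED_DIRECTIVES = {"allow_url_fopen": "On", "allow_url_include": "On"}

# Constructed sample of `netstat -tulpn` output (PIDs and names are made up).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd: /usr/sbin
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1208/mariadbd
tcp6       0      0 :::80                   :::*                    LISTEN      1044/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
"""

# Constructed php.ini fragment: a commented line, the stock default, then the
# two lines step 24 appends. PHP keeps the last assignment of a directive.
SAMPLE_PHP_INI = """\
; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = Off
allow_url_fopen = On
allow_url_include = On
"""


def listening_ports(netstat_output):
    """Port numbers with a listener, parsed from `netstat -tulpn` text."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State] PID/Program
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        # TCP sockets must be in LISTEN state; UDP lines have no state column.
        if fields[0].startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        port = fields[3].rsplit(":", 1)[-1]  # handles 0.0.0.0:80 and :::80 alike
        if port.isdigit():
            ports.add(int(port))
    return ports


def php_directives(ini_text):
    """Effective value of each expected directive, or None if never set."""
    found = {name: None for name in EXPECTED_DIRECTIVES}
    assignment = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(\S+)")
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):  # commented-out directive
            continue
        m = assignment.match(line)
        if m and m.group(1) in found:
            found[m.group(1)] = m.group(2)  # last assignment wins
    return found


def world_writable(path):
    """True when 'others' may write to path, which is what chmod 777 grants."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit(netstat_output, ini_text, paths):
    """Report what still differs from the end state the handout describes."""
    ports = listening_ports(netstat_output)
    directives = php_directives(ini_text)
    return {
        "ports_missing": [f"{p}/{EXPECTED_PORTS[p]}" for p in sorted(EXPECTED_PORTS) if p not in ports],
        "directives_wrong": sorted(name for name, want in EXPECTED_DIRECTIVES.items()
                                   if (directives.get(name) or "").lower() != want.lower()),
        "paths_not_writable": sorted(p for p in paths if not world_writable(p)),
    }


def demo():
    """Run the audit on constructed inputs, with one step-23 chmod 'forgotten'."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "hackable", "uploads")
        config = os.path.join(root, "config")
        os.makedirs(uploads)
        os.makedirs(config)
        os.chmod(uploads, 0o777)  # step 23 done for this path
        os.chmod(config, 0o755)   # step 23 skipped here: the audit should flag it
        report = audit(SAMPLE_NETSTAT, SAMPLE_PHP_INI, [uploads, config])
        # Strip the temporary prefix so the report reads like the handout's paths.
        report["paths_not_writable"] = [os.path.relpath(p, root) for p in report["paths_not_writable"]]
        return report


if __name__ == "__main__":
    for key, problems in demo().items():
        print(f"{key}: {problems or 'ok'}")
```

On the lab VM, the same `audit()` can be fed the real `sudo netstat -tulpn` output, the contents of `/etc/php/[VERSION]/apache2/php.ini` and the three paths from step 23; an empty report means the setup page should show every check in green.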
