Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.

Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

About

Protostar introduces the following in a friendly way:

• Network programming
• Byte order
• Handling sockets
• Stack overflows
• Format strings
• Heap overflows The above is introduced in a simple way, starting with simple memory corruption and modification, function redirection, and finally executing custom shellcode.

In order to make this as easy as possible to introduce Address Space Layout Randomisation and Non-Executable memory has been disabled.

Getting started

Once the virtual machine has booted, you are able to log in as the "user" account with the password "user" (without the quotes).

The levels to be exploited can be found in the /opt/protostar/bin directory.

For debugging the final levels, you can log in as root with password "godmode" (without the quotes)

Core files

README! The /proc/sys/kernel/core_pattern is set to /tmp/core.%s.%e.%p. This means that instead of the general ./core file you get, it will be in a different directory and different file name.

Again a long delay between VMs, but that cannot be helped. Work, family must come first. Blogs and hobbies are pushed down the list. These things aren’t as easy to make as one may think. Time and some planning must be put into these challenges, to make sure that:

1. It’s possible to get root remotely [ Edit: sorry not what I meant ]

1a. It’s possible to remotely compromise the machine

1. Stays within the target audience of this site

2. Must be “realistic” (well kinda…)

3. Should serve as a refresher for me. Be it PHP or MySQL usage etc. Stuff I haven’t done in a while.

I also had lots of troubles exporting this one. So please take the time to read my comments at the end of this post.

Keeping in the spirit of things, this challenge is a bit different than the others but remains in the realm of the easy. Repeating myself I know, but things must always be made clear: These VMs are for the beginner. It’s a place to start.

I’d would love to code some small custom application for people to exploit. But I’m an administrator not a coder. It would take too much time to learn/code such an application. Not saying I’ll never try doing one, but I wouldn’t hold my breath. If someone wants more difficult challenges, I’m sure the Inter-tubes holds them somewhere. Or you can always enroll in Offsec’s PWB course. *shameless plug

-- A few things I must say. I made this image using a new platform. Hoping everything works but I can’t test for everything. Initially the VM had troubles getting an IP on boot-up. For some reason the NIC wouldn’t go up and the machine was left with the loopback interface. I hope that I fixed the problem. Don’t be surprised if it takes a little moment for this one to boot up. It’s trying to get an IP. Be a bit patient. Someone that tested the image for me also reported the VM hung once powered on. Upon restart all was fine. Just one person reported this, so hoping it’s not a major issue. If you plan on running this on vmFusion, you may need to convert the imagine to suit your fusion version.

-- Also adding the VHD file for download, for those using Hyper-V. You guys may need to change the network adapter to “Legacy Network Adapter”. I’ve test the file and this one seems to run fine for me… If you’re having problems, or it’s not working for any reason email comms[=]kioptrix.com

Thanks to @shai_saint from www.n00bpentesting.com for the much needed testing with various VM solutions.

Thanks to Patrick from Hackfest.ca for also running the VM and reporting a few issues. And Swappage & @Tallenz for doing the same. All help is appreciated guys

So I hope you enjoy this one.

The Kioptrix Team

Configuration

The network is configured to obtain an IP address via DHCP by default. Although if you want to further configure the virtual machine you can login as user root and password toor. The apache web server is configured to run on port 8880.

Mission

The challenge includes an image hosting web service that has various design vulnerabilities. You must enumerate the various web service features and find an exploitable vulnerability in order to read system hidden files. The web application is 100% custom so do not try to search google for relative PoC exploit code.

FINAL GOAL: Reveal the hidden message for a date arrange that Bob sent to Alice.

Welcome, welcome! The time has come to select one courageous young hacker for the honor of representing District 12 in the 74th annual Hacker Games! And congratulations, for you have been selected as tribute!

Hacking games and CTF’s are a lot of fun; who doesn’t like pitting your skills against the gamemakers and having a free pass to break into things?

But watch out, as you will find out, some games are more dangerous than others. I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures.

In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game.

To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run. But vbox is free – you can download it here: https://www.virtualbox.org/wiki/Downloads

Unfortunately, I didn’t have the time to add nearly all the things I wanted to, so there are really just a few challenges, a couple of counterhacks, and about 10 memes to conquer. Depending on your skill level, you could pwn (or be pwned) in just a few minutes or in a few hours. So hack it before it hacks you!

No sponsors are necessary, so don’t light yourself on fire. Simply download the evil VM here: TheHackerGames.zip, start it, and open up http://localhost:3000/ to begin. Now, you can totally cheat since you own the VM, but see if you can beat the challenges without cheating. Then you can go ahead and cheat, which should also be fun – you’re probably comfortable with many physical access attacks involving the hard disk, but this system doesn’t use a hard disk. So enjoy and remember…

May the odds be ever in your favor!

About

Fusion is the next step from the protostar setup, and covers more advanced styles of exploitation, and covers a variety of anti-exploitation mechanisms such as: + Address Space Layout Randomisation + Position Independent Executables + Non-executable Memory + Source Code Fortification (_DFORTIFY_SOURCE=) + Stack Smashing Protection (ProPolice / SSP)

In addition to the above, there are a variety of other challenges and things to explore, such as: + Cryptographic issues + Timing attacks + Variety of network protocols (such as Protocol Buffers and Sun RPC) + At the end of Fusion, the participant will have a through understanding of exploit prevention strategies, associated weaknesses, various cryptographic weaknesses, numerous heap implementations.

Getting started

Have a look at the levels available on the side bar, and pick which ones interest you the most. If in doubt, begin at the start. You can log into the virtual machine with the username of "fusion" (without quotes), and password "godmode" (again, without quotes).

To get root for debugging purposes, do "sudo -s" with the password of "godmode".

Some folks may already be aware of Metasploitable, an intentionally vulnerable virtual machine designed for training, exploit testing, and general target practice. Unlike other vulnerable virtual machines, Metasploitable focuses on vulnerabilities at the operating system and network services layer instead of custom, vulnerable applications. I am happy to announce the release of Metasploitable 2, an even better punching bag for security tools like Metasploit, and a great way to practice exploiting vulnerabilities that you might find in a production environment.

For download links and a walkthrough of some of the vulnerabilities (and how to exploit them), please take a look at the Metasploitable 2 Exploitability Guide.

Have fun!

Name: Game Over Category: Web Pentest Learning Platform File Type: VM image/iso

Author: Jovin Lobo Mentor: Murtuja Bharmal

Download URL: http://sourceforge.net/projects/null-gameover/files

Default Credentials: [username:root / password:gameover]

Description:

Project GameOver was started with the objective of training and educating newbies about the basics of web security and educate them about the common web attacks and help them understand how they work. It is collection of various vulnerable web applications, designed for the purpose of learning web penetration testing.

GameOver has been broken down into two sections. Section 1 consists of special web applications that are designed especially to teach the basics of Web Security. This seciton will cover:

• XSS
• CSRF
• RFI & LFI
• BruteForce Authentication
• Directory/Path traversal
• Command execution
• SQL injection

Section 2 is a collection of dileberately insecure Web applications. This section provides a legal platform to test your skills and to try and exploit the vulnerabilities and sharpen your skills before you pentest live sites. We would advice newbies to try and exploit these web applications. These applications provide real life environments and will boost their confidence.

Scene 1

Your pentesting company has been hired to perform a test on a client company's internal network. Your team has scanned the network and you have been assigned one of the discovered systems. Perform a test on this system starting from the beginning of your chosen methodology and submit your report to the project manager at scenes AT 21LTR DOT com

Scope Statement

The client has defined a set of limitations for the pentest: - All tests will be restricted to the systems identified on the 192.168.2.0/24 network. - All commands run against the network and systems must be supplied in the form of script files packaged with the submission of the report - A final report indicating all identified vulnerabilities and exploits will be provided to the company's engineering department within 90 days of the start of this engagement.

Configuration

Scenario Pentest Lab Scene 1:

This LiveCD is configured with an IP address of 192.168.2.120 - no additional configuration is necessary.

During my SQL Injection learning journey I needed a vulnerable web application for practice.

I created a WebApp vulnerable to SQL Injection for my personal use, The result was an extremely vulnerable web site which I could test some SQLi techniques against MySQL.

I must confess, I am not a programmer and I have never coded in PHP before, I thought it would be a good practice to develop a PHP based site from scratch in order to learn the basic of PHP and MySQL.

exploit.co.il Vulnerable Web app designed as a learning platform to test various SQL injection Techniques and it is a fully functional web site with a content management system based on fckeditor.

I thought some of you may find it useful so i decided to share it via a SourceForge project page i created for it at :

https://sourceforge.net/projects/exploitcoilvuln

Read Me First

Please notice! this web app is extremely vulnerable to SQLi attack and its poorly coded and configured intentionally.

It is not recommended to use this WebApp as live site on the net neither set it up on your local machine with access to it from the web.

Please use it in your internal LAN only, Set it up in a virtual environment such as VMware or Virtual Box.

This is a fully functional web site with a content management system based on fckeditor.

I hope you will find this web app useful in your SQLi and web app security studies or demonstrations.

General Information

Visit the Vulnerable Web Site by browsing to its IP address

Admin interface can be found at: http://localhost/admin

Username: admin

Password: P@ssw0rd

Database Name: exploit

Database contains 8 tables:

articles authors category downloads links members news videos I have only tested the web app for SQLi, but i am sure you will find some more interesting vulnerabilities

Please try to avoid using automated tools to find the vulnerabilities and try doing it manually

Feel free to discuss this web app by visiting http://exploit.co.il and commenting on the relevant post.

You can send solutions, videos and ideas to shai[at]exploit.co.il and i will post them on my blog.

Good Luck!