Single
single series all timeline

Not too tired after BSides London? Still want to solve challenges? Here is the VM I told about during my talk where you'll have to practice some of your skills to retrieve the precious flag located here: /root/flag.txt. This VM is an entry-level boot2root and is web based.

This VM is the first of a series which I'm currently creating where there will be links between all of them. Basically, each machine in the series will rely/depend on each other, so keep the flags for the next VMs.

This has been tested on VirtualBox and gets its IP from the DHCP server. Moreover, if you find yourself bruteforcing, you're doing something wrong. It is not needed and it wasn't designed to be done this way. Instead, focus on exploiting web bugs!

If you have any questions, feel free to ask me on Twitter @PaulWebSec or throw me a mail: paulwebsec(at)gmail(dot)com

more...
SecOS: 1
12 May 2014
 by 
PaulSec
ellipsis

We've packaged 10 real world applications into an Ubuntu Desktop based ISO. These applications are vulnerable to command injection attacks which you will need to find and exploit. Please note that not all applications are on port 80 :)

All the best!

more...
Command Injection ISO: 1
7 Apr 2014
 by 
Pentester Academy
ellipsis

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

What?

Various web application security testing tools and vulnerable web applications were added to a clean install of Ubuntu v10.04.2, which is patched with the appropriate updates and VM additions for easy use.

Why?

The Web Security Dojo is for learning and practicing web app security testing techniques. It is ideal for self-teaching and skill assessment, as well as training classes and conferences since it does not need a network connection. The Dojo contains everything needed to get started – tools, targets, and documentation.

Where?

Download Web Security Dojo from http://sourceforge.net/projects/websecuritydojo/files/ .

How?

To install Dojo you first install and run VirtualBox 3.2 or later, then “Import Appliance” using the Dojo’s OVF file. We have PDF or YouTube for instructions for Virtualbox. As of version 1.0 a VMware version is also provided, as well as video install instructions

Who?

Sponsored by Maven Security Consulting Inc (performing web app security testing & training since 1996). Also, could be you! Web Security Dojo is an open source and fully transparent project, with public build scripts and bug trackers on Sourceforge .

More?

Look for Dojo videos on our YouTube channel at http://www.youtube.com/user/MavenSecurity Hack your way to fame and glory 1 with our security challenges posted at Reddit (http://www.reddit.com/r/WebSecChallenges/). [1. Fame and glory not included; void where prohibited by law]

more...
Web Security Dojo: 2
26 Jul 2012
 by 
Maven Security
ellipsis

Vulnerable VM with some focus on NoSQL

This vulnerable VM is meant to act as a practice virtual machine for security researchers to start looking at identifying and exploiting vulnerabilities in NoSQL, PHP and the underlying OS (Debian).

more...
No Exploiting Me: 1
2 Sep 2013
 by 
bwall
ellipsis

Infernal: Hades v1.0.1.

Hades is a new boot2root challenge pitched at the advanced hobbyist. Solving this challenge will require skills in reverse engineering, sploit development and sound computer architecture understanding. If you've never heard of an opaque predicate, you're going to have a hard time of it!

I strongly suggest you don't start this the week before exams, important meetings, deadlines of any sort, marriages, etc.

The aim of this challenge is for you to incrementally increase your access to the box until you can escalate to root. The /root/flag.txt contains, amongst other things, a public PGP key which you can use to demonstrate victory - the private key has been given to the VulnHub.com admins.

Enjoy, Lok_Sigma

Notes

  1. I have verified this challenge is completable using 'Kali 3.7-trunk-686-pae' (Kali Linux 1.0.5 x86) as my attack platform with VMware Fusion 5.
  2. It's meant to be hard.
  3. EDB is your friend.
  4. Hades will get an IP address by DHCP.

Disclaimer

By using this virtual machine, you agree that in no event will I be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of or in connection with the use of this software. If something bad happens, it's not my fault. Use at your own risk!

more...
The Infernal: Hades (v1.0.1)
9 Jun 2014
 by 
Lok_Sigma
ellipsis 
----------------
bee-box - README
----------------

bee-box is a custom Linux VM pre-installed with bWAPP.

With bee-box you have the opportunity to explore all bWAPP vulnerabilities!
bee-box gives you several ways to hack and deface the bWAPP website.
It's even possible to hack the bee-box to get root access...

This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. 
IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC GAMES and bWAPP projects on our blog.

We offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location!
More info: http://goo.gl/ASuPa1 (pdf)

Enjoy!

Cheers

Malik Mesellem
Twitter: @MME_IT

-----------------------
bee-box - Release notes
-----------------------

v1.6
****

Release date: 2/11/2014

bWAPP version: 2.2

New features:

- Vulnerable Drupal installation (Drupageddon)

Bug fixes: /

Modifications: /


v1.5
****

Release date: 27/09/2014

bWAPP version: 2.1

New features:

- CGI support (Shellshock ready)

Bug fixes: /

Modifications: /


v1.4
****

Release date: 12/05/2014

bWAPP version: 2.0

New features:

- Lighttpd web server installed, running on port TCP/9080 and TCP/9443
- PHP SQLite module installed
- SQLiteManager 1.2.4 installed
- Vulnerable bWAPP movie network service (BOF)

Bug fixes: /

Modifications: /


v1.3
****

Release date: 19/04/2014

bWAPP version: 1.9+

New features:

- Nginx web server installed, running on port TCP/8080 and TCP/8443
- Nginx web server configured with a vulnerable OpenSSL version (heartbleed vulnerability)
- Insecure distcc (a fast, free distributed C/C++ compiler)
- Insecure NTP configuration
- Insecure SNMP configuration
- Insecure VNC configuration

Bug fixes:

- bWAPP update script checks for Internet connectivity

Modifications: /


v1.2
****

Release date: 22/12/2013

bWAPP version: 1.8

New features:

- Apache modules enabled: rewrite, include, headers, dav, action
- Apache server-status directive enabled
- Insecure anonymous FTP configuration
- Insecure WebDAV configuration
- Server-Side Includes configuration
- Vulnerable PHP CGI configuration

Bug fixes: /

Modifications:

- MySQL listening on 0.0.0.0
- New bWAPP update script


v1.1
****

Release date: 12/09/2013

bWAPP version: 1.5

New features:

- bWAPP update script

Bug fixes: /

Modifications: /


v1.0
****

Release date: 15/07/2013

bWAPP version: 1.4

New features: /

Bug fixes: /

Modifications: /

-----------------
bee-box - INSTALL
-----------------

bee-box is a custom Linux VM pre-installed with bWAPP.

With bee-box you have the opportunity to explore all bWAPP vulnerabilities!
bee-box gives you several ways to hack and deface the bWAPP website.
It's even possible to hack the bee-box to get root access...


Requirements
////////////

*/ Windows, Linux or Mac OS
*/ VMware Player, Workstation, Fusion or Oracle VirtualBox


Installation steps
//////////////////

No! I will not explain how to install VMware or VirtualBox...

*/ Extract the compressed file.

*/ Double click on the VM configuration file (bee-box.vmx), or import the VM into the VMware software.

*/ Start the VM. It will login automatically.

*/ Check the IP address of the VM.

*/ Go to the bWAPP login page. If you browse the bWAPP root directory you will be redirected.

    example: http://[IP]/bWAPP/
    example: http://[IP]/bWAPP/login.php

*/ Login with the default bWAPP credentials, or make a new user.

    default credentials: bee/bug

*/ You are ready to explore and exploit the bee!


Notes
/////

*/ Linux credentials:

    bee/bug
    root/bug

*/ MySQL credentials:

    root/bug

*/ Modify the Postfix settings (relayhost,...) to your environment.

    config file: /etc/postfix/main.cf

*/ bee-box gives you several ways to deface the bWAPP website.
   It's even possible to hack the bee-box to get root access...

   Have fun!

*/ Take a snapshot of the VM before hacking the bee-box.
   There is also a backup of the bWAPP website (/var/www/bWAPP_BAK).

*/ To reinstall the bWAPP database, delete the database with phpmyadmin (http://[IP]/phpmyadmin/).
   Afterwards, browse to the following page: https://[IP]/bWAPP/install.php

*/ Don't upgrade the Linux operating system, you will lose all fun :)


This project is part of the ITSEC GAMES project. ITSEC GAMES are a fun approach to IT security education. 
IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC GAMES and bWAPP projects on our blog.

We offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location!
More info: http://goo.gl/ASuPa1 (pdf)

Enjoy!

Cheers

Malik Mesellem
Twitter: @MME_IT
more...
bWAPP: bee-box (v1.6)
2 Nov 2014
 by 
Malik Mesellem
ellipsis

Main

The Broken Web Applications (BWA) Project produces a Virtual Machine running a variety of applications with known vulnerabilities for those interested in:

  • learning about web application security
  • testing manual assessment techniques
  • testing automated tools
  • testing source code analysis tools
  • observing web attacks
  • testing WAFs and similar code technologies

all the while saving people interested in doing either learning or testing the pain of having to compile, configure, and catalog all of the things normally involved in doing this process from scratch.

Source: http://owasp.com/index.php/OWASP_Broken_Web_Applications_Project

Release notes for the Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost and commercial VMware products.

More information about the project can be found at http://www.owaspbwa.org/.

The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip Archive. BOTH FILES CONTAIN THE EXACT SAME VM! We recommend that you download the .7z archive if possible to save bandwidth (and time). 7-zip is available for Windows, Mac, Linux, and other Operating Systems.

!!! This VM has many serious security issues. We strongly recommend that you run it only on the "host only" or "NAT" network in the virtual machine settings !!!

Version 1.2 - 2015-08-03

  • Updated Mutillidae
  • Other miscellaneous, minor updates

Version 1.2rc1 - 2015-06-24

  • Updated Mutillidae and WAVSEP
  • Removed IP address restrictions on Mutillidae
  • Added script to rebuild WAVSEP
  • Added bWAPP application and script to automatically update bWAPP
  • Added OWASP Security Shepherd application and supporting scripts.
  • Likely updated other applications

Version 1.1.1 - 2013-09-27

  • Updated Mutillidae and transitioned to use its new Git repository
  • Fixed issue with Tomcat not starting in some circumstances

Version 1.1 - 2013-07-30

  • Updated Mutillidae, Cyclone, and WAVSEP
  • Updated OWASP Bricks and configured it to pull from SVN
  • Fixed ModSecurity CRS blocking and rebuilt ModSecurity to include Lua support
  • Increased VM's RAM allocation to 1Gb
  • Set Tomcat to run as root (to allow some traversal issues tested by WAVSEP)
  • Updated landing page for OWASP 1-Liner to reflect that the application is not fully functional

Version 1.1beta1 - 2013-07-10

  • Added new applications: OWASP 1-liner, OWASP RailsGoat, OWASP Bricks, SpiderLabs "Magical Code Injection Rainbow", Cyclone
  • Updated Mutillidae (name, version, and to use new SVN repository)
  • Updated DVWA to new Git repository
  • Added SSL support to web server
  • Updated ModSecurity and updated Core Rule Set to current in Git
  • Known issues:
  • ModSecurity CRS blocking does not work
  • OWASP 1-liner application appears to have functional issues (it was heavily modified to run on the VM through Apache)
  • Other new applications have not been fully tested
  • User Guide has not been updated

Version 1.0 - 2012-07-24

  • Added new application: WIVET (http://code.google.com/p/wivet/)
  • Updated WAVSEP, Mutillidae, Vicnum
  • Created new category for "Applications for Testing Tools", containing OWASP ZAP WAVE, WIVET, and WAVSEP
  • Major update to User Guide at http://code.google.com/p/owaspbwa/wiki/UserGuide. Removed some other project Wiki pages that were incorporated into User Guide.
  • More improvements to index.html

Version 1.0rc2 - 2012-07-14

  • Added new application: WAVSEP (http://code.google.com/p/wavsep/)
  • Updated WebGoat.NET, WebGoat (Java), and other applications from source repositories. Updated Mutillidae.
  • Removed links to OWASP ESAPI SwingSet (non-Interactive). That application has been deprecated and replaced by the SwingSet Interactive.
  • Changed version numbers in index.html to better indicate applications that are updated from public SVN or GIT repositories.
  • Layout improvements to index.html file (layout could still use some work).
  • Fixed bugs in Yazd (may have been present in 1.0rc1 or before)
  • Changes MySQL configuration to store database and table names as lower case (facilitates use of software written on Windows that may not strictly adhere to one case for identifiers)

Version 1.0rc1 - 2012-04-04

  • Added new applications:
  • Added OWASP WebGoat.NET (https://www.owasp.org/index.php/Category:OWASP_WebGoat.NET)
  • Added OWASP ESAPI SwingSet (https://www.owasp.org/index.php/ESAPI_Swingset)
  • Added OWASP ESAPI SwingSet Interactive (https://www.owasp.org/index.php/ESAPI_Swingset)
  • Added Jotto (from OWASP Vicnum project - http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project)
  • Updated applications: Mutillidae, WebGoat (Java), ModSecurity, ModSecurity Core Rule Set, BodgeIt, OWASP ZAP WAVE, Damn Vulnerable Web Application, WackoPicko
  • Added owaspbwa-*-rebuild.sh scripts to build and deploy applications from source (WebGoat, Yazd, CSRFGuard Test Apps, SwingSet Apps)
  • Added owaspbwa-update-*.sh scripts to automatically pull updates from source repositories (OWASP BWA only and for all applications)
  • Cleaned up installations of WebGoat and Yazd
  • Fixed issue with PHP configuration to allow Remote File Include (RFI) vulnerabilities.
  • Created User Guide at http://code.google.com/p/owaspbwa/wiki/UserGuide (not yet complete).

Version 0.94 - 2011-07-24

  • No changes from 0.94rc3.

Version 0.94rc3 - 2011-07-14

  • More fixes to hackxor applications (thanks again to Albino Wax).

Version 0.94rc2 - 2011-07-13

  • Fixes to hackxor applications (thanks to Albino Wax for fixes).

Version 0.94rc1 - 2011-07-11

  • Added a number of new applications, including Gruyere, Hackxor, WackoPicko, BodgeIt, TikiWiki, Joomla, Gallery2, WebCalendar, AWStats, and ZAP-Wave (thanks to Mike Cyr for lots of work in this area).
  • New and improved "home" page in the VM (thanks again to Mike Cyr).

Version 0.93rc1 - 2011-01-19

  • Rebuilt OrangeHRM database to fix login issue (thanks to Dave van Stein for reporting this)
  • Configured mod_proxy on Apache web server to reverse proxy applications running on Tomcat web server. Disabled direct access to Tomcat server
  • Installed ModSecurity to 2.5.13 from source (needed by Core Rule Set)
  • Configured the ModSecurity Core Rule Set. It is disabled by default, but can be enabled through the use of new shell scripts in /usr/local/bin
  • Adjusted Samba shares to follow symlinks
  • Removed some miscellaneous old / duplicate files
  • Attempted to fix phpBB issues, but was unsuccessful. That application is broken for this release and marked as such in the index.html file (thanks to Dave van Stein for reporting this issue)

Version 0.92rc2 - 2010-11-15

  • Fixed bug with MySQL databases not starting properly (thanks to Tom Neaves for reporting this)

Version 0.92rc1 - 2010-11-10

  • Developed method for tracking known issues in the applications at http://sourceforge.net/apps/trac/owaspbwa/report/1.
  • Updated base OS to Ubuntu 10.04 LTS
  • Updated DVWA to SVN version > 1.07
  • Updated Mutillidae to version 1.5
  • Updated WebGoat to SVN version > 5.3
  • Added and configured three "real" applications suggested by Matt Tesauro:
  • Added application: GetBoo version 1.04 (http://sourceforge.net/projects/getboo/files/)
  • Added application: GTD-PHP version 0.7 (http://sourceforge.net/projects/gtd-php/files/)
  • Added application: OrangeHRM version 2.4.2 (http://www.orangehrm.com/)
  • Fixed bug in DVWA database permissions that was preventing stored XSS from working (thanks to Owen Wright for reporting this)

Version 0.91rc1 - 2010-03-24

  • Updated OWASP Vicnum to version 1.4 (http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project)
  • Added application: Ghost (http://webdevelopmentsolutions.org/)
  • Added application: Peruggia version 1.2 (http://peruggia.sourceforge.net/)
  • Added application: OWASP AppSensor Demo (http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project)
  • Fixed bug where VM would sometimes not get an address from DHCP on boot
  • Fixed bug where PHP magic quotes were enabled for some applications, preventing SQL Injection
  • Changed password for some applications to match standard users named 'admin' and 'user' with the password the same as the username
  • Moved databases, applications that run on Apache web server, some configuration files, and some applications that run on Tomcat web server into SVN with symlinks to the SVN directory in the normal file system.
  • Fixed bug in where permissions on /var/www/dvwa were not set properly (thanks to Dale Castle for reporting this)

Version 0.9 - 2009-11-11

  • Initial Release
more...
OWASP Broken Web Applications Project: 1.2
3 Aug 2015
 by 
OWASP
ellipsis

GoatseLinux v1.0 pentest lab Virtual Machine

Steve Pordon

2009.06.27

Feel free to distribute this far and wide under the gnu license.

This is specifically built for VMware 6.5 compatibility.

WARNING: GoatseLinux is intentionally unsecure. It was designed as a laboratory box to practice penetration testing on. Due to the wide open nature of nearly every program installed on it, I would strongly advise against setting your VM network to anything other than "host-based," unless you enjoy your VMs being used as zombie spamboxes.

Notes:

Built on the Slax 5.0.7 distro.

Source: readme.txt

more...
GoatseLinux: 1
27 Jun 2009
 by 
neutronstar
ellipsis

During my SQL Injection learning journey I needed a vulnerable web application for practice.

I created a WebApp vulnerable to SQL Injection for my personal use, The result was an extremely vulnerable web site which I could test some SQLi techniques against MySQL.

I must confess, I am not a programmer and I have never coded in PHP before, I thought it would be a good practice to develop a PHP based site from scratch in order to learn the basic of PHP and MySQL.

exploit.co.il Vulnerable Web app designed as a learning platform to test various SQL injection Techniques and it is a fully functional web site with a content management system based on fckeditor.

I thought some of you may find it useful so i decided to share it via a SourceForge project page i created for it at :

https://sourceforge.net/projects/exploitcoilvuln

Read Me First

Please notice! this web app is extremely vulnerable to SQLi attack and its poorly coded and configured intentionally.

It is not recommended to use this WebApp as live site on the net neither set it up on your local machine with access to it from the web.

Please use it in your internal LAN only, Set it up in a virtual environment such as VMware or Virtual Box.

This is a fully functional web site with a content management system based on fckeditor.

I hope you will find this web app useful in your SQLi and web app security studies or demonstrations.

General Information

Visit the Vulnerable Web Site by browsing to its IP address

Admin interface can be found at: http://localhost/admin

Username: admin

Password: P@ssw0rd

Database Name: exploit

Database contains 8 tables:

articles authors category downloads links members news videos I have only tested the web app for SQLi, but i am sure you will find some more interesting vulnerabilities

Please try to avoid using automated tools to find the vulnerabilities and try doing it manually

Feel free to discuss this web app by visiting http://exploit.co.il and commenting on the relevant post.

You can send solutions, videos and ideas to shai[at]exploit.co.il and i will post them on my blog.

Good Luck!

Source: http://exploit.co.il/projects/vuln-web-app/

more...
Exploit KB Vulnerable Web App: 1
28 Jan 2013
 by 
Shai
ellipsis

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.

Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Source: http://www.dvwa.co.uk/

more...
Damn Vulnerable Web Application (DVWA): 1.0.7
2 Oct 2011
 by 
RandomStorm
ellipsis 
TheXero's    ____        __    __         
            / __ )____  / /_  / /_  __  __
           / __  / __ \/ __ \/ __ \/ / / /
          / /_/ / /_/ / /_/ / /_/ / /_/ / 
         /_____/\____/_.___/_.___/\__, / v.1 
                                /____/   
|---------------------------------------------------------------------|
|Objective| There is a 'flag' in the administrator's personal folder. |
|         | Find it & read the contents of the file.                  |
|---------+-----------------------------------------------------------|
|       OS| Windows XP Pro SP3 x86                                    |
|  Network| Static (Somewhere in 192.168.1.0/24)                      |
|---------------------------------------------------------------------|


--TheXero
http://www.thexero.co.uk/

p.s. The setup of this vulnerable machine uses 'AutoIT' to automate the various aspects of the installation.
If the timings during the installation are off, the setup will fail.
Try installing it again if it does fail, however if it keeps on failing - please get in touch.

Source: readme.txt

more...
Bobby: 1
7 Dec 2011
 by 
TheXero
ellipsis

Welcome to Badstore.net

Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. Our Badstore demonstration software is designed to show you common hacking techniques.

Source: http://www.badstore.net/

v1.0 – Original version for 2004 RSA Show

v1.1 – Added:

  • More supported NICs.

  • Referrer checking for Supplier Upload.

  • badstore.old in /cgi-bin/

  • Select icons added to the /icons/ directory.

v1.2 – Version presented at CSI 2004

Added:

  • Full implementation of MySQL.

  • JavaScript Redirect in index.html.

  • JavaScript validation of a couple key fields.

  • My Account services, password reset and recovery.

  • Numerous cosmetic updates.

  • 'Scanbot Killer' directory structure to detect scanners.

  • favicon.ico.

  • Reset files and databases to original state without reboot.

  • Dynamic dates and times in databases.

  • Additional attack possibilities.

Source: BadStore_Manual.pdf

more...
Badstore: 1.2.3
24 Feb 2004
 by 
Badstore
ellipsis
This website uses 'cookies' to give you the best, most relevant experience. Using this website means you're happy with this. You can find out more about the cookies used by clicking this link (or by clicking the 'Privacy Policy' link at the top of any page).