Tuesday, April 4, 2017

Configure your web application pentesting lab

In the previous tutorial, we set up our web application pentesting lab. However, it's far from ready, and we need to make some changes to get it working as per our needs. Here's the link to the previous post if you didn't follow that-

Set up your web app pentesting lab

Contents

  1. Fixing the problems
  2. Changing credentials
  3. Adding recaptcha key
  4. Enabling disabled stuff
  5. Installing missing stuff
  6. Giving write privileges

Fixing problems

If you remember from previous post, we reached this point-

There's some stuff in red color
All the stuff in red needs fixing. If you are lucky, we have the same set of issues which need fixing. Otherwise, you'll have to do some googling to find out how to fix problems which you are facing and I am not.

Changing mysql username and password

The default credentials are 'root' and 'p@ssw0rd' in the config.inc.php file. We change it to the correct mysql login credentials, 'root' and '', in my case. You can change depending on your mysql credentials. This gets rid of our biggest worry - Unable to connect to database!

This is the biggest problem. Solving this means we can create our database, some modules may not work
perfectly, but DVWA will run. Without fixing this, we won't even be able to start.
To fix this, open /opt/lamp/htdocs/DVWA-master/config/config.inc.php file in your favorite text editor.



This password isn't the password of our mysql database. In my case, password is nothing, i.e. two single quotes (i.e. '').
Update the value here. In case your mysql password is something else, use that. Change
the username too is need be.
This is the corrected password value in my case. After this, refresh the page and click "Create/Reset database"

Now everything works fine after you click Create/Reset database.

Now we'll fix the other remaining issues.

Fixing missing recaptcha key


Firstly, we need to solve the recaptcha key missing problem. Go to this URL-
Go to the URL, you'll see a form like this

Fill form, values don't matter much
You obtain site key and secret key. Site key = Private key, secret key = private key
Open the config.ini.php file in your favourite text editor
Edit the recaptcha public key and private key fields. Here is what I did.

Now we have a a recaptcha key. One red down, 3 to go.

Fixing disabled allow_url_include 

We simply have to locate the configuration file and edit the value of the parameter from Off to On.

The php configuration file is located at /opt/lampp/etc/php.ini
Edit it with your favourite text editor, you'll need root privileges (sudo)
Locate the allow_url_include line by using search feature of your text editor

Change Off to On 
Restart the lampp service



Reload page, you'll see that the issue is fixed

Note: Any other function which is disabled can be enabled in a similar manner. All settings are in the php.ini file. You just need to search for the corresponding line and edit it.



Fixing missing modules

If a module is shown as missing , then we need to install it. In my case, everything is installed. Most likely, since you are also using XAMPP, everything would be installed. However, if that is not the case, then you have to figure out how to install the modules. If you aren't using XAMPP and did everything manually, then apt-get would be the way to go. Otherwise look at XAMPP's (or whichever bundle you are using) documentation.

Fixing File Ownership

We need to give www-data user write access to two directories. We'll can use chgrp and chmod commands in unison to give only the privileges that are needed, or we could go the lazy way and use chmod 777 (full read, write and execute privileges to everyone). I'm feeling lazy and I'm just gonna go the chmod way. Run the command below-

chmod 777 <directory>

Replace directory with the correct directory.
This is the last thing that needs to be done

Everything is green finally! Also, notice the credentials, we'll need it later.
"admin // password"
Database created. Populated with tables. 
Finally the damn vulnerable application is running.
The username = "admin" and password is "password" ("admin // password" that we saw three pics ago).
Everything is running perfectly. This is the page you should see after successful login.

I'll leave you at the welcome page of DVWA. In the next tutorial, we'll begin proper exploitation of the intentional vulnerabilities, moving from trivial stuff to the really hard stuff. The first two tutorials complete the installation and configuration parts.

10 comments:

  1. Thanks for this configiration
    It helps me a lot

    ReplyDelete
    Replies
    1. ⚡️✅MEET THE REAL HACKERS✅⚡️

      I Always Feel Bad Whenever we receive complaints from Clients About The Hackers They Met Before They Heard about us.
      These Days There Are alot of Hackers Online, You Just Have to Be Careful about who you meet for help, because many people now don't know who to ask for help anymore but there's really an actual solution to that which I am giving you for free, Don't go for the cheap Ones which I know you understand what I'm saying like hackers using gmail and other cheaper email accounts ⚠️🚷 that could be easily hacked you know, why would a REAL HACKER want to use something that brings out his vulnerabilities? ❌❌ ❌ it's really so sad that they even lack creativity to the extent that they show their frustrations to people. so you see they are really not who they say they're, they are just here to Rip people Off You Can Always Identify Them With Their False Write Ups and False Testimonies Trying To Lure you Into their Arms.❌❌❌ and my advice really goes out to you looking for a Real Hacker that's a heads up so that you would fall deep into their trap no more.🚷⚠️⚠️⚠️

      ✅COMPOSITE HACKS is here to Provide you with The Best Hackers, So you can get saved from The Arms of the Fake Hackers❌❌

      ✅We have Legit Hackers and Private investigators at your service. 💻 Every member of our team is well experienced in their various niches with Great Skills, Technical Hacking Strategies And Positive Online Reviews And Recommendations💻🛠

      ✅We have Digital Forensic Specialists, Certified Ethical Hackers, Computer Engineers, Cyber Security Experts, Private investigators and more on our team. Our Goal is to make your digital life secure, safe and hassle-free.
      Some Of The Services we render includes:
      * Website hacking 💻
      * Facebook and social media hacking 📲
      * Database hacking, & Blog Cleaning🛠
      * Phone and Gadget Hacking 📲
      • CREDIT CARD Loading ( Strictly USA & UK Credit Cards Only) 💳
      * Clearing Of Criminal Records ❌
      * RECOVERY OF LOST FUNDS ON BINARY OPTIONS money 💰
      * Location Tracking 📲
      and many More

      ✅We have a team of seasoned PROFESSIONALS under various skillsets when it comes to online hacking services. Our company in fact houses a separate group of specialists who are productively focussed and established authorities in different platforms. They hail from a proven track record Called “HackerOne” and have cracked even the toughest of barriers to intrude and capture or recapture all relevant data needed by our Clients. Some Of These Specialist Includes ⭐️ PETER YAWORSKI ⭐️FRANS ROSEN⭐️ JACK CABLE ⭐️JOBERT ABMA⭐️ ARNE SWINNEN ⭐️And More. All you Need To do is To Write us a Mail Then We’ll Assigned any of These Hackers To You Instantly.

      Feel Free To Mail Us Anytime

      ✅CONTACT:
      * Email:
      compositehacks@cyberservices.com
      * Wickr: compositehacks


      ★CONTACT US AND GET YOUR PROBLEMS SOLVED IN THE TWINKLING OF AN EYE

      Delete
  2. check out this
    www.junaidmugloo.blogspot.com

    ReplyDelete
  3. I never knew it was possible until a friend of my who is studying computer science in Massachusetts Institute of Technology told me about these Chinese computer geniuses he knew Soft tech geeks. They helped me clone a credit card to my dad's account and now I can spend Dad's money without him knowing. Contact them for any tech job you need. softtechgeeks@gmail.com

    ReplyDelete
    Replies
    1. خخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخخ

      Delete
  4. ⚡️✅MEET THE REAL HACKERS✅⚡️

    I Always Feel Bad Whenever we receive complaints from Clients About The Hackers They Met Before They Heard about us.
    These Days There Are alot of Hackers Online, You Just Have to Be Careful about who you meet for help, because many people now don't know who to ask for help anymore but there's really an actual solution to that which I am giving you for free, Don't go for the cheap Ones which I know you understand what I'm saying like hackers using gmail and other cheaper email accounts ⚠️🚷 that could be easily hacked you know, why would a REAL HACKER want to use something that brings out his vulnerabilities? ❌❌ ❌ it's really so sad that they even lack creativity to the extent that they show their frustrations to people. so you see they are really not who they say they're, they are just here to Rip people Off You Can Always Identify Them With Their False Write Ups and False Testimonies Trying To Lure you Into their Arms.❌❌❌ and my advice really goes out to you looking for a Real Hacker that's a heads up so that you would fall deep into their trap no more.🚷⚠️⚠️⚠️

    ✅COMPOSITE HACKS is here to Provide you with The Best Hackers, So you can get saved from The Arms of the Fake Hackers❌❌

    ✅We have Legit Hackers and Private investigators at your service. 💻 Every member of our team is well experienced in their various niches with Great Skills, Technical Hacking Strategies And Positive Online Reviews And Recommendations💻🛠

    ✅We have Digital Forensic Specialists, Certified Ethical Hackers, Computer Engineers, Cyber Security Experts, Private investigators and more on our team. Our Goal is to make your digital life secure, safe and hassle-free.
    Some Of The Services we render includes:
    * Website hacking 💻
    * Facebook and social media hacking 📲
    * Database hacking, & Blog Cleaning🛠
    * Phone and Gadget Hacking 📲
    • CREDIT CARD Loading ( Strictly USA & UK Credit Cards Only) 💳
    * Clearing Of Criminal Records ❌
    * RECOVERY OF LOST FUNDS ON BINARY OPTIONS money 💰
    * Location Tracking 📲
    and many More

    ✅We have a team of seasoned PROFESSIONALS under various skillsets when it comes to online hacking services. Our company in fact houses a separate group of specialists who are productively focussed and established authorities in different platforms. They hail from a proven track record Called “HackerOne” and have cracked even the toughest of barriers to intrude and capture or recapture all relevant data needed by our Clients. Some Of These Specialist Includes ⭐️ PETER YAWORSKI ⭐️FRANS ROSEN⭐️ JACK CABLE ⭐️JOBERT ABMA⭐️ ARNE SWINNEN ⭐️And More. All you Need To do is To Write us a Mail Then We’ll Assigned any of These Hackers To You Instantly.

    Feel Free To Mail Us Anytime

    ✅CONTACT:
    * Email:
    compositehacks@cyberservices.com
    * Wickr: compositehacks


    ★CONTACT US AND GET YOUR PROBLEMS SOLVED IN THE TWINKLING OF AN EYE

    ReplyDelete
  5. i usually don't do this but this is me keeping to my word ,testifying to the good works of the hack group QUADHACKED @ G M A I L . C O M . they helped me fix my credit . i had history of late payment, had repossessions, inquiries and few collections i acquired on my downtime while i was struggling. this affected my finances so bad i had blemishing lurking on my report for years . i started tackling each one buy one, and on one occasion i paid $5000 once in clearing a debt and even pay advances for some. this didn't move my score to any reasonable significance, as i proposed and needed . i was seeking a mortgage loan and needed over a +100 units in credit score increase .then i met this hacker QUADHACKED@GMAIL.COM . He helped me dispute some, successfully replace them with good trade-lines that had positive effect on my credit score in just week .I was left amazed, i promised i will share on few blogs if he could help me with this . of course he did and helped several others i recommended to him. hence i'm sharing his contact email address which you can send a message of the credit repair services you're seeking and other related ethical hack jobs.
    contact email
    Q U A D H A C K E D _at_ G MA I L . COM

    ReplyDelete
  6. I know a professional hacker named ethicalhackers009@gmail.com who has worked for me this week. He offers very

    legitimate services such as clearing of bad records online without being traced back to you, He clone/hack mobile

    phones, hack Facebook account, instagram, WhatsApp, emails, Twitter, bank accounts, Skype, FIXES CREDIT REPORTs,

    track calls. He also help retrieve accounts that have been taking by hackers. His charges are affordable, reliable

    and 100% safe. For his job well done this is my own way to show appreciation, Contact him via address below...
    Email...ethicalhackers009@gmail. com

    ReplyDelete
  7. Am really happy with anonymousmaskhat@gmail. com honestly is all like a dream come through. since last year i have been having a very poor Credit score though i have been seeing so many reviews about getting credit scores fixed but i felt it was not possible until i contacted anonymousmaskhat@gmail. com for credit score fixing. this hacker really surprised me and am so happy my poor credit have been perfected. thanks once again anonymousmaskhat@gmail. com 

    ReplyDelete

© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.
Bitcoin: 1B5aLqJcMW7zznffTxQwta8JTZsxBDPguC