Tuesday, April 4, 2017

Configure your web application pentesting lab

In the previous tutorial, we set up our web application pentesting lab. However, it's far from ready, and we need to make some changes to get it working as per our needs. Here's the link to the previous post if you didn't follow it:

Set up your web app pentesting lab

Contents

  1. Fixing the problems
  2. Changing credentials
  3. Adding recaptcha key
  4. Enabling disabled stuff
  5. Installing missing stuff
  6. Giving write privileges

Fixing problems

If you remember from the previous post, we reached this point:

There's some stuff in red color
All the stuff in red needs fixing. If you are lucky, we have the same set of issues which need fixing. Otherwise, you'll have to do some googling to find out how to fix problems which you are facing and I am not.

Changing mysql username and password

The default credentials in the config.inc.php file are 'root' and 'p@ssw0rd'. We change them to the correct mysql login credentials, 'root' and '' in my case. You can change them depending on your mysql credentials. This gets rid of our biggest worry - Unable to connect to database!

This is the biggest problem. Solving this means we can create our database; some modules may not work perfectly, but DVWA will run. Without fixing this, we won't even be able to start.
To fix this, open the /opt/lampp/htdocs/DVWA-master/config/config.inc.php file in your favorite text editor.



This password isn't the password of our mysql database. In my case, the password is nothing, i.e. two single quotes ('').
Update the value here. In case your mysql password is something else, use that. Change the username too if need be.
This is the corrected password value in my case. After this, refresh the page and click "Create/Reset database".

Now everything works fine after you click Create/Reset database.

Now we'll fix the other remaining issues.

Fixing missing recaptcha key


Firstly, we need to solve the recaptcha key missing problem. Go to this URL-
Go to the URL, you'll see a form like this

Fill in the form; the values don't matter much.
You obtain a site key and a secret key. Site key = public key, secret key = private key.
Open the config.inc.php file in your favourite text editor.
Edit the recaptcha public key and private key fields. Here is what I did.

Now we have a recaptcha key. One red down, 3 to go.

Fixing disabled allow_url_include 

We simply have to locate the configuration file and edit the value of the parameter from Off to On.

The php configuration file is located at /opt/lampp/etc/php.ini
Edit it with your favourite text editor, you'll need root privileges (sudo)
Locate the allow_url_include line by using search feature of your text editor

Change Off to On 
Restart the lampp service



Reload page, you'll see that the issue is fixed

Note: Any other function which is disabled can be enabled in a similar manner. All settings are in the php.ini file. You just need to search for the corresponding line and edit it.
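The same edit can be scripted so that a backup is kept and the setting is easy to switch back to Off when the lab is not in use. This is an added example, not code from the original post or from XAMPP/DVWA; the function names, the script name ini_flag.sh and the sample file are assumptions made for illustration.

```bash
# Added example; the function names are hypothetical helpers, not XAMPP or DVWA tools.

# get_ini_flag FILE KEY: print the value on the active (uncommented) KEY line.
get_ini_flag() {
    awk -v k="$2" '
        $0 ~ "^[ \t]*" k "[ \t]*=" {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
        }
        END { print v }' "$1"
}

# set_ini_flag FILE KEY VALUE: rewrite only the active KEY line, keeping FILE.bak.
set_ini_flag() {
    ini=$1; key=$2; value=$3
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Lines starting with ";" are php.ini comments and are copied through untouched.
    if awk -v k="$key" -v v="$value" '
            $0 ~ "^[ \t]*" k "[ \t]*=" { print k "=" v; seen = 1; next }
            { print }
            END { exit !seen }' "$ini" > "$tmp"
    then
        cp -p "$ini" "$ini.bak" && cat "$tmp" > "$ini"   # cat keeps owner and mode
        rc=$?
    else
        echo "$key has no active line in $ini" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample standing in for the relevant lines of php.ini.
make_sample_ini() {
    f=$(mktemp) || return 1
    printf '%s\n' '[PHP]' '; allow_url_include = On  (comment line)' \
        'allow_url_fopen=On' 'allow_url_include=Off' > "$f"
    echo "$f"
}

# On the lab machine (php.ini path from the post; ini_flag.sh is a hypothetical
# file holding the functions above; lampp is XAMPP's control script):
#   sudo sh -c '. ./ini_flag.sh; set_ini_flag /opt/lampp/etc/php.ini allow_url_include On'
#   sudo /opt/lampp/lampp restart
```

Running `set_ini_flag` again with `Off` restores the default once you are done with the lab.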



Fixing missing modules

If a module is shown as missing, then we need to install it. In my case, everything is installed. Most likely, since you are also using XAMPP, everything would be installed. However, if that is not the case, then you have to figure out how to install the modules. If you aren't using XAMPP and did everything manually, then apt-get would be the way to go. Otherwise look at XAMPP's (or whichever bundle you are using) documentation.

Fixing File Ownership

We need to give the www-data user write access to two directories. We can use the chgrp and chmod commands in unison to give only the privileges that are needed, or we could go the lazy way and use chmod 777 (full read, write and execute privileges to everyone). I'm feeling lazy and I'm just gonna go the chmod 777 way. Run the command below-

chmod 777 <directory>

Replace directory with the correct directory.
This is the last thing that needs to be done
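For comparison, here is the chgrp and chmod route mentioned above, as an added example that is not part of the original post. The function names are hypothetical, the directory and group are passed as arguments (the post names the www-data user; use whichever group your web server runs as), and the demo works on a constructed temporary directory.

```bash
# Added example; function names are hypothetical, not DVWA or XAMPP tools.

# grant_group_write DIR GROUP: let GROUP write to DIR without opening it to everyone.
grant_group_write() {
    dir=$1; group=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chgrp -R "$group" "$dir" || return 1
    # g+rwX: group may read/write, and traverse directories (X only adds execute
    # where it already makes sense); o-w: drop write access for everyone else.
    chmod -R g+rwX,o-w "$dir"
}

# count_world_writable DIR: how many entries under DIR any local user may modify.
count_world_writable() {
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Demo on a constructed directory tree: start from the "lazy" 777 state,
# then tighten it and compare the number of world-writable entries.
demo_permissions() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/uploads" && : > "$d/uploads/sample.txt"
    chmod -R 777 "$d"
    before=$(count_world_writable "$d")
    # The caller's own group stands in for the web server's group here,
    # because changing to another group needs root.
    grant_group_write "$d" "$(id -gn)" || return 1
    after=$(count_world_writable "$d")
    rm -rf "$d"
    echo "$before $after"
}

# On the lab machine (run as root; <directory> as in the post):
#   grant_group_write <directory> www-data
```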

Everything is green finally! Also, notice the credentials, we'll need them later.
"admin // password"
Database created. Populated with tables. 
Finally the damn vulnerable application is running.
The username = "admin" and password is "password" ("admin // password" that we saw three pics ago).
Everything is running perfectly. This is the page you should see after successful login.

I'll leave you at the welcome page of DVWA. In the next tutorial, we'll begin proper exploitation of the intentional vulnerabilities, moving from trivial stuff to the really hard stuff. The first two tutorials complete the installation and configuration parts.

18 comments:

  1. Thanks for this configuration
    It helps me a lot


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.