Posts

Showing posts from September, 2018

Damn Vulnerable Web Application (DVWA) - File Inclusion and WebShells

today we are going to have some fun understanding the full potential of File Inclusion attacks.

my goals for today

1. a few words, Disclaimer, Lab, and links.
2. Web Shells intro with DVWA
3. How to complete the File Inclusion challenge in the new DVWA
4. Metasploit



1. a few words, Disclaimer, Lab, and links.


DISCLAIMER - if you do what i teach you today you WILL go to jail. so dont do this outside of your lab.

Setting up the lab -
For a hacking lab download either VirtualBox or VMWare, or, if you own win10pro, you have Hyper-V. With those you can create virtual machines, and you will need 2 today, one with DVWA, and another as the attacker, which for ease better be kali, download machines from osboxes.

For DVWA you can either download Metasploitable 2 or set up dvwa in some machine.
In my case i just turned them both on an internal network, so they can see each other but no internet (might need to set up DHCP if you dont have any ip).

For basic help about solving dvwa's file inclu…

Damn Vulnerable Web Application (DVWA) - installation 2018

for anyone trying today to install DVWA, thing changed a little, took me a while to get it working, so here it is:

IMPORTANT - su if you are not root user (i.e. not kali)

1. download the latest version 

to get it working with MariaDB and PHP v7.x

wget https://github.com/ethicalhack3r/DVWA/archive/master.zip && unzip master.zip

unzip under /var/www/html, rename folder to dvwa


2. config file

cd /var/www/html/dvwa/config
cp config.inc.php.dist config.inc.php
gedit config.inc.php

create captcha keys
https://www.google.com/recaptcha/intro/index.html
and set in $_DVWA[ 'recaptcha_public/private_key' ]

start at low difficulty

$_DVWA[ 'default_security_level' ] = 'low';

you need to clean cookies if the dvwa was running

3. set user in MariaDB

sudo service mysql start
mysql -u root -p

db commands...

mysql > create database dvwa;
mysql > CREATE USER dvwa@localhost IDENTIFIED BY 'p@ssw0rd';
mysql > grant all on dvwa.* to dvwa@localhost;
mysql > flush privilege…

Real Hacking Challenge - victim behind ssh

Image
the challenge is like this, i have the attacker machine (A), which connect with ssh client to another machine (B), which run ssh server (daaa...), these 2 are connected to the internet, but (B) is also connected to an internal network, and there there is a WIN10 machine (C), NOT connected to the internet but to (B) as said.

we will use the help of ssh, ShellTer to try also do it with windows defender on.

to succeed we will try to do this from bottom to top.

*DISCLAIMER - all this is illegal, and you may only do it at your lab, if you hack really you will go to jail.

*BIG NOTE : sometimes stuff just dont work, restarting (not power off) the machines, and the services refreshes stuff and then they work.


PLAN

1. prepare lab
2. test exploit on xp
3. test 3 machines ssh with 3 linux
4. exploit xp via ssh
5. exploit win10
6. test ssh with win 10
7. exploit win10 via ssh





1. preparing lab

using VBox (doesnt matter) i will create 4 machines, an arbitrary linux for ssh server, winXP for testings,…