Project 1 - DVWA
During the latest FXBG Hackers meeting, a newcomer attended for the second time. He expressed an interest in cybersecurity and hacking but found himself unsure of where to start practicing. I empathized with his situation. About a year and a half ago while in college for Information Security, I yearned to work on projects that could serve as both learning experiences and impressive additions to my portfolio for potential employers. I understood the struggle of not knowing where to begin.
Reflecting on my own growth and experiences over the years, I've decided to take action. I'm committed to sharing a weekly series of project walkthroughs. These guides will not only serve as valuable educational resources for aspiring students but also as blueprints for them to roll up their sleeves and dive into practical work. By following these resources and documenting their progress, newcomers can build their own solutions and assemble a portfolio to showcase their journey in the world of hacking and cybersecurity.
If you don't already have a desktop hypervisor like VMware Workstation or VirtualBox, you'll want to download one so you can spin up virtual machines to build your labs. I use VMware Workstation Pro myself, and if you're a student I think you get a discount on a lifetime product key. I haven't used VirtualBox, but I know a lot of people speak highly of it as well.
This will be a beginner project and the subsequent walkthroughs in the future will vary in difficulty.
So, let's kick things off with a pretty straightforward project that you can jump into right away. We will set up Damn Vulnerable Web Application (DVWA) on a VM so you can practice web application penetration testing and, later, remediation of the vulnerabilities. You might be wondering, 'Why not just use Hack the Box or Try Hack Me?' Well, I actually use both of those platforms and a bunch of others for training. But here's the deal: when you build your own solution, you're gonna run into issues, and you'll have to do some digging to figure out what's going wrong. Personally, I think that's way better for learning than being handed a turn-key solution.
Download and Launch Kali VM
First we'll get a Kali VM up and running. You can download Kali from the link below:
On VMware Workstation Pro:
File > Open > Navigate to the image you downloaded > Power on virtual machine
Default credentials: u- kali p- kali
Install Apache:
Next we'll open up a terminal, run a quick update and install the apache2 web server.
sudo apt update
sudo apt-get install apache2
Install DVWA:
DVWA is a PHP application, so we need to install PHP and the required extensions on our Apache2 server.
sudo apt-get install php libapache2-mod-php php-mysql php-gd php-curl
Install MySQL Database
On the back-end, DVWA uses a database, so we're going to install MariaDB (the MySQL-compatible server) as our preferred solution.
sudo apt-get install mysql-server
sudo systemctl start mysql
sudo systemctl enable mysql
sudo mysql_secure_installation
You will be asked a few questions about authentication; answer them however you'd like to set up your database.
Now, let's move on to the exciting world of database creation. If you're new to SQL, don't worry; this is your chance to dip your toes into it. If you're reading this as a newcomer, it's likely that you're committed to learning, with a clear goal of using your newfound skills to safeguard an organization's valuable assets from both external and internal threats.
With that said, if you don't already have a basic understanding of SQL, it's time to start learning. Being able to execute fundamental database queries is a crucial skill that will greatly benefit your budding career.
Now we're going to log in and create a new database:
mysql -u root -p <enter the pw you created for your server>
Now to create the database (db):
CREATE DATABASE <your database name>;
CREATE USER '<new database username>'@'localhost' IDENTIFIED BY '<your database pw>';
GRANT ALL PRIVILEGES ON <database name>.* TO '<database username>'@'localhost';
FLUSH PRIVILEGES;
EXIT;
Clone and Install DVWA
Next we'll install git and switch to the 'html' directory so we can clone and install DVWA:
sudo apt-get install git
cd /var/www/html
sudo git clone https://github.com/ethicalhack3r/DVWA.git
Now we're going to rename the config file and add the user details and database name to it.
cd /var/www/html/DVWA/config
sudo mv config.inc.php.dist config.inc.php
nano config.inc.php
And change these settings to match the settings you added to your database:
$_DVWA[ 'db_user' ]     = '[db_user]';
$_DVWA[ 'db_password' ] = '[db_password]';
$_DVWA[ 'db_database' ] = '[db_name]';
Next we will set permissions for the web server user:
sudo chown -R www-data:www-data /var/www/html/DVWA
Lastly we will restart the server:
sudo systemctl restart apache2
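As an added example that is not part of the original article, this script automates the config step above: it copies config.inc.php.dist, rewrites the three $_DVWA database keys (escaping characters sed would otherwise interpret in the password), and reads a key back so you can verify the edit. The template lines are a constructed stand-in for the real .dist file; on the VM you would point it at /var/www/html/DVWA/config and run it with sudo.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): fill in DVWA's
# config/config.inc.php from the .dist template with the database name,
# user and password created in the MariaDB step, then read the values back.
set -eu

# Escape a value so sed treats it literally in the replacement
# ('|' is our delimiter; '&' and '\' are special in sed replacements).
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Rewrite one "$_DVWA[ 'key' ] = '...';" line, keeping the template's spacing.
set_dvwa_key() {
  local file="$1" key="$2" value
  value="$(sed_escape "$3")"
  sed -E -i "s|(_DVWA\[ '${key}' \][[:space:]]*=[[:space:]]*)'[^']*'|\1'${value}'|" "$file"
}

# render_dvwa_config TEMPLATE OUTPUT DB_NAME DB_USER DB_PASSWORD
render_dvwa_config() {
  local template="$1" out="$2" db_name="$3" db_user="$4" db_pass="$5"
  cp "$template" "$out"
  set_dvwa_key "$out" db_database "$db_name"
  set_dvwa_key "$out" db_user     "$db_user"
  set_dvwa_key "$out" db_password "$db_pass"
}

# get_dvwa_key FILE KEY: print the value currently set for KEY (verification).
get_dvwa_key() {
  sed -nE "s|.*_DVWA\[ '$2' \][[:space:]]*=[[:space:]]*'([^']*)'.*|\1|p" "$1"
}

# Constructed stand-in for the relevant lines of config.inc.php.dist
# (real installs use the file shipped in the DVWA repository).
make_sample_template() {
  cat > "$1" <<'EOF'
<?php
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'dvwa';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
EOF
}
```

config.inc.php stores the database password in clear text, so use a throwaway lab credential here and keep the DVWA VM on a host-only network.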
Now you can go to your attack VM and open https://127.0.0.1/DVWA/login.php in a browser to access DVWA. From there you will follow the instructions to finish setting it up so you can begin your web attacks.
Login with the credentials we used when we created our database.
Next, scroll down to the bottom and reset the database.
It will prompt you to log in; use the default credentials: -u admin -p password.
From here on out you can follow the instructions and begin hacking! Good luck, enjoy and take notes!
For more information about DVWA and configurations you can visit their GitHub page: