Inspiration
I would like to organise a hands-on workshop demonstrating several tools that help you discover and exploit common web application vulnerabilities.
What it does
Thinking and acting like a hacker for just a single day will help you later on with defensive programming.
How I built it
There will be 3 parts. In the first part we target a vulnerable application, Mutillidae 2.0, with tools available in Kali Linux. This application contains enough challenges to explain, discover and exploit basic web application vulnerabilities. In the second part we'll chain several attacks on another vulnerable application to compromise an administrative user, retrieve access and exploit an injection vulnerability to load executable content in order to pwn the server. The third part is hacking for b33r: your mission is to discover as many clues as possible in a remote application using the lessons learned in the previous two parts.
Challenges I ran into
Making it as interactive and practical as possible.
Requirements
No specific skills are required to attend the workshop. You only need to prepare your laptop with VirtualBox, Kali Linux and Mutillidae before attending. See the installation instructions below.
Schedule
The schedule for this workshop is Friday March 18 from 9h00 till 16h00. Be there and hack for b33r!
What's next for Hacking for b33r
Cheers!
Installation instructions
- Download and install VirtualBox for your host from https://www.virtualbox.org/
- Download the Kali Linux 64 bit VBox image from https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/
- Unzip the file, run VirtualBox and import the Kali-Linux-2.x.x-vbox-amd64.ova via File > Import Appliance. You may keep the default settings.
- Before launching the Kali Linux VM, enable a second network adapter. Make sure the first adapter is configured as NAT and the second as host-only. Start the Kali Linux VM.
- Open a terminal in Kali Linux and check your network adapters with ifconfig -a. You should have an eth0 and an eth1 adapter, one with a 10.0.2.1x address (NAT) and one with a 192.168.56.10x address (host-only). If an adapter does not show an IP address, release it with dhclient -v -r ethx and enable it with dhclient -v ethx. Note: you will need the host-only adapter for the second and third part of the workshop.
- Download Mutillidae from https://sourceforge.net/projects/mutillidae/, unzip it and move it to /var/www/html/
- Change the permissions of the mutillidae directory with chmod -R 0777 /var/www/html/mutillidae
- Update the package index and install php5-curl with apt-get update && apt-get install php5-curl
- Start Apache with service apache2 start. Start MySQL with service mysql start.
- Open a browser session (Iceweasel). You can access Mutillidae on http://localhost/mutillidae/ and create/reset the database from the application.
- In about:addons search for and install FoxyProxy Standard and Cookies Manager+
- When closing the Kali Linux VM, save the machine state to keep your changes.
Optional: Create a folder on your host to share information with the Kali Linux VM. In VirtualBox click on Shared Folders and add the shared folder. You can mount this shared folder in Kali Linux with mount -t vboxsf sharedfoldername mountpoint
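As an added example (not part of the original page or the workshop material), a small POSIX sh pre-flight script for the adapter check in the steps above; it assumes iproute2's `ip` and `dhclient` are available in the Kali guest and that the NAT and host-only adapters use the 10.0.2.x and 192.168.56.x ranges mentioned above.

```shell
#!/bin/sh
# Pre-flight check for the workshop VM (added example; assumes iproute2 `ip` and
# `dhclient` in the Kali guest). Verifies one NAT adapter (10.0.2.x) and one
# host-only adapter (192.168.56.x), renewing DHCP on adapters without an address.

# Map an IPv4 address to the VirtualBox network it belongs to.
classify_addr() {
    case "$1" in
        10.0.2.*)     echo nat ;;
        192.168.56.*) echo host-only ;;
        *)            echo unknown ;;
    esac
}

# Read "iface addr" lines on stdin ("-" when no address) and print "iface role".
classify_all() {
    while read -r iface addr; do
        [ -n "$iface" ] || continue
        if [ "$addr" = "-" ]; then
            echo "$iface no-address"
        else
            echo "$iface $(classify_addr "$addr")"
        fi
    done
}

# Emit "iface addr" for every eth* adapter, using "-" when it has no IPv4 address.
list_adapters() {
    for iface in $(ip -o link show | awk -F': ' '/ eth[0-9]+:/ {print $2}'); do
        addr=$(ip -o -4 addr show dev "$iface" | awk '{print $4}' | cut -d/ -f1 | head -n1)
        echo "$iface ${addr:--}"
    done
}

# Consume "iface addr" lines; renew DHCP where the address is missing (the
# dhclient -r / dhclient sequence from the instructions) and return 0 only when
# both a NAT and a host-only adapter are present.
check_adapters() {
    roles=$(classify_all)
    echo "$roles" | awk '$2 == "no-address" {print $1}' | while read -r iface; do
        echo "no address on $iface, renewing DHCP lease" >&2
        dhclient -v -r "$iface" && dhclient -v "$iface"
    done
    echo "$roles" | grep -q ' nat$' && echo "$roles" | grep -q ' host-only$'
}

# Run the live check only when invoked with --run, e.g.: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    list_adapters | check_adapters && echo "adapters OK" || echo "adapter check FAILED"
fi
```

Run it with --run inside the VM after starting it; the functions can also be sourced and fed constructed "iface addr" lines to try the classification without touching the network.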