Introduction
Recently, I became aware of a new CTF (Capture the Flag)-style vulnerable VM image from OWASP by +g0t Milk and +VulnHub :Updated VM! OWASP Broken Web Applications Project: v1.2 by @owaspbwa ~ https://t.co/U7pwJ95l1g— Vuln Hub (@VulnHub) August 17, 2015To say the least, I have been captivated by Capture -the- Flag hacking games since my first experience with Infosec Institute. In fact, I won bounties -- (twice) just from hacking, so that should be an incentive for any of you to try the sport!! :)
So, it turns out that Weakerthan Linux proves to be a good tool for CTF as shown in the playlist of videos I made for InfosecInstitute.com:
And another from a TopHatSec Freshly OVA Challenge were I actually get a root shell :D
Not only does CTF a great way to make some cash, but more importantly, it's a great way to practice, and learn penetration testing skills for not only web applications, but also OS and networking thanks to the capabilities of virtualization software. Once you have honed your skill, you might want to consider become an actual bounty hunter:
— Jay Turla (@shipcod3) August 18, 2015Tutorial
In this tutorial, I will be walking us through the process of using Weakerthan Linux 6 as an attacker VM (Virtual Machine) and the OWASP Broken Web Application Project VM as the victim. In the past, I have found the documentation on getting multiple VMs to communicate with each other rather confusing from many sources. This guide can be used to set up any victim guest system, and a great place to find them is at VulnHUB. To tell you the truth, I am not a fan of Oracle's VirtualBox, but most of my software/Linux user's seem to use it. My goal is to have you ready within a few short minutes of reading through, with a lab-like environment for practicing penetration testing.This tutorial may seem like tl;dr, so I tried my best to take good screenshots that we can simply read from without having to actually read the descriptions or my text for anyone who is impatient.All command line i/o will be monospace, all links will open in a new windows/tabs, and all screenshots can be clicked to view larger/full sizes.
Begin
First, grab a copy of Weakerthan Linux (current) and a copy of the OWASP BWA Project image. Extract the OWASP BWA image using any extraction tool, such as Peazip for Microsoft Windows by right clicking on it and extracting to a new folder.Setup VM Disk and CPU
Open VirtualBox and add the image by clicking on the NEW button at the top left as shown in the image below.
Next, choose a name for the image that will be displayed in Oracle's VirtualBox Management window. Choose Linux, and Debian (or Ubuntu) 32bit. This is a generic i686 32bit kernel with PAE, so we will need to set up PAE in the CPU settings later. The screenshot below shows the naming and system type to choose.
Next, choose how much RAM you want the machine to have access to. Since this is a PAE 32 bit kernel, we can choose over 4GB of RAM if we really want to. Though the web server does have Tomcat and Java installed, it actually doesn't require that much RAM. In the screenshot below, I simply chose 1GB (1024 bytes).
Finally, we need to setup the processor after clicking "Create" in the screenshot above. Right click on the machine in the VirtualBox Management window on the new VM and click "settings". Then, click on "System" and then the "Processor" tab. Make sure the "Enable PAE/NX" box is checked, as shown in the screenshot below, and now we can move on to networking.
Networking
Networking two VMs is quite simple. In my setup, I enable two network adapter devices in Weakerthan Linux, one for a virtual-host connection to the victim, and another for a NAT connection to the internet, in case I need to update any tools as I am hacking. In the victim machine, which we will setup first, I have a single connection to other virtual hosts. When we click on the "Network" item in the left side, for the OWASP BWA image, we only use a single adapter, and choose "Host-only Adapter", "Allow All" for Promiscuous Mode, and then click "OK" as shown in the screenshot below.
We are now done configuring the victim VM. Now, we need to setup Weakerthan. We can do all of the same steps, with exception to adding PAE to the CPU and selecting the ISO instead of the VM disk image. When we finally get to the "Network" item in the left side and set up the first adapter to be the "Host-only Adapter," just as we did for the OWASP BWA victim VM as shown in the screenshot below,
Next, click on the "Adapter 2" tab at the top and check the "Enable Network Adapter" box and leave it as a NAT device as shown in the screenshot below.
Now we are done setting up our environment. Start up both VMs and wait until the OWASP BWA terminal outputs IP information as shown in the screenshot below,
Since our victim OWASP BWA VM device adapter is a "Host-only Adapter" it cannot be accessed directly from machines that are not within the virtual network according to Oracle - "cannot talk to the world outside the host since they are not connected to a physical networking interface" We should, however, heed the warning stated in the VM and not leave the machine on while not in use!
in the Weakerthan Linux VM, start up the web browser from the dock icon and browse to the OWASP BWA environment as stated in the terminal window. In my case, it's "http://10.0.2.15/" as shown in the screenshot below,
NOTE: The Weakethan Linux ISO will only be able to talk to the Host machine and any other guest VMs that are within the virtual network until we "turn on" the second network adapter. The one we established as NAT in the Network section of Settings. To turn the second adapter on, open a terminal and type,
ifconfig
This will display the network devices already "turned on" or enabled.
In my case, I have "lo" and "eth0" to show all devices, add the "-a" argument to ifconfig,
ifconfig -a
My second device is shown as "eth1". This is the NAT adapter that will have access to the internet. To enable it, we can use WICd, a graphical tool, or simply do,
dhclient eth1
from the command line. We should now have a full network setup for both devices in our virtual lab environment!
Conclusion
If you come into any errors or have any suggestions or comments, I will gladly update this tutorial. Leave a comment or email me directly! Again, this is not just a game, you actually learn information security practices and penetration testing skills from CTF. Oh, and you can also win money! My next post will most likely be a new playlist of tutorial videos for hacking this VM image. I am trying to not have any duplicates of hacking particular vulnerabilities, so I will skip over a few that I have done in the previous CTF playlists.~Douglas