Having recently moved toward more web application testing, I decided the lab needed an update: adding the OWASP Broken Web Applications VM to get better at it. I’ve played with it in the past and used it for one of my first blog posts, on Shellshock (CVE-2014-6271). However, I never wrote about configuring this system or attacking it in the lab. When creating the Shellshock blog post I had to modify some of the OWASP BWA configuration to make it vulnerable to attack. In this post we’ll just download it and configure it to boot, which is all that’s needed to get started. A word of advice before we continue: don’t connect this VM to any network outside of your lab. The system is highly vulnerable and easy to gain access to for anyone who pokes at it. That is exactly what makes it great for learning, as long as it stays safely inside your lab environment.
What you’ll need is the following:
1 – VirtualBox installed with guest additions downloaded
2 – pfSense configured
3 – OWASP Broken Web Applications VM downloaded
4 – 7-Zip to unzip the OWASP VM
Once you have obtained and configured all of the above you are ready to boot up the VM.
Let’s get to it!
To keep everything contained within the lab environment we’ll use an internal NIC. This keeps the traffic isolated, which means you won’t end up scanning or attacking a real system that you didn’t mean to! It happens easily, so be careful. The pfSense guide shows how this is set up. NIC configuration for the OWASP system is as simple as selecting the same internal network option for one NIC; that’s all you need to get a DHCP lease for it in your lab.
Click ‘New’, give your machine a name, select the type ‘Linux’ and the version ‘Linux 2.6 / 3.x / 4.x (64Bit)’ (or the version matching your own architecture, for example if it is 32 Bit), and then click ‘Next’.
Next, allocate a chunk of memory. 1GB should be fine, but if you have more, 4GB is a nice amount to make everything run smoothly.
For the hard disk option choose “Use an existing virtual hard disk file” and navigate to your unzipped OWASP BWA file you downloaded. Select “OWASP Broken Web Apps-cl1” and then click “Create”.
Once you have this done you’ll be back in the main VirtualBox machine selection interface. Click on ‘Settings’ at the top left.
Remove the Floppy disk drive as it’s not needed and configure the system settings as I have mine below. You don’t need the Optical drive but I chose to keep it so I can boot off other disks for analysis when I want to.
Modify the NIC to match mine below, so that it says “Attached to: Internal Network”, then click OK.
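Before booting, the NIC setting can also be confirmed from the command line instead of the GUI. The script below is an added example, not part of the original post: it reads the output of `VBoxManage showvminfo <vm> --machinereadable` and fails if any enabled adapter is attached to anything other than the lab's internal network. The network name `labnet`, the VM name `owaspbwa` and the sample output are assumptions constructed for illustration; use the internal network name your pfSense LAN adapter is on.

```shell
#!/bin/sh
# Added example (not from the original post): pre-boot isolation check.
# Reads `VBoxManage showvminfo <vm> --machinereadable` output on stdin.
# $1 = internal network name used by the lab (assumption: "labnet").
# Returns 0 only if every enabled NIC is "intnet" on that network.
check_isolation() {
    awk -v want="$1" '
        function val(line) {   # text after the first "=", quotes stripped
            line = substr(line, index(line, "=") + 1)
            gsub(/["\r]/, "", line)
            return line
        }
        # nicN holds the attachment mode, intnetN the internal network name
        /^nic[0-9]+=/    { mode[substr($0, 4, index($0, "=") - 4)] = val($0) }
        /^intnet[0-9]+=/ { net[substr($0, 7, index($0, "=") - 7)] = val($0) }
        END {
            for (s in mode) {
                if (mode[s] == "none") continue   # adapter disabled
                seen++
                if (mode[s] != "intnet") {
                    printf "FAIL nic%s is %s, not an internal network\n", s, mode[s]
                    bad++
                } else if (net[s] != want) {
                    printf "FAIL nic%s is on intnet \"%s\", expected \"%s\"\n", s, net[s], want
                    bad++
                } else
                    printf "OK   nic%s on intnet \"%s\"\n", s, want
            }
            if (!seen) { print "FAIL no enabled NIC"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample of the machine-readable output (relevant keys only).
sample_vminfo() {   # $1 = nic1 attachment mode, $2 = nic1 internal network
    printf 'name="owaspbwa"\nnic1="%s"\nnictype1="82540EM"\nintnet1="%s"\nnic2="none"\n' "$1" "$2"
}

# Real use: VBoxManage showvminfo "<vm name>" --machinereadable | check_isolation labnet
sample_vminfo intnet labnet | check_isolation labnet
```

A non-zero exit status means the VM would be reachable from, or able to reach, a network other than the lab's internal one, so fix the adapter before booting.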
Boot the system!
That’s it for now: everything is configured, and the OWASP system requires no further configuration to get up and running. Provided you have pfSense running with the internal NIC settings specified in the previous guide, the VM should get a DHCP lease from it, and you can then ping it, scan it, etc. Log into the OWASP BWA VM to check your IP address and you’re good to start poking around the system. Using Kali and tools like OWASP Zed Attack Proxy (ZAP) or Burp Suite, you will get a wealth of information to gain access to the system from your remote attacking system. Have fun!