A Vagrant based turn-key vulnerable web application suite for pentesters in-training. No configuration necessary, simply install and attack.
This is stage 1 & 2 of my Automated Interrogation project. It leverages Vagrant to install an Ubuntu LTS 12.04 base box running
in VirtualBox. The Vagrantfile provided in this repository configures the virtual machine and executes Puppet provisioners
that install and configure essential services such as Apache, PHP, MySQL, Java etc. and a Shell provisioner that installs and
configures the vulnerable web applications.
There are now two methods for installation, either downloading the complete Vagrant Pentester Base Box (preferred) or
cloning the repository and letting the Vagrantfile run the scripts against the hashicorp/precise32 Base Box.
*** These applications should only be run in a localhost environment preferably using a Host-only network adapter.
It is assumed that VirtualBox and Git are installed and that you know how to use them. A minimum of Vagrant 1.5.2 is required. If you have an older version of Vagrant that was installed as a Ruby gem you need to remove it before installing. If you use RVM you may notice issues when executing Vagrant commands. Removing RVM path variables from your bash profiles (~/.bashrc, ~/.profile, ~/.bash_profile) should correct this.
https://www.vagrantup.com/downloads
Verify that Vagrant is installed and working by typing in the terminal:
vagrant -v
will print out the Vagrant version number
https://github.com/blackpioter/vagrant-pentester
When the script returns back to the terminal you will notice that a 'vagrant-pentester_default' machine is running in VirtualBox. By default it will start up headless. You can choose to SSH into the box or close it and reopen the box as you normally would with a GUI.
vagrant up
-- starts vagrant environment (also provisions only on the FIRST vagrant up)vagrant status
-- outputs status of the vagrant machinevagrant halt
-- stops the vagrant machinevagrant reload
-- restarts vagrant machine, loads new Vagrantfile configurationvagrant provision
-- forces reprovisioning of the vagrant machinevagrant ssh
-- connects to machine via SSHvagrant destroy
-- stops and deletes all traces of the vagrant machine
Source: https://code.google.com/p/bodgeit/
Access the application at: localhost:8999/bodgeit
Source: http://www.mmeit.be/bwapp/
Access the application at: localhost:8888/bWAPP/install.php
Follow the "click here to install bWAPP" link
login: bee
password: bug
Source: http://www.dvwa.co.uk/
Access the application at: localhost:8888/DVWA/setup.php
Select create/reset database
Login at: localhost:8888/DVWA/index.php
username: admin
password: password
Source: http://exploit.co.il/blog/
Access the application at: localhost:8888/exploit/index.php
Source: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
Access the application at: localhost:8888/mutillidae
Click "Setup/Reset DB" link
Source: https://code.google.com/p/puzzlemall/
Install the application at: localhost:8999/puzzlemall/install/initialize.jsp
username: root
password: mysql
Access the application: localhost:8999/puzzlemall/
Source: https://github.com/Audi-1/sqli-labs
Access the application: localhost:8888/sqli-labs/index.html
Click "Setup/reset Database for labs
Source: https://code.google.com/p/wavsep/
Install the application at: localhost:8999/wavsep/wavsep-install/install.jsp
username: root
password: mysql
host: localhost
port: 3306
Access the application: localhost:8999/wavsep/
Source: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Access the application: localhost:8999/WebGoat/attack
username: webgoat
password: webgoat
If you get locked out for entering the wrong password close the browser completely and reload page.