The next step in this project is to set up a website on the web server. I could just dump a simple ‘Hello World’ index.html file in the web root as a quick and easy demonstration, but I decided to do something a bit more interesting and install Damn Vulnerable Web Application (DVWA). DVWA is essentially a website that ships with known vulnerabilities deliberately built into it. Security professionals, or aspiring penetration testers, can use it to practise and hone their bug-finding skills legally. I plan on using this website later to demonstrate exactly why a DMZ is necessary. For now, I am just going to install it.
DVWA is downloadable from GitHub, so to download and install it I will need to install the git utility on the server. To do that I’ll use:
apt install git
Using sudo isn’t necessary because I am logged in as the root user.
Next, I’ll navigate to the web root folder:
cd /var/www/html
Now, I’ll use the git utility to clone the DVWA git repository:
git clone https://github.com/digininja/DVWA
Personally, I don’t like that the folder is named using all caps so I’ll rename it to dvwa:
mv DVWA dvwa
Now I need to make the new folder writable. The -R flag makes the change recursive, so it is applied to every file and sub folder as well, and mode 777 grants read, write and execute to every user on the system:
chmod -R 777 dvwa/
So that takes care of the website files, but now I need to make sure that it has a database to use. DVWA uses a MySQL database, so I need to install MySQL:
apt install default-mysql-server -y
Once it’s installed, start the server:
Log in to mysql using the username root and no password (these are the defaults):
mysql -u root -p
Next I’m going to create a user for the DVWA database to use. DVWA uses a default user of ‘dvwa’ and a default password of ‘p@ssw0rd’. I’m not going to change these because I want this installation to be as vulnerable as possible. To create the user, use this command:
create user 'dvwa'@'127.0.0.1' identified by 'p@ssw0rd';
I’ll give this new user all privileges on every table in the dvwa database (that is what dvwa.* means):
grant all privileges on dvwa.* to 'dvwa'@'127.0.0.1' identified by 'p@ssw0rd';
Type exit to leave mysql. Now that the database is set up, I also need to install PHP, as DVWA is a PHP website:
apt install php -y
In order for DVWA to work as expected, there are some PHP modules it will need. I’ll install them with this command:
apt install php-gd -y && apt install php-mysql -y
Once the modules are installed, some changes need to be made to the PHP configuration file. Navigate to the apache2 folder:
cd /etc/php/8.2/apache2
Note: You may need to check your version of PHP (command: php -v). Mine is version 8.2, which is why the path contains /8.2/. Make sure to input your version.
Open the configuration file php.ini:
nano php.ini
There are two settings that need to be updated. Set both allow_url_fopen and allow_url_include to ‘On’ as shown above. To find these lines quickly, press Ctrl+W in nano and enter the setting name to search for it. Press Ctrl+X to exit and ‘y’ to save, then restart the Apache server:
service apache2 restart
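Because the two php.ini directives above are what turn remote-URL handling on for the whole PHP install, it is worth being able to flip them and, more importantly, audit them without hand-editing the file. The following shell script is an added example written for this walkthrough; it is not part of the original post or of DVWA. It works on a constructed php.ini fragment created in a temporary file, so it runs offline; on the lab server you would point the functions at the real file (for the PHP 8.2 layout used here, /etc/php/8.2/apache2/php.ini). The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: set and audit the allow_url_fopen /
# allow_url_include directives that the DVWA walkthrough changes in php.ini.

# set_directive FILE NAME VALUE
# Rewrites "NAME = anything" (including a line commented out with ';') to
# "NAME = VALUE"; appends the directive if the file does not mention it at all.
set_directive() {
    file=$1; name=$2; value=$3
    if grep -Eq "^[[:space:];]*${name}[[:space:]]*=" "$file"; then
        sed -E "s/^[[:space:];]*${name}[[:space:]]*=.*/${name} = ${value}/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$name" "$value" >> "$file"
    fi
}

# get_directive FILE NAME
# Prints the effective value: the last uncommented assignment wins, as in PHP.
# Prints "unset" when only commented-out or no occurrences exist.
get_directive() {
    awk -v name="$2" '
        $0 ~ "^[[:space:]]*" name "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, "")        # drop "name ="
            sub(/[[:space:]]*(;.*)?$/, "")        # drop trailing comment/space
            val = $0
        }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# is_on VALUE: PHP accepts On/1/true/yes (case-insensitive) as "enabled".
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_remote_url_directives FILE
# Returns 0 when both directives are off (what a production server should
# show) and 1 when either is enabled, which is the state DVWA requires.
audit_remote_url_directives() {
    fopen=$(get_directive "$1" allow_url_fopen)
    include=$(get_directive "$1" allow_url_include)
    echo "allow_url_fopen=$fopen allow_url_include=$include"
    if is_on "$fopen" || is_on "$include"; then
        return 1
    fi
    return 0
}

# make_sample_ini: writes a constructed php.ini fragment to a temp file and
# prints its path. The values are invented for the demonstration.
make_sample_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
; constructed sample php.ini fragment (not a real server's file)
[PHP]
engine = On
allow_url_fopen = Off
;allow_url_include = Off
expose_php = On
EOF
    echo "$f"
}

# Demonstration: audit the hardened default, apply the two DVWA changes, audit again.
ini=$(make_sample_ini)
audit_remote_url_directives "$ini" && echo "both off: nothing to flag"
set_directive "$ini" allow_url_fopen On
set_directive "$ini" allow_url_include On
audit_remote_url_directives "$ini" || echo "remote URL handling enabled (required by DVWA, flag it anywhere else)"
rm -f "$ini"
```

The audit function is the part to keep around: run against the real php.ini on any web server that is not meant to be a deliberately vulnerable lab box, a non-zero exit means a directive that DVWA needs has been left on where it should not be.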
Now, I’ll go to my Administrator Xubuntu machine and navigate to the setup page for DVWA at 192.168.2.2/dvwa/setup:
There are a few warnings in red, but I can go ahead and click on ‘Create / Reset Database’. It will take a few seconds and then present the login page. Use the default credentials of admin/password:
Once logged in, there will be a functioning website that I will revisit later:
For the next stage of this project, I will build the internal network by adding some new clients to it.