Information Sharing and Analysis Center

Breach Point Intern Assessment

TASK - 01
Assessment Process: DVWA Challenges

Task 1:

Step 1: Setup DVWA on Docker To begin the assessment process, you need to set up DVWA (Damn
Vulnerable Web Application) on Docker. Follow the steps below:

1. Open the YouTube link provided: https://www.youtube.com/watch?v=4JI9n0CZ76c.

2. Watch the video tutorial, which provides a detailed guide on how to set up DVWA on Docker.
3. Follow the instructions in the video, including downloading and installing Docker, pulling the
DVWA Docker image, and running the DVWA container.
4. Make sure to note down the IP address and port number on which DVWA is running, as you
will need it to access the application later.
CHALLENGES
Challenge 1: Command Injection

Description: This challenge involves a web form that accepts user input and executes a system command
without proper sanitization. The goal is to execute arbitrary commands and retrieve sensitive information.

Steps Taken:

1. Opened the DVWA application and navigated to the "Command Injection" challenge.
2. Inspected the web form and identified the input field vulnerable to command injection.
3. Started by entering simple commands, such as ls, to see if the system executes them.
4. Notice that the input is directly concatenated into a command without any validation or sanitization.
5. Exploited the vulnerability by injecting ;ls as the input, which executes the command and lists the
contents of the current directory.
6. Gradually escalated the attack by injecting more complex commands, such as ;cat /etc/passwd to
retrieve the contents of the password file.
7. Took a screenshot of each step to provide visual evidence of successful command execution.
8. Provided a detailed explanation of the vulnerability and the steps taken to exploit it in the write-up
document.
Command Injection < LOW >
Command Injection < MEDIUM >
Command Injection < HIGH >
Challenge 2: SQL Injection

Description: In this challenge, the DVWA application is vulnerable to SQL injection attacks. The objective is to manipulate the SQL query to
retrieve unauthorised data or perform unintended actions.

Steps Taken:

1. Accessed the "SQL Injection" challenge within the DVWA application.

2. Examined the login form and identified the input field vulnerable to SQL injection.
3. Started by entering a single quote (') as the input to check for SQL syntax errors or error messages revealing the underlying
database.
4. Discovered that the input is directly concatenated into an SQL query without proper sanitization or parameterization.
5. Exploited the vulnerability by injecting ' OR '1'='1'-- as the input, which bypasses the authentication logic and logs in as the
first user.
6. Demonstrated the attack's success by accessing unauthorised pages or performing unintended actions.
7. Captured screenshots of each step, including the manipulated input and the results obtained.
8. Included a detailed explanation of the SQL injection vulnerability, the injection technique used, and the steps taken to exploit it in
the write-up document.
SQL Injection < HIGH >
SQL Injection < MEDIUM>
SQL Injection < LOW >
Challenge 3: Cross-Site Scripting (XSS)
Description: The Cross-Site Scripting (XSS) challenge involves a web application that fails to properly sanitise
user input, allowing malicious scripts to execute in users' browsers. The objective is to execute a script that steals
user cookies.

Steps Taken:

1. Navigated to the "XSS (Stored)" challenge in the DVWA application.

2. Inspected the web page and identified areas where user input is reflected without proper sanitization.
3. Crafted a malicious script that would execute when other users view the vulnerable page.
4. Injected the script into a text field and saved it, ensuring the script is stored on the server.
5. Accessed the page to confirm that the script executed successfully, capturing the cookie information.
6. Took screenshots of the injection point, the malicious script execution, and the captured cookie data.
7. Provided a detailed explanation of the XSS vulnerability, the impact it can have, and the steps taken to
exploit it in the write-up document.
Cross-Site Scripting (XSS) < HIGH >
Cross-Site Scripting (XSS) < LOW >
Cross-Site Scripting (XSS) < MEDIUM>
Task 2: Setup Mutillidae on Docker and Solve Labs

Step 1: Setup Mutillidae on Docker

To complete Task 2, you need to set up Mutillidae on Docker. Follow the steps below:

1. Watch the YouTube video titled "Setup Mutillidae on Docker" available at

https://www.youtube.com/watch?v=9RH4l8ff-yg. The video provides a detailed tutorial on how to install and
configure Mutillidae on Docker.
2. Follow the instructions in the video carefully to set up Mutillidae on Docker. The video should guide you
through the installation process, including downloading and running the Mutillidae Docker image.
3. Once the installation is complete, open your web browser and enter the URL provided in the video to access
Mutillidae.
4. Confirm that Mutillidae is running correctly by checking if the login page appears in your browser. If the
page loads successfully, you have successfully set up Mutillidae on Docker.
Step 2: Solve the Following Labs on Level 0 Security

In this step, you are required to solve specific labs in Mutillidae with Hints
enabled. The labs you need to solve are Lab 1, 6, 10, 12, 13, 14, 17, and 18.
Follow the instructions below to solve each lab and provide the necessary
documentation.
Lab 1 - Cross-Site Scripting (XSS):

1. Open your web browser and enter the URL to access Mutillidae.
2. Log in to Mutillidae using the provided credentials.
3. Once logged in, locate the lab titled "Lab 1 - Cross-Site Scripting (XSS)."
4. Read the lab description and hints carefully to understand the objective.
5. Follow the hints and instructions to identify and exploit the XSS vulnerability.
6. While solving the lab, use screen capture software to record your actions and
demonstrate the solution step-by-step. Ensure that the recording is clear and
easily understandable.
7. Capture screenshots at significant points during the lab, such as identifying the
vulnerability, injecting the XSS payload, and showcasing the successful
exploitation.
Lab 1 - Cross-Site Scripting (XSS):
Lab 6 - SQL Injection UNION Attack:

1. Log in to Mutillidae and navigate to the lab labeled "Lab 6 - SQL Injection UNION
Attack."
2. Read the lab instructions and hints to comprehend the task at hand.
3. Use the provided hints to craft a SQL injection UNION attack to retrieve
information from the database.
4. Record your screen while solving the lab, capturing your actions and explaining
the steps you take.
5. Take screenshots during critical stages, including constructing the payload,
executing the injection, and obtaining the desired information.
Lab 6 - SQL Injection UNION Attack:
Lab 17 - Unvalidated Parameters:

1. Access Mutillidae and find the lab titled "Lab 17 - Unvalidated Parameters."
2. Read the lab description and hints to grasp the lab's objectives.
3. Follow the hints and instructions to identify and exploit the unvalidated
parameter vulnerability.
4. Record your screen during the lab, capturing your actions and providing
explanations when necessary.
5. Capture screenshots at significant points, such as identifying the vulnerable
parameter, injecting malicious input, and observing the impact.
Lab 17 - Unvalidated Parameters:
Lab 18 - Authentication Bypass:

1. Log in to Mutillidae and locate the lab titled "Lab 18 - Authentication Bypass."
2. Read the lab instructions and hints to understand the authentication bypass
scenario.
3. Utilize the provided hints to bypass the authentication mechanism and gain
unauthorized access.
4. Record your screen while solving the lab, clearly demonstrating the steps you
take to bypass authentication.
5. Take screenshots at important stages, such as identifying the authentication
vulnerability, manipulating request parameters, and accessing restricted
resources.
Lab 18 - Authentication Bypass:
Lab 13 - Unvalidated Redirects and Forwards:

1. Access Mutillidae and find the lab labeled "Lab 13 - Unvalidated Redirects and
Forwards."
2. Carefully read the lab description and hints to understand the lab's objectives.
3. Utilize the hints to identify and exploit the unvalidated redirect vulnerability.
4. Record your screen as you progress through the lab, clearly showing the
steps you take to accomplish the task.
5. Capture screenshots of crucial stages, such as identifying the vulnerable
redirect, manipulating the URL, and observing the redirection behavior.
Lab 13 - Unvalidated Redirects and Forwards:
Lab 14 - Buffer Overflow:

1. Log in to Mutillidae and navigate to the lab named "Lab 14 - Buffer Overflow."
2. Read the lab instructions and hints to understand the buffer overflow
scenario.
3. Utilize the provided hints to craft a buffer overflow exploit and gain control of
the vulnerable program.
4. Record your screen while solving the lab, demonstrating the necessary steps
and explaining the techniques employed.
5. Take screenshots at important stages, such as identifying the buffer overflow
vulnerability, constructing the exploit payload, and achieving code execution.
Lab 14 - Buffer Overflow:
 CONCLUSION

I want to express my gratitude for the opportunity to participate in the ISAC

internship program and for the support and guidance provided throughout.
This experience has allowed me to further develop my skills in the field and
gain a deeper understanding of the domain.