DVWA 1.9+: lab setup

Miguel Sampaio da Veiga, published in Hacker Toolbelt, May 10, 2019

In a previous article I’ve used Metasploitable 2 for a lab. In Metasploitable 2 there are several web apps available for pentesting. One of those apps is Damn Vulnerable Web Application 1.07.

After some consideration, I’ve decided to create a new lab using the latest version of DVWA (1.9 at the time of writing), since it will be a good exercise to install it, review its configuration and then try to crack it open.

If you don’t want to go through all this trouble, use Metasploitable 2 DVWA or get the docker version here.

This is the first article of the DVWA series. You can grab all articles here.

Install server

I’ll be using Ubuntu 18.04 LTS for the guest and my hypervisor will be VirtualBox, but the instructions will be similar for VMware or Hyper-V.

First download Ubuntu 18.04 LTS.

Now create your guest machine with the following settings:

  • 1 processor
  • 512 MB RAM
  • 10 GB HDD

Attach the Ubuntu install ISO and boot (or boot and attach it).

Select the first option, then choose your language, country and keyboard layout. Next you’ll have to configure the network.

I’ll name the system DVWA for simplicity.

Add a new user and a password. Then choose your timezone. Time to partition the disk:

Use the entire disk for DVWA and confirm it. No need for automatic updates.

Now, for package selection:

Choose OpenSSH server (for easy access from host machine) and LAMP server (Linux, Apache, MySQL, PHP).

Finish installing GRUB and reboot.

Log in with your user.

Update the server:

$ sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get -y dist-upgrade && sudo apt-get autoremove -y

Install DVWA 1.9

To access this server from the host with VirtualBox we need to define a port-forwarding rule as shown below:

Open your browser and go to http://localhost and you’ll get the Apache default page:

Install dependencies

$ sudo apt-get install php php-gd

Configure MySQL

$ sudo mysql -u root

> CREATE USER 'dvwa'@'localhost';

> ALTER USER 'dvwa'@'localhost' IDENTIFIED BY 'p@ssw0rd';

> CREATE DATABASE dvwa;

> GRANT ALL PRIVILEGES ON `dvwa`.* TO 'dvwa'@'localhost' WITH GRANT OPTION;

> FLUSH PRIVILEGES;

> exit

Clone DVWA and move it into the Apache web root:

$ cd ~

$ git clone https://github.com/ethicalhack3r/DVWA.git

$ sudo mv ./DVWA/ /var/www/dvwa/

Change folder permissions and create the config file:

$ sudo chmod 757 -R /var/www/dvwa/hackable/uploads

$ sudo chmod 757 -R /var/www/dvwa/config

$ sudo chmod 757 /var/www/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt

$ sudo cp /var/www/dvwa/config/config.inc.php.dist /var/www/dvwa/config/config.inc.php

Set db_user and add your reCAPTCHA public and private keys:

$ sudo nano /var/www/dvwa/config/config.inc.php

$_DVWA[ 'db_user' ] = 'dvwa';

Now configure PHP and the Apache service:

$ sudo nano /etc/php/7.2/apache2/php.ini

allow_url_include = On

$ sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/dvwa.conf

$ sudo nano /etc/apache2/sites-available/dvwa.conf

DocumentRoot /var/www/dvwa

$ sudo a2dissite 000-default.conf

$ sudo a2ensite dvwa.conf

$ sudo service apache2 restart
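The post-install steps above (MySQL grants, php.ini, Apache vhost) are easy to get wrong by hand, so here is an added helper script that is not part of the original article: it renders the SQL and edits copies of php.ini and the vhost passed as arguments, so you can dry-run against copies before touching /etc. It assumes GNU or BSD sed with -E and a MySQL 5.7+ syntax; the variable name DVWA_PRINT_SQL is my own choice.

```shell
#!/usr/bin/env bash
# Added example for the DVWA 1.9 lab article; not the author's or project's code.
set -euo pipefail

# Render the MySQL statements from the article for a given database, user and password.
# The database in GRANT ... ON is quoted with backticks: single quotes there are a syntax error.
dvwa_sql() {
  local db="$1" user="$2" pass="$3"
  cat <<EOF
CREATE USER IF NOT EXISTS '${user}'@'localhost';
ALTER USER '${user}'@'localhost' IDENTIFIED BY '${pass}';
CREATE DATABASE IF NOT EXISTS \`${db}\`;
GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${user}'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
EOF
}

# Set key = value in a php.ini file, replacing an existing (possibly commented) entry
# instead of appending a duplicate. The article sets allow_url_include = On, which is what
# makes the lab exploitable (remote file inclusion): keep such a box on a host-only network.
set_php_ini_key() {
  local ini="$1" key="$2" value="$3"
  if grep -Eq "^[;[:space:]]*${key}[[:space:]]*=" "$ini"; then
    sed -E "s|^[;[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$ini" > "$ini.tmp"
    mv "$ini.tmp" "$ini"
  else
    printf '%s = %s\n' "$key" "$value" >> "$ini"
  fi
}

# Read back an uncommented php.ini key (last definition wins, as PHP does).
get_php_ini_key() {
  sed -nE "s|^${2}[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | tail -n1
}

# Point a copy of 000-default.conf at the DVWA document root, preserving indentation.
set_document_root() {
  local vhost="$1" root="$2"
  sed -E "s|^([[:space:]]*)DocumentRoot[[:space:]]+.*|\1DocumentRoot ${root}|" "$vhost" > "$vhost.tmp"
  mv "$vhost.tmp" "$vhost"
}

get_document_root() {
  sed -nE 's|^[[:space:]]*DocumentRoot[[:space:]]+(.*)$|\1|p' "$1" | tail -n1
}

# DVWA_PRINT_SQL=1 ./dvwa_lab.sh prints the SQL for the article's credentials, ready to pipe
# into `sudo mysql -u root`.
if [ "${DVWA_PRINT_SQL:-0}" = "1" ]; then dvwa_sql dvwa dvwa 'p@ssw0rd'; fi
```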

Check the URL http://localhost/setup.php

Now click the ‘Create Database’ button and log in with the username ‘admin’ and the password ‘password’.

Remember, DVWA is a vulnerable application. Be careful where you place it in your network.

Conclusion

In the following articles I’ll go through several vulnerabilities in this Web App. For security reasons I’ll change the network configuration to ‘host only adapter’.
