Homelab Guide Part 3: Damn Vulnerable Web App
In this part of the Homelab Guide, you will install, configure, and run the Damn Vulnerable Web App on your Windows 10 workstation.
all these notes are made from this video tutorial https://www.youtube.com/watch?v=cak2lQvBRAo
there are 2-3 steps that aren't covered in the video so if you run into a problem you may find the answer in the text below
dvwa.co.uk - download the compressed binary and extract
https://www.apachefriends.org/index.html - download and run
Select Components = Uncheck everything except for Apache, MySQL, and PHP
click next
Installation Folder = leave the default and click next
Language = English and click next
Bitnami for XAMPP = uncheck "learn more" and click next
Ready to Install = click next and wait for install
once installed run the control panel
click Start for Apache and allow access through the Windows firewall - this will start the Apache webserver on your machine
click Start for MySQL and allow access through the Windows firewall - this will start the database that your webserver will use
once both are turned on, go to your web browser and go to the address: localhost/dashboard/
if everything worked, you should see your locally run webapp running
navigate to the "htdocs" folder in your xampp install - this will probably be at c:\xampp\htdocs
delete all the files inside the htdocs folder - these are the html/favicon/css styling stuff that you saw when you went to the webapp on the web browser - you won't need this stuff for DVWA to run
create a folder "dvwa" inside htdocs and then copy and paste everything inside the "DVWA-master" extracted folder into it
go back to the browser and go to "localhost/" and you should see the file directory with the "dvwa" folder there
click on "dvwa" and you will see an error that the config file needs to be renamed because it is a ".dist" extension
now because some people run into problems converting the file into a php file, the easiest way to create any file type you need is to open the command prompt and type "echo '' > c:\xampp\htdocs\dvwa\config\config.inc.php"
the echo command creates a file with whatever you redirect into it (in this case just a pair of empty quotes)
go to the folder and find that newly created file
copy and paste all the contents of the "config.inc.php.dist" file into the new one, replacing anything already in it
go back to your browser and reload the page - you should now see the DVWA webapp properly working
though the main page is up, when you go to the bottom and click "create database" you will get an error that the username and password are incorrect for MySQL - this must be fixed
open the config file you worked on before and navigate to " 'db_user' ] = 'dvwa'; "
change the user 'dvwa' to 'root' and then right below it change the password to an empty string ''
go back to the browser, refresh the page, and then click create database again - this time it should work and you will be redirected to a login screen
username = 'admin' & password = 'password'
after successfully logging in, you will be presented with a welcome page
on the navigation bar on the left click "Setup / Reset DB" to go and see what is enabled and disabled
you will want to turn on the PHP function 'allow_url_include' to allow for file inclusion exploits
open XAMPP and click the 'Config' button to the right of Apache
click on 'PHP (php.ini)'
search the file for 'url_include' to quickly navigate to the setting and replace 'Off' with 'On'
save and exit the file
restart Apache on XAMPP
reload the page and you should see the setting turned on
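The config steps above (creating config.inc.php, switching the database account to root with an empty password, turning on allow_url_include) as one PowerShell script. This is an added example, not part of the video or the original notes; it assumes the default c:\xampp install, php.ini at c:\xampp\php\php.ini, the DVWA key name 'db_password', and XAMPP's default ports 80 and 3306. The listener check at the end goes beyond the steps in the text.

```powershell
# Added example. Paths below assume the default XAMPP install folder from this guide.
$configDir = 'C:\xampp\htdocs\dvwa\config'
$phpIni    = 'C:\xampp\php\php.ini'          # assumed default php.ini location
$dist      = Join-Path $configDir 'config.inc.php.dist'
$config    = Join-Path $configDir 'config.inc.php'

# Create config.inc.php from the .dist template; the original template stays untouched.
if (-not (Test-Path $config)) { Copy-Item -Path $dist -Destination $config }

# Set db_user to 'root' and db_password to '' (the account the guide switches to).
# Inside a single-quoted PowerShell string, '' stands for one literal quote.
$lines = Get-Content $config
$lines = $lines -replace "(\[\s*'db_user'\s*\]\s*=\s*)'[^']*'",     '$1''root'''
$lines = $lines -replace "(\[\s*'db_password'\s*\]\s*=\s*)'[^']*'", '$1'''''
Set-Content -Path $config -Value $lines

# Keep a backup of php.ini, then turn allow_url_include on.
# Lines commented out with ';' do not match because of the ^\s* anchor.
Copy-Item -Path $phpIni -Destination "$phpIni.bak" -Force
$ini = (Get-Content $phpIni) -replace '^\s*allow_url_include\s*=.*$', 'allow_url_include=On'
Set-Content -Path $phpIni -Value $ini

# Show the resulting settings so they can be compared with the "Setup / Reset DB" page.
Select-String -Path $config -Pattern "'db_user'|'db_password'" |
    ForEach-Object { $_.Line.Trim() }
Select-String -Path $phpIni -Pattern '^\s*allow_url_include' |
    ForEach-Object { $_.Line.Trim() }

# Show which addresses Apache (80) and MySQL (3306) listen on.
# 0.0.0.0 or :: means the service accepts connections from other machines,
# not only from localhost, once it is allowed through the Windows firewall.
Get-NetTCPConnection -State Listen -LocalPort 80,3306 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort

# Apache still has to be restarted from the XAMPP control panel for php.ini to apply.
```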