Tuesday, July 16, 2013

bee-box - Hacking & Defacing bWAPP

The bee-box is a custom Ubuntu Linux virtual machine (VM) with bWAPP pre-installed.

bee-box is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. It requires zero installation!

bee-box gives you several ways to hack and deface the bWAPP website; currently there are 10 different website defacement possibilities! It is even possible to hack the bee-box itself, using a local privilege escalation exploit, to get full root access… Actually, with bee-box you have the opportunity to explore, and exploit, ‘all’ bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that?

You can download bee-box from here.


These are the requirements for installing bee-box:
  • Windows, Linux or Mac OS
  • VMware Player, Workstation or Fusion, or Oracle VirtualBox

An overview of the installation steps:
  • Extract the 'rar' archive.
  • Double-click the VM configuration file (bee-box.vmx), or import the VM into your VMware or VirtualBox software.
  • Start the VM. It logs in automatically.
  • Check the IP address of the VM (for example with ifconfig on the VM's console).
  • Go to the bWAPP login page. Browsing the bWAPP root directory redirects you there. 
    example: http://[IP]/bWAPP/
    example: http://[IP]/bWAPP/login.php
  • Log in with the default bWAPP credentials, or create a new user. 
    default credentials: bee/bug
  • You are ready to explore and exploit the bee!
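The steps above, run end to end from the host as a readiness check. This is an added example and not part of the bee-box or bWAPP distribution; it assumes curl is installed on the host, that the bWAPP login form posts the fields login, password, security_level and form=submit, and that a successful login answers with a redirect to portal.php (field names and redirect target are assumptions, not taken from this page).

```sh
#!/bin/sh
# Added example, not part of the bee-box distribution: a host-side smoke test
# that walks the installation steps with curl. Assumptions: curl is on the
# host, the bWAPP login form posts login, password, security_level and
# form=submit, and a successful login answers with a redirect to portal.php.
set -eu

# Step "go to the login page": fetch the bWAPP root and report where the
# redirect chain ends.
landing_page() {
    curl -s -L -o /dev/null -w '%{url_effective}' "http://$1/bWAPP/"
}

# Step "log in with the default credentials": post bee/bug at security level
# 'low' (0) and report the status code plus the redirect target.
try_login() {
    curl -s -o /dev/null \
        --data 'login=bee&password=bug&security_level=0&form=submit' \
        -w '%{http_code} %{redirect_url}' "http://$1/bWAPP/login.php"
}

check_beebox() {
    ip=$1
    landing=$(landing_page "$ip")
    case "$landing" in
        */bWAPP/login.php*) ;;
        *) echo "unexpected landing page: $landing" >&2; return 1 ;;
    esac
    result=$(try_login "$ip")
    case "$result" in
        302*/bWAPP/portal.php*) echo "bee-box at $ip is ready: bee/bug accepted" ;;
        *) echo "login failed, got: $result" >&2; return 1 ;;
    esac
}

# usage: ./check_beebox.sh 192.168.1.20
if [ $# -eq 1 ]; then
    check_beebox "$1"
fi
```

A 200 instead of the 302 means bWAPP re-rendered the login form, i.e. the credentials were rejected; on a fresh bee-box that usually means the database is not installed yet.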



Some additional notes:
  • Linux credentials:
    bee/bug and root/bug
  • MySQL credentials:
    root/bug
  • Modify the Postfix settings (relayhost, ...) to match your environment.
    config file: /etc/postfix/main.cf
  • Take a snapshot of the VM before hacking the bee-box.
    There is also a backup of the bWAPP website in /var/www/bWAPP_BAK.
  • To reinstall the bWAPP database, delete the database with phpMyAdmin
    (http://[IP]/phpmyadmin/), then browse to the following page: https://[IP]/bWAPP/install.php
  • Don't upgrade the Linux operating system, or you will lose all the fun: the exploits depend on the old, unpatched packages :)
  • Check SecurityTube (www.securitytube.net) for some amazing hacking videos.
    Thanks Vivek!
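The reset described in the notes (restore the website from the backup, delete the database, run install.php) as one script executed inside the VM, for when you would rather not revert to a snapshot. This is an added example and not part of the bee-box or bWAPP distribution. It replaces the phpMyAdmin step with the mysql command-line client using the root/bug credentials from the notes; the database name bWAPP, the install.php?install=yes request that triggers the installer, and the presence of wget in the VM are assumptions not stated on this page.

```sh
#!/bin/sh
# Added example, not part of the bee-box distribution: reset a defaced bee-box
# from inside the VM (run as root) without reverting to a snapshot. It does the
# phpMyAdmin step from the notes with the mysql client instead. Assumptions:
# the database created by install.php is named bWAPP, install.php runs the
# installer when requested with ?install=yes, and wget is installed in the VM.
set -eu

WEB_ROOT=/var/www/bWAPP
WEB_BAK=/var/www/bWAPP_BAK

# Put the pristine site back, dropping any files the attacker added
# (a plain copy over the top would leave a web shell in place).
restore_site() {
    rm -rf "$WEB_ROOT"
    cp -a "$WEB_BAK" "$WEB_ROOT"
}

# Same effect as deleting the database in phpMyAdmin and opening install.php.
reset_db() {
    mysql -u root -pbug -e 'DROP DATABASE IF EXISTS bWAPP;'
    wget -q -O /dev/null "http://127.0.0.1/bWAPP/install.php?install=yes"
}

reset_beebox() {
    restore_site
    reset_db
    echo "bee-box reset: site restored from $WEB_BAK, database reinstalled"
}

# usage (as root on the bee-box): ./reset_beebox.sh --yes
if [ "${1-}" = "--yes" ]; then
    reset_beebox
fi
```

Take the VM snapshot anyway: this script only puts bWAPP back, it does not undo what a successful local privilege escalation may have changed elsewhere on the system.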

We also offer a comprehensive 2-day web security course, 'Attacking & Defending Web Apps with bWAPP'.
This course can be scheduled on demand, at your location!




This project is part of the ITSEC Games project. ITSEC Games are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC Games and bWAPP projects on our blog.

Enjoy!

Regards

Malik Mesellem
@MME_IT