Ubuntu 16.04_Vulnerability images User Manual
Version used in this presentation: VirtualBox 5.1.18 r114002
VirtualBox
Download VirtualBox
https://www.virtualbox.org/wiki/Downloads
Install VirtualBox

Importing the VM
1. Double-click the .ova file
2. Be sure to tick the option to reinitialize the MAC address of all network cards
3. Click Import
Bridged adapter mode
[Network diagram: two VMs (192.168.1.29, 192.168.1.28), the host (192.168.1.27) and the DHCP server (192.168.1.1) on one bridged network]
If the DHCP server provides internet access, the VMs have internet access too
The VMs can communicate with each other
The VMs and the host can communicate with each other
Note: in bridged mode these intentionally vulnerable VMs are reachable from every other device on the same LAN, so run the lab on an isolated network.
Images
Ubuntu 16.04 Vulnerability
Check the current IP address of the machine; in this example the machine IP is 192.168.1.28.

Account: ksu
Password: ksulab8
Be sure to confirm that the VM has obtained an IP address from DHCP.
Web Vulnerability
Web Server

For teaching convenience, directory listing (Options Indexes) is enabled on the web server. With it on, any visitor can browse the contents of directories that have no index page; this is directory browsing (index disclosure) rather than directory traversal in the path-manipulation sense, but it still reveals the site's file layout to an attacker.

To turn directory listing off, edit /etc/apache2/apache2.conf and change the /var/www/ block to:

<Directory /var/www/>
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

Reload Apache afterwards (sudo systemctl reload apache2) for the change to take effect.
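The following is an added example, not part of the original manual, that audits an apache2.conf for directory listing on /var/www/. It places the Ubuntu 16.04 default block (Options Indexes FollowSymLinks, which is what the lab image leaves on) beside the hardened block from the slide, and reports which one actually exposes listings. Both sample configs are constructed inline and the function names (check_indexes, audit_conf, probe_listing) are my own.

```shell
#!/bin/sh
# Added example, not part of the original manual: audit an Apache 2.4
# config for directory listing in the <Directory /var/www/> block.
# Two sample configs are constructed below; the "weak" one mirrors the
# Ubuntu 16.04 default that the lab image leaves enabled.

# check_indexes: reads Apache config text on stdin and prints
# "listing-enabled" if Indexes is effective for /var/www/, otherwise
# "listing-disabled". Only the /var/www/ block is inspected, so vhost or
# .htaccess overrides are not taken into account.
check_indexes() {
  awk '
    /^[ \t]*<Directory[ \t]+\/var\/www\/?>/ { inblock = 1; next }
    /^[ \t]*<\/Directory>/                  { inblock = 0; next }
    inblock && /^[ \t]*Options([ \t]|$)/ {
      # Walk each option token; later tokens override earlier ones.
      for (i = 2; i <= NF; i++) {
        if ($i == "Indexes" || $i == "+Indexes" || $i == "All") enabled = 1
        if ($i == "-Indexes" || $i == "None")                     enabled = 0
      }
    }
    # No Options line in the block: the Apache 2.4 default is
    # FollowSymLinks, so no listing.
    END { print (enabled ? "listing-enabled" : "listing-disabled") }
  '
}

# audit_conf: convenience wrapper that takes the config text as an argument.
audit_conf() {
  printf '%s\n' "$1" | check_indexes
}

# probe_listing: live check against a running server (needs network, not
# used by the offline demo). Apache's autoindex page is titled "Index of /".
probe_listing() {
  curl -s "$1" | grep -q '<title>Index of /'
}

# Constructed sample: the Ubuntu 16.04 apache2.conf default for /var/www/.
WEAK_CONF='<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>'

# Constructed sample: the hardened block from the manual.
HARDENED_CONF='<Directory /var/www/>
        Options -Indexes
        AllowOverride None
        Require all granted
</Directory>'

main() {
  printf 'default config:  %s\n' "$(audit_conf "$WEAK_CONF")"
  printf 'hardened config: %s\n' "$(audit_conf "$HARDENED_CONF")"
}

main
```

To audit the real file on the lab VM, run `check_indexes < /etc/apache2/apache2.conf`; to confirm from another host after reloading Apache, `probe_listing http://192.168.1.28/some-directory/` should exit non-zero once listings are off.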
DVWA
Version: 1.10
http://192.168.1.28/DVWA/
DVWA account: admin
DVWA password: password
Challenge categories
Brute Force
Command Injection
CSRF
File Inclusion
File Upload
Insecure CAPTCHA
SQL Injection
SQL Injection (Blind)
Weak Session IDs
XSS (DOM)
XSS (Reflected)
XSS (Stored)
OWASP Mutillidae
Version: 2.6.48
http://192.168.1.28/mutillidae/
Challenge categories
A1 - Injection (SQL)
A2 - Broken Authentication and Session Management
A3 - Cross Site Scripting (XSS)
A4 - Broken Access Control
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Insufficient Attack Protection
A8 - Cross Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Underprotected APIs
WebGoat
Version: 7.1
http://192.168.1.28:8081/WebGoat

Challenge categories
Access Control Flaws
AJAX Security
Authentication Flaws
Buffer Overflows
Code Quality
Concurrency
Cross-Site Scripting (XSS)
Improper Error Handling
Injection Flaws
Denial of Service
Insecure Communication
Insecure Storage
Malicious Execution
Parameter Tampering
Session Management Flaws
Web Services
OWASP Juice Shop
Version: 5.0.1
http://192.168.1.28:3000/

Challenge categories
XSS
CSRF
Password Strength
SQL Injection
NoSQL Injection
Redirects
Upload File
Forged Feedback
CTF Challenges
The CTF exercises are located on the VM at /home/ksu/CTF_ex2018