Following the steps described here will most likely help in fixing the error messages and issues below:
- Installation – unclickable buttons “next step” #5
- Installation #6
- Database problem #9
- demo_database.sql – ERROR 1452 (23000) at line 5 #13
Of all the vulnerable applications in OWASP’s Vulnerable Web Applications Directory, Hackazon is up to date with the latest technology stack and has customizable vulnerabilities. It is a great choice for learning and teaching ethical hacking of today’s web applications. As of today, although the project on GitHub reports its last update nine months ago, the application still uses web technologies recent enough that we can learn hacking like it is 2016. This article helps you set up Hackazon on a Windows machine.
Things to be downloaded before we get started:
1. Hackazon User guide
Download from https://community.rapid7.com/docs/DOC-3452
Alternative link to the original Hackazon user guide (in case the link above goes dead) – https://renouncedthoughts.files.wordpress.com/2017/02/hackazon_users_guide.pdf
2. Wamp server
Here’s the story
I had a Wamp installed in Nov 2014 and I tried using the same Wamp server for the Hackazon deployment. After following the instructions in the user guide and hitting http://hackazon.lc in a browser, the install page came up, but after entering the credentials for the MySQL user hackazon and hitting the Next Step button, the same page would reload over and over again. So basically I was stuck at the first step of the wizard, where you supply the administrator credentials. [Bug #5 filed as “Installation – unclickable buttons "next step"” https://github.com/rapid7/hackazon/issues/5]
I tried everything in the Hackazon User Guide (hereafter referred to as the user guide) on a Kali Linux machine; setup went smoothly, just as described in the user guide, and the site was up and running in no time. It was a joy to see the second step of the installation page, where you provide the MySQL database credentials.
Though I can’t technically confirm that the older version of Wamp was the cause of bug #5, my guess was to reinstall Wamp with a recent version on a Windows machine and try the same steps from the user guide. And it indeed helped me get past bug #5.
For Windows, the user guide describes installation on some Wamp 2.x version. However, the current stable release is Wamp 3.0.6 at the time of this writing. So something in MySQL changed, some things in Apache changed, and hopefully this post will help you fill the gaps between the Hackazon user guide and the recent changes to Wamp.
1. Download Wamp server
Please ensure your computer has a recent version of the VC++ Runtime. If you need to update the VC++ runtime to a recent version, either have it done via Windows Update or download it from the Microsoft website, as recommended by the Wamp server download page (as in the screenshot above). It is so important for Wamp to function properly that they have even updated the installation agreement shown in the installation wizard to cover installing and updating the VC++ runtime. I had to download the VC++ runtime for Visual Studio 2015 from https://www.microsoft.com/en-in/download/details.aspx?id=48145.
Ok. Install Wamp. Pretty straightforward installation; go with the defaults.
This is the current Wamp installation on my computer right now.
2. Download Hackazon source code
Head over to the Hackazon source code download page on GitHub and download a zip of the Hackazon source code.
Extract the zip file contents to c:\home\hackazon
3. Rename db.sample.php to db.php
Head over to C:\home\hackazon\assets\config and rename the file db.sample.php to db.php
4. Create the hackazon database and user in the MySQL console
Open ‘MySQL console’ from the Wamp server system tray.
Press Enter at the ‘Enter password’ prompt if you did not create a password for the MySQL root account, which is the default during installation. If you did create a password for your MySQL installation, authenticate with it.
Enter the below query to create a database named hackazon.
Enter the below query to create a user named ‘hackazon’ and give it a password. In the screenshot below and in the query below, admin123! is the password; feel free to choose your own.
The password you provide here is important, as you will need it in the first step of the Hackazon installation wizard.
After this step, if you are curious (and only if you are), head over to phpMyAdmin (from the Wamp server system tray), log in with your root credentials, and you should see a database named hackazon and a user named hackazon. Or just trust that, if the above two queries ran fine, a user and a database named hackazon have been created.
Do a restart by selecting Restart All Services from the Wamp server system tray menu.
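The two queries step 4 describes, written out as an added example for the MySQL 5.7 shipped with Wamp 3.0.6 (this is not the post's own screenshot nor Hackazon project code). Scoping the grant to hackazon.* rather than *.* is my assumption on the side of least privilege; the post does not state which grant it used.

```sql
-- Added example, not from the original post or the Hackazon project.
-- 'admin123!' is the post's sample password; replace it with your own.

-- Query 1: the database the installer will populate.
CREATE DATABASE IF NOT EXISTS hackazon;

-- Query 2: the application user. Limited to connections from the same
-- machine, since Apache and MySQL both run inside Wamp, and limited to
-- the hackazon database only (assumption: the installer only needs to
-- create and fill tables inside that one database, so *.* is not needed).
CREATE USER IF NOT EXISTS 'hackazon'@'localhost' IDENTIFIED BY 'admin123!';
GRANT ALL PRIVILEGES ON hackazon.* TO 'hackazon'@'localhost';
FLUSH PRIVILEGES;

-- Sanity check, the console equivalent of the phpMyAdmin look described
-- after step 4: each of these should return a row for hackazon.
SHOW DATABASES LIKE 'hackazon';
SELECT User, Host FROM mysql.user WHERE User = 'hackazon';
SHOW GRANTS FOR 'hackazon'@'localhost';
```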
5. Configuring or Verifying Apache’s default port
Open Apache’s httpd.conf file: from the Wamp server system tray, Apache – httpd.conf
Search for the word Listen and ensure Apache listens on port 80. I tried changing the default and configuring Apache to run on port 7070, and Hackazon kept giving me a 400 Invalid Referrer error message; I couldn’t find out why, so I reverted to the default settings.
Tip: keep Apache on the default port 80.
If you have Skype or IIS running on port 80, move them, at least for now, so that Hackazon can run on Apache’s port 80.
Also, search for ServerName and verify that the ServerName localhost line also says port 80. I honestly do not know what this is for; read the description in the file and figure it out. For now, all we are trying to do is configure Apache to run on port 80.
6. Configuring the hackazon website setup
Open Apache’s httpd-vhosts.conf file: from the Wamp server system tray, Apache – httpd-vhosts.conf
Copy and paste the below contents into your httpd-vhosts.conf file.
Save the file. The vhost settings provided above are good enough to even access http://hackazon.lc from another machine on the LAN.
7. Edit Windows hosts file to bind hackazon.lc to loopback address
Open the hosts file in C:\Windows\System32\drivers\etc with administrative privileges and add the below entries
8. Restart the DNS service from the Wamp server tools (right-click the Wamp server icon in the system tray)
After restarting DNS, select Restart All Services from the Wamp server system tray.
This is all that is required to start the Hackazon installation wizard. The first time you hit http://hackazon.lc, you will automatically be redirected to the installation wizard.
9. Final tinkering
If you just go with this setup and continue with the installation wizard, step 4 – the final step of the wizard – will give you an error message as below:
"Error 42S02: SQLSTATE[42S02]: Base table or view not found: 1146 Table 'hackazon.tbl_product_options_values' doesn't exist".
There is also a bug filed for it. [Bug #9 Database problem https://github.com/rapid7/hackazon/issues/9]
After a lot of digging, and executing the contents of the db.sql file at C:\home\hackazon\database manually in the phpMyAdmin SQL console, it turned out that the default value given for the timestamp data type is no longer accepted by MySQL unless you turn off zero-date validation for the query execution.
To fix, add the below line at the very top of the db.sql file in C:\home\hackazon\database and save the file.
Now, for one last time, Restart All Services from the Wamp server system tray.
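Why the wizard fails at step 4, shown as an added example rather than the post's own fix line (which is not reproduced on this page). The table name is constructed; the relaxed sql_mode value is my assumption of the narrowest change that lets such a dump load on MySQL 5.7.

```sql
-- Added example, not the post's fix line and not Hackazon's db.sql.
-- MySQL 5.7 enables STRICT_TRANS_TABLES, NO_ZERO_DATE and NO_ZERO_IN_DATE
-- by default, so a legacy zero timestamp default is rejected outright.
SELECT @@SESSION.sql_mode;   -- the mode in force before any change

-- Under the 5.7 defaults this fails with
-- ERROR 1067 (42000): Invalid default value for 'created_at'
-- (the interactive console shows the error and carries on). The table is
-- never created, which is why the wizard later reports 42S02
-- "Table ... doesn't exist" for every table defined this way.
CREATE TABLE demo_zero_date (
  id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  created_at TIMESTAMP NOT NULL DEFAULT '0000-00-00 00:00:00'
);

-- Workaround: the 5.7 default sql_mode minus the two zero-date checks,
-- set for this session only. A line like this at the top of db.sql applies
-- to the import session alone, not to the server or to the application's
-- own connections, so the rest of strict mode stays in place.
SET SESSION sql_mode = 'ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,'
  'ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION';

CREATE TABLE demo_zero_date (
  id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  created_at TIMESTAMP NOT NULL DEFAULT '0000-00-00 00:00:00'
);   -- succeeds now

-- Confirm the column kept the zero default, then clean up.
SHOW CREATE TABLE demo_zero_date;
DROP TABLE demo_zero_date;
```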
10. Navigating through the Hackazon installation wizard
Open a browser and hit http://hackazon.lc
You will be redirected to http://hackazon.lc/install
Provide the admin123! password, the one we typed in the MySQL console, and hit Next Step.
Provide the same password under the Password field, and hit Next Step
Leave the defaults, hit Next Step
Leave the defaults, hit Install
In a couple of seconds, you should be automatically redirected to http://hackazon.lc
Basically, that’s it. The Hackazon user guide has more information on how to use the vulnerability configuration and other things that are specific to the Hackazon application itself.
Just to do a walkthrough, hit http://hackazon.lc/admin and provide admin as the user name and the password we entered in the MySQL console, admin123!
Navigate to Vulnerability Config and choose account from the drop-down, or simply hit the URL – http://hackazon.lc/admin/vulnerability?context=account
You will see an error page as below:
To fix, click the Wamp server system tray icon - PHP - php.ini
Go to the very end of the php.ini file and comment out the zend_extension line by adding a semicolon (;) at the front.
Save the file. Restart All Services.
If you want to access http://hackazon.lc from another computer (let’s say ‘X’) on the same Local Area Network (LAN), open the drivers/etc/hosts file on computer X and add an entry pointing hackazon.lc to the IP address of the Wamp server.
For every computer on the LAN, modify its Windows hosts file to point hackazon.lc to the Wamp server’s IP address.
That’s how I set up hackazon and got it working. Do you have similar experiences?