bee-box is a custom Linux VMware virtual machine pre-installed with bWAPP, our extremely buggy web application.
bee-box gives you several ways to hack and deface the bWAPP website. It's even possible to hack the bee-box to get full root access...
With bee-box you have the opportunity to explore all bWAPP vulnerabilities! Hacking, defacing and exploiting without going to jail... how cool is that? :)
You can download bee-box from here. Have fun!
bWAPP includes:
- Injection vulnerabilities like SQL, XML/XPath, LDAP, HTML, Server-Side Includes, Command and SMTP injection
- Cross-Site Scripting (XSS), Cross-Site Tracing (XST) and Cross-Site Request Forgery (CSRF)
- AJAX and Web Services issues (JSON/XML/SOAP)
- PHP CGI remote code execution
- Malicious, unrestricted file uploads
- Authentication, authorization and session management issues
- Arbitrary file access and directory traversals
- Local and remote file inclusions (LFI/RFI)
- Configuration issues: Man-in-the-Middle, Cross-domain policy file, information disclosures,...
- HTTP parameter pollution and HTTP response splitting
- Denial-of-Service (DoS) attacks
- HTML5 ClickJacking, Cross-origin resource sharing (CORS) and web storage issues
- Unvalidated redirects and forwards
- Parameter tampering, HTTP verb tampering and cookie poisoning
- Insecure WebDAV and FTP
- Backdoor files
- Insecure cryptographic storage
bWAPP is a PHP application that uses a MySQL database.
It can be hosted on Linux and Windows using Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP.
This project is part of the ITSEC GAMES project.
You can find more about bWAPP on this blog very soon.
We will cover the installation procedure and most of the web application issues/bugs.
These are the requirements for installing bee-box:
- Windows, Linux or Mac OS
- VMware Player, Workstation or Fusion
An overview of the installation steps:
- Extract the 'rar' file.
- Double click on the VM configuration file (bee-box.vmx), or import the VM into the VMware software.
- Start the VM. It will login automatically.
- Check the IP address of the VM.
- Go to the bWAPP login page. If you browse the bWAPP root directory you will be redirected.
example: http://[IP]/bWAPP/
example: http://[IP]/bWAPP/login.php
- Login with the default bWAPP credentials, or make a new user.
default credentials: bee/bug
- You are ready to explore and exploit the bee!
Some additional notes:
- Linux credentials:
bee/bug - root/bug
- MySQL credentials:
root/bug
- Modify the Postfix settings (relayhost,...) to your environment.
config file: /etc/postfix/main.cf
- Take a snapshot of the VM before hacking the bee-box.
There is also a backup of the bWAPP website (/var/www/bWAPP_BAK).
- To reinstall the bWAPP database, delete the database with phpmyadmin (http://[IP]/phpmyadmin/).
Afterwards, browse to the following page: https://[IP]/bWAPP/install.php
- Don't upgrade the Linux operating system, you will lose all the fun :)
- Check out SecurityTube (www.securitytube.net) for some amazing hacking videos.
Thanks Vivek!
We also offer a 2-day comprehensive web security course 'Attacking & Defending Web Apps with bWAPP'. This course can be scheduled on demand, at your location!
This project is part of the ITSEC Games project. ITSEC Games are a fun approach to IT security education. IT security, ethical hacking, training and fun... all mixed together.
You can find more about the ITSEC Games and bWAPP projects on our blog.
Enjoy!
(Size: 1.3G)
- Download: http://sourceforge.net/projects/bwapp/files/bee-box/bee-box_v1.0.rar/download
- Download (Torrent): http://download.vulnhub.com/beebox/bee-box_v1.0.rar.torrent
- Filename: bee-box_v1.0.rar
- File size: 1.3G
- MD5: E93740BA4698DBD43213DF133B4F30D4
- SHA1: 9C1C9A8AFD8120A8403D2C5D5A00E748D816C5AC
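As an added example (not code from the original page or from the bWAPP project), the following POSIX shell script does two of the checks a practitioner would want around the steps above: it compares the downloaded archive against the MD5 and SHA1 listed here before the VM is imported, and once the VM is running it confirms that the bWAPP root answers with a redirect to login.php, as the installation notes describe. The IP address 192.168.56.101 in the usage comment is a placeholder; use the address your VM actually received.

```shell
#!/bin/sh
# Added example, not part of the bee-box/bWAPP distribution.
# Checks the downloaded archive against published hashes and confirms
# that a booted bee-box serves the bWAPP login redirect.

# verify_download FILE EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 only if both digests match (comparison is case-insensitive,
# since the download listing prints the hashes in upper case).
verify_download() {
  file="$1"; want_md5="$2"; want_sha1="$3"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
  got_md5=$(md5sum "$file" | cut -d' ' -f1)
  got_sha1=$(sha1sum "$file" | cut -d' ' -f1)
  want_md5=$(printf '%s' "$want_md5" | tr '[:upper:]' '[:lower:]')
  want_sha1=$(printf '%s' "$want_sha1" | tr '[:upper:]' '[:lower:]')
  if [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]; then
    echo "OK: $file matches the published checksums"
    return 0
  fi
  echo "MISMATCH: $file has md5 $got_md5 / sha1 $got_sha1" >&2
  return 1
}

# check_bwapp IP
# Prints the HTTP status and redirect target for http://IP/bWAPP/ and
# returns 0 only if the redirect points at login.php.
check_bwapp() {
  ip="$1"
  out=$(curl -s -o /dev/null -m 5 -w '%{http_code} %{redirect_url}' "http://$ip/bWAPP/") || return 1
  echo "$out"
  case "$out" in
    *login.php*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (archive in the current directory; 192.168.56.101 is a placeholder IP):
#   verify_download bee-box_v1.0.rar \
#     E93740BA4698DBD43213DF133B4F30D4 9C1C9A8AFD8120A8403D2C5D5A00E748D816C5AC
#   check_bwapp 192.168.56.101
```

Run the checksum step before extracting the rar; a mismatch means the archive should be downloaded again, not imported. The reachability check is a convenience for step 5 and 6 of the install list: it fails cleanly when the VM is not up yet, and succeeds only when the root directory redirects to the login page.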