Get your own WordPress server for penetration testing

Getting WordPress in a virtual machine
Here, I will talk about how to quickly get WordPress running in a virtual machine. I will use VirtualBox. Note that this is valid for other CMS. You can download a virtual machine with WordPress fully integrated here, on the bitnami website, that provides a lot of material and solutions to make your life easier. After downloading it, check the checksum value of the file you just dowloaded, and compare it to that given on the website. You can then open the file with VirtualBox. Follow the instruction and import the new appliance. And that’s it, you have your web server with Worpress on it ready.

If you are a web pentester enthusiast, you probably already know some plateforms where you can test your skills (OverTheWire, vulnhub, hackthisite, etc.). However, sometimes, you might be targeting a specific web application. This application might have a captcha (or not) or have non standard settings. In such case, you would probably need a dummy app, that you can set as you wish, and on which you can test your tools or fine tune your scripts. One solution would be to install a web server, and then replicate the app you want to attack. Starting from scratch can be a hassle, especially if you want to test different web frameworks or different content management systems (CMS), such as Worpress, Joomla, etc. One of the solutions is to get a virtual machine with everything already implemented, for you, in it. Luckily, such solutions already exist. (more…)

Brute force JSON web token with python

JSON web token (JWT) is a standard defined for the use of secure transmission of information (https://jwt.io/introduction) between parties, using a JSON object. The information transmitted can be trusted since it is digitally signed by the server with a hashing algorithm and a key. JWT is signed using the HMAC algorithm together with a password or a public/private key using RSA. It is used when creating a session, for example, of a client on a web server. (more…)

Basic reverse engineering at Over The Wire

Today I was getting back to do some CTF on the platform Over The Wire. You can find there a lot of pentesting challenges. Either you are interested in web pentesting, linux server, cryptography, you can take a look there and see if they have what fits you. (more…)