Christina E. Percy · Follow
10 min read · May 11, 2020
--
WebGoat 8: A deliberately insecure Web Application
Warning:
“It is BAD practice to host this on your host machine, so these instructions will include a virtual box virtual machine, free to use any other type 2 hypervisor.”
I am using a Windows Machine for this installation.
If you have a MAC, then feel free to follow TheHackerish’s steps: https://www.youtube.com/watch?v=tr82HB8QAWo&t=602s
Prerequisites:
If you don’t have virtual box installed, here is the download link, download the installer for your machine’s OS:
Windows: https://download.virtualbox.org/virtualbox/6.1.6/VirtualBox-6.1.6-137129-Win.exe
Mac: https://download.virtualbox.org/virtualbox/6.1.6/VirtualBox-6.1.6-137129-OSX.dmg
Linux: https://www.virtualbox.org/wiki/Linux_Downloads
Once you have virtual box installed, you’re going to need a virtual machine, for this exercise we are going to use Debian. (you can use any flavor of Linux you want)
We are going to use the Debian 10.3.0 net installer, for a faster download, click the link below, SAVE your file: https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-10.3.0-amd64-netinst.iso
*A “network install” or “net installer” is a single CD that contains the minimum amount of software to start the installation and fetch the remaining packages over the Internet. *
- Click New
2. Name it whatever you want.
a. Choose Linux for type, and Oracle (64-bit), Hit NEXT.
3. Leave the DEFAULT memory size: 1024 (MB), hit NEXT
4. Leave the DEFAULT setting for Hard disk, hit Create.
5. Leave DEFAULT Storage on physical hard disk, hit NEXT
6. Leave DEFAULT File Location and Size 12.00 (GB), Hit CREATE
7. Once your virtual machine has been created, we need to add the ISO that you downloaded earlier in the steps:
8. Once you see your settings, hit STORAGE
9. After you are brought to the Storage window, you’re going to want to click on the CD disk symbol:
10. Once the CD window pops up, you’re going to want to click on Add, which is the CD with the plus sign:
11. Once your file explorer window pops up, find and click on the Debian ISO file and click Open:
12. You should see the ISO under Controller: IDE, you can delete the empty one by right clicking and hitting remove, then click the OK button:
13. Click on Start to start up your virtual machine
14. Then once your screen pops up, if it doesn’t automatically pop up, you can hit SHOW which is in the same place as Start.
15. Click into your window and use your arrow keys and the enter key to select Install.
- Remember, your right ctrl key is how you exit your cursor outside of your VM
16. A language window is going to pop up on the screen, hit enter on English (choose any language that you can read and understand to your liking, for this exercise we shall stick with English)
17. Choose the country you are in and hit Enter:
18. Hit Enter on American English (Again choose any language you can read and understand to your liking :)
19. Wait for the load bars to finish up all the way:
20. Using your Tab key, hit continue as we will keep the default hostname:
21. You DON’T need a domain name, so tab, enter <Continue> again.
22. Come up with a ROOT password, and make sure you can remember the password:
a. Using your tab button, hit <Continue> with enter:
23. Re-enter your password, make sure they match, and using your tab button, hit <Continue> with the enter key.
24. Enter your name for the new user, and using tab hit <Continue>, and hit enter.
25. Enter a username for your account, using tab again, hit <Continue> with Enter
26. You’re going to have to create a regular password and verify it as well.
27. Enter in your time zone and hit <Continue> with your tab and enter key:
28. Keep Default for Partition Disks (Guided — use entire disk), hit your enter key
29. Hit Enter for the default settings:
30. Hit Enter key for default:
31. Hit Enter key for Finishing up your partition:
32.Using your tab key, hit enter on <Yes>
33. Wait for the Install to Finish:
34. Hit default on <No> using your enter key to continue.
35. Using tab, find your country and hit your Enter key:
36. Hit your Enter key on the default selection for “Configure the package manager”
37. Hit Enter for <Continue> on Default HTTP Proxy information (blank for none):
38. Wait for the configuration to finish:
39. Hit your enter key on <No>
40. For Software Selection, using your space key uncheck the default. Using your space key only tick SSH server and standard system utilities. Using your tab key and enter key hit <Continue>:
41. Install the GRUB boot loader on a hard disk:
42. For “Install the GRUB boot loader on a hard disk” using the arrow keys on your keyboard and enter for /dev/sda:
43. Congratulations, you have finished your installation, hit enter on <Continue>:
44. It will take a minute to load all the way, don’t worry about it. Once it has completed, you should see a CLI screen like this, press enter and enter your login information that we set up before:
45. The first thing we need to do is configure your VM’s settings to be able to access it. If you use “ip a” in your CLI, you should see a 10.x.x.x.x in your second interface “inet”
46. We must configure the network as “Bridged Adapter” located in Network tab in your settings. if you click the “Attached to:” drop down:
47. So, once we config the bridged adapter is set 45, when you type in “ip a” and run that command we should see a new ip in your second interface. We are going to use this IP to connect to this machine:
48. Open a command prompt on your host machine:
a. Commands: ssh <username>@<vm ip address>
a. Yes (for ECDSA key fingerprint)
b. Enter your password for the vm user account.
49. Congratulations, you’ve successfully connected your machine! Get a cup of coffee, take a quick break and when you come back you will be using WebGoat with JAR. Woo!
50. So, we are going back to your virtual machine, we are going to become root in order to download the JDK version 11:
51. Just to make sure we have connection to the internet, ping 8.8.8.8 (google.com)
52. Once we have established a connection, go ahead and download the jdk needed using this command:
wget https://download.java.net/java/ga/jdk11/openjdk-11_linux-x64_bin.tar.gz
53. The next steps while in ROOT include these commands, you must make a directory and unzip that archive within that directory:
a. Mkdir /usr/lib/jvm
b. Tar xzvf openjdk-11_linux-x64_bin.tar.gz — directory /usr/lib/jvm
54. Next we are going to link our extracted java binary; this command is basically saying have this folder (usr/bin/java) point to our binary. Then we are verifying that Java is downloaded:
a. Command: ln -s /usr/lib/jvm/jdk-11/bin/java /usr/bin/java
b. Command: java — version
55. After we have verified that , we are going to remove the archive from our current directory and exiting root and going back to our regular user.
a. Commands: ls
b. Command: rm openjdk-11_linux-x64_bin.tar.gz
c. Command: exit
56. Yay, now we have Java installed. So now we can go back to our host machine and access the GitHub repository for webgoat:https://github.com/WebGoat/WebGoat/releases
57. You are going to copy the link address for the most recent release, for the current publish of this document: v8.0.0.M26:
58. On your HOST machine, open a cmd and if you have to, reconnect to your vm using:
a. Command: ssh <username>@<ip address for vm>
59. Once you are connected to your vm from the cmd on your HOST machine, use this command to get the web goat archive:
a. Command: wget https://github.com/WebGoat/WebGoat/releases/download/v8.0.0.M26/webgoat-server-8.0.0.M26.jar
60. We are going to do the same thing for webwolf-8.0.0.M26.jar, copy the link address to this one below:
61. Now all we have to do is run our two web applications by default.
a. By default, webgoat listens on just localhost and we need our webgoat to listen on all interfaces:
a. Commands: java -jar webgoat-server-8.0.0.M26.jar — server.address=0.0.0.0
62. So, when that runs, what you are looking for, is this here:
63. Once you see the Started StartWebGoat, you can go to your internet browser on your HOST machine:
a. Type in your IP from your virtual machine’s second interface, then use 8080/WebGoat like the below screenshot:
64. Yay, now we have you web code instance running on your VM. We can do the same thing with WebWolf.
65. The way we can do that is opening up a second new cmd tab on your HOST machine and ssh into your virtual machine like before and run the same command:
a. Command java -jar webwolf-8.0.0.M26.jar — server.address=0.0.0.0
b. To access webwolf on your web browser, you need to use your IP address for the virtual machine, and the default web port which is 9090:
a. <localhost>:9090/WebWolf
66. So yay, congratulations you have both webgoat and webwolf up and running.
You MUST sign up on WebGoat to create your login and you can use the same login for WebWolf as well.
Here is the OWASP website that has really fun assignments you can try using webgoat and webwolf: https://owasp.org/www-project-webgoat/
