In this series of posts I will detail my personal solutions to the Damn Vulnerable Web Application challenges.
In this particular post I will explain how I start the vulnerable application with Docker.
The reCAPTCHA challenge requires a reCAPTCHA key. We can get one for free from Google if we have a Google account. Simply follow the steps from the official Google page. A good tutorial is also given here.
The domain will be localhost as DVWA will be run on your machine.
First of all, we need Docker installed for our setup to work properly.
We can follow the official documentation to install it on Ubuntu.
Once Docker is installed and working, we need to retrieve the source code used to create our DVWA image.
We clone opsxcq's repository with the following command :
git clone https://github.com/opsxcq/docker-vulnerable-dvwa.git
We modify the Dockerfile to add the line COPY php.ini /etc/php/7.0/apache2/php.ini.
COPY php.ini /etc/php5/apache2/php.ini
COPY php.ini /etc/php/7.0/apache2/php.ini
COPY dvwa /var/www/html
We then modify the file config.inc.php to add our Google reCAPTCHA keys generated previously.
## ReCAPTCHA settings
## Used for the 'Insecure CAPTCHA' module
## You'll need to generate your own keys at: https://www.google.com/recaptcha/admin/create
$_DVWA[ 'recaptcha_public_key' ] = 'example_public_key';
$_DVWA[ 'recaptcha_private_key' ] = 'example_private_key';
Now that our key is configured, we can create our Docker image with the name dvwa:
cd docker-vulnerable-dvwa
docker build -t dvwa .
To start DVWA we use the command :
docker run --rm -it -d -p 80:80 dvwa
f948a51fc0a758c6104bc4e1f8fa2dc1a0a0be25a30badb1075ac742c3b2ed33
Docker will give the newly created container an id used to reference the container when using commands such as
We used the option --rm when starting the container. Because of this, the container will automatically be removed when stopped.
We can access the vulnerable application through the following URL : http://localhost.
The id and password are
We click on Create / Reset Database to initialize the database. You can safely ignore the warning about the allow_url_include misconfiguration; this is a bug.
We are then redirected to the login page, where we use the same credentials as before.
You can now use the left menu to access the challenges.
There are four levels of difficulty in DVWA :
Use the menu DVWA Security to set the levels of difficulty.
You are now set up and can try breaking the application.
To stop the container, get its id with docker ps :
docker ps
CONTAINER ID   IMAGE   COMMAND      CREATED          STATUS          PORTS                NAMES
f948a51fc0a7   dvwa    "/main.sh"   12 minutes ago   Up 12 minutes   0.0.0.0:80->80/tcp   goofy_feistel
You can then use docker stop f948 to stop the container.
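The PORTS column above reads 0.0.0.0:80->80/tcp, which means the deliberately vulnerable application listens on every network interface of the host, not only on localhost; publishing with -p 127.0.0.1:80:80 restricts it to loopback. The following check is an added example, not part of the original post or of the DVWA project: the function name exposed_bindings and the sample rows other than goofy_feistel are constructed for illustration.

```shell
#!/bin/sh
# Added example: list published container ports that are reachable from
# outside the host (anything not bound to a loopback address).

# Reads "name<TAB>ports" lines on stdin, the format produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints "name binding" for every published, non-loopback binding.
exposed_bindings() {
    awk -F '\t' '
    {
        n = split($2, ports, ", ")
        for (i = 1; i <= n; i++) {
            p = ports[i]
            if (p !~ /->/) continue                 # exposed in the image, not published
            if (p ~ /^127\./) continue              # IPv4 loopback
            if (p ~ /^(\[::1\]|::1):/) continue     # IPv6 loopback
            print $1, p                             # everything else is flagged
        }
    }'
}

# Constructed sample input. The first row mirrors the docker ps output in
# this post; the other two rows are made up for comparison.
sample_ps() {
    printf 'goofy_feistel\t0.0.0.0:80->80/tcp\n'
    printf 'dvwa_local\t127.0.0.1:8080->80/tcp\n'
    printf 'db_only\t3306/tcp\n'
}

# Offline demonstration on the sample rows.
sample_ps | exposed_bindings

# Against a running Docker daemon:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | exposed_bindings
```

An empty result means every published port is bound to loopback only.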