Wednesday, April 3, 2013

HomeLab Headaches Ep.7

For a few days I've been fighting with setting up WebGoat; this is how it went down.

Day 1: (Sometime last week, prolly Monday because the wife-unit00 and I spent the rest of the week cleaning the apartment because my parental-units were visiting) - Server setup

Setting up server number 2 for web app pentesting. For the OS I decided to just stick with CentOS. I installed the WebServer option with Desktop, which means I checked off WebServer and then customized it by adding everything in the desktop option minus the KDE desktop, since I prefer the GNOME desktop.

Downloaded everything that I needed for WebGoat, which at first seems a bit trivial, but I found the SourceForge that had the WebGoat stuff.  Downloaded it.

I've never messed around with web servers and know absolutely nothing about them so this is completely new to me.

Next I downloaded Java, which was a bit painful to find. Downloaded and installed Java1.5_11.

I followed the instructions on WebGoat's website to edit the .sh file:
Change "1.5" on lines 17, 19, and 23 of webgoat.sh to "1.6".

After editing the webgoat.sh I ran sh webgoat.sh start8080 and got this error:
Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6

So I thought maybe I don't have Apache installed even though I chose the "WebServer" install option.  I then learned that there are different flavors of Apache and I needed Apache Tomcat.  So here we go.

I downloaded Tomcat Apache and installed it, to the best of my knowledge.  I rebooted, for the sake of rebooting.


Once again I ran sh webgoat.sh start8080, and again I got the error:
Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6

I then looked into setting the "JAVA_HOME" and found this Cyberciti.biz post. I set my JAVA_HOME:

export JAVA_HOME=/usr/java/jdk1.5.0_11/

export PATH=$PATH:/usr/java/jdk1.5.0_011/bin

Once again I ran sh webgoat.sh start8080, and again I got the error:
Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6


I shut down and called it a day... night.

Day 2: (4/2) I said, let's try from the beginning again.  I noticed that I had installed jdk1.5.0_11 instead of a version 6.  This was probably due to tiredness and close-to-midnight hours lol, whatever the reason may have been.
First things first, remove the old Java. I used:

rm -r -f /usr/java/jdk1.5.0_11


Downloaded jdk6 (jdk1.6.0_20) and installed it following this post from Stack Overflow, which covered the install for both the JDK and Tomcat. COOL COOL.  I thought I had it figured out and was on my way to getting my WebGoat on... yea ok, that was quickly shut down by another "Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6".
NOTE: I didn't follow the Stack Overflow post to the letter.  I installed Java just by running the rpm.bin.  Mostly followed it for the variable sets: JAVA_HOME, PATH, CLASSPATH, etc.


export JAVA_HOME=/usr/java/jdk1.6.0_20
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/jre/lib:$JAVA_HOME/lib:$JAVA_HOME/lib/tools.jar

export TOMCAT_HOME=/usr/local/tomcat
export CATALINA_HOME=/usr/local/tomcat
export CLASSPATH=$CLASSPATH:$CATALINA_HOME/common/lib


I then remembered that the WebGoat install page mentioned that version 5 didn't need Tomcat or Java installed.  So I tried pointing the JAVA_HOME to the java folder in the WebGoat 5.2 folder, no luck.  Made no difference.

I started googling for answers or to see if anyone else had this same problem.  Some did. I saw a post about someone having the same problem in Ubuntu, but it was fixed by installing Java... that didn't help. I was clueless but not THAT clueless.  I then came across WebGoat's GoogleCode page that had a newer version, version 5.4.  Looked in the README-5.4 and it mentioned that Java and Maven needed to be installed separately. Well Maven was just another Apache flavor and to my luck I had already installed Java1.6 and Tomcat.  I downloaded the Webgoat5.4 zip and extracted it.  In "Option 4: Run from the WebGoat 5.X Standard distribution (Ubuntu)" all it said was run "./webgoat.sh start8080".  I did and I got a "Permission denied".  WTF?!?!? Permission denied?  I'm fucking root.  I then remembered I had seen somewhere else someone mention chmod +x on the webgoat.sh file, and I ran the chmod +x:

chmod +x webgoat.sh

Once again I ran ./webgoat.sh start8080 and now I got the same error message that I've been getting, the dreaded "Please set JAVA_HOME to a Java 1.6 JDK install or JVM Is not 1.6".

At this point I'm steaming and frustrated.  Once again I go back to Google, but this time I come across my light at the end of the tunnel: carnal0wnage.attackresearch.com had an old post about the same problem.  So I followed their instructions and removed the Java check shit from the beginning of the webgoat.sh.

Below is a copyPasta of my webgoat.sh file.  If anyone from WebGoat wants me to take this down just email me.  I don't know if this is ok or not but just email me and I'll take it down, otherwise it's here for my historical reference and to help others.


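#!/bin/sh

SYSTEM=`uname -s`
# Use the Tomcat bundled in the WebGoat folder (run this from that folder).
CATALINA_HOME=./tomcat
PATH=${PATH}:./tomcat/bin
export CATALINA_HOME PATH
# JAVA_HOME is set directly here; the Java version check was removed.
export JAVA_HOME=/usr/java/jdk1.6.0_20
# Make sure the bundled Tomcat scripts are executable.
chmod +x "$CATALINA_HOME"/bin/*.sh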


case "$1" in
    start80)
        cp -f $CATALINA_HOME/conf/server_80.xml $CATALINA_HOME/conf/server.xml
        $CATALINA_HOME/bin/startup.sh
        printf "\n  Open http://127.0.0.1/WebGoat/attack"
        printf "\n  Username: guest"
        printf "\n  Password: guest"
        printf "\n  Or try http://guest:guest@127.0.0.1/WebGoat/attack \n\n\r"
        sleep 2
        tail -f $CATALINA_HOME/logs/catalina.out
    ;;
    start8080)
        cp -f $CATALINA_HOME/conf/server_8080.xml $CATALINA_HOME/conf/server.xml
        $CATALINA_HOME/bin/startup.sh
        printf "\n  Open http://127.0.0.1:8080/WebGoat/attack"
        printf "\n  Username: guest"
        printf "\n  Password: guest"
        printf "\n  Or try http://guest:guest@127.0.0.1:8080/WebGoat/attack \n\n\r"
        sleep 2
        tail -f $CATALINA_HOME/logs/catalina.out
    ;;
    stop)
        $CATALINA_HOME/bin/shutdown.sh
    ;;
    *)
        echo "Usage: $0 {start8080|start80|stop}"
        exit 1
    ;;
esac
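
Rather than deleting the check, it helps to see which condition is failing: JAVA_HOME unset, JAVA_HOME pointing at a directory with no bin/java, or a JVM of the wrong version. The following is an added example, not code from this post or from WebGoat; check_java_home, java_home_version and make_stub_jdk are hypothetical helpers, and the JDK directories are constructed stubs so it runs without Java installed.

```sh
#!/bin/sh
# Added example (not part of webgoat.sh): report why a JAVA_HOME check fails.

# Print the version the JVM under directory $1 reports, e.g. "1.6.0_20".
# `java -version` writes its banner to stderr, hence 2>&1.
java_home_version() {
    "$1/bin/java" -version 2>&1 |
        sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# check_java_home <wanted-prefix>   (hypothetical helper)
# Returns 0 ok, 1 JAVA_HOME unset, 2 no bin/java there, 3 wrong version.
check_java_home() {
    want=$1
    if [ -z "${JAVA_HOME:-}" ]; then
        echo "JAVA_HOME is not set in this shell"; return 1
    fi
    if [ ! -x "$JAVA_HOME/bin/java" ]; then
        echo "no executable $JAVA_HOME/bin/java (path typo?)"; return 2
    fi
    have=$(java_home_version "$JAVA_HOME")
    case "$have" in
        "$want"|"$want".*) echo "OK: $JAVA_HOME is Java $have"; return 0 ;;
        *) echo "$JAVA_HOME is Java '$have', wanted $want"; return 3 ;;
    esac
}

# Constructed stand-in for a JDK so this runs without Java installed:
# a stub bin/java that prints a version banner on stderr.
make_stub_jdk() {   # make_stub_jdk <dir> <version>
    mkdir -p "$1/bin"
    printf '#!/bin/sh\necho '\''java version "%s"'\'' >&2\n' "$2" > "$1/bin/java"
    chmod +x "$1/bin/java"
}

# Demo on constructed directories; the first path is deliberately mistyped.
demo_dir=$(mktemp -d)
make_stub_jdk "$demo_dir/jdk1.5.0_11" "1.5.0_11"
make_stub_jdk "$demo_dir/jdk1.6.0_20" "1.6.0_20"
for JAVA_HOME in "$demo_dir/jdk1.5.0_011" "$demo_dir/jdk1.5.0_11" \
                 "$demo_dir/jdk1.6.0_20"; do
    check_java_home 1.6 || true
done
rm -rf "$demo_dir"
```

On a real box, run check_java_home 1.6 in the same shell (and as the same user) that launches webgoat.sh, since an export made in another terminal or login session is not visible there.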
