Base LAMP Image Configuration - richnadeau/Secure-Web-Application-CTF-Nadeau-Notter GitHub Wiki

This a guide for how we set up our Base Ubuntu image before configuring exploits.

After first boot up, we will want to update the server using sudo apt update.

After that is done. We can install apache and make sure it starts on start up.

sudo apt install apache2

sudo systemctl start apache2

sudo systemctl enable apache2

Next, we will install the MySQL server part of the base image.

sudo apt install mysql-server

Then we have to do secure installation to set the root password.

sudo mysql_secure_installation

VALIDATE PASSWORD COMPONENT: No > Enter and Verify New Password for Root > Y to remove anonymous users > Y to disallow root login remotely > Y to remove test database > Y to reload privilege tables

Make sure you can log in using mysql -u root -p after you do this because sometimes it does not work completely.

If it does not work, follow these trouble shooting steps:

sudo mysql -u root

DROP USER 'root'@'localhost';

CREATE USER 'root'@'localhost' IDENTIFIED BY '';

GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION;

FLUSH PRIVILEGES;

exit

Now try and redo the mysql_secure_installation step like we did before and it will work now. Also don't forget to enable the mysql service

sudo systemctl enable mysql

Lastly, we will install php onto this base image.

sudo apt install php libapache2-mod-php php-mysql

Before logging out, make sure apache and and MySQL are actively running using systemctl status. You should expect results like the ones below.

Now, shutdown your Ubuntu instance using shutdown and return back to VCenter. We will now take the base snapshot of the machine once it is completely shutdown.

NOTE: Please remember to remove ISO file from the VM's virtual CD Drive before snapshotting to save space.

To do this go to the VM you were working on, right-click it, hover over snapshots, then Take Snapshot...

Name it "Base" or something similar, then take the snapshot.

Now when we are configuring this box, we will be able to have a reset point if we mess up the configuration in any way. For future boxes, we will have this snapshot as a starting point too so we don't have to go through this process whenever we want to test out configuring a new vulnerability.