So I am using a TryHackMe room to complete DVWA, which has been on my list since I started but I never completed it.
Let’s start with the low security level.
So we have a login page, and as we know it isn’t secured, we can brute-force it.
I am using Burp Intruder and fasttrack.txt.
And here we got the password.
The web page has a prompt which says we can ping an IP. So we can guess that the background code is “ping ” with our input appended, and that we are running on Linux.
Okay, got the injection working.
A simple LFI: by changing the ?page= parameter we can get any file on the system without restrictions.
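Both of the low-level bugs above (the ping form and the ?page= include) come from passing user input straight into a shell command or a file path. As an added example that is not DVWA's own code, here is what a hardened back end for those two handlers looks like in Python; the allow-list of page names and the document root are constructed assumptions.

```python
import ipaddress
import os
import subprocess

# Constructed allow-list of includable pages and an assumed document root
# for the ?page= handler (hypothetical values, not DVWA's real layout).
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}
PAGE_ROOT = "/var/www/html/vulnerabilities/fi/"


def validate_ping_target(raw):
    """Return the target as a canonical IPv4/IPv6 string, or None if it is
    anything other than a bare IP address (so shell metacharacters, spaces
    and option-looking strings are all rejected before reaching ping)."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def build_ping_argv(raw):
    """Build the argument vector for ping from a validated IP only.
    The command is a list, never a concatenated string, so nothing in the
    input is ever interpreted by a shell."""
    ip = validate_ping_target(raw)
    if ip is None:
        raise ValueError("refusing non-IP ping target")
    return ["ping", "-c", "4", ip]


def run_ping(raw):
    """Execute the hardened ping (shell=False) and return its stdout."""
    result = subprocess.run(build_ping_argv(raw), capture_output=True,
                            text=True, timeout=15, check=False)
    return result.stdout


def resolve_page(page):
    """Map a ?page= value to a file under PAGE_ROOT only if it names one of
    the allow-listed pages exactly; any path separators or traversal make
    basename() differ from the input and the request is refused."""
    name = os.path.basename(page)
    if name != page or name not in ALLOWED_PAGES:
        return None
    return os.path.join(PAGE_ROOT, name)
```

The hardened handlers fail closed: a request is either a plain IP or an allow-listed page name, or it is rejected outright rather than sanitised.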
To be continued….