Fading Coder

One Final Commit for the Last Sprint


Pikachu Vulnerable Web Platform Setup Guide and Brute-force Vulnerability Walkthrough


Installation and Deployment

Pikachu is an intentionally vulnerable web application designed for practicing common web security exploitation techniques, built with PHP and MySQL. A LAMP or LEMP stack is a prerequisite to host this platform.

1. Acquire Source Files

Download and extract the source archive directly into your web server’s public directory. For Linux-based systems running Apache, the typical path is /var/www/html:

cd /var/www/html
curl -L -o pikachu_source.zip https://github.com/zhuifengshaonianhanlu/pikachu/archive/refs/heads/master.zip
unzip -q pikachu_source.zip
mv pikachu-master secure-lab-pikachu
chown -R apache:apache secure-lab-pikachu  # Adjust web user/group as needed (e.g., www-data on Debian/Ubuntu)

2. Configure Database Credentials

Open the configuration file located at /var/www/html/secure-lab-pikachu/inc/config.inc.php and update the database username, password, and host to match your local/remote MySQL instance:

<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'your_secure_mysql_password');
define('DBNAME', 'pikachu');
define('DBCHARSET', 'utf8mb4');
?>

3. Perform Initialization

Navigate to http://your-server-ip/secure-lab-pikachu in a browser. A red banner will prompt you to initialize the database; click it to automatically set up tables and populate test data.

If a blank screen appears instead of the initialization prompt, install the missing PHP MySQLi extension:

dnf install php-mysqli  # For RHEL/CentOS Stream
# apt install php-mysqli  # For Debian/Ubuntu
# Restart your web server afterward

Brute-force Vulnerability Exercises

Brute-force attacks involve iterating through large credential sets to guess valid authentication details, often automated with dictionary tools. A system is considered vulnerable to brute-force if it lacks robust safeguards, such as: strict password complexity rules, time-limited secure CAPTCHA/OTP, login attempt throttling/account locking, or multi-factor authentication.

1. Form-Based Brute-force

  1. Use an HTTP interception tool like Burp Suite to capture a failed login POST request, then forward it to the Intruder module.
  2. Configure the attack type as Pitchfork and set the username and password fields as payload positions.
  3. Load a username list into Payload Set 1 and a password list into Payload Set 2.
  4. Run the attack and sort results by response length or status code to identify successful login attempts (valid credentials will produce a distinct response).
  5. Verify identified credentials by logging in manually.
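The signal the tester sorts on in step 4 (one response whose size differs from the many identical failures) is also the defender's signal, together with the request rate. The script below is an added example written for this article, not code from Pikachu or its author: it parses Apache-style access-log lines, flags source IPs that burst login POSTs inside a sliding window, and picks out the odd-sized response. The endpoint path, the log lines and the thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical login endpoint path, constructed for this example (not a path taken from Pikachu).
LOGIN_PATH = "/secure-lab-pikachu/login.php"

# Apache "combined" access-log line: client IP, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def login_posts(lines):
    """Yield only the parsed POST requests to the login endpoint."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            yield rec


def burst_sources(lines, window_seconds=60, threshold=5):
    """Return {ip: peak} for every source IP that sent at least `threshold`
    login POSTs inside any sliding window of `window_seconds`."""
    stamps_by_ip = defaultdict(list)
    for rec in login_posts(lines):
        stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # Advance the window start until the span fits inside window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def size_outliers(lines):
    """Return login POSTs whose response size differs from the most common one.
    During a brute-force run the failures all share one size, so the odd one
    out is usually the attempt that succeeded (the same signal step 4 sorts on)."""
    recs = list(login_posts(lines))
    if not recs:
        return []
    common_size = Counter(r["size"] for r in recs).most_common(1)[0][0]
    return [r for r in recs if r["size"] != common_size]


# Constructed sample log: one source hits the login form eight times in seven
# seconds (the last response has a different size); a second client logs in once.
SAMPLE_LOG = [
    f'10.0.0.5 - - [12/May/2024:09:10:{sec:02d} +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 1512 "-" "Mozilla/5.0"'
    for sec in range(1, 8)
] + [
    f'10.0.0.5 - - [12/May/2024:09:10:08 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 1987 "-" "Mozilla/5.0"',
    f'192.168.1.20 - - [12/May/2024:09:15:30 +0000] "GET {LOGIN_PATH} HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    f'192.168.1.20 - - [12/May/2024:09:15:44 +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 1512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, peak in burst_sources(SAMPLE_LOG).items():
        print(f"burst: {ip} sent {peak} login POSTs inside 60s")
    for rec in size_outliers(SAMPLE_LOG):
        print(f"odd response: {rec['ip']} at {rec['ts'].isoformat()} size={rec['size']}")
```

Run against a real access log with `burst_sources(open("access.log"))`; the threshold and window should be tuned to the site's normal traffic, and a burst from one IP paired with a single odd-sized response is the pattern worth alerting on.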

2. Server-Side CAPTCHA Reuse

This variant uses a CAPTCHA that remains valid indefinitely without regeneration.

  1. Submit random credentials along with a valid CAPTCHA, capture the POST request, and test reusing the same CAPTCHA multiple times with different credentials to confirm it does not expire.
  2. Send the request to Intruder, select Pitchfork attack type, set username and password as payload positions, leaving the CAPTCHA value fixed.
  3. Execute the attack and analyze results to find valid logins.

3. Client-Side CAPTCHA Validation

Here, CAPTCHA verification happens entirely in the browser, making it easy to bypass.

  1. Submit invalid credentials with a wrong CAPTCHA; if an error alert appears immediately without a server round-trip, client-side validation is active.
  2. Choose one of three bypass methods:
    • DOM Manipulation: Open browser DevTools, locate and delete the CAPTCHA input and validation script elements, then perform a brute-force attack.
    • Disable JavaScript: Turn off JavaScript in your browser settings, then proceed with a brute-force attempt.
    • Omit CAPTCHA Field: Use Burp Suite to remove the CAPTCHA parameter entirely from the intercepted POST request before sending it to Intruder with Pitchfork setup.
  3. For example, with the DOM manipulation method: delete the CAPTCHA controls, then run the brute-force attack as in the form-based exercise to recover valid credentials.
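Exercises 2 and 3 fail for the same reason: the CAPTCHA is either never invalidated on the server or only checked in the browser, and nothing throttles repeated failures. The Python model below is an added example, not Pikachu's PHP code, and shows the server-side logic that closes both gaps: a single-use, time-limited CAPTCHA compared against the session value even when the form field is omitted, plus a per-account lockout counter (the safeguards listed in the introduction). The function names, the `USERS` table and the time values are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

CAPTCHA_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O/1/I look-alikes


def generate_captcha(session, now=None):
    """Store a fresh CAPTCHA answer and its issue time in the server-side session
    and return the answer so the caller can render it as an image."""
    code = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(5))
    session["captcha"] = code
    session["captcha_issued"] = time.time() if now is None else now
    return code


def check_captcha_vulnerable(session, submitted):
    """The flaw behind exercise 2: the stored answer is compared but never
    cleared or aged, so one captured answer keeps working for every request."""
    return session.get("captcha") == submitted


def check_captcha_hardened(session, submitted, ttl=120, now=None):
    """Server-side, single-use, time-limited check. The answer is removed from the
    session before comparing, so it cannot be replayed; a missing field fails
    (there is no client-side-only check to strip); stale answers expire."""
    now = time.time() if now is None else now
    expected = session.pop("captcha", None)
    issued = session.pop("captcha_issued", None)
    if expected is None or issued is None or submitted is None:
        return False
    if now - issued > ttl:
        return False
    return hmac.compare_digest(expected.encode(), submitted.upper().encode())


class LoginGuard:
    """Per-account failure counter with a temporary lockout: the 'login attempt
    throttling/account locking' safeguard from the introduction."""

    def __init__(self, max_failures=5, lock_seconds=300):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}  # username -> (consecutive failures, time of last failure)

    def is_locked(self, username, now):
        count, last = self.failures.get(username, (0, 0.0))
        return count >= self.max_failures and now - last < self.lock_seconds

    def record(self, username, success, now):
        # A success clears the counter; a failure after an expired lock re-locks immediately.
        if success:
            self.failures.pop(username, None)
        else:
            count, _ = self.failures.get(username, (0, 0.0))
            self.failures[username] = (count + 1, now)


def _hash_password(password):
    # Constructed for the example; a real application should use a slow,
    # salted password hash (bcrypt/argon2), not plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed test account; not Pikachu's own data.
USERS = {"admin": _hash_password("Correct-Horse-7")}


def attempt_login(session, guard, users, username, password, captcha, now=None):
    """Full server-side decision for one login POST. Returns one of
    'locked', 'bad_captcha', 'bad_credentials', 'ok'."""
    now = time.time() if now is None else now
    if guard.is_locked(username, now):
        return "locked"
    if not check_captcha_hardened(session, captcha, now=now):
        guard.record(username, False, now)
        return "bad_captcha"
    stored = users.get(username)
    ok = stored is not None and hmac.compare_digest(stored, _hash_password(password))
    guard.record(username, ok, now)
    return "ok" if ok else "bad_credentials"


if __name__ == "__main__":
    session, guard = {}, LoginGuard(max_failures=3)
    code = generate_captcha(session)
    print(attempt_login(session, guard, USERS, "admin", "guess", code))  # bad_credentials
    print(attempt_login(session, guard, USERS, "admin", "guess", code))  # bad_captcha: already consumed
```

The order of checks matters: the lockout is evaluated before the CAPTCHA and the credentials, so a locked account costs the attacker nothing to learn from, and a CAPTCHA answer is consumed on every attempt, right or wrong, which is what makes replaying a captured value (exercise 2) and stripping the field (exercise 3) both fail.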
