Vulnerable Web Application Lab
- Mutillidae – Vulnerable Web App (requires XAMPP)
- OWASP Broken Web Application (OWASPBWA)
Vulnerable Targets
- Metasploitable Lab
- Windows Lab
- Damn Vulnerable Linux (DVL)
- OWASP Web Testing Environment (WTE)
- OSCP lab
- megacorpone.com domain represents a fictitious company created by Offensive Security.
Metasploitable 2 Lab
Metasploitable 2 is an intentionally vulnerable Linux virtual machine.
https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
The default login and password is msfadmin:msfadmin
Never expose this VM to an untrusted network: attach it to a NAT or host-only network only (host-only if in doubt), so that nothing outside your lab can reach it.
Exploitation guide (with SPOILERS!):
Download the metasploitable-linux-2.0.0.zip file. It includes Mutillidae.
- In VirtualBox
- Create new VM, Name: Metasploitable2, OS: Linux, Version: Ubuntu (64-bit)
- Memory size: 1024 MB
- Use existing virtual hard disk file, select Metasploitable.vmdk
- In a web browser, go to http://<Metasploitable IP>/mutillidae
Fix for SQLmap (and for any Mutillidae page that errors out on the database)
ssh msfadmin@x.x.x.x (IP for Metasploitable)
[pass: msfadmin]
vi /var/www/mutillidae/config.inc
Make sure that $dbname = 'owasp10'; (the shipped file says 'metasploit', but the Mutillidae database on the VM is called owasp10, so queries fail until this is changed)
Mutillidae – Vulnerable Web App (requires XAMPP)
Vulnerable web application
#-------------------------------------------------------------------------------
# Download
#-------------------------------------------------------------------------------
https://sourceforge.net/projects/mutillidae
Click on Download
Alternatively, git is updated more frequently:
git clone git://git.code.sf.net/p/mutillidae/git mutillidae-git
#-------------------------------------------------------------------------------
# Install Mutillidae
#-------------------------------------------------------------------------------
Install XAMPP first. See XAMPP documentation.
Extract downloaded file.
Copy the mutillidae folder into C:\xampp\htdocs
Edit file C:\xampp\htdocs\mutillidae\.htaccess
Add a line allowing your lab network (assuming network is 10.0.0.0/24, adapt if necessary):
Allow from 10.0.0.0/24
(A bare "Allow from 10." would admit the whole 10.0.0.0/8; keep the allowed range as small as your lab needs.)
In a browser, go to
http://[your machine ip]/mutillidae
Click on setup/reset the DB and Mutillidae will install
OWASP Broken Web Application (OWASPBWA)
#-------------------------------------------------------------------------------
# Download the OWASP Broken Web Application (OWASPBWA) virtual machine
#-------------------------------------------------------------------------------
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Download the v1.2 zip file (it unpacks to a VMware virtual machine: a .vmx file plus .vmdk disks)
OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine.
#-------------------------------------------------------------------------------
# In VMware Fusion
#-------------------------------------------------------------------------------
Click Open a virtual machine
choose file OWASP Broken Web Apps
user: root
pass: owaspbwa
Note that this VM is highly vulnerable. Disable drag & drop and copy/paste, and attach it to a host-only or internal network in the VM settings, never to a bridged or public network.
#-------------------------------------------------------------------------------
# How to use it
#-------------------------------------------------------------------------------
# OWASPBWA virtual machine doesn't have a graphical interface.
# Get the ip address
Log in on the VM console and run ifconfig to get its ip address
# In Kali Linux, type the ip address in a browser to access the web applications
# OWASP Bricks (one of the bundled apps) has a database and a login page, so it is a good target to start with
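A quick reachability check for the lab from the Kali box, as an added example that is not part of the original notes or of OWASPBWA. It refuses to probe anything outside a private (RFC 1918 or loopback) address, which is the same isolation rule the notes above insist on, then asks each web application path for its HTTP status. The address 192.168.56.101 and the paths listed are assumptions for a VirtualBox host-only network; substitute the IP that ifconfig printed.

```shell
#!/bin/sh
# Added example: gate lab probes on a private address, then list which
# web application paths on the lab VM answer and with what HTTP status.

# Return 0 if the address is RFC 1918 (10/8, 172.16/12, 192.168/16) or loopback.
lab_ip_is_private() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# probe_lab <ip> <path>...  prints "<path> <http status>" per path.
# Returns 2 without sending anything if the address is not private.
probe_lab() {
    ip="$1"; shift
    if ! lab_ip_is_private "$ip"; then
        echo "refusing to probe non-private address $ip" >&2
        return 2
    fi
    for path in "$@"; do
        # 000 means no HTTP answer at all (host down or port closed)
        code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "http://$ip$path")
        echo "$path $code"
    done
}

# Assumed host-only address and app paths; adapt to your lab.
if [ "$#" -gt 0 ]; then
    probe_lab "$@"
else
    probe_lab 192.168.56.101 / /bricks/ /mutillidae/ /dvwa/
fi
```

Run it as `sh probe_lab.sh <ip> / /bricks/` once the VM is up; a 200 or 302 means the application is there, 404 means that path is not on this VM, and 000 usually means the VM is on a different virtual network than Kali.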
#-------------------------------------------------------------------------------
# Setting up a CMS Lab (WordPress)
#-------------------------------------------------------------------------------
Download a ready-made WordPress appliance:
www.turnkeylinux.org
In the search box, type "wordpress"
Click on "WordPress - Blog Publishing Platform"
Download it and install it in a VM, on the same isolated lab network as the other targets