yashinfosec.com

Explore Security In-depth

Hello readers, Today in this blog I will explain how to setup a Vulnerable Web Application in your Home Lab using a Raspberry-Pi

If you are also a cybersecurity enthusiast like me and want to have a specific and complex Lab setup just like me then go ahead this article is for you.

Basically, if you also have a Raspberry Pi and want to host a Vulnerable Web Application on it, here are the steps you need to follow

First, let’s see the requirements of our project:-
1. Raspberry Pi (I’m using Raspberry Pi 3b+)
2. 16GB memory card
3. A laptop or computer to perform operations
4. Ethernet cable to connect it to Network
5. Memory card Reader

In this project we are going to do the headless installation, so we don’t need a monitor, keyboard, or mouse

Step 1:- Connect SD card to laptop/computer using an SD card reader and flash Ubuntu Server using Raspberry Pi Imager

here is the link to download the Raspberry Pi imager link


CHOOSE OS > Other general-purpose OS > Ubuntu >Ubuntu Server.04.2 LTS (32-bit) [You can install 64-bit if you are using Raspberry Pi 4]
choose SD card as storage and open settings > check enable SSH, and set Username and Password > write

Note:- if the imager pops any warning msg press ‘yes’

Step 2:- Now we need to download a vulnerable website, install a web server, and host the website
first, insert the memory card into Raspberry pi and power the raspberry pi, let the raspberry pi boot completely wait for a few minutes,
when the pi is booted, SSH into pi using the credentials created in the previous step

Installing web server

Now let’s see the software we will be using
1. Apache 2 as the web server
2. MariaDB as Database server
3. php-mysql as the action block
Now we have a bunch of commands to use in order to install and configure the web server
1. apt-get update && apt-get upgrade && apt-get dist-upgrade //Linux command to update
2. apt-get -y install apache2 libapache2-mod-php //command to install the web server and its dependencies
3. apt-get -y install mariadb-server mariadb-client //command to install the database server and its dependencies
4. apt-get -y install php php-mysqli php-gd //command to install the php and its dependencies
5. systemctl enable apache2 //command to run the web server on startup
6. systemctl enable mariadb //command to run the database server on startup
7. systemctl start apache2 //command to start the web server
8. systemctl start mariadb //command to start the database server
9. apt-get -y install unzip //command to install unzip

Downloading and Hosting Vulnerable WebApp:-

Now we will download and configure DVWA on port 80 and juice-shop on port 3000

  1. cd /var/www/
  2. wget https://github.com/ethicalhack3r/DVWA/archive/master.zip
  3. unzip master.zip
  4. rm -rf html/
  5. mv DVWA-master/  html/
  6. cp config/config.inc.php.dist    config/config.inc.php
    now enter these commands to create and configure the database
  7. mysql -u root
    1. create database dvwa;
    2. grant all on dvwa.* to dvwa@localhost identified by ‘p@ssw0rd’;
    3. flush privileges;
    4. exit
  8. nano  /etc/php/7.3/apache2/php.ini    >>> “allow_url_include = Off >> On”
  9. systemctl restart apache2
  10. chmod a+w hackable/uploads
  11. chmod a+w  external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
  12. chmod a+w config/

Now let’s download and configure juice-shop
1. apt-get -y install docker
2. docker pull santosomar/juice-shop-arm64
3. docker run -d –name juice-shop -p 3000:3000 santosomar/juice-shop-arm64

Now we need to run this docker on the startup, we will configure crontab
1. crontab -e >1
2. @reboot docker run -d –name juice-shop -p 3000:3000 santosomar/juice-shop-arm64

The default username and password for DVWA is admin:password

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *