2.3. Setting Up a Pentest Lab Environment


Required Software

Let's now move on to the practical part and create a virtual laboratory for pentesting. In the simplest setup, you will need a hacker's computer and a victim's computer or server.

For the attacking machine, you have several options:

  • Kali Linux
  • Parrot Security
  • Dojo

All of these are based on Ubuntu Linux and share many similarities. Dojo combines both an attacking machine and a victim server, but I would recommend using Kali Linux. Kali is actively developed and includes an extensive suite of tools for testing.

For a vulnerable web application, there are many educational applications available that you can install locally on your computer. Additionally, you can find online applications, although many of them operate in a Capture The Flag (CTF) style, where you need to find a flag (usually a text file) within a vulnerable system. Tasks are categorized by difficulty levels. However, to start, I would recommend gaining the necessary skills by practicing on educational applications before moving on to CTF platforms. Moreover, on these platforms, you can also engage in bug hunting and receive rewards for it.

My recommendations for educational web applications:

  • OWASP BWA (Broken Web Applications) – This is a virtual machine that contains a collection of vulnerable web applications such as bVWA, DVWA, WebGoat, Mutillidae, and more. By installing such a machine, you can test multiple applications simultaneously, which is very convenient.
  • Google Gruyere – A vulnerable online application from Google. You don't need to install anything. Unlike OWASP BWA, it has fewer vulnerabilities, but it's still worth practicing on.
  • OWASP Juice Shop – This application is designed as an online shop and contains many vulnerabilities that you need to discover and exploit. Juice Shop can also be used as a CTF platform, so it's best to use it after mastering educational applications like OWASP BWA.


Installing Kali Linux

Kali Linux can be obtained from kali.org. You can install it locally on your computer or remotely on cloud platforms like AWS and Google Cloud. I recommend using a local installation, as the machine will always be available, even without an internet connection.

The most common method is to install Kali as a virtual machine using VirtualBox. This article will briefly describe this method.

Before you start, make sure you have at least 40 GB of free disk space and at least 8 GB of RAM.

Install VirtualBox. Additionally, install the VirtualBox Extension Pack:

Page to download VirtualBox extension

On Windows, you may need to enable the virtualization option in the BIOS if it's disabled.

Then, go to the Kali page to download the virtual machine image:

Page to download virtual machine of Kali

Choose the 32-bit or 64-bit system for the program you've installed.

After you've downloaded the image, unzip it, and import it into VirtualBox using the "Add" icon:

Button icon to add a new virtual machine on VirtualBox

Everything is ready for the machine to start. Launch it to verify that everything is functioning correctly. Use the credentials kali/kali to log into the system.

After the installation, I recommend immediately updating the system. To do this, open the terminal and enter the following command: sudo apt update && sudo apt upgrade -y:

Screenshot of Kali update

The system will prompt you for a password, so please enter "kali." After that, the system will begin downloading and installing the necessary updates. Please be patient, as this process may take some time.


Installing OWASP BWA

This project is no longer actively maintained, but you can still download the virtual machine image here. Unzip the file and move the image to the folder where you want to store virtual machine images. Then, follow the instructions below:

BWA - Icon to add a new virtual machine

Steps to import virtual machine of BWA into VrtualBox

Steps to import virtual machine of BWA into VrtualBox

Steps to import virtual machine of BWA into VrtualBox

Steps to import virtual machine of BWA into VrtualBox

Steps to import virtual machine of BWA into VrtualBox

Steps to import virtual machine of BWA into VrtualBox

Steps to import virtual machine of BWA into VrtualBox

Steps to import virtual machine of BWA into VrtualBox

After the installation, start the virtual machine. The console will display the machine's IP address along with the login and password:

IP address and login/password of imported BWA

All the applications will be accessible through this IP address:

The list of vulnerable and training apps in BWA

Please note that after installing all virtual machines, their network interface is configured in NAT mode. You won't be able to access this page from your host computer. To do so, you will need to configure the appropriate network settings in VirtualBox. We will discuss this in the next lesson. You don't need to change any settings within the virtual machine itself.


Installing OWASP Juice Shop

Juice Shop supports several installation options, but we will go with the simplest and most reliable method. We will also install it on the local machine. Documentation and downloadable images are available here.

Juice Shop runs on server-side JavaScript, so we need to start by installing Node.js, which is the runtime for JavaScript. There are two options here: you can install Node.js on your host operating system or on an existing virtual machine, such as Kali. This way, you get both an attacker machine and a vulnerable server in one. I recommend the second option.

Here's how to install Juice Shop on Kali:

  1. Download and install Node.js. On Kali Linux, open the terminal and enter the command: sudo apt install nodejs -y.
  2. After installation, enter the command node -v to check the current version. At the time of installation, the current version was 18.13.0.
  3. Next, download and install NPM (Node Package Manager) – this is the package installer. On Kali, enter the command: sudo apt install npm -y.
  4. Wait for the installation to finish, and then go to the Juice Shop documentation website. Scroll down a bit to the "Setup/Packaged Distribution" section.

Disctribution link of OWASP JuiceShop

You can refer to the installation process presented on the webpage and choose the most suitable option for yourself. Please follow the link indicated on the image above to download the appropriate distribution. Since I have Node.js version 18.13.0 installed, I will download the distribution for Linux with version 18:

Available assets of JuiceShop

Let's download the archive and navigate to the "Downloads" folder:

Icon to open a folder on Kali

Option to open Downloads folder on Kali

Then, unzip the file. To do this, select the file, right-click to open the context menu, and choose the "Extract Here" option:

Extraction of zipped file on Kali

After the operation is complete, enter the extracted folder and move all its contents to the folder where you intend to store virtual machines. Alternatively, you can leave them in the current folder if that's more convenient for you. In Kali, copying and pasting can be done using the Ctrl+C and Ctrl+V hotkey combinations, just like on Windows.

Open the folder where you've moved the files. In any empty space, right-click to open the context menu, and select "Open Terminal Here."In the terminal, run the command npm start. If everything is successful, you should see the output as indicated below:

Launching JuiceShop on Kali

After starting the application, it will be accessible at the address

Screeshot of JuiceShop home page