Install & configure OWASP Mutillidae II

https://github.com/digininja/DVWA

OWASP Mutillidae II | OWASP Foundation

GitHub - webpwnized/mutillidae: OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. Mutillidae can be installed on Linux and Windows using LAMP, WAMP, and XAMMP. It is pre-installed on SamuraiWTF and OWASP BWA. The existing version can be updated on these platforms. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software. A containerized version of the application is available as a companion project.GitHub

Installation Guides

Standard Installation - DockerHub

• How to Run Mutillidae from DockerHub Images

Alternative Installation - Docker

• How to Install Docker on Ubuntu

• How to Run Mutillidae on Docker

• How to Run Mutillidae from DockerHub Images

Alternative Installation - Google Cloud

• How to Run Mutillidae on Google Kubernetes Engine (GKE)

Legacy Installation - LAMP Stack

If you have a LAMP stack set up already, you can skip directly to installing Mutillidae. Check out our comprehensive installation guide for detailed instructions. Watch the video tutorial: How to Install Mutillidae on LAMP Stack

Installation via Docker - My case

Install Docker

If you haven't it, install Docker on your machine (debian/kali): How to Install Docker on Ubuntu

Install Docker Image

git clone https://github.com/webpwnized/mutillidae-docker.git

And build the docker file

cd mutillidae-docker
docker compose -f .build/docker-compose.yml up --build --detach

Website URL

The web application should be running at localhost, then we ca go there via browser

http://127.0.0.1/

Note: The first time the webpage is accessed, a warning webpage will be displayed referencing the database cannot be found. This is the expected behaviour. Just use the link to "rebuild" the database and it will start working normally.

Build/Reset DB

1. Click here to attempt to setup the database. Sometimes this works.

2. Be sure the username and password to MySQL is the same as configured in includes/database-config.inc

3. Be aware that MySQL disables password authentication for root user upon installation or update in some systems. This may happen even for a minor update. Please check the username and password to MySQL is the same as configured in includes/database-config.inc

4. A video is available to help reset MySQL root password

5. Check the error message below for more hints

6. If you think this message is a false-positive, you can opt-out of these warnings below

Alternatively, you can trigger the database build.

# Requesting Mutillidae database be built.
curl http://127.0.0.1/set-up-database.php;

Populating the LDAP database

The LDAP database is empty upon build. Add users to the LDAP database using the following command.

# Install LDAP Utilities including ldapadd
sudo apt-get update
sudo apt-get install -y ldap-utils

# Add users to the LDAP database
ldapadd -c -x -D "cn=admin,dc=mutillidae,dc=localhost" -w mutillidae -H ldap://localhost:389 -f .build/ldap/configuration/ldif/mutillidae.ldif

Using a script to test the web interface

You can test if the web site is responsive

# This should return the index.php home page content
curl http://127.0.0.1:8888/;

https://127.0.0.1/index.php?page=home.php

TMI

Running Services

Once the containers are running, the following services are available on localhost.

• Port 80, 8080: Mutillidae HTTP web interface

• Port 81: MySQL Admin HTTP web interface

• Port 82: LDAP Admin web interface

• Port 443: HTTPS web interface

• Port 389: LDAP interface