Inspiration comes from: https://github.com/eystsen/pentestlab.
Working and tested on Ubuntu 23.04, Kali and WSL.
- bWAPP
- WebGoat 7.1
- WebGoat 8.0
- WebGoat 8.1
- Damn Vulnerable Web App
- Mutillidae II
- OWASP Juice Shop
- WPScan Vulnerable Wordpress
- OpenDNS Security Ninjas
- Altoro Mutual
- Vulnerable GraphQL API
- Java Vulnerable Lab (New 20230916) --> Official Docker not working :-(
- Web for Pentester I (New 20230918)
- Audi-1 SQLi labs (New 20231215)
- OxNinja SQLi-Lab (New 20231217)
- RedTiger's Hackit (New 20231224)
- PortSwigger SQLi Labs (New 20231224)
- Hacksplaining SQLi Lab (New 20231224)
- Snyk Learn (New 20231224)
- Try Hack Me SQLi Lab (New 20231225)
- Kontra SQLi Lab (New 20231225)
- TryHackMe (New 20240315)
- HackTheBox (New 20240315)
- VulnHub (New 20240316)
- Burp Web Security Academy (New 20240316)
- CTFTime (New 20240316)
Clone this repo, or download it any way you prefer:
git clone https://github.com/TiiZss/BreakingLab.git
cd BreakingLab
chmod +x breakinglab.sh
This script is prepared to install Docker in Kali: https://www.kali.org/docs/containers/installing-docker-on-kali/
sudo apt install -y docker.io
sudo systemctl enable docker --now
sudo usermod -aG docker $USER
docker
For any other distro, use your preferred way to install Docker. Docker Desktop installation on Linux is described here: https://docs.docker.com/desktop/install/linux-install/
If you want to install Docker on your Mac, please follow this guide: https://docs.docker.com/desktop/install/mac-install/
If you want to install Docker on Windows, please follow this guide: https://docs.docker.com/desktop/install/windows-install/
Now you can start and stop one or more of these apps on your system. As an example, to start w4p just run this command:
./breakinglab.sh start w4p
This will download the Docker image, add w4p to the hosts file and run the container mapped to one of the localhost IPs. That means you can just point your browser to http://w4p and it will be up and running.
Use the startpublic command to bind the app to your machine's IP instead of localhost:
./breakinglab.sh startpublic w4p
If you have multiple interfaces and/or IPs, or you need to expose the app on a different port, specify it like this:
./breakinglab.sh startpublic w4p 192.168.1.218 8080
The IP must be an address assigned to the machine; the port in this example is 8080.
You can only have one app exposed on any given port. If you need to expose more than one app, you need to use different ports.
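To confirm which lab containers are reachable beyond the local machine after mixing start and startpublic, the listing from docker ps can be filtered for published ports bound to non-loopback addresses. This is an added example, not part of breakinglab.sh; the function names, container names and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example, not part of breakinglab.sh.
# Reads "name<TAB>ports" lines on stdin, as produced by
#   sudo docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints "name address:port" for every published port that is NOT
# bound to a loopback address (127.0.0.0/8 or ::1).
public_bindings() {
    awk -F '\t' '
    {
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            m = maps[i]
            # Only published ports contain "->"; a bare "80/tcp" is unpublished.
            arrow = index(m, "->")
            if (arrow == 0) continue
            host = substr(m, 1, arrow - 1)   # e.g. 192.168.1.218:8080
            addr = host
            sub(/:[0-9-]+$/, "", addr)        # strip trailing :port or :port-range
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") continue
            print $1, host
        }
    }'
}

# Constructed sample of docker ps output (names and addresses are made up):
# one localhost-only app, one bound to a LAN IP, one bound to all interfaces,
# and one container with no published port.
sample_ps() {
    printf 'w4p\t127.8.0.1:80->80/tcp\n'
    printf 'juiceshop\t192.168.1.218:8080->3000/tcp\n'
    printf 'dvwa\t0.0.0.0:8081->80/tcp, :::8081->80/tcp\n'
    printf 'internal\t3306/tcp\n'
}

# Stand-alone run on the constructed sample.
sample_ps | public_bindings
```

On a live host, pipe the docker ps command from the comment into public_bindings; an empty result means every running app is bound to localhost only.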
To stop any app, use the stop command:
./breakinglab.sh stop w4p
./breakinglab.sh
Usage: ./breakinglab.sh {list|status|info|start|startpublic|stop|online} [projectname]
This scripts uses docker and hosts alias to make web apps available on localhost"
Ex.
./breakinglab.sh list
List all available projects
./breakinglab.sh status
Show status for all docker projects
./breakinglab.sh start w4p
Start docker container with w4p and make it available on localhost
./breakinglab.sh startpublic w4p
Start docker container with w4p and make it available on machine IP
./breakinglab.sh stop w4p
Stop docker w4p container
./breakinglab.sh info w4p
Show information about w4p project
./breakinglab.sh online w4p
Start w4p online webapp
- DVWA - Ryan Dewhurst (vulnerables/web-dvwa)
- Mutillidae II - OWASP Project (citizenstig/nowasp)
- bWAPP - Rory McCune (raesene/bwapp)
- WebGoat(s) - OWASP Project 7, 8 & 8.1
- Juice Shop - OWASP Project (bkimminich/juice-shop)
- Vulnerable Wordpress - github.com/wpscanteam/VulnerableWordpress
- Security Ninjas - OpenDNS Security Ninjas
- Altoro Mutual - github.com/hclproducts/altoroj
- Vulnerable GraphQL API - Carve Systems LLC (carvesystems/vulnerable-graphql-api)
- Java Vulnerable Lab - Java Vulnerable Lab CSPF-Founder (m4n3dw0lf/javavulnerablelab) --> :-( Not working
- Web For Pentester I - PentesterLab Web For Pentester I (tiizss/webforpentester)
- Audi 1 SQLi Lab - SQLI labs to test error based, Blind boolean based, Time based. (c0ny1/sqli-labs)
- OxNinja SQLi-Lab - OxNinja SQLI labs (tiizss/oxninja-sqlilab)
GitHub references mean the Docker image is custom-built and hosted on Docker Hub.
- Make sure you are using HTTP not HTTPS
- Try using the IP address instead of the name (to see if the issue is with host file or docker)
Do these steps and record the output (image, copy and paste from the screen, whatever works for you):
- Stop the application first (to clean up some configuration that is done during start)
- Start the application again
- Run this command to get information about running containers:
sudo docker ps
- Try to access the application using the IP address
- Try to fix JVL
- Include NoSQLi Lab
- Include SSRF-LAB
- Include Drunk Admin Web Hacking Challenge
- Include OWASP Broken Web Applications Project
- Include exploit.co.il Vulnerable Web App
- Include GameOver
- Include Web for Pentester II
- Include OWASP Bricks
- Include Vulnado
- Include BTS PenTesting Lab
- Include HackMyVM
- Include VulnMachines
- Include BlueTeamLabs