I build VM labs. Lots of them, but I tend to go for full machines. I was checking out the new TCM web app course the other day (honestly, I’ll write a review if I get time to finish it!) and it’s built around using Docker for DVWA and OWASP JUICE SHOP, so I figured I should write a quick blog about how to deploy these so people can get started learning in minutes.
Now here we have:
- DVWA
- JUICESHOP
- METASPLOITABLE
But you don’t have to stop there; I’m sure there are others you can use as well!
This isn’t an exhaustive guide, but it will get the docker instances up and running.
Script
```bash
# How to install Docker on Kali Linux
#####################
sudo apt update
sudo apt install docker.io -y
sudo systemctl enable docker --now
# optional: run docker without sudo (takes effect at next login)
#sudo usermod -aG docker $USER
#####################
# DVWA
######################
sudo docker pull sagikazarmark/dvwa
sudo docker run --rm -it -p 80:80 sagikazarmark/dvwa
# JUICESHOP
######################
sudo docker pull bkimminich/juice-shop
sudo docker run -p 3000:3000 bkimminich/juice-shop
# METASPLOITABLE 2
#######################
sudo docker pull tleemcjr/metasploitable2
sudo docker run --rm -it -p 8080:80 tleemcjr/metasploitable2
```
That’s it, fire up a web browser and navigate to localhost:port and you can start sending packets!
As always, be careful what you download and execute from the internet; just because it’s from Docker Hub doesn’t mean it’s safe (use at own risk etc.).
Also, if you want to keep the containers after use, remove the --rm CLI option from the docker commands.
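A form like `-p 80:80` publishes the port on every host interface, so these deliberately vulnerable apps answer to other machines on the network as well as to localhost. The script below is an added example, not part of the original post: its helper names (`lab_run_cmd`, `exposed_bindings`, `sample_ps`) are hypothetical and the `docker ps` lines are constructed. It prints loopback-only run commands for the three images and flags any published binding that is not on loopback.

```bash
#!/bin/sh
# Added example, not from the original post. Image names and ports are the
# ones used in the script above; the docker ps lines below are constructed.

# Print a run command that publishes the lab port on loopback only.
# usage: lab_run_cmd IMAGE HOST_PORT CONTAINER_PORT
lab_run_cmd() {
    printf 'sudo docker run --rm -it -p 127.0.0.1:%s:%s %s\n' "$2" "$3" "$1"
}

# Read "NAME<TAB>PORTS" lines, the output of
#   sudo docker ps --format '{{.Names}}\t{{.Ports}}'
# and print every published binding that is not on a loopback address.
exposed_bindings() {
    awk -F '\t' '{
        n = split($2, b, /, */)
        for (i = 1; i <= n; i++) {
            if (b[i] !~ /->/) continue                      # exposed, not published
            if (b[i] ~ /^(127\.|\[::1\]:|::1:)/) continue   # loopback only
            print $1 ": " b[i]
        }
    }'
}

# Constructed sample: one container started with -p 80:80, one with
# -p 127.0.0.1:3000:3000.
sample_ps() {
    printf 'dvwa\t0.0.0.0:80->80/tcp, :::80->80/tcp\n'
    printf 'juice\t127.0.0.1:3000->3000/tcp\n'
}

lab_run_cmd sagikazarmark/dvwa 80 80
lab_run_cmd bkimminich/juice-shop 3000 3000
lab_run_cmd tleemcjr/metasploitable2 8080 80
sample_ps | exposed_bindings   # lists only the two dvwa bindings
```

On a live host, pipe the real `docker ps` output shown in the comment into `exposed_bindings`; empty output means every published lab port is loopback-only.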
Remember there are guides for these online; check out the JUICE SHOP guide here: https://pwning.owasp-juice.shop/
I also now see people making Docker images for showcasing single exploits; we saw this with Log4Shell. So my question is: what Docker images would you recommend for testing? Hit me up on Twitter https://twitter.com/UK_Daniel_Card if you have any ideas for inclusions!