After using bWapp to learn my Web Application Penetration Testing techniques on INE’s Penetration Testing Student pathway, I’ve decided to set up bWapp and use it for myself so that I could practise Web App Pentesting.
To start, I found that I didn't have Docker installed on my Kali system, so to begin, the commands I used were:
sudo apt install docker.io
sudo systemctl status docker: check the status to see if it's up and running (it was)
sudo docker pull hackersploit/bwapp-docker
After the step above, I was hit with a warning saying that the architectures were incompatible: hackersploit's amd64 Docker image wouldn't run on my arm64 UTM VM. So as a workaround to this, I ended up finding an alternative on VulnHub called OWASP BWA (Broken Web Applications Project), which I could run as a separate virtual machine. And as the cherry on top, this project also happened to include bWAPP!
https://sourceforge.net/projects/owaspbwa
Knowing that all I needed was a .vmdk that I could convert into a .qcow2 file for UTM to eat up, I downloaded the 7zip archive and extracted it.
However, I had no idea which .vmdk file to convert using brew, so after a bit of research, and after watching a VMware installation video of BWA from four years ago, I decided to copy them and use the OWASP Broken Web Apps-cl1.vmdk file.
The following is the result of using qemu-img to convert the files.
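As an added example (these are not the commands from the original post, whose output was shown as an image), here is a small POSIX shell script that performs the qemu-img conversion described above and checks the result before handing the disk to UTM. It assumes qemu-img is on PATH (on macOS it comes with `brew install qemu`) and that the descriptor .vmdk and its numbered extent files sit in the same directory, which is how the OWASP BWA download is laid out. The file name is the one the post mentions; the function names and the refuse-to-overwrite check are my own.

```shell
#!/bin/sh
# Added example, not from the original post.
# Convert a VMware .vmdk disk to .qcow2 for UTM/QEMU and verify the output.
# Assumes: qemu-img is installed (brew install qemu on macOS) and the
# descriptor .vmdk plus its -s00N.vmdk extents are in the same directory.

# Derive the .qcow2 output name from a .vmdk input name.
qcow2_name() {
    case "$1" in
        *.vmdk) printf '%s\n' "${1%.vmdk}.qcow2" ;;
        *)      printf '%s\n' "$1.qcow2" ;;
    esac
}

# Convert and check. Refuses to overwrite an existing output, makes sure
# qemu-img can actually read the input (a wrong file from the archive fails
# here instead of producing a useless image), and confirms the result is qcow2.
convert_vmdk() {
    src="$1"
    dst="$(qcow2_name "$src")"
    [ -f "$src" ] || { echo "input not found: $src" >&2; return 1; }
    [ -e "$dst" ] && { echo "refusing to overwrite: $dst" >&2; return 1; }
    # Pass the descriptor .vmdk; qemu-img follows the extent files itself.
    qemu-img info "$src" >/dev/null || return 1
    qemu-img convert -p -f vmdk -O qcow2 "$src" "$dst" || return 1
    qemu-img info --output=json "$dst" | grep -q '"format": "qcow2"' || {
        echo "conversion produced an unexpected format: $dst" >&2; return 1; }
    echo "wrote $dst"
}

# Usage: sh convert.sh "OWASP Broken Web Apps-cl1.vmdk"
if [ $# -gt 0 ]; then
    convert_vmdk "$1"
fi
```

The resulting .qcow2 is what UTM imports as the VM's disk; `qemu-img info` on it should report the virtual size of the original disk and `file format: qcow2`.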
Now that I have the .qcow2 version of the file that's readable by UTM, we SHOULD be good to go. The setup is now all that's left.
With regard to the setup, all I needed was some help from ChatGPT and a lot of referencing of this particular setup video for Metasploitable 2 (which I highly recommend if you need help setting up Metasploitable 2 on an M1 Mac).
As a side note to anyone looking to do the same thing as me, MAKE SURE THAT YOUR NETWORK SETTINGS ARE SET TO HOST ONLY!!!!
Overall, it ended up working! And to be completely honest, OWASP BWA looks like a playground translated digitally.
Aside from bWAPP, the machine has a ton of super fun-looking vulnerable servers to practise my Web Application pentesting techniques on. And I can't wait to explore all the possibilities and exploits that I haven't been able to try yet. Just by looking at what BWA offers, some other machines I have my eyes on are Mutillidae 2, Damn Vulnerable Web Application, and outdated versions of WordPress (my arch nemesis...).
I’ll be sure to write about my experiences practising and pentesting all these machines so stay tuned!!!