For the past several weeks, i’ve been struggling to find a suitable OS to practice web penetration testing. SamuraiWTF is good, but its not enough for my taste. I have decided to create my own lab on a Ubuntu Server.

For those who don’t know what Mutillidae is, it’s a vulnerable web-application providing a target for web-security enthusiast.

Check out this youtube playlist for visual instructions, by Jeremy Druin himself (the current maintainer of Mutillidae).


Lamp Server Installation

First you’ll need to install Apache, enable its rewrite module, and restart the service:

sudo apt-get install apache2 -y && a2enmod rewrite && systemctl restart apache2

after that, open the /etc/apache2/apache2.conf file and edit this line:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride all   # edit this line: replace none with => all
        Require all granted
</Directory>

Restart the apache2 service, and verify the apache default page by typing localhost in your favourite browser or use a terminal browser like lynx. You should see something like this(partial list):

Apache2 Ubuntu Default Page: It works (p1 of 4)
Ubuntu Logo Apache2 Ubuntu Default Page
It works!

Next, let’s install Php and its apache module:

sudo apt-get install php libapache2-mod-php

To verify if php is communicating with apache2, run:

echo "Hello World. Php is here." >> /var/www/html/index.php

Then, browse to localhost/index.php:

Hello World. Php is here.

And the last component of the Lamp stack is MySQL, and its php counterpart is to communicate with the database:

sudo apt-get install mysql-server php-mysql

Now, we have to reset the password for the ‘mysql’ database. Login as the root user:

sudo mysql -u root

If MySQL is already configured with a password, use mysql -u root -p, and enter the password. If not, omit the -p, and press enter.

Change into the mysql database:

mysql> USE mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql>

Note: Restart the apache server after every lamp stack component installation, and verify if everything is up and running by browsing to localhost.**

Reset the password:

mysql> UPDATE user SET authentication_string=PASSWORD('mutillidae') WHERE user='root';
Query OK, 0 rows affected, 1 warning (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 1

mysql>

Note: Your prompt should return ‘1 rows affected’ and ‘Changed: 1’. I’m just executing those mysql statements for the sake of this article. My prompt basically says nothing has changed.**

Next, we gonna allow MySQL to authenticate with passwords:

mysql> UPDATE user SET plugin='mysql_native_password' WHERE user='root';
Query OK, 0 rows affected (0.00 sec)
Rows matched: 1  Changed: 0  Warnings: 0

mysql>

Now, we execute flush privileges to enable the changes to take effect:

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql>

and exit :

mysql> exit
Bye

Mutillidae depends on a bunch of php libraries that’s not included by default. Before we do that, verify your php version by running:

php -v | head -n 1 | cut -d ' ' -f 1-2
PHP 7.2.15-0ubuntu0.18.04.1

Install those libraries according to your version:

sudo apt-get install php7.2-curl php7.2-mbstring php7.2-xml

Now everything is ready. Let’s install Mutillidae:

cd /var/www/html && git clone https://github.com/webpwnized/mutillidae

Browse to localhost/mutillidae. If you see ‘The database server appears to be offline’, click on setup/reset the DB and then click on ok. Happy Hacking.

Note: To update Mutillidae, just cd into /var/www/html/mutillidae and run: git pull.


“Behind every successful Coder there is an even more successful De-coder to understand that code.” ― Anonymous