The OWASP Juice Shop is an insecure web application for use in security training, awareness demos, and CTFs (capture-the-flag). It is similar to offerings by Cmd+Ctrl. Setup is easy and quick through Docker.
Local/Self Hosted
We want to create a network so that the juice-shop container is accessible from a separate tools container:
docker network create ctf_network
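Pull down the juice-shop image, then run the container (the docker options must come before the image name, otherwise they are passed to the container as arguments):
docker run --rm -p 3000:3000 --name juice-shop --network ctf_network bkimminich/juice-shop
Pull down Kali Linux and run an interactive bash shell: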
docker run --name kl --network ctf_network --entrypoint "bash" -it kalilinux/kali-rolling
This image does not contain common tools. sqlmap, ping, and curl are installed with the command below in the Kali Linux container:
apt-get update \
&& apt-get upgrade -y \
&& apt-get install -y \
--no-install-recommends \
sqlmap \
&& apt-get install -y iputils-ping \
&& apt-get install -y curl \
&& apt-get autoremove -y \
&& rm -rf /var/lib/apt/lists/*
TODO: Create own image with tools installed already.
You can find out what the internal IP address is for the juice-shop container:
docker network inspect ctf_network
Output:
...
"Containers": {
    "26b56f1c7d0d51f71170c10b7a46ce0446e178d0e61208aac36936f71504ff1a": {
        "Name": "kali-linux",
        "EndpointID": "9c2fde09945df45fb8ac1c26885ac0126241948f74c1cf35474e7ae6101eee01",
        "MacAddress": "02:42:ac:12:00:03",
        "IPv4Address": "172.18.0.3/16",
        "IPv6Address": ""
    },
    "b748322d71f10e5583b36d5cf9220d8d692cdbe999c98a98dd111af7c9972339": {
        "Name": "juice-shop",
        "EndpointID": "0cd222c1f519d3c2c5ba2dc6029b32f11cb3ce4630f81f94e4cb86b38a92c598",
        "MacAddress": "02:42:ac:12:00:02",
        "IPv4Address": "172.18.0.2/16",
        "IPv6Address": ""
    }
},
...
From the Kali Linux container, you can ping the juice-shop container at that address (not localhost):
ping 172.18.0.2
Azure Hosted
The team has an annual training on the OWASP Top 10 Web Application Security Risks. I've been through some more extensive security training; the team, however, hasn't ever done a CTF before. Setup is also super easy to host on Azure with WebApps for Containers.
I prefer using the device code when authenticating with Azure, simply due to the requirement of using logins that aren't my domain account.
az login --use-device-code
$appType = 'ctf'
$teamName = 'teamx'
$resourceGroupName = "$($teamName)__$($appType)_rg"
$servicePlanName = "$($teamName)_$($appType)_appsp"
$webAppName = "$($teamName)$($appType)webapp"
az group create -n $resourceGroupName --location 'West US 2'
az appservice plan create -n $servicePlanName -g $resourceGroupName --sku B1 --is-linux
az webapp create -n $webAppName -g $resourceGroupName --plan $servicePlanName --deployment-container-image-name bkimminich/juice-shop
You may want to adjust the sku to something appropriate for your team. B1 is the lowest Basic Service Plan.
Clean up all the resources by just deleting the resource group. This is useful if the app becomes fubar, since we can simply re-create it.
az group delete --name $resourceGroupName
This would be accessible via https://teamxctfwebapp.azurewebsites.net
The WebApp firewall can be enabled and team IP Addresses can be whitelisted.
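One way to apply that allow-list with the Azure CLI, as an added example that is not part of the original post. It assumes $resourceGroupName and $webAppName are still set from the commands above; the rule names and address ranges are constructed placeholders.

```powershell
# Added example: restrict the Juice Shop web app to known team addresses.
# Assumes $resourceGroupName and $webAppName from the earlier commands.
# The rule names and CIDR ranges are constructed placeholders (RFC 5737
# documentation ranges); replace them with the team's real egress addresses.
$teamIpRanges = [ordered]@{
    'office-egress' = '203.0.113.0/24'
    'vpn-gateway'   = '198.51.100.17/32'
}

$priority = 100
foreach ($entry in $teamIpRanges.GetEnumerator()) {
    # Lower priority numbers are evaluated first.
    az webapp config access-restriction add `
        -g $resourceGroupName -n $webAppName `
        --rule-name $entry.Key `
        --action Allow `
        --ip-address $entry.Value `
        --priority $priority
    if ($LASTEXITCODE -ne 0) { throw "Failed to add rule '$($entry.Key)'" }
    $priority += 10
}

# Apply the same rules to the SCM (Kudu) site so the management endpoint
# of the deliberately vulnerable app is not left open to the internet.
az webapp config access-restriction set `
    -g $resourceGroupName -n $webAppName `
    --use-same-restrictions-for-scm-site true

# Review the effective rule list for both the main site and the SCM site.
az webapp config access-restriction show -g $resourceGroupName -n $webAppName
```

Once at least one Allow rule exists, App Service denies traffic that matches no rule, so requests from addresses outside the list receive HTTP 403.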