OWASP Juice Shop CTF - Setup


The OWASP Juice Shop is an insecure web application for use in security training, awareness demos, and CTFs (capture-the-flag events), similar to offerings by Cmd+Ctrl. Setup is quick and easy with Docker.

Local/Self Hosted

We want to create a network so that the juice-shop container is reachable from a separate tools container:

docker network create ctf_network

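Pull down the juice-shop image and run the container. The --name and --network options must come before the image name; anything after it is passed to the container as arguments:

docker run --rm --name juice-shop --network ctf_network -p 3000:3000 bkimminich/juice-shop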

Pull down Kali Linux and run an interactive bash shell:

docker run --name kl --network ctf_network --entrypoint "bash" -it kalilinux/kali-rolling

This image does not contain common tools. Install sqlmap, ping, and curl inside the Kali Linux container with the command below:

 apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y \
    --no-install-recommends \
    sqlmap \
    && apt-get install -y  iputils-ping \
    && apt-get install -y  curl \
    && apt-get autoremove -y \
    && rm -rf /var/lib/apt/lists/*

TODO: Create own image with tools installed already.

You can find out what the internal IP address is for the juice-shop container:

docker network inspect ctf_network

Output:

...
"Containers": {
    "26b56f1c7d0d51f71170c10b7a46ce0446e178d0e61208aac36936f71504ff1a": {
        "Name": "kali-linux",
        "EndpointID": "9c2fde09945df45fb8ac1c26885ac0126241948f74c1cf35474e7ae6101eee01",
        "MacAddress": "02:42:ac:12:00:03",
        "IPv4Address": "172.18.0.3/16",
        "IPv6Address": ""
    },
    "b748322d71f10e5583b36d5cf9220d8d692cdbe999c98a98dd111af7c9972339": {
        "Name": "juice-shop",
        "EndpointID": "0cd222c1f519d3c2c5ba2dc6029b32f11cb3ce4630f81f94e4cb86b38a92c598",
        "MacAddress": "02:42:ac:12:00:02",
        "IPv4Address": "172.18.0.2/16",
        "IPv6Address": ""
    }
},
...

From the Kali Linux container, you can ping the juice-shop container at that address (not localhost):

ping 172.18.0.2

Azure Hosted

The team has an annual training on the OWASP Top 10 Web Application Security Risks. I've been through some more extensive security training; the team, however, hasn't ever done a CTF before. It is also super easy to host on Azure with WebApps for Containers.

I prefer using the device code when authenticating with Azure, simply due to the requirement of using logins that aren't my domain account.

az login --use-device-code
$appType = 'ctf'
$teamName = 'teamx'
$resourceGroupName = "$($teamName)__$($appType)_rg"
$servicePlanName = "$($teamName)_$($appType)_appsp"
$webAppName = "$($teamName)$($appType)webapp"

az group create -n $resourceGroupName --location 'West US 2'

az appservice plan create -n $servicePlanName -g $resourceGroupName --sku B1 --is-linux

az webapp create -n $webAppName -g $resourceGroupName --plan $servicePlanName --deployment-container-image-name bkimminich/juice-shop

You may want to adjust the SKU to something appropriate for your team. B1 is the lowest Basic Service Plan.

Clean up all the resources by deleting the resource group. This is useful if the app becomes fubar, since we can re-create it.

az group delete --name $resourceGroupName

The web app would be accessible via https://teamxctfwebapp.azurewebsites.net

The WebApp firewall (access restrictions) can be enabled and the team's IP addresses can be whitelisted.
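
One way to apply that whitelist from the same PowerShell session, as an added example that is not part of the original post. It assumes $resourceGroupName and $webAppName are still set from the commands above; the rule names and addresses are constructed placeholders (RFC 5737 documentation ranges).

```powershell
# Added example: limit the deliberately vulnerable app to the team's addresses.
# Assumes $resourceGroupName and $webAppName are set as in the commands above.

# Constructed placeholders (RFC 5737 documentation ranges). Replace them with
# the team's real public egress IPs or CIDR blocks.
$teamAddresses = [ordered]@{
    'office-egress' = '203.0.113.0/24'
    'vpn-gateway'   = '198.51.100.17/32'
}

# Lower priority numbers are evaluated first; leave gaps for later rules.
$priority = 100
foreach ($rule in $teamAddresses.GetEnumerator()) {
    az webapp config access-restriction add `
        -g $resourceGroupName -n $webAppName `
        --rule-name $rule.Key `
        --action Allow `
        --ip-address $rule.Value `
        --priority $priority
    if ($LASTEXITCODE -ne 0) { throw "Failed to add rule '$($rule.Key)'" }
    $priority += 10
}

# The SCM (Kudu) site has its own rule list; make it follow the main site
# so the deployment endpoint is not left open to every address.
az webapp config access-restriction set `
    -g $resourceGroupName -n $webAppName `
    --use-same-restrictions-for-scm-site true
if ($LASTEXITCODE -ne 0) { throw 'Failed to update SCM site restrictions' }

# Review the resulting rule set. Once at least one Allow rule exists,
# App Service appends an implicit "Deny all", so any address not listed
# above receives HTTP 403.
az webapp config access-restriction show `
    -g $resourceGroupName -n $webAppName
```

Add the rules right after az webapp create, before sharing the URL with the team, and confirm the 403 from a network that is not on the list.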
