
Building a Personal Containerized Web Pentest Lab

Problems to Solve

When learning web pentesting, we often need a variety of "boxes" to play around with. However, building our own playground is something we tend to dread. Most of the time the reasons are resource constraints (VMs are resource intensive), a lack of resource/dependency isolation (similar to Python dependency issues) when we try to set up multiple web applications within the same server VM, and long set-up time.

Containers to The Rescue

Hence we set out to use containers, specifically Docker, to solve the three problems stated above: resource intensity, lack of resource/dependency isolation, and long set-up time.

Benefits of Containerized Lab

We do not need to research too much to know the benefits of containerization. This journal neatly sums up what Docker is and its usefulness for school labs.

"Docker can quickly build and deploy applications, as well as build a highly flexible distributed system, making full use of hardware resources to reduce corresponding costs"

Whilst a distributed system is not relevant for our use case, a highly flexible system that makes full use of hardware resources is what we are looking for. In addition, this blog illustrates what a dependency problem is and how Docker can be used to solve it.

Imagine you had two applications. Both have various third-party libraries they depend upon. However, both share a common dependency. The problem? They depend on different versions of the same library!

The idea is to put your application and its dependencies inside of an encapsulated container. This way, you isolate the application from other applications on your host system... ...

Therefore we know that Docker is the solution to our problem.

Ready-made Containers for Learning Web Pentest

There are many "ready-made" containers for vulnerable web applications that have been published online, and one reliable source for them is OWASP. The place to get these ready-made containers is the Vulnerable Web Applications Directory; to simplify our search further, we simply go to the "Containerized" tab.

Personal Implementation of Docker-based Web Pentest Lab

My personal implementation of a Docker-based Web Pentest Lab is simply an Ubuntu Server VM that has Docker installed and a Kali VM that acts as the attacker machine.

The network connections of both VMs are set to NAT so that they are within the same subnet and have internet access, but are not directly connected to the router as they would be in "bridge" mode.

Basic Docker Commands

Below are some basic docker commands to get started in managing our docker instances.

  • docker pull is used to pull the image from Docker Hub.

    docker pull <userid/image name>
    

  • docker image / docker images is used to list images that are in the host.

    docker image list
    docker images
    

  • docker run is used to run the image that has been pulled.

    docker run --name <container name> -itd --rm -p <ip address>:<host port>:<container port> <userid/image name>
    

  • docker exec is used to execute commands inside the docker container without being in the container. The second command below is to execute /bin/bash to get a shell of the docker container.

    docker exec <container name/container id> <commands>
    docker exec -it <container name/container id> /bin/bash
    

  • docker ps is used to list containers that are running

    docker ps
    

  • docker commit is used to save the state of a running Docker container as a new image.

    docker commit <container name> <user id>/<image name>:<tag>
    

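  • docker kill is used to stop a running container immediately. A container started with --rm is also removed once it stops, so any state that has not been saved with docker commit is lost.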

    docker kill <container name/container id>
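
Added example, not from the original post: a small shell check that reads docker ps output and lists containers whose ports are published on every host interface (which is what Docker does when the <ip address> part of -p is left out) rather than on a single lab address. The container names and addresses in the sample are constructed.

```sh
#!/bin/sh
# Added example (not from the original post).
# Live use on the Docker host:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | wide_open_containers

# Constructed sample of that output; names and addresses are made up.
sample_ps() {
  printf '%s\t%s\n' \
    'generic-uni' '192.168.56.10:8080->80/tcp' \
    'lab-b' '0.0.0.0:3000->3000/tcp, :::3000->3000/tcp' \
    'lab-c' '80/tcp' \
    'lab-d' '127.0.0.1:8081->8080/tcp, [::]:9090->9090/tcp'
}

# Reads "<name><TAB><ports>" lines on stdin and prints "<name> <host port>"
# for every mapping published on all IPv4 or IPv6 interfaces.
wide_open_containers() {
  awk -F '\t' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        if (index(maps[i], "->") == 0) continue   # exposed, not published
        host = maps[i]
        sub(/->.*/, "", host)                      # keep "<ip>:<host port>"
        if (host ~ /^(0\.0\.0\.0|::|\[::\]):[0-9-]+$/) {
          port = host
          sub(/.*:/, "", port)                     # strip the address part
          print $1 " " port
        }
      }
    }' | sort -u
}

# Print findings for the sample when run as a script.
sample_ps | wide_open_containers
```

Any container this prints is reachable on every network the Docker host is attached to, so it should be restarted with an explicit lab address in -p.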
    

Example : Deploying Generic University

Generic University is a Web Application Pentest Lab developed by InsiderPhD, and busk3r turned it into a container image. The Docker version of Generic University is found here with some set-up instructions. In general the commands used are similar to those given above, with some extra tweaks due to the way this image was built.

Firstly, we do a docker pull to pull the container image from docker hub.


We then do a docker image list to list the images that exist within our host.


Secondly, we do a docker run to start up the container.


Lastly, to complete the set up we do a docker exec to start the relevant services (mysql and php) that are used in the web application.


Server logs are generated when we visit the webpage.

We can save the state of the container by doing a docker commit like below.


Then, we can simply destroy the container using docker kill.


A container with the saved state can be started from the committed image with the following command:

    docker run --name <container name> -itd --rm -p <ip address>:<host port>:<container port> <user id>/<image name>:<tag>

When we run a new container from the committed image, we still have to restart the php and mysql services, but the earlier actions, such as changes to the SQL database, are saved.


With this example, we can see that it is very easy to set up a vulnerable web application and save the state so that we can continue from where we left off with docker.

Conclusion

Docker is a really convenient means to deploy a vulnerable web application in an efficient and "clean" manner. It also abstracts the infrastructure side of things away so that we can focus on testing the web application rather than worrying about setting it up correctly.

Afterthought

This exercise can also be a good primer for familiarising ourselves with Docker. More can be done to learn about Docker and web applications that rely on it, like building a reverse proxy on bare metal and hiding the containers behind that reverse proxy. A step further would be to build a reverse proxy container with apache or nginx and channel traffic through that container.

Learning Docker is important as cloud-based web applications are becoming commonplace, and the infrastructure of cloud-based web applications is moving away from the traditional web server structure towards a containerized structure.