Create an OWASP Juice Shop Container in Proxmox

In this module, we will look at creating a container in our Proxmox home lab to run OWASP Juice Shop to practice our web app pentest skills

a year ago   •   5 min read

By 0xBEN
Table of contents

This page is part of the larger series of converting an old laptop into a bare metal home lab server. Click the link to be taken back to the original post.

Proxmox VE 7: Converting a Laptop into a Bare Metal Server
In this post, we will take a look at an in-detail process of setting up a Proxmox home lab on a bare metal server.





Practice your Web App Pentesting on this Juice Shop container. I gave my container the name juiceshop. You can name yours whatever you wish.

Resources





Network Settings

⚠️
Regarding the network interface configuration, IPv4 should be set to DHCP and IPv6 should be set to Static
  • One network interface
  • On switch vmbr1
  • VLAN Tag 666
    • During initial setup, put the container on VLAN 666, so as to enable Internet connectivity. Later, we will place the container on VLAN 999 to isolate it.
    • That will give it an IP address in the 10.6.6.0/24 range





Recommended Options





Install and Configure Juice Shop

Inspect the Compatibility Matrix

This will tell you supported version of Node.js for the Juice Shop project. As of this writing, Node.js versions 14, 16, and 18 are officially supported.

GitHub - juice-shop/juice-shop: OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application - GitHub - juice-shop/juice-shop: OWASP Juice Shop: Probably the most modern and sophisticated insecure web app...



Install Dependencies

Run these commands on the container. Be sure to replace setup_xx.x with your version of Node.js to be installed based on the compatibility matrix.

apt update && apt install apt-transport-https curl software-properties-common
# The version of setup_xx.x will be determined by the compatbility matrix
curl -sL https://deb.nodesource.com/setup_xx.x | bash -
apt install nodejs



Download Latest Juice Shop Build and Configure

Get the latest Juice Shop release from here:

Releases · juice-shop/juice-shop
OWASP Juice Shop: Probably the most modern and sophisticated insecure web application - juice-shop/juice-shop

Download the proper build for your OS and version of Node.js. For example, if you installed Node.js version 16 and are downloading Juice Shop version 14.3.0 , this is the package you would download:

# Right click the link and download to the container
cd /opt
wget https://<download link here>
gunzip juice-shop-version-number.tgz
tar -xvf juice-shop-version-number.tar
cd juice-shop-version-number

# Change the port from 3000 to 80 in the default.yml file
nano config/default.yml 





Run Juice Shop

The npm start command here is illustrated using the path /opt/juice-shop_12.7.1 . Update your command accordingly with the correct path in your environment.

npm start --prefix /opt/juice-shop_12.7.1/ 2>&1> /opt/juice-shop_12.7.1/log.txt &





Cron Job to Start at Boot and Restart on Failures

crontab -e # Edit the root crontab file
    # Choose option 1 for nano

The cron job here is illustrated using the path /opt/juice-shop_12.7.1 . Update your cron job accordingly with the correct path in your environment.

# Enter the following cron jobs
    # Job 1: Run juice shop when the container starts
    # Job 2: Every minute check if node is running and start it if not
        # Cron jobs always run in the background

# Job 1
@reboot npm start --prefix /opt/juice-shop_12.7.1/ 

# Job 2
* * * * * if [ -z "$(pidof node)" ] ; then npm start --prefix /opt/juice-shop_12.7.1/ ; fi





Move the Container to VLAN 999

Now that the container is setup, we can move the it to VLAN 999 to isolate it and only allow it to talk to Kali. This will cause the container to get an IP address on the 10.9.9.0/24 network.

Change the VLAN tag to 999

The networking settings have not changed on the container, and they won't until the lease period on the current DHCP IP address expires. We can force it to get a new IP address by restarting the networking service.

root@juiceshop:~# systemctl restart networking

The container now has the IP address of 10.9.9.11/24





Check Connectivity

Now, try ping from Kali to the container's IP address. If you can ping the container, you should be ready to have some fun. Open your browser and try navigating to https://juiceshop.cyber.range .





Start Hacking Juice Shop

Here's the official Pwning OWASP Juice Shop book for free online. Follow along while testing against your own local instance.

Introduction · Pwning OWASP Juice Shop





Next Step: Adding Vulnhub VMs to the Cyber Range

Adding Vulnhub VMs to Our Proxmox Cyber Range
In this module, we will look at how to import VMs from Vulnhub into our Proxmox home lab

Spread the word

Keep reading