Create an OWASP Juice Shop Container in Proxmox

In this module, we will look at creating a container in our Proxmox home lab to run OWASP Juice Shop so we can practice our web app pentest skills.

2 years ago   •   5 min read

By 0xBEN

This page is part of the larger series of converting an old laptop into a bare metal home lab server. Click the link to be taken back to the original post.

Proxmox VE 8: Converting a Laptop into a Bare Metal Server
In this post, we will take a look at an in-detail process of setting up a Proxmox home lab on a bare metal server.

What is OWASP Juice Shop?

Juice Shop is a deliberately vulnerable web application where you can practice a wide variety of web attacks.

The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!

The official project page can be found here:

OWASP Juice Shop | OWASP Foundation
Probably the most modern and sophisticated insecure web application for security trainings, awareness demos and CTFs. Also great voluntary guinea pig for your security tools and DevSecOps pipelines!

Dockerized Installation

When I first wrote this guide, I don't believe Juice Shop was available as a Docker image. Previously, I had shown readers how to get up and running using the packaged distributions and Node.JS.

There is, however, a Docker image available now, and this latest iteration of the Juice Shop step of my Proxmox security lab guide makes several improvements over the previous version.

Create the Linux Container

Create a new Linux Container
I'm using a Debian 11 image
Some names on your end may differ
Put it on VLAN 666, as we'll need outbound access for setup
These are the local domain and gateway of VLAN 666 in my environment
Click 'Finish'
Do not start the container!

Prepare to Run Docker on LXC

I've already written a post some time ago showing readers how to get Docker Engine up and running on a Linux Container in Proxmox.

You can skip the part in the post below where you create the Linux Container, as we've already done that part just before. So, do everything else other than creating the Linux Container.

Come back here when you've finished getting the Docker environment all set up.

Proxmox: Run Docker on Linux Containers (LXC)
In this post, I show you how to run Docker in your Linux Containers (LXC), allowing you to save on resource requirements typically required by a VM.

Pull and Run the OWASP Juice Shop Image

If you've successfully followed along with the post linked above, the following should be true:

  • FUSE OverlayFS is installed on the PVE hypervisor
  • FUSE OverlayFS is installed on the LXC
  • Docker Engine is installed on the LXC and the Docker Hello World image was pulled and run, indicating Docker is installed and ready

Now, we're ready to pull the OWASP Juice Shop Docker Image and test. Open a shell on the Linux Container.

# Download the latest Juice Shop Docker image
docker pull bkimminich/juice-shop

# The OWASP documentation runs Juice Shop on TCP/3000, I prefer TCP/80
# Also, pass in some options to ensure the container always runs at boot, and always restarts for any reason other than manual stoppage
docker run -d -p 80:3000 --restart unless-stopped bkimminich/juice-shop

Managing the Docker Process

# See if the container is running
docker ps

# Make sure it's bound to TCP/80
ss -tanup | grep -i 80

# Stop the container
docker stop <container_id>

# Re-run the container
docker run -d -p 80:3000 --restart unless-stopped bkimminich/juice-shop

# Update the Juice Shop container image to the latest
docker pull bkimminich/juice-shop
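
The following is an added example (not part of the original guide) that tightens the checks above: `grep -i 80` also matches lines containing 8080 or a PID with 80 in it, so this compares the port exactly and also confirms the published port mapping and restart policy. The function names, the `--live` switch and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: stricter versions of the `docker ps` and `ss | grep 80` checks.
# The parsers read command output on stdin, so they can be tried offline.

# Succeeds if `ss -Htln` output has a listener on exactly TCP/<port>.
# A plain `grep 80` would also match 8080, 1080, or a PID containing 80.
listening_on() {
  awk -v port="$1" '{ n = split($4, a, ":"); if (a[n] == port) ok = 1 }
                    END { exit !ok }'
}

# Succeeds if `docker ps --format "{{.Image}} {{.Ports}}"` output shows the
# Juice Shop image publishing host port $1 to container port 3000.
juice_shop_published() {
  grep -Eq "^bkimminich/juice-shop(:[^ ]+)? .*:$1->3000/tcp"
}

# Succeeds if the restart policy name on stdin is the one the guide sets.
restart_policy_ok() {
  [ "$(cat)" = "unless-stopped" ]
}

# Constructed sample output (not captured from a real host).
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 [::]:80 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_SS_8080='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*'
SAMPLE_PS='bkimminich/juice-shop 0.0.0.0:80->3000/tcp, :::80->3000/tcp'

# Run the same checks against the live LXC: sh check.sh --live
verify_live() {
  cid=$(docker ps -q --filter ancestor=bkimminich/juice-shop | head -n1)
  [ -n "$cid" ] || { echo "no running Juice Shop container"; return 1; }
  docker ps --format '{{.Image}} {{.Ports}}' | juice_shop_published 80 \
    || { echo "TCP/80 is not published to 3000"; return 1; }
  ss -Htln | listening_on 80 \
    || { echo "nothing listening on TCP/80"; return 1; }
  docker inspect -f '{{.HostConfig.RestartPolicy.Name}}' "$cid" \
    | restart_policy_ok \
    || { echo "restart policy is not unless-stopped"; return 1; }
  echo "Juice Shop container $cid passed all checks"
}

if [ "${1:-}" = "--live" ]; then verify_live; fi
```
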

Check Kali Connectivity

Optional: Move to Isolated VLAN

Select your container
Go to 'Network' options
Double-click on 'net0'
VLAN 999 is the isolated VLAN in our lab environment
Change the container's DNS settings as needed for the new VLAN
# Restart the networking stack on the LXC
systemctl restart networking.service

Confirm Kali Connectivity

My firewall rules (and yours if you've followed this guide) should be such that you can access the Juice Shop container at its new address on the Isolated VLAN.

Need to Update your Container?

Just reverse the steps above and put your LXC back on VLAN 666 to re-allow Internet access while you perform your update activities. When finished, repeat the procedure shown above to place it back on VLAN 999.

Next Step: Adding Vulnhub VMs to the Cyber Range

Adding Vulnhub VMs to Our Proxmox Cyber Range
In this module, we will look at how to import VMs from Vulnhub into our Proxmox home lab
