Easy script to install and run WebGoat, DVWA, Mutillidae II, bWAPP, Juiceshop and more in Kali Linux (update 2020)

If you are a developer looking for insight into web security or a security professional looking to practice a bit, deliberately vulnerable web applications is a great way to practice and educate yourself on web application security.

There are quite a few to choose from, and they all have their pros and cons.

Installing them, on the other hand, could be a bit of a time waster. Before docker was widely adopted, making sure all dependencies where met and running all of them along side each other did require some time and effort.

With Docker it’s now really easy. But I like to automate stuff as much as possible, so I put together a quick bash script to make it even simpler (and faster).

Note! All scripts are tested on 64-bit only (not x86). Tested on installed systems running Kali Linux 2020.1b. Seems other distros also work fine.

Currently these applications are supported by the script.

  • bWAPP
  • WebGoat 7.1
  • WebGoat 8.0
  • Damn Vulnerable Web App
  • Mutillidae II
  • OWASP Juice Shop
  • WPScan Vulnerable WordPress
  • OpenDNS Security Ninjas
  • Altoro Mutual
  • Vulnerable GraphQL API

So let’s get started. First fetch the script. If you got git installed just clone the repo on github. If you do not have git installed go to https://github.com/eystsen/pentestlab and download the zip file there.

git clone https://github.com/eystsen/pentestlab

If you get a question about username/password then you probably typed something wrong. After cloning is completed (takes a few seconds), enter the new folder that contains the script with the cd command.

cd pentestlab

f you haven’t installed Docker, then you need to do so. Prevously this required some custom steps, but lately you can just install docker using apt.
Just run the following command.

sudo apt install docker.io

The included docker install script (in the git repo) was needed for older kali linux releases. It’t no longer needed.

Now you are ready to run webapps.
You can start bWAPP just by running this command:

./pentestlab.sh start bwapp

The script will download the docker file for bWAPP and run it with localhost network mapping. It will let you know where it is available and list any actions or info you need the first time you use the app, like default username/password.

Most of these applications require you to click a link or a button to kickstart the database initialization. bWapp needs you to do this, but it is as easy as clicking the link.
Next time you start bWAPP it will not be necessary.

# The other apps can be started with one (or all) of these commands
./pentestlab.sh start webgoat7
./pentestlab.sh start webgoat8
./pentestlab.sh start dvwa
./pentestlab.sh start mutillidae
./pentestlab.sh start vulnerablewordpress
./pentestlab.sh start juiceshop
./pentestlab.sh start securityninjas
./pentestlab.sh start altoro
./pentestlab.sh start graphql

You can get the updated list (new application are added from time to time) by running

./pentestlab.sh list

If you would like to expose the application to others on your network you can use the startpublic command.

./pentestlab.sh startpublic bwapp

WARNING! This will allow anyone with network access to hack your machine. Only do this in trusted lab environment.

It will prompt for the detect IP. If you have multiple interfaces and/or IPs you need to specify it together with the port. Also remember that only one application can listen on a given port.

./pentestlab.sh startpublic bwapp 8080

The script can also show you status of all local running application.

./pentestlab.sh status

Will show you status like this:

bWaPP                                             running at http://bwapp
WebGoat 7.1                                    not running
WebGoat 8.0                                    not running
DVWA                                               running at http://dvwa
Mutillidae II                                     not running
OWASP Juice Shop                          not running
WPScan Vulnerable WordPress   not running
OpenDNS Security Ninjas              not running
Altoro Mutual                                   not running
Vulnerable GraphQL API               not running

Remember to stop the app when you are done. You can continue any time by just running start command again.

./pentestlab.sh stop bwapp

Just running the script without parameters will give you a help screen.


Like this one:

Local PentestLab Management Script (Docker based)

Usage: ./pentestlab.sh {list|status|info|start|startpublic|stop} [projectname]

This scripts uses docker and hosts alias to make web apps available on localhost

./pentestlab.sh list
List all available projects
./pentestlab.sh status
Show status for all projects
./pentestlab.sh start bwapp
Start project and make it available on localhost
./pentestlab.sh startpublic bwapp
Start project and make it available on localhost
./pentestlab.sh stop bwapp
Stop the docker container
./pentestlab.sh info bwapp
Show information about bwapp proejct

So, that is it. I created this script for myself, but hopefully it can be useful for others too.

Have fun! And happy hacking! 🙂


    1. Hi,

      I’ll see if I can add this feature to the script, but in the meantime you can use docker directly.
      Like this:
      docker run -d -p 80:80 –name dvwapublic vulnerables/web-dvwa

      That command will bind DVWA to port 80 on your machine and give the container a name (dvwapublic).
      After this command you can then start or stop dvwa using:
      docker start dvwapublic
      docker stop dvwapublic

      You can list running dockers like this:
      docker ps

      DVWA will be available on your IP address. (just an example, your machines IP address will be different)

      If port 80 already is in use already you can bind using a different port.
      Like this example for port 8888
      docker run -d -p 8888:80 –name dvwapublic vulnerables/web-dvwa

      If you use a different port than 80 you need to add the port number in the URL, like this:

  1. hi friend~ i have a question.
    i want to change docker0 ip address.
    i’ve tryed to search the way.but i woun’t change default ip 172.x.x.x
    i want to change docker 0 ip as PC real nic interface range ip. (
    so i want to other pc to connect mutillidae url (
    i just want to other people access way. is it possible to do ?
    and i can’t find the /etc/docker/daemon.json. how do i do?

    1. Hi BaekNan,

      It is possible to bind the docker to an IP other than localhost.
      I’m currently adding this kind of feature to the script. Should be available in a couple of days.

    2. Latest version will bind to IP.
      Just run:
      ./pentestlab.sh startpublic mutillidae

      It will then be available on your IP like this (if y:our IP is
      It will not change the path (i.e. /mutillidae, since not all web apps are dynamic enough to handle moving root path).

      1. Wow you make it so easy for them, and they just keep asking hard questions , lol.

  2. Dude, I’m S0Ooooo in L0V3 with you, your the best man at best. I totally appreciate what you have done. I just learned Docker which is amazing tool, much better than vmware. WOW!!! And you put all the best webapps to pentest all in one place, by writing a super elegant script in bash. I’m flabbergasted. I’d love to send you some cash, do you have a patreon. I’ll totally support you. I have tons of friends in the cyber security fields and no one has even mentioned this at any webinar or conferences. This is a gold mine. I’ll be sharing this, if you dont mind. I’m still in Awe, my jaws just hanging. Can you tell I have a passion for this field. I’m not sure why, I guess it’s my addicted nature. I had a bad past, pentesting has actually saved my life. My God had a hand in it all for sure. Thanks again . Ryan. Aka ~☆ Malikode, some say Kalikode, hehe.

    1. Hi Ryan!
      Thanks for the kind words. It’s nice to hear people use and appreciate the script. Feel free to share with anyone!
      It’s easy to be addicted to this field, and it’s probably the only way to become really good.:) Take care!

  3. hi ! thank you for your kind words.
    i have a other question. i’m testing the bwapp resently.
    i want to access database (mysql). how can i access(login in) database? is it possible?
    plz~ tell me how can i access database.

    1. Hi BaekNan

      This can be done in at least two ways. So here is one easy/fast and one more robust (but a bit more complicated to set up).

      The easiest way (this being a vulnerable application) is to use sqlmap. If you don’t want to run sqlmap for each query you can even do an interactive session. First start bwapp as usual with:
      ./pentestlab.sh start bwapp

      Then get interactive sql shell using sqlmap, like this:
      sqlmap -u “http://bwapp/sqli_1.php?title=test&action=search” –cookie=”PHPSESSID=1h2u89n5mseres39anu8an22k5;security_level=0″ –batch –dbs –sql-shell

      Now you should be able to run queries, but you can’t run “show tables”. Only sql statements. So for metadata you need to query information_schema. Tables can be listed like this:
      SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema=’bWAPP’

      If you want to use mysql you need to connect to the mysql instance running inside the bwapp docker. To do that you need to manually run some docker commands.


      First we need to clean up.
      In order to replace the already running docker named bwapp, these two lines will stop and delete all dockers on the system.
      You can of course look up and target the specific docker, but that requires more explanation and I’m trying to keep this short.
      So if you have a purpose installed kali this is the easiest way to clean up.

      sudo docker stop $(docker ps -q)
      sudo docker rm $(docker ps -a -q)

      NB! First one will report and error if no dockers are running. Don’t worry about it.


      Run bwapp and map http and mysql ports (the script only maps http by default). You only need to run this once,
      before you can continue running start and stop through pentestlab.sh script as usual.

      sudo docker run –name bwapp -d -p -p raesene/bwapp

      Finding the random password generated when starting the sql can be done by looking in the logs.

      sudo docker logs $(docker ps -q)

      At the top there will be a line with admin and password. Copy it.
      mysql -uadmin -pvPDBt8FyMFOB

      Add bwapp localhost to the line copied in step 3.
      Now you should be able to connect.
      mysql -uadmin -pvPDBt8FyMFOB -h

      NB! Passwords will be different for you compared to this example
      NB2! Notice that localhost is not for bwapp, it’s

      Fix bwapp alias in the hosts file by running
      ./pentestlab.sh start bwapp

      Recreate the bwapp database by going to
      and click the link


      Have fun!

  4. Hi blg132,

    Just wanted to say thanks very much for this. Fantastic implementation; KISS at it’s finest.

    BTW I use Docker

Leave a Reply to BaekNan Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s