How to set up bWAPP – Linux

bWAPP, or a buggy web application, is a deliberately insecure web application. bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities.

bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux and Windows.


1. Download the main file

2. make a directory in /var/www/html and unzip the downloaded file there

  • sudo mkdir /var/www/html/bWAPP
  • sudo mv /var/www/html/bWAPP/
  • cd /var/www/html/bWAPP/
  • ls
  • sudo unzip

3. Having all the files extracted navigate to ./bWAPP/admin

  • cd bWAPP/admin/
  • ls

4. Make sure to start apache & mysql services

  • sudo service mysql start
  • sudo service mysql status
  • sudo service apache2 start
  • sudo service apache2 status

5. Modify the SQL credentials in settings.php, credentials used to log in to mysql

  • cat settings.php

Confirm you can log in to mysql, using the same credentials you put on settings.php

  • mysql -u root -p
  • show databases;


If you still have issues you can set the database password by logging into the mysql and run

Change user and password at will

  • ALTER USER 'root'@'localhost' IDENTIFIED BY 'bug';
  • flush privileges;

6. Give full permissions to the following directories documents, images, passwords & logs

  • sudo chmod 777 documents/
  • sudo chmod 777 images/
  • sudo chmod 777 passwords/
  • sudo chmod 777 logs/
  • ls -ld documents images passwords logs

7. Now access the application from the browser. Probably you will face the following error


8. To fix it access /bWAPP/bWAPP/install.php, and, click on “here”


9. After that this message should show

10. Now click on log in to get back to the page where we got the error


11. The credentials are bee/bug

12. There you can do the following

  • Change current password
  • Create a new user
  • Change security level
  • Reset the database
  • Select the instance to test “choose your bugs”

How to set up Mutillidae – Linux

Mutillidae is a vulnerable framework where you can practice OWASP top 10,


  • sudo git clone

1. Install the required repositories (in this case I’m using php 7.3)

  • sudo apt-get install php7.3-curl php7.3-mbstring php7.3-xml


Show php version

  • php --version

2. Extract the Mutillidae content in /var/www/html

  • ls -ld mutillidae
  • pwd

Run the site

1. Start the web server process

  • sudo service apache2 start
  • sudo service apache2 status

2. Access you web service via browser

  • http://localhost/mutillidae/

This tells us that the MySQL service is not running, so, we need to start it the same way we did with apache

3. Start the database

  • sudo service mysql start
  • sudo service mysql status

4. Click on “setup/reset the DB”

This time we are getting issues with authentication

5. Set up the accounts for mutillidae to access the database, user root & password mutillidae

  • sudo mysql -u root
  • use mysql;
  • update user set authentication_string=PASSWORD('mutillidae') where user='root';
  • update user set plugin='mysql_native_password' where user='root';
  • flush privileges;
  • quit;

6.Now configure the file that connects to the database

  • sudo vi /var/www/html/mutillidae/classes/MySQLHandler.php



7. Go again to the browser and click again “setup/reset the DB”, now it was able to set up the database, click OK

8. Now, we got access to the application


SMTP lab (hMailServer)

This has been writen to explain the steps to set a basic insecure SMTP lab. We are using hMailServer to act as a mail server & Thunderbird as mail client.

Mail Server (hMailServer)

1. Start the wizzard

2. Next, Accept the license

3. Select the install folder, next

4. Full installation, next

5. Use built in database, next

6. Create a shortcut, next

7. Choose the password for accessing hMailServer

  • Password

8. Complete the installation

9. This may pop up, click yes, to install some dependencies

10. The installation begins


1. Connect as Administrator

2. Enter the password we just created

  • Password

3. You will enter to the main view

4. First thing start up process

  • Click on “Welcome”

5. We need to create a domain

  • Add domain…

In that we have different tabs

  • General: The name of the domain. To be considered valid, a domain name must include a dot. You must set up your DNS servers so that email can be sent to your mail server.
  • Names: One domain can have several names. These are also known as domain aliases. For example, your organization might own the domain,, but it might also own
  • Signature: you can configure hMailServer to add a signature to all email sent from this domain, If no HTML signature is specified, hMailServer will use the plain text signature as HTML signature as well.
  • Limits: If you have specified 500MB, the total size of all messages in the domain will not exceed 500MB
  • DKIM Signing (encryption): DKIM, Domain Keys Identified Mail, is a method to sign the content of messages. The recipient can verify that the message is sent from a server authenticated to send from the sender's domain, and that the message content has not been modified in transit.
  • Advanced: This tab contains the advanced settings for the domain. You normally don't need to modify these settings.


For this lab I will only modify general tab


6. After saving the changes, we see the domain added

7. Now, it’s time to add user accounts

  • Accounts
  • Add

8. Add a user (leave the rest as default), then save

  • Address: vry4n
  • Password: pass1

9. In accounts we see our first user created

We will add a second user named john

  • john
  • pass1

At this point we are done with the mail server set up. Now it is time to run an email client to be able to send/receive emails

Email client (Thunderbird)

For this exercise we will use Thunderbird and a Linux machine to connect.

1. Install Thunderbird

  • apt-get install thunderbird

2. Run the application

  • thunderbird &

The application will now show up.

3. Add the SMTP server

  • Edit -> Account Settings

4. Select the default account or add a new one

  • Edit/Add

Edit the settings

  • Description: VK9 SMTP
  • Server Name:
  • Port: 587
  • Connection security: (optional TLS)
  • Authentication method: (optional)
  • User Name: Administrator
  • OK

4. Add the domain name and server address to DNS records, we will use /etc/hosts

  • vi /etc/hosts
  • add ->
  • cat /etc/hosts | grep

5. Test connectivity

  • ping -c 2
  • telnet 587
  • telnet 110

5. Now it is time to set up our accounts, when ThunderBird is first opened it requests to add an account.

  • File -> New -> Existing mail account

Fill the blank spaces

  • name: vry4n
  • email address:
  • password: pass1

We have already created the accounts in the previous steps, in hMailServer

6. Now, click on “Manual config”, correct the server name. and, adjust the settings to match the server’s. I use POP3, I manually changed that

7. Test connectivity

  • Click on “Re-test”

Doin gthis auto adjusts the settings, now it’s time to click on “Done”

8. Accept the risk, since, we are not using encryption.

9. The account know shows up in the main page.

Now, we do the same for the other account. John

  • File -> New -> Existing mailing account
  • john
  • pass1

10. Send an email as a test

  • File -> New -> Message