How to setup Mutillidae


OWASP provides a great project called Mutillidae, a deliberately vulnerable web application that serves as a target for web-security enthusiasts. It comes preinstalled with SamuraiWTF, Rapid7 Metasploitable-2 and OWASP BWA, but it is also very easy to set it up yourself. This tutorial describes how to install all the required packages and the necessary configuration steps to get Mutillidae up and running on your system or in a Virtual Machine (VM). If you install the project on your local machine, make sure that nobody else can reach this vulnerable web application; otherwise other people may gain access to your machine. It is therefore recommended to install Mutillidae only within a VM. For this tutorial Debian 8.5.0 was used as the operating system.

First of all, install the following packages with your package manager, in this case apt. To activate the newly installed modules in the Apache web service, restart the service afterwards.

sudo apt-get install apache2 libapache2-mod-php5 mysql-server php5-mysql php5-curl

sudo service apache2 restart

During the installation a prompt asks for a password. This is the password for the MySQL root user; you can just hit enter to leave it blank, because an empty root password is the default that Mutillidae's database configuration expects. The prompt may show up multiple times; just hit enter each time.

Define root mysql password

If you don't want to use an empty password, you can set one, but afterwards you have to change it in the Mutillidae configuration as well. The steps required to use a different password are described later on.

Next, you have to create the required database. To do this, enter the following commands in a terminal:

mysql -u root
mysql> create database mutillidae;
mysql> exit

Now you have to download the Mutillidae project itself. To do so, run the following command:

wget http://liquidtelecom.dl.sourceforge.net/project/mutillidae/mutillidae-project/LATEST-mutillidae-2.6.40.zip

The link may change in the future. To get the latest version, have a look at the website https://sourceforge.net/projects/mutillidae/ and use the download link of the latest release.

After the successful download, unzip the archive with the following command.

unzip LATEST-mutillidae-2.6.40.zip

Afterwards, move the new directory to the web root and change the permissions to allow access to the files. From a security perspective these permissions are far too permissive (the whole tree becomes world-writable), but for a testing VM they are acceptable and simply avoid permission problems.

sudo mv mutillidae /var/www/html
sudo chmod -R 777 /var/www/html/mutillidae

Now the website should be available. So just open your browser and enter the URL http://127.0.0.1/mutillidae. The following page should show up.

Mutillidae setup page

Now click on the text setup/reset the DB, which is marked in the previous picture, to initialize the database. If everything went right, the following box should show up.

Database setup success

Configure database credentials (Optional)

In case you don't want to use an empty password, open the file /var/www/html/mutillidae/classes/MySQLHandler.php and edit the following lines (set the password value to the one you chose for the MySQL root user):

/* ----------------------------------------------
* DATABASE USER NAME
* ----------------------------------------------
* This is the user name of the account on the database
* which OWASP Mutillidae II will use to connect. If this is set
* incorrectly, OWASP Mutillidae II is not going to be able to connect
* to the database.
* */
static public $mMySQLDatabaseUsername = "root";

/* ----------------------------------------------
* DATABASE PASSWORD
* ----------------------------------------------
* This is the password of the account on the database
* which OWASP Mutillidae II will use to connect. If this is set
* incorrectly, OWASP Mutillidae II is not going to be able to connect
* to the database. On XAMPP, the password for user
* account root is typically blank.
* On Samurai, the $dbpass password is "samurai" rather
* than blank.
* */
static public $mMySQLDatabasePassword = "";

If there weren't any errors during the setup, the following page should show up in your browser, which means you finished the setup successfully :)

Finished setup
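Two things from this walkthrough are worth checking in a script once the setup is done: that Apache is only reachable from the VM itself (the warning at the top) and that the optional password change in MySQLHandler.php actually took effect. The following helper is an added example, not part of the Mutillidae project; it assumes Debian's /etc/apache2/ports.conf and the classes/MySQLHandler.php path used above, and runs against constructed sample files so it works stand-alone.

```shell
#!/bin/sh
# Post-install checks for the Mutillidae VM set up above (added example, not
# part of the Mutillidae project). Paths are assumptions taken from the
# tutorial: Debian's /etc/apache2/ports.conf and classes/MySQLHandler.php.

# Return 0 only if every Listen directive in a ports.conf binds to a loopback
# address (127.0.0.1 or [::1]). Debian's default "Listen 80" exposes the
# vulnerable app to everyone on the network, which the tutorial warns against.
apache_listens_loopback_only() {
    awk '/^[ \t]*Listen[ \t]/ {
             if ($2 !~ /^(127\.0\.0\.1|\[::1\]):[0-9]+$/) bad = 1
         }
         END { exit bad ? 1 : 0 }' "$1"
}

# Replace the blank root password in MySQLHandler.php so it matches the
# password chosen for the MySQL root user. Characters that would break the
# sed expression are rejected rather than escaped.
set_mutillidae_db_password() {
    file="$1"; pass="$2"
    if printf '%s' "$pass" | grep -q '[|&"\\]'; then
        echo "password contains a character this helper does not support" >&2
        return 2
    fi
    sed 's|\(\$mMySQLDatabasePassword = \)"[^"]*";|\1"'"$pass"'";|' "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
    # Confirm the line now carries the new value.
    grep -qF "\$mMySQLDatabasePassword = \"$pass\";" "$file"
}

# Constructed sample files so the script runs stand-alone; on a real VM point
# the functions at /etc/apache2/ports.conf and the MySQLHandler.php path.
demo=$(mktemp -d)
printf 'Listen 80\n<IfModule ssl_module>\n\tListen 443\n</IfModule>\n' > "$demo/ports.conf"
printf 'static public $mMySQLDatabasePassword = "";\n' > "$demo/MySQLHandler.php"
if apache_listens_loopback_only "$demo/ports.conf"; then
    echo "ok: Apache only listens on loopback"
else
    echo "WARNING: Apache listens on all interfaces; change 'Listen 80' to 'Listen 127.0.0.1:80'"
fi
set_mutillidae_db_password "$demo/MySQLHandler.php" 'S3cretVmPass' \
    && echo "ok: MySQLHandler.php updated"
rm -rf "$demo"
```

After editing ports.conf on the VM, restart Apache as in the package step above so the new Listen address takes effect.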

Links

For further information about the Mutillidae project, have a look at the following link: https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project