How To: Set Up a Pentesting Lab Using XAMPP to Practice Hacking Common Web Applications

Hello friends! This tutorial will teach you how to build a local pentesting lab on your Linux machine which will enable you to easily install common web applications so you can practice locating and exploiting their known vulnerabilities (or discover new ones!). In particular, this is an excellent way to learn how to hack Wordpress, Joomla, and Dupral plus many more!

Basically it's the same idea as building an intentionally vulnerable virtual machine to practice hacking against, except strictly focuses on the most common web applications.

The set up is essentially the same for Windows, although the locations of the folders might be different.

This is the only complete and accurate tutorial online that demonstrates:

1. How to install XAMPP
2. How to install Wordpress locally on XAMPP
3. How to fix pesky error warnings
4. How to change themes without knowing ftp username/password

Ready? Let's begin!

Step 1: Download XAMPP

Navigate to the following URL and download the version of XAMPP appropriate for your operating system.
https://www.apachefriends.org/download.html

Step 2:

After downloading, navigate to your download folder and double click the XAMPP 'installer.run' file. This will install XAMPP onto your system. At the end of the installation, make sure the 'run XAMPP now' tick box is checked and click 'finish'.

Step 3:

On your XAMPP interface, click 'manage servers' then click 'start all'.

Step 4:

Now it's time to download and install an old version of wordpress so I can practice exploiting it's known vulnerabilities. Click the link below and download the version of wordpress you'd like to practice exploiting. In this tutorial, I am installing wordpress 3.1.3

https://wordpress.org/download/release-archive/

Step 5:

After Downloading, Extract the Zip File into /Opt/Lampp/Htdocs.

Step 6:

In your browser, navigate to 'localhost/dashboard and click 'phpMyAdmin' in the menu bar in the right upper corner of the page.

Step 7:

In the upper left hand corner of the screen, under 'phpMyAdmin', click 'new' to create a new database. Set 'wordpress' as the name of your database, then click 'create'.

In the pic, ignore the wp3.1.3 stuff. At the bottom you'll see my database named 'wordpress'' just like I told you to create

Step 8:

Turn to your folders and navigate to /opt/lampp/htdocs/wordpress and double click the 'wp-config-sample.php file. We will need to edit it appropriately.

Step 9:

Replace 'databasenamehere' with the name of your database, which in my case is 'wordpress'. Replace 'usernamehere' with 'root' and leave 'passwordhere' blank.

Click 'save as' and rename the file 'wp-config.php'.

Step 10:

Now we can get on with actually installing WordPress. Open your browser and go to http://localhost/wordpress/

You should see the translation screen that comes before the famous five minute WordPress installation process. Select your language and click 'continue'.

Step 11:

Enter the title for your site (you can change this later), chose a unique username and password, enter your email address and click 'finish'.

Viola! Your wordpress installation is now complete!

Step 12: Fix Pesky Warnings

Now it's time to fix those pesky 'warning' messages showing up on your posts and pages. Navigate to and open your wp-config.php file and add the following line just above the 'define DB_Name' line.

ini_set( 'display_errors', 0 );

Step 13: Change Your Theme

Fix the issue that will prevent you from changing themes. If you go and try and change your theme, you will notice that it asks for your ftp user name and password. To disable this, add the following line below the line you added in the last step in your wp-config.php file

define('FS_METHOD','direct');

Step 14: ENJOY!

Pat yourself on the back you've completed something a decent amount of people find difficult.