Setup a Vulnerable LAMP Server

LAMP is an acronym formed from the names of its original four open-source components, which are used for building dynamic websites and web applications. These components are Linux, Apache, MySQL and PHP (or Perl).

The equivalent installation on the Microsoft Windows operating system is known as WAMP.

To make this server vulnerable, we will be installing outdated versions of PHP and setting up broken web applications. These applications are used for learning how to hack/pentest using various methods. Be careful not to expose your vulnerable LAMP server outside your own network, as it will be hacked.

I will be setting up my vulnerable LAMP server in Linux Mint, which I installed recently; see my Installing Linux Mint in VirtualBox tutorial here. This tutorial should also work with most Debian/Ubuntu-based Linux distributions.

Before we start, let’s update all the repositories and upgrade our Linux installation.

sudo apt-get update && sudo apt-get upgrade -y


First, we will install the Apache HTTP server. This is done by typing the command below.

sudo apt-get install apache2

To test that it's all working, just open up a web browser and type either or http://localhost and you should be presented with a page like this.




Now it's time to install the MySQL database. This is done by typing:

sudo apt-get install mysql-server

This will start the installer and then ask if you want to continue, hit Y and enter and it should start installing.


Then you will be asked to set a password for MySQL. As this is a vulnerable server, we are going to set the password to P@ssword. In the real world, you would use a much more secure password.




The latest version of PHP is version 7, but as this is a vulnerable server we will need version 5.6 to make sure the vulnerable sites we will be setting up later work properly. The only version in the Mint repositories is the latest version 7, so to get around this we need to edit the repository list to install an older version of PHP.

sudo add-apt-repository ppa:ondrej/php



Press enter to continue and the repository will install.

Now we will need to update our newly installed repositories.

sudo apt-get update

Check if you have a version of PHP already installed.

php -v


Now install PHP 5.6 from our updated repository.

sudo apt-get install php5.6 php5.6-mysql php-xdebug libapache2-mod-php5.6 php5.6-mbstring

Just to make sure everything has installed correctly, type php -v and check the version.

Next, we are going to create a PHP info page that will show PHP is set up correctly.

First, let's change to the root directory of our web server.

cd /var/www/html/

Then using a text editor we can create our phpinfo.php file.

sudo nano phpinfo.php

When nano opens up our blank PHP file, type..




…and press Ctrl+x to exit. It will ask if you want to save your changes; just hit y, check the file name and hit enter.

Now navigate to that PHP file in your web browser by typing

and you should get presented with a page like this, showing you all your PHP configurations.




DVWA (Damn Vulnerable Web App)

Go to the site (link above) and click their download link, which should give you a prompt asking what you want to do with the file. Just click Save File and click OK; this should save the file to your downloads folder.


Open up a Terminal and we will need to navigate to where we downloaded DVWA.

cd ~/Downloads

If you do an ls you should be able to see the file you already downloaded.

Now unzip the DVWA zip file and extract it into a folder called dvwa.


Rename the unzipped DVWA-1.9 folder to dvwa.

mv DVWA-1.9 dvwa

Then move the newly created dvwa folder to the Apache directory.

sudo mv dvwa/ /var/www/html/

Next, navigate to the dvwa config folder so we can enter the MySQL details to get DVWA working.

cd /var/www/html/dvwa/config/

Then use a text editor to edit the config file.


Edit the password to match the password of P@ssword which we set up earlier in MySQL.

$_DVWA = array();
 $_DVWA[ 'db_server' ] = '';
 $_DVWA[ 'db_database' ] = 'dvwa';
 $_DVWA[ 'db_user' ] = 'root';
 $_DVWA[ 'db_password' ] = 'P@ssword';

Now we just need to reload the Apache settings.

sudo service apache2 reload

Open up a web browser and navigate to the dvwa folder we have just created.

You should get presented with this Database Setup page



Anything highlighted in red needs to be dealt with before we create the databases.


PHP function allow_url_include: Disabled

To set this we need to edit our php.ini file, so first navigate to the folder that contains the php.ini file.

cd /etc/php/5.6/apache2

Then open up the php.ini file in a text editor.

sudo nano php.ini

Then tap Ctrl + w to do a search and type allow_url_include.

This should take you to the allow_url_include line of the php.ini file, which should state Off.

Change the line to say allow_url_include = On (see picture below).


Hit CTRL+x  to close nano and Y to save the changes we have just made.

Reload the apache2 service to make the changes available.

sudo service apache2 reload
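
To confirm the value PHP will read from the file after this edit, the script below (an added example, not part of the original tutorial or of DVWA) parses a php.ini file for one directive, skipping `;` comment lines and letting the last assignment win. The sample file contents and the function names ini_value and ini_flag_on are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report the value PHP will read for one php.ini directive.

# ini_value DIRECTIVE [FILE]  (reads standard input when FILE is omitted)
# Skips ';' comment lines and [Section] headers; the last assignment wins.
# A ';' inside a quoted value is not handled, which is fine for On/Off flags.
ini_value() {
    awk -v key="$1" '
        /^[ \t]*(;|\[)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            sub(/[ \t]*;.*$/, "", v)            # drop a trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", k)      # trim the directive name
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)    # trim spaces and quotes
            if (k == key) val = v
        }
        END { print val }' "${2:--}"
}

# ini_flag_on VALUE: succeeds for the spellings PHP treats as boolean true.
ini_flag_on() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|on|yes|true) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample, not a real php.ini.
SAMPLE_INI='[PHP]
; allow_url_include = On
allow_url_fopen = On
allow_url_include = Off
allow_url_include =On   ; changed for DVWA'

if [ -n "${1:-}" ]; then
    value=$(ini_value allow_url_include "$1")
else
    value=$(printf '%s\n' "$SAMPLE_INI" | ini_value allow_url_include)
fi
if ini_flag_on "$value"; then
    echo "allow_url_include is enabled ($value)"
else
    echo "allow_url_include is disabled (${value:-not set})"
fi
```

Pass /etc/php/5.6/apache2/php.ini as the first argument to check the file edited above; with no argument the script reads the constructed sample.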


PHP module php-gd: Missing

This can quite easily be installed from our Linux repositories.

sudo apt-get install php5.6-gd

Then we just need to reload our Apache service.

sudo service apache2 reload


reCAPTCHA key: Missing

Go to to create and generate your own keys for the Insecure CAPTCHA module.

You will then need to log in with a Google account and select the big blue Get reCAPTCHA button.


Then in the Register a new site box add a label, type dvwa and in the domains type localhost, and click Register.


You should now be given your Keys which we need to add into the in your DVWA folder.


With a text editor open up the config document in the dvwa folder.

nano /var/www/html/dvwa/config/

Edit the reCAPTCHA settings, adding the keys we have just got from Google in between the two ‘ ‘. The Site key goes into recaptcha_public_key and the Secret key goes into recaptcha_private_key.


Then hit Ctrl+x to close and y to save the changes and reload the apache services.

sudo service apache2 reload


Writable folder /var/www/html/dvwa/hackable/uploads/: No

This error means you need to make uploads a writable folder. You use chmod and chown to do this.

sudo chmod 777 /var/www/html/dvwa/hackable/uploads/

sudo chown root:root /var/www/html/dvwa/hackable/uploads/


Writable file /var/www/html/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt: No

Same as above, you need to use chmod to change the permissions on this file and make it writable.

sudo chmod 777 /var/www/html/dvwa/external/phpids/0.6/lib/IDS/tmp/phpids_log.txt

Now everything should be green on our Database Setup page. Click the Create / Reset Database button at the bottom of the DVWA setup window; this will connect to MySQL and create all the required databases.


You should now be automatically presented with the login screen.


The default username and password for this site is admin:password.


OWASP Mutillidae 2

Download the latest Mutillidae zip file from and save it to your downloads folder.

Navigate to your downloads directory.

cd ~/Downloads

If you do a ls you should see something like in this folder, we need to now unzip it.


And move the unzipped folder to your Apache directory.

sudo mv mutillidae/ /var/www/html/

Now we need to set up the MySQL password in the MySQLHandler.php file, so Mutillidae can connect to MySQL and set up the databases.

sudo nano /var/www/html/mutillidae/classes/MySQLHandler.php

Scroll down the document until you find static public $mMySQLDatabasePassword = ""; and enter P@ssword between the speech marks "", as below.


Then hit Ctrl+x and then y to save changes.

Next we need to modify the Apache directory config so that index.php is first in the list.

sudo nano /etc/apache2/mods-enabled/dir.conf

Hash (#) out the current DirectoryIndex line and on a new line type out a new DirectoryIndex, see below.

DirectoryIndex index.php index.html index.cgi index.xhtml index.htm


Ctrl + x to exit the document and hit y and enter to save.

Then you need to add php5.6-simplexml from the Linux repositories; this allows the server to easily manipulate and get XML data.

sudo apt-get install php5.6-simplexml

Then reload the apache2 service.

sudo service apache2 reload

Now open up your web browser and in the address bar type and you should get a message saying the database is offline.


Click setup/reset the DB. This should run through and set up all the databases for you, and you should get a pop-up saying No PHP or MySQL errors were detected when resetting the database.


Click OK and the page should reload and you get redirected to the Mutillidae home page.


Notice the yellow warning message that says we don’t have php5-curl installed, so open up a terminal and type:

sudo apt-get install php5.6-curl

And reload Apache again.

sudo service apache2 reload

If you reload the mutillidae page, we should see the error has gone away.





Download Sqli-labs by following this link and saving it to your downloads directory.

Change to your downloads directory.

cd ~/Downloads

if you do a ls you should see in this folder now we need to unzip the folder.


And then rename the unzipped folder to sqli.

mv sqli-labs-master sqli

Now we need to move this folder to our Apache directory.

sudo mv sqli /var/www/html/

Next we need to add the MySQL password to the database configuration file.

sudo nano /var/www/html/sqli/sql-connections/

And edit between the two ‘ ‘ for dbpass = ''; as below.


Then Ctrl + x to exit and hit y and enter to save.

In your web browser navigate to your sqli folder and you should get a page as below.


Lastly, click Setup/reset Database for labs; this will create all the databases needed.




bWAPP (Buggy Web Application)

The bWAPP home page can be found here

And you can download the latest version of bWAPP from here

The current version when I write this is bWAPPv2.2.

Save the file to your Downloads folder, then navigate to your downloads folder.

cd ~/Downloads

type ls just to check is in your Downloads folder and we can now unzip it.

unzip -d bWAPP

Now move the folder to your Apache directory.

sudo mv bWAPP /var/www/html/

With a text editor, add the database connection settings to bWAPP.

sudo nano /var/www/html/bWAPP/bWAPP/admin/settings.php

Navigate to the part of the document that says // Database connection settings and add the MySQL password between the speech marks on db_password = "P@ssword"; as below.


Press Ctrl + x to exit settings.php and hit y to save the file.

cd .. to go back one directory, and we need to change some permissions to make the application vulnerable.

chmod 777 passwords/

chmod 777 images/

chmod 777 documents/

After making the above permission changes, open up your web browser and navigate to the bWAPP install.php.

You should see the bWAPP install page; just click the here to install bWAPP link.


This will quickly set up all the databases and the screen will display bWAPP has been installed sucessfully!

You can now navigate to your bWAPP installation.


The default login and password for bWAPP is bee:bug.
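
Since every application installed above is deliberately exploitable, it is worth checking which addresses Apache and MySQL are actually listening on before leaving the VM running. The script below is an added example, not part of the original tutorial: it filters `ss -Hltn` output for the lab's ports and reports any bound to a non-loopback address. The sample output is constructed, and the function name exposed_listeners and the script's own `--live` argument are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: list lab services reachable from beyond the loopback interface.
# Reads `ss -Hltn` output: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

LAB_PORTS="80 3306"   # Apache and MySQL default ports (assumed unchanged)

# Prints "port address" for each lab port bound to a non-loopback address.
exposed_listeners() {
    awk -v ports="$LAB_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4
            sub(/^.*:/, "", port)                    # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            gsub(/^\[|\]$/, "", addr)                # strip IPv6 brackets
            sub(/%.*$/, "", addr)                    # strip a scope such as %lo
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "::1") next
            print port, addr
        }'
}

# Constructed sample output, not captured from a real host.
SAMPLE_SS='LISTEN 0 511 *:80 *:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then
    found=$(ss -Hltn | exposed_listeners)
else
    found=$(printf '%s\n' "$SAMPLE_SS" | exposed_listeners)
fi
if [ -n "$found" ]; then
    echo "Reachable beyond loopback:"; echo "$found"
else
    echo "Lab ports are bound to loopback only."
fi
```

On a default install Apache listens on all interfaces, so expect port 80 to be reported unless the VM's network is host-only or otherwise segmented.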


And that's our vulnerable server all set up. I will be using this setup for future tutorials, so keep checking back as I have some exciting things planned. As always, please comment in the Reply box below if you have any issues setting this up or have any comments for me.




17 thoughts on “Setup a Vulnerable LAMP Server”

  1. Awesome Article 🙂 Very well explained! works perfectly. Tried a lot of articles but only this worked without even a single error. Good job guys…Thanks a lot 🙂

  2. This article is very useful for me :-). While I was installing mutillidae, I got stuck. Now I am clear. How do install/setup complete lap setup.
    Thanks a lot. I appreciate your effort 🙂

  3. Thanks a ton Hemp !
    My hours of struggle finally got a solution from your blog !
    Everything is crisp & guided very well.
    Once again thanks a lot !

  4. Hey Hemp,

    Nice tutorial you’ve got there. I have downloaded buggy app but never had the time and the knowledge to properly install it, get it configured and running.
    Well, you’ve just made my life a bit easier. Cheers

    1. Hi MiNDTH3G4p thanks for your comment, I had the same issues when I was starting out and that’s exactly the reason I made this blog post.

      bWAPP team also do a Pre-built virtual machine called the bee-box which is a custom Linux image that you should have no problems adding into something like VirtualBox.

      Bee-box can be downloaded from this link


    1. Hi ccarter, I have not had any Access denied for user ‘root’ @ ‘localhost issue myself but thanks for sharing this.

      If anyone else is finding this Issue please let me know here in the comments.


      1. Hi Hemp!
        I have an error when I try to click on the button for “create /reset database”. Everything is green but I got the following error:
        “Could not connect to the database service.
        Please check the config file.
        Database Error #2054: The server requested authentication method unknown to the client.”.
        I tried to run the commands suggested in the link that ccarter provided, even I tried the solutions proposed here
        But I am stuck in this point.
        Can you help me, please?
        By the way, your tutorial is amazing, thank you

        1. Hi Moe

          Hope I can help…. so if I read your question right “you are having problems with the DVWA Database setup”.

          nano into the file

          nano /var/www/html/dvwa/config/

          and check what you have set in the DVWA array. This needs to be the same root user and password you set when you installed mysql

          $_DVWA = array();
          $_DVWA[ 'db_server' ] = '';
          $_DVWA[ 'db_database' ] = 'dvwa';
          $_DVWA[ 'db_user' ] = 'root';
          $_DVWA[ 'db_password' ] = 'P@ssword';

          Don't worry if you can't remember what you set it to, you can always just remove mysql with the command below and run through the mysql setup section.

          sudo apt purge mysql*

          Or, as you're not too deep in, just try re-installing the VM or roll back to a checkpoint in VirtualBox. Might be worth actually setting a checkpoint after each section as this will allow you to roll back to any point and try again.

          Hope this helps…. let me know what you did to fix it as others may come across the same issue.


  5. Hey, Hemp.
    I wanted to download bWAPP and it told me it was a virus and allows remote access to the computer it’s installed on. Look forward to hearing from you!

    1. Hi demtions

      Thanks for letting me know. I got the same in Windows Defender even after going through the download link on the bWAPP homepage. It reported that it contains a Backdoor:php/Remoteshell.c but this is probably due to some of the buggy code that bWAPP contains. If in doubt, make sure it's run in a segmented network without any access to your actual network.

