Web App Pentesting Practice Environment
Posted on Tue 24 December 2024 in articles
Introduction
A getting-started guide for a local web application pentest practice environment using Kali Linux and OWASP's Juice Shop, powered by UTM and Docker, running on an Apple Silicon Mac.
A note on Apple Silicon - there are a few quirks in this setup, as Apple Silicon Macs use ARM processors and the AArch64 builds of software are generally newer or less well supported.
Prerequisites:
- A Mac with an Apple Silicon processor (M1-M4)
- The Homebrew package manager
Installing UTM and Docker with Homebrew
Ensure Homebrew is updated and ready to brew:
brew update
brew doctor
Install UTM and Docker:
brew install --cask utm docker
After installation, open both apps and grant necessary system permissions. By default, Docker will run at login.
Configuring Kali Linux in UTM
Download the most recent Kali Linux ISO here - be sure to select the Apple Silicon/ARM64 version.
Create a new VM by clicking the + sign, then:
- Select Virtualize -> Other
- Boot ISO Image -> Browse (and select the Kali ISO image you downloaded)
- Continue, selecting the default settings (unless you have specific requirements and experience), noting that you can customize the name of the VM (e.g. Kali) on the Summary screen.
- Back in the main UTM window, right-click and Edit the new VM
- Under Devices, right-click and Remove the Display device, then right-click again and add a Serial device. As of writing, there is a bug, possibly within UTM or Kali, requiring this step. I suspect it may be the latter, and related to the window system protocol needing to be Wayland instead of X11 in this use case. A bit more on this later during install.
- Start the VM, noting that you will be in terminal mode.
- On the first screen, be sure to select Install (non-graphical), then proceed with the default settings, or customize as needed.
As mentioned previously regarding the need for a Serial device, I've only had success with Kali installations that use a Wayland desktop environment, and thus recommend selecting KDE (for a Windows-like experience) or GNOME (for a Mac-like experience). The default XFCE desktop environment resulted in a non-bootable system for me, which I believe is a result of its use of X11 and this specific ARM64 setup. More information on the X11 and Wayland window system protocols can be found here.
After installation completes, stop the VM, clear the ISO from the drive, edit and Remove the Serial Device, and add a new Display device.
Start the VM to boot into a graphical session of Kali Linux running the desktop environment of your choosing.
Configuring Juice Shop in Docker
Docker can be used to host a number of services and applications in a home lab/server environment, some of which I will cover in future posts. For now, we’ll focus on a (purposefully) vulnerable web application, Juice Shop.
You can follow the instructions here to pull and run the Juice Shop docker image, but to summarize:
docker pull bkimminich/juice-shop
docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop
Now you should have a functional web UI available at http://localhost:3000. Note that the 127.0.0.1 in the port mapping binds the app to the Mac's loopback interface only, so the deliberately vulnerable app is not reachable from other hosts on your network.
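The same pull and run steps as a small launcher script, added here as an example and not part of the original post: it keeps the loopback-only port mapping, waits for the app to answer, and checks that the running container really is bound to 127.0.0.1 before you start testing. It assumes docker and curl are on PATH; the container name is an arbitrary choice.

```shell
#!/bin/sh
# Added helper (not from the original post). Starts Juice Shop with the
# loopback-only mapping from the post, waits for it, and verifies the binding.
IMAGE="bkimminich/juice-shop"
NAME="juice-shop-lab"       # hypothetical container name, our own choice
BIND="127.0.0.1:3000:3000"  # host loopback only: not reachable from the LAN

# Return 0 when a `docker port` mapping binds to a loopback address,
# 1 when it would expose the service on every interface (0.0.0.0 or [::]).
# Accepts both "3000/tcp -> 127.0.0.1:3000" and the bare "127.0.0.1:3000" form.
loopback_only() {
    mapping="$1"
    host=${mapping##*-> }    # drop the "3000/tcp -> " prefix if present
    host=${host%:*}          # strip the port; IPv6 brackets stay intact
    case "$host" in
        127.*|'[::1]') return 0 ;;
        *) return 1 ;;
    esac
}

# Poll the app until it answers with a 2xx/3xx or the timeout (seconds) expires.
wait_ready() {
    url="$1"; timeout="${2:-60}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if curl -fsS -o /dev/null "$url"; then return 0; fi
        sleep 2; waited=$((waited + 2))
    done
    return 1
}

case "${1:-}" in
    up)
        docker pull "$IMAGE"
        docker run -d --rm --name "$NAME" -p "$BIND" "$IMAGE"
        wait_ready "http://localhost:3000" 90 || { echo "Juice Shop did not start"; exit 1; }
        mapping=$(docker port "$NAME" 3000/tcp | head -n 1)
        loopback_only "$mapping" || { echo "WARNING: $mapping is not loopback-only"; exit 1; }
        echo "Juice Shop ready at http://localhost:3000 ($mapping)"
        ;;
    down) docker stop "$NAME" ;;
esac
```

Save it as juice-lab.sh and run `sh juice-lab.sh up` to start and `sh juice-lab.sh down` to stop the lab.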
Wrapping up
At this point, you have a fully functional virtualized pentesting practice environment with a vulnerable web application to test against. If you are just getting started in web appsec and pentesting, take a look at this learning path from TryHackMe. Additionally, see here and select the Challenges tab for the specific challenges and vulnerabilities that can be found within Juice Shop.
Run into any issues or have an alternative setup? Have questions about any of the above, Linux, or virtualization in general? Let me know on Bluesky or via email. Thanks for reading!