Another great vulnerable web app to have in your repertoire is CryptOMG. If you're following along with how I did it, it's the same procedure here: install XAMPP, download and extract the contents of the CryptOMG ZIP file to the htdocs folder, and then run ./lampp start.

Hang on to this one because we'll be attacking it in the next section, too:

The attack tool we'll use for this demonstration, hash extender, is worth keeping on your Kali install for future use. There are other tools for the task (notably HashPump), but I prefer hash extender's ease of use and integration into other tasks. The easiest way to get it running on Kali is by installing it with git. Note that we're also making sure that the SSL development toolkit is installed; it wasn't present on my copy of Kali 2018.1:

# git clone https://github.com/iagox86/hash_extender
# apt-get install libssl-dev
# cd hash_extender && make

Fire up the tool with no parameters with ./hash_extender and get acquainted.