In this blog post we’ll set up an environment of a list of virtual machines (ubuntu and windows) that includes some intentional vulnerabilities ready to exploit using Metasploitable 3 as the target machines and Kali as an attacker, but before that, there is the list of requirements you need:
Software requirements
- macOS Mojave (Version 10.14)
- VirtualBox
- Packer
- Vagrant
You can install VirtualBox, Packer and Vagrant manually from the links below, or you can use https://brew.sh/:
brew cask install virtualbox
brew cask install vagrant
brew install packer
System requirements
- VT-x/AMD-V Supported Processor recommended
- 65 GB Available space on drive
- 4.5 GB RAM
Our environment, in the end, will have these 2 virtual machines, one running Ubuntu metasploitable3-ub1404 and one running Windows metasploitable3-win2k8.
We’ll build the boxes manually, but first, you need to clone the Metasploitable3 repo somewhere on you macOs machine:
git clone https://github.com/rapid7/metasploitable3.git
Install vagrant-reload we’ll need to reload vagrant provisioner:
vagrant plugin install vagrant-reload
Then a cd to the metasploitable3 folder:
cd metasploitable3
Build the base VM image for Ubuntu using packer, the first parameter --only use the name of the virtualization platform plus the template file:
packer build --only=virtualbox-iso ./packer/templates/ubuntu_1404.json
Build the base VM image for Windows:
packer build --only=virtualbox-iso ./packer/templates/windows_2008_r2.json
These two builds take a will to download the Operating Systems Installation.
Now and after the vagrant boxes are created, you need to check the result of vagrant box list:
vagrant box list
And this is what your list should looks like:
metasploitable3-ub1404 (virtualbox, 0)
metasploitable3-win2k8 (virtualbox, 0)
Now let’s add each created vagrant box to the corresponding vagrant environment:
Ubuntu Box:
vagrant box add packer/builds/ubuntu_1404_virtualbox_0.1.12.box --name=metasploitable3-ub1404
Windows Box:
vagrant box add packer/builds/windows_2008_r2_virtualbox_0.1.0.box --name=metasploitable3-win2k8
Now you’ve to start each VM separately which will run the installation and set everything up, but before that let’s edit the VagrantFile and change the value of these two variables ub1404.vm.box and win2k8.vm.box
ub1404.vm.box = "metasploitable3-ub1404"
win2k8.vm.box = "metasploitable3-win2k8"
Starts the VMs
Start the Ubuntu VM
vagrant up ub1404
Start the Ubuntu VM
vagrant up win2k8
If everything is OK you can see the list each VM on VirtualBox:
Get the Windows VM IP
Now you’ve to check the IP of the windows VM by following these steps:
1 - Right-click on the metasploitable3-win2k8 and show:
2 – Select the VM and from the VirtualBox top menu click on input, keyboard then insert Ctrl-Alt-Del (Host+suppr)
3 – From the users list choose Administrator and enter the default password vagrant, be careful if you have an azerty keyboard like me, because the VM keyboard is set up by default to qwerty.
4 – Open Powershell and type ipconfig
5 – Take the value of IPv4 Address and from your computer (macOs) not the virtual machine, open the terminal and use nmap to scan the open ports on the win2k8 VM, the ip address on your case should be different:
sudo nmap -sV -p- -T4 172.28.128.3
Password:
Starting Nmap 7.31 ( https://nmap.org ) at 2018-10-13 16:57 WEST
Nmap scan report for 172.28.128.3
Host is up (0.00062s latency).
Not shown: 65517 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
1617/tcp open nimrod-agent?
3000/tcp open http WEBrick httpd 1.3.1 (Ruby 2.3.3 (2016-11-21))
4848/tcp open ssl/http Oracle Glassfish Application Server
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8020/tcp open http Apache httpd
8022/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8027/tcp open unknown
8080/tcp open http Sun GlassFish Open Source Edition 4.0
8282/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8383/tcp open ssl/http Apache httpd
8484/tcp open http Jetty winstone-2.8
8585/tcp open http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp open http Elasticsearch REST API 1.1.1 (name: Dougboy; Lucene 4.7)
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49179/tcp open unknown
49182/tcp open tcpwrapped
MAC Address: 08:00:27:BC:ED:80 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Now you can take any open http port from the nmap command result, as an example 8585 that uses Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2) an from your computer open the browser and access to it using http://172.28.128.3:8585:
You can follow the same steps for the ubuntu ub1404 VM.
That’s it, now you have a couple of vulnerable web apps ready to be hacked.
Top comments (1)
I have followed all the steps but...
1 error occurred:
* Deprecated configuration key: 'iso_checksum_type'. Please call
packer fixagainst your template to update your template to be compatible with the current
version of Packer. Visit packer.io/docs/commands/fix/ for more
detail.
==> Wait completed after 3 microseconds
==> Builds finished but no artifacts were created.
I think packer is newer than the script.