Creating Metasploitable 3 in a nested VM environment completely blind like maniacs do

Disclaimer: I’m a hacker and I’m also slightly insane.

Translation: I break software for fun, profit and because I don’t like to follow the rules all the time. This means I like to install software in ways no one else has or the developer intended.

Typically software installs are provided in such a way as to make it easier for the end-user to get it on their system and get up and running with it as fast as possible.

No end-user ever said to themselves “Gee, I want to spend fifteen hours trying to install this software in an environment it’s not intended to be in for no other reason than I’m curious and I CAN.”

Except, I say that all the time and I believe in trying new things so I can learn.

I am a fan of Rapid7 and I use Metasploit just like any other hacker. I hacked Metasploitable 1 & 2. They were easy to import and fun to play around with.

Then came Metasploitable 3. Before you can play with it, you have to create it. This is actually a brilliant idea on the part of Rapid7’s staff because it teaches you how a VM is built with Vagrant and Packer but it’s this idea where the problems started for the users.

Because not that many people build VMs this way.

I began to notice two weeks ago that a lot of people on Twitter were having issues installing this vulnerable VM using the Windows 10 way. This is the *accepted* way to do it. Rapid7 even supplies us with a video made by a man named Jeremy who does just that.

I didn’t want to go through all that trouble even though in the end it probably would’ve been a lot faster. I wanted to install it in a NESTED VM environment that had Ubuntu, NOT Windows 10.

Why Ubuntu? Because it keeps you on your toes and if something is going to break, Ubuntu will make sure it does. You have to know workarounds with this OS and so when I do experiments of this kind, I like to throw Ubuntu into the mix to make it all that much harder.

 

————–Pre-Requisites—————

***Before you begin, you must make sure that Hardware Virtualization is enabled in your BIOS – Stop reading right now, reboot and check. Chances are if you already have VM labs set up it’s already set but doesn’t hurt to check.

My system is already configured this way so I didn’t need to do this. If your chip doesn’t support this, stop, you can’t do this but you’re free to read how this maniac did 🙂

What I have: Windows 8.1 host computer running VMWare Workstation 12 loaded with a 64-bit Ubuntu 17.10 VMWare image which has Virtualbox installed inside of it.

**You cannot use VirtualBox to create the Metasploitable 3 VM because VirtualBox does not support Nested Virtualization (VMs within VMs). VMWare does. I forgot about this rule and tried to do this in VirtualBox yesterday and got all the way to the end, saw the AMD-V error and realized where I went wrong.

Whoops! First world hacker problems.

My attack and research lab environments are all in VirtualBox. I have two SSDs dedicated to them as they start up very fast.

Before I get to my steps, I want to clearly explain what you are doing here. Previous versions of Metasploitable (1 & 2) came pre-made as virtual images you could attach to VMs in your fav hypervisor.

This time, because the VM is made in a Windows OS and because of licensing issues with redistributing Windows OSes, Rapid7, the makers of Metasploit and the Metasploitable vuln VMs, created a way for you to create the VM yourself.

They can’t give you a ready-made image; it would be against Microsoft’s terms. But they can give you a framework in which to build the image which points directly to Microsoft’s servers to download the Windows 2008 ISOs needed (main OS and guest additions).

So, what I’m about to show you is this:

This means I’m running the Ubuntu VM guest on a Windows 8.1 host in VMware and then inside that guest Ubuntu VM I’m going to install VirtualBox again to get Metasploitable 3 created.

I’m spelling this out so there’s no confusion as you progress through this. Any questions, DM me on Twitter. I respond within 24 hours usually.

Set aside several hours for this. No distractions. You’ll just wind up getting aggravated further if you run into issues and have to get up to go walk the dog or cook dinner.

 

 

  1. I downloaded the Ubuntu 17.10 VMware image from OsBoxes http://www.osboxes.org/ubuntu/#ubuntu-1710-vmware

    Username: osboxes  Password: osboxes.org

  2. I downloaded VMWare https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
  3. I added the vmdk virtual disk file to the VMware machine. To do the same, please do the following:

    Open your VMware virtual machine and make sure it is powered off;
    Choose VM -> Settings;
    On the Hardware tab, click Add to start the Add Hardware wizard, select Hard Disk and click Next.
    On the Select a Disk page, select Use an existing virtual disk and click Next.
    On the Select an Existing Disk page, enter the path name and filename for the existing disk file, or browse to the file and click OK.

  4. I enabled Bridged Adapter in the Networking section so as not to futz around with my special NAT environment I have for my VMs. Specific VMs require they be air-gapped, either because you’re analyzing malware or because they are vulnerable and opening them up fully to the Internet (public-facing) is a BAD idea. But for right now don’t worry about that. Let’s just get it Internet access so we can download what we need right away without restrictions.
  5. I gave the VM 12 GB of RAM and like 100 GB of space so it wouldn’t run out and I wouldn’t have to expand anything or play around with Gparted.
  6. I know my system supports it but if you’re following along, check if your system supports Nested Virtualization. For Intel processors, cat out

    /sys/module/kvm_intel/parameters/nested

    For AMD processors, look into /sys/module/kvm_amd/parameters/nested.

    You should receive 1 or Y, if nested virt is supported, 0 or N otherwise. AMD processors should have it enabled by default, (certain) Intel processors might not. Example:

    $ cat /sys/module/kvm_intel/parameters/nested
    Y
    $ cat /sys/module/kvm_amd/parameters/nested
    Y

  7. Start up the Ubuntu VM.
  8. Change the ubuntu user’s password. It is “osboxes.org” to begin with.
  9. Now download Git

    sudo apt-get install git

  10. Git clone the Metasploitable 3 repo

    sudo git clone https://github.com/rapid7/metasploitable3.git

  11. I downloaded the ISOs required for Metasploitable 3 direct from their sources as described in one of the README.md files.
  12. I then edited the windows_2008_r2.json file in the metasploitable3 repository. At the end of the file look for ISO URL and put my file path in there instead of the Microsoft URL because why download it a second time?

    "variables": {
      "iso_url": "/home/osboxes/metasploitable3/7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso",
      "iso_checksum_type": "md5",
      "iso_checksum": "4263be2cf3c59177c45085c0a7bc6ca5",
      "autounattend": "./answer_files/2008_r2/Autounattend.xml"

  13. Installed latest version of Vagrant

    sudo apt install vagrant

  14. You can check if vagrant is installed by typing vagrant -v in Terminal or vagrant version.
  15. Now download the vagrant plugin. In Terminal type

    sudo vagrant plugin install vagrant-reload

  16. Install Packer and VirtualBox

    sudo apt install packer virtualbox

  17. Now test that it’s installed by typing packer in a terminal and then virtualbox. If you see options you’re good.
  18. At this point we have all the pre-reqs in place and should be able to start the shell script to build the VM. But trying to build it with sudo ./build_win2008.sh was failing epically. I had to figure out another way for it to work.

    I knew I could build it manually using the supplied JSON script and the command “packer build”

    So I tried that.

    packer build windows_2008_r2.json

    This failed.

    VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component MachineWrap, interface IMachine

    So I did some research https://www.virtualbox.org/ticket/7367 and it said to do a headless start. This means there’s no GUI and you’re essentially blind running this.

    Also, there’s an additional problem which is that I’d be invoking VBoxManage through a JSON script not directly through the command line.

    So that meant I needed to edit the JSON file. I searched through it for the word “headless” and found it was set to false. I set it to true.

    And then I waited.

    I could see it was writing the Metasploitable VDI file in a new directory it created, “output virtualbox-iso”. F5ing (refreshing) allowed me to see it kept writing to it. I figured this was a good sign.

    I waited an agonizing 15 mins to see “Waiting for SSH to become available”

    It took another hour to fully build.

    Then it failed at the end with a VMWare error but I had the ovf, vmdk, vagrantfile and json file.

    I tried to start vagrant up but that failed too. I have something wonky somewhere. Not to worry, I can import it!

    Part of being a hacker is thinking on your feet and being able to consider your options, on the fly, if necessary, and trying what you can with the least amount of damage. Since this is an experiment, I don’t care about damage.

  19. I fired up Virtualbox and used File > Import Appliance and selected the “box.ovf” file it had created in a subdirectory in the metasploitable3 folder.

    It fails saying it’s corrupted.

    But it had created a backup zip of the four files so I extracted them someplace else and imported from there.

    This was successful! 🙂

    Now all I have to do is mount one of my external drives, transfer the zip to it and import it into my host computer’s Virtualbox environment.

    I can then attack it with Kali or whatever else.

    I’m going to follow my steps again this week, recreate this entire scenario from scratch and see if I missed anything in this tutorial. If I do, I’ll edit this guide.

    This required a lot of thinking on my part when things failed so I may have missed a few steps.

    In closing, remember that there is always an alternate way to do things. Always try new ways even if they seem crazy because you open up your horizons that way and get to experience new things.

    I downloaded Metasploitable 3 when it first came out and forgot about it. The discussions on Twitter are what prompted me to finally create it but I just didn’t want to copy everyone else.

    Anyway, that’s that. I didn’t give up although I wanted to. Ubuntu is such a pain at times!
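
The two template edits from steps 12 and 18, as an added example that is not part of the original post or of Rapid7's repository: it checks the local ISO against the template's `iso_checksum` before pointing `iso_url` at it, then sets `headless` to true. The template layout (a `builders` list whose entries carry `headless`), the function names and the sample file contents are assumptions constructed for this example.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo):
    """Hash a file in 1 MiB chunks so a multi-gigabyte ISO is never held in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def prepare_template(template, iso_path):
    """Return a copy of the template that uses a local ISO and builds headless.

    Raises ValueError when the file does not match the template's iso_checksum,
    so a truncated or wrong download is caught before the hour-long build.
    """
    variables = dict(template["variables"])
    algo = variables["iso_checksum_type"]  # "md5" in the post's template
    actual = file_digest(iso_path, algo)
    if actual.lower() != variables["iso_checksum"].lower():
        raise ValueError(f"{algo} mismatch for {iso_path}: got {actual}")
    variables["iso_url"] = iso_path
    # Assumed layout: each builder that can show a GUI carries a "headless" key.
    builders = [dict(b, headless=True) if "headless" in b else dict(b)
                for b in template["builders"]]
    return dict(template, variables=variables, builders=builders)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "sample.iso")  # constructed stand-in, not a real ISO
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for the Windows 2008 R2 ISO")
        template = {  # constructed template fragment, not the repository's file
            "builders": [{"type": "virtualbox-iso", "headless": False}],
            "variables": {
                "iso_url": "https://example.invalid/win2008.iso",
                "iso_checksum_type": "md5",
                "iso_checksum": file_digest(iso, "md5"),
            },
        }
        print(json.dumps(prepare_template(template, iso), indent=2))
```

The MD5 comparison catches a damaged or mismatched download; MD5 is not collision-resistant, so it is not evidence against a deliberately tampered file.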