This post is part of a series on the Ubuntu Linux version of Metasploitable3. The following posts are part of the series:
- Part 1: Building the Ubuntu Linux Version (You are here!)
- Part 2: Customizing the Ubuntu Linux Version
- Part 3: Pentesting the Ubuntu Linux Version - SQL Injection
- Part 4: Pentesting the Ubuntu Linux Version - Attacking Services
- Metasploitable2, Metasploitable3 and InfoSec Assignments
- Building the Metasploitable3 Linux Version
Metasploitable3 is an intentionally vulnerable machine build for exploit testing (aka. pen testing). Back in November, 2016, Rapid7 released Metasploitable3. I had used the previous version, Metasploitable2, to learn the basics of penetration testing. It was an excellent platform for exploratory testing, and I was sure Metasploitable3 was going to be the same experience… it was!
Metasploitable2, Metasploitable3 and InfoSec Assignments
In my first semester of teaching Introduction to Information Security in Semester 1, 2017, I used Metasploitable2 for in-class practical lab exercises. I did the same again this year. For the first assignment in the paper, students have to perform an information security audit and document all findings in a security audit report. It is a fun assignment! Last year, I choose Metasploitable3 in the hopes that they wouldn’t find out what system they were auditing. I went to great lengths to ensure there was no trace of the phrase Metasploitable3 in the system. I am pretty sure it went un-noticed! This year I was looking for something new, and I accidentally stumbled across Metasploitable3… the Linux version! It’s an exciting story, but in summary, I was building the Windows Server 2008 version on Linux and noticed the BASH script was expecting an argument…
A sense of great interest filled my heart. I had just re-read the Metasploitable3 Wiki, perused over the source code on the GitHub repository and had seen nothing about a Linux version. I checked the first Rapid7 blog post about Metasploitable3 and noticed the following statement:
Although our first image is Windows, the planning part of the Linux version has already begun. If you would like to jump on this train, please feel free to leave a comment on Github, or contribute.
A bit of further digging revealed a GitHub issue was opened by a user named prateepb who stated that they’d be happy to create a Linux version. There was a bit of chatter back and forth, and even a post summarising a selection of tasty vulnerabilities for the system:
SSH with weak passwords PHPMyAdmin [I'm currently working on this one locally] WebDAV (with PUT method enabled) ProFTPD 1.3.5 (proftpd_modcopy_exec) Apache Continuum 1.4.2 (apache_continuum_cmd_exec) > rapid7/metasploit-framework#6962 VNC (vnc_keyboard_exec) Cacti 0.8.8 (cacti_tree_sqli) Samba (samba_symlink_traversal) Apache with mod_cgi (apache_mod_cgi_bash_env_exec) Cups 1.7.2 (cups_bash_env_exec) JBoss AS 6.1.0.Final (JDK 6, 7) ActionPack 4.2.4 (rails_actionpack_inline_exec) Custom PHP login page that's vulnerable to SQL injection Splunk 6.1.1 (splunk_upload_app_exec) MySQL binding 0.0.0.0 UnreaIRCD IRC daemon (unreal_ircd_3281_backdoor) Drupal 7.5 (drupal_restws_exec) Linux kernel >=4.4 bpf_priv_esc Docker (docker_daemon_privilege_escalation) Linux Local CVE-2016-4997
Very recently, in February 2018, the user jbarnett-r7 submitted a push request on GitHub to include the code for the Linux box that was used for the capture the flag competition hosted by Rapid7 in December 2017. This addition was after I built the Metasploitable3 Linux version for my assignment.
Even with the odds against me, I decided to use the Metapsploitable3 Linux version for my assignment. It was new and interesting, and I needed a challenge. Also, I luckily started planning the classes in advance so had the time to tinker and test!
Building the Metasploitable3 Linux Version
The problem I initially faced was that there was no formal documentation about the Metasploitable3 Linux version. There was no information on building the Linux version, and no (robust) information about the vulnerabilities in the system. I am guessing that is because the build was (and seems to still be) in active development. This was in stark contrast to the Metasplotable3 Windows Server 2008 version, which is heavily documented on the Rapid7 GitHub Wiki. There are configuration instructions, tips and tricks and, most importantly, a list of vulnerabilities.
The README.md file from the Metasploitable3 repository has the most up-to-date information on building the system. They specify the following system requirements:
- OS capable of running all of the required applications listed below
- VT-x/AMD-V Supported Processor recommended
- 65 GB Available space on the drive
- 4.5 GB RAM
In terms of the selected build operating system, the only requirement is that the system can run the applications listed in the next section. Technically, this could be achievable on Microsoft Windows, but building on Linux is much more sensible. This tutorial uses Ubuntu Desktop 18.04 amd64 LTS as the operating system.
As usual, make sure your system is up-to-date by running the
Now it is time to install the application/tool dependencies.
Install Application Requirements (Dependencies)
In addition to the system requirements specified above, the README file also specifies the following collection of package requirements:
- Vagrant Reload Plugin
- Internet connection
When I started trying to build Metasploitable3, I ran into dependency issues. Specifically, I had problems with the versions of the tools I had installed. On a closer inspection of the build.sh script, I noticed there were a collection of variables that checked the tool requirement version numbers. A snippet of the code is displayed below:
The above tools were all marked as minimum, guessing that these were the minimum versions required to build Metasploitable3. The following instructions specify how I set up my build environment to match the above requirements.
Installing Oracle Virtual Box
VirtualBox is an open source (GPLv2) x86/x64 virtualization product that runs on Windows, Linux, OS X, and Solaris systems. In this tutorial, it is used to host the virtualized guest operating system (Metasploitable3) while it is being built.
In Ubuntu 18.04, VirtualBox is provided in the default
apt repositories. This is a decent option to install as the application will be tested with Ubuntu and updates provided when a new stable version is added to the package repository. But you could install from the Debian package provided on the Download VirtualBox for Linux Hosts page. This tutorial uses the package repository, which (at time of writing) provides version 5.2.10. You can search the package repository using the following command:
As specified in the Metasploitable3 README, VirtualBox version 5.1.10 or higher is required. You can install VirtualBox using the following command:
Once VirtualBox has been installed, check the version by running the
virtualbox command and the
--help option to confirm what version you are running:
One last step for VirtualBox. The Metasploitable3 project requires the VirtualBox Guest Additions. Again, this can easily be installed from the Ubuntu repositories using the
The second requirement for building Metasploitable3 is the vagrant tool. Developed by HashiCorp, Vagrant is a tool for building and managing virtual machine environments which automates system configuration. We are going to use the Debian package provided by HashiCorp.
We will start by moving into the
/tmp directory, a good place for temporary files:
Now, download the Debian package. This tutorial uses Vagrant version 2.1.2. It would be worth checking if there is an updated Debian 64-bit package when you are building. Check the Download Vagrant website and use an updated URL if an update is available. Download Vagrant using the following command:
Install the Debian package using the following command:
Make sure you check the install:
The third requirement for building Metasploitable3 is the packer tool. Again, this tool is produced by HashiCorp and is used to automates the creation of any type of machine image.
There is only a binary available for packer, distributed in a zip archive. Now, download the Debian package. This tutorial uses Packer version 1.2.4. It would be worth checking if there is an updated version when you are building. Check the Download Packer website and use an updated URL if an update is available. Download Packer using the following command:
Unzip the file. Note the
unzip tool is provided by default in Ubuntu Desktop 18.04 but has not been in the past. If the following command does not work, make sure to install the
unzip utility using:
sudo apt install unzip. Not extract the zip archive:
The archive only contains one file, named
packer. We need to make this binary file available. You could add a path, but that is a little more work, so we are going to move the
packer binary file to the
/usr/local/bin/ directory. Basically, this means that we can run, or execute, the
packer command from any location in the file system. Move the executable file using the command below:
If you ever want to remove the file in the future, just delete the file using:
sudo rm /usr/local/bin/packer.
Check that packer works and is the correct version using the following command:
Installing Packer Vagrant Reload Plugin
The fourth, and final requirement is a Vagrant plugin named vagrant-reload. This plugin allows a reload during virtual machine provisioning. The Metasploitable3 build requires this plugin, so we must install it. Luckily, the installation is straightforward. Execute the following command:
Building Metasploitable3 Linux Version
In the previous section, we install all application requirements including VirtualBox, Vagrant, vagrant-reload, and packer. We are now ready to actually build Metasploitable3!
This tutorial specifies the home directory to download the GitHub repository and build the project. However, you can perform these steps in another location. It shouldn’t make a difference, as none of the commands specify a full path.
Go back to your home directory, or somewhere you want to build the project:
Make sure you have
git installed. This is required to download the source code of the Metasploitable3 project from GitHub. Use
apt to install
git if you do not already have it installed:
Clone the Metasploitable3 GitHub repository:
It is approximately 175MB, so be patient! Now, change directory to the downloaded Metasploitable3 source code:
This step is very important. When building Metasploitable3 for this tutorial, I found a bug in the configuration for one of the flags… specifically, the
7_of_diamonds flag. If the following bug fix is not implemented, your build will fail!
flags.rb file, where the configuration for the system flags is performed.
Locate line 38. Basically, we need to change one of the lines which have an error. The specific flag is the
7_of_diamonds, and the docker image that is built for this flag refers to an incorrect name. In the code, it is specified as
7 of diamonds, while it should be
7_of_diamonds. The original code is listed below:
Make sure to change the code to the following listing (note the added underscore character to the first line!):
OK! We are ready to start the build process. Run the build script using
ubuntu1404 as an argument to the script. This will specify that we want to build the Linux version, not the Windows Server 2008 version:
Get a coffee, do the dishes or find something else to do for the next 30 to 45 minutes. The build process takes quite a while, but due to the automated tools used (Vagrant and Packer), it requires no intervention from the user.
When finished you will see output that is similar to the code snippet below.
The specific build will complete, resulting in a
.box file. According to HashiCorp, a
.box file is is a compressed (
zip) file that is specific to a single provider (e.g., VirtualBox or VMWare) and can contain anything. In the case of Metasploitable3, it is the virtual machine that we just built. You can find the
.box file in the
To start the virtual machine, essentially exporting it to VirtualBox, run the following command:
This will export the
.box file to VirtualBox. More specifically, we should probably run:
vagrant up command looks the
.Vagrantfile in the base directory of the Metasploitable3 source code. If we have a look at the code in this file, we can see that running
vagrant up will try to export both types of virtual machines (Ubuntu Linux and Widnows Server 2008). The Linux-specific part of the
.Vagrantfile is displayed below:
As you can see, there are two configurations for each type of virtual machine. The
ub1404 configuration is for the virtual machine we just built. We can see some interesting configuration options including the name of the
.box file (
metasploitable3-ub1404), the hostname (
metasploitable3-ub1404), the username and password (
vagrant/vagrant), the IP address of the virtual machine (
172.28.128.3), the name of the virtual machine (
Metasploitable3-ub1404) and RAM allocation (
2048). You can edit these values to change any configuration when the virtual machine is exported, or you can change these values through VirtualBox as well.
vagrant up or
vagrant up ub1404, the virtual machine will be exported and become available in VirtualBox. You can open the VirtualBox application and see that the
Metasploitable3-ub1404 virtual machine is running and available for use. Like previously mentioned, you can now easily customize the virtual machine using the VirtualBox application; for example, modify the network adapter configuration.
Hopefully, this tutorial got a Metasploitable3 Ubuntu Linux version virtual machine up and running. The platform is excellent for testing and learning in a virtualized environment. Stay tuned for my next Metasploitable3 tutorial, customizing Metasploitable3 Ubuntu Linux version, where we will look at how to customize the vulnerabilities, users, and flags for the virtual machine we build today.