Building Metasploitable 3 on Ubuntu/Debian

Recently I attempted to build the new Rapid 7 Metasploitable 3 VM for use in my pentest lab on Ubuntu 16.10. Followed the instructions on their Github page to the letter, but failed in variety of areas. The good news is that I was able to hack my way through all them to get it built. This blog entry is going the steps you need to take to successfully build the VM on a Ubuntu/Debian based system. I’m assuming you may run into similar issues on a Fedora-type system, but your mileage may vary.

 

Packer

No issues with Packer, beyond just installing it with: sudo apt-get install packer

Vagrant

First you to need to install Vagrant: sudo apt-get install vagrant

Second, you before you can build the vagrant-reload plugin, you need to install the ruby-dev package with:

sudo apt-get install ruby-dev

Now you can install the plugin with: vagrant plugin install vagrant-reload

Due to the dependency upon WinRM and with the Vagrant version in the Ubuntu/Debian repo you will need to install:

vagrant plugin install winrm --plugin-version 1.8.1
vagrant plugin install winrm-fs

The 1.8.1 version is key in order for the build to complete successfully.

Metasploitable 3 Build Script

The Metasploitable 3 build script has some checks that fail due to the latest version of Virtualbox that’s in the Ubuntu/Debian repo. The main reason is they are checking for a specific version of Virtualbox and since with Ubuntu/Debian your running a newer version than what the build script requires, it fails.

Since we know we already have the necessary dependencies built, we can just run the build commands manually:

TMPDIR=/home/tmp packer build windows_2008_r2.json

The TMPDIR directive was another gotcha as I only had 1GB of space allocated to my /tmp filesystem and the process ran out of space. Point the TMPDIR variable to a path where you have enough space.

Now we can create the Vagrant box with:

vagrant box add windows_2008_r2_virtualbox.box --name metasploitable3

And then start it up with just: vagrant up and your good to go.

Happy Hacking!

Python Script for Searching ExploitDB

biblical_apologetics_degree_wide

So I was looking to cleanup my Twitter favorites list and starting with the oldest one that was dated from 2011, it was from an article for using a Python script for searching the local ExploitDB instance on Backtrack.So of course it peaked my interest and click on the source link directed me to a parked domain. Common problem with Open Source tools. After performing some Google-Fu, I found a copy and downloaded it to my Kali instance and of course it didn’t work as the path for the ExploitDB path has changed.

 

So after a trivial change of pointing it to the correct path, bingo, it works.I have created a ‘Kali‘ repo on my Github if you want to grab it and I’m probably going to be making some updates to it over time.