How to set up Metasploitable 3 on macOS Mojave

Today we’ll set up an environment of a list of virtual machines (ubuntu and windows) that includes some intentional vulnerabilities ready to exploit using Metasploitable 3 as the target machines and Kali as an attacker, but before that, there is the list of requirements you need:

Software requirements

You can install VirtualBox, Packer and Vagrant manually from the links below, or you can use brew:

brew cask install virtualbox
brew cask install vagrant
brew install packer

System requirements

  • VT-x/AMD-V Supported Processor recommended
  • 65 GB Available space on drive
  • 4.5 GB RAM

Our environment, in the end, will have these 2 virtual machines, one running Ubuntu metasploitable3-ub1404 and one running Windows metasploitable3-win2k8.

We’ll build the boxes manually, but first, you need to clone the Metasploitable3 repo somewhere on you macOs machine:

git clone https://github.com/rapid7/metasploitable3.git

Install vagrant-reload we’ll need to reload vagrant provisioner:

vagrant plugin install vagrant-reload

Then enter the metasploitable3 folder:

cd metasploitable3

Build the base VM image for Ubuntu using packer, the first parameter --only use the name of the virtualization platform plus the template file:

packer build --only=virtualbox-iso ./packer/templates/ubuntu_1404.json

Build the base VM image for Windows:

packer build --only=virtualbox-iso ./packer/templates/windows_2008_r2.json

These two builds take a will to download the Operating Systems Installation.

Now and after the vagrant boxes are created, you need to check the result of vagrant box list:

vagrant box list

And this is what your list should looks like:

metasploitable3-ub1404 (virtualbox, 0)
metasploitable3-win2k8 (virtualbox, 0)

Now let’s add each created vagrant box to the corresponding vagrant environment:

Ubuntu Box:

vagrant box add packer/builds/ubuntu_1404_virtualbox_0.1.12.box --name=metasploitable3-ub1404

Windows Box:

vagrant box add packer/builds/windows_2008_r2_virtualbox_0.1.0.box --name=metasploitable3-win2k8

Now you’ve to start each VM separately which will run the installation and set everything up, but before that let’s edit the VagrantFile and change the value of these two variables ub1404.vm.box and win2k8.vm.box

ub1404.vm.box = "metasploitable3-ub1404"
win2k8.vm.box = "metasploitable3-win2k8"

Start Ubuntu VM:

vagrant up ub1404

Start Windows VM:

vagrant up win2k8

If everything is OK you can see the list each VM on VirtualBox:

Now you’ve to check the IP of the windows VM by following these steps:

1 – Right-click on the metasploitable3-win2k8 and show:

2 – Select the VM and from the VirtualBox top menu click on input, keyboard then insert Ctrl-Alt-Del (Host+suppr)

3 – From the users list choose Administrator and enter the default password vagrant, be careful if you have an azerty keyboard like me, because the VM keyboard is set up by default to qwerty.

4 – Open Powershell and type ipconfig

5 – Take the value of IPv4 Address and from your computer (macOs) not the virtual machine, open the terminal and use nmap to scan the open ports on the win2k8 VM, the ip address on your case should be different:

sudo nmap -sV -p- -T4 172.28.128.3
Password:

Starting Nmap 7.31 ( https://nmap.org ) at 2018-10-13 16:57 WEST
Nmap scan report for 172.28.128.3
Host is up (0.00062s latency).
Not shown: 65517 filtered ports
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH 7.1 (protocol 2.0)
1617/tcp  open  nimrod-agent?
3000/tcp  open  http          WEBrick httpd 1.3.1 (Ruby 2.3.3 (2016-11-21))
4848/tcp  open  ssl/http      Oracle Glassfish Application Server
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8020/tcp  open  http          Apache httpd
8022/tcp  open  http          Apache Tomcat/Coyote JSP engine 1.1
8027/tcp  open  unknown
8080/tcp  open  http          Sun GlassFish Open Source Edition  4.0
8282/tcp  open  http          Apache Tomcat/Coyote JSP engine 1.1
8383/tcp  open  ssl/http      Apache httpd
8484/tcp  open  http          Jetty winstone-2.8
8585/tcp  open  http          Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp  open  http          Elasticsearch REST API 1.1.1 (name: Dougboy; Lucene 4.7)
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49179/tcp open  unknown
49182/tcp open  tcpwrapped
MAC Address: 08:00:27:BC:ED:80 (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Now you can take any open http port from the nmap command result, as an example 8585 that uses Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2) an from your computer open the browser and access to it using http://172.28.128.3:8585:

You can follow the same steps for the ubuntu ub1404 VM.

That’s it, now you have a couple of vulnerable web apps ready to be hacked.

Leave a Reply

Your email address will not be published. Required fields are marked *