A Beginners Guide to Vulnhub: part 1

Who should read this and why

This is a guide for anyone who has an interested in penetration testing but no experience with it. To control scope, I’m going to assume that you have some development experience and are familiar (if not comfortable) using a command line interface. But as much as possible I’ll try to tell you exactly what command to enter or button to press as well as what each command and button is doing.

I’m hoping that this will expose more developers to the world of ethical hacking. And even if your journey stops after this tutorial, hopefully you will leave with a better understanding of some of the tools and techniques that hackers might use to attack your projects.

Setting up a simple pen testing lab for absolute beginners

There are probably innumerable ways to set up a pen testing lab. But the simplest (imho) involves just three things:

  • A intentionally vulnerable victim virtual machine
  • An attack virtual machine
  • A virtualization application to run them

Caveat: working with intentionally vulnerable environments can be dangerous because they introduce vulnerabilities into whatever network they are part of (but later I’ll go over how to mitigate this risk).

The victim

In order to practice hacking you will need a vulnerable system that you have permission to hack. A great place to find these is vulnhub.com. Vulnhub is great because not only does it have a ton of intentionally vulnerable environments, it also has a lot of community generated walkthroughs of how to take advantage of them. For this guide I’m going to use “NullByte: 1” go ahead and download it (via zip or torrent) here.

The attacker

You’ll also need a machine to attack from, ideally one that already has a number of common hacking tools preloaded. Kali linux is a great choice for this since it is designed specifically for penetration testing. After reading through this guide I decided to just download a prefab Kali VM from Offensive Security. Go ahead and download one of the Kali Linux VirtualBox Images here.

The network

Now you will need a virtualization application to run your victim and attack machines. VMware is a popular choice for this but, again, at the advice of the guide I mentioned above I went with VirtualBox. You can download and install it here.

Now you should be able to import the victim and attack machines you downloaded earlier simply by opening each .ova file with VirtualBox. At this point you should see something like this:

Kali-linux is your attack machine, and NullByte is your victim.

Now for each of the two VMs:

  • Right click on the VM and select “settings”
  • Start by going to the “Ports” tab and make sure “Enable USB Controller” is uncheckers (you won’t need usb for this exercise)
  • Now go to the “Network” tab and select “internal network” from the dropdown menu labeled “Attached to”
  • You can keep the default network name or set your own, here I used “test-network”

Now that both machines are set to run on an “internal network” they will not be able to communicate with either the internet or the host (i.e. your computer). This separation is why we can run the intentionally vulnerable victim machine without worrying about someone else explointing it to penetrate our network or the vulnerable machine potentially corrupting our host machine. But in order for the two virtual machines to communicate with each other on the internal network you will need to add a DHCP server to your new network in order to assign IP addresses to the VMs. To do this open a terminal window and enter this command:

vboxmanage dhcpserver add — netname test-network — ip — netmask — lowerip — upperip — enable

You can find details about what each component of this command does in this youtube video. Basically, we are adding a DHCP server to the virtualbox network named “test-network” (if you named your network something else make sure to enter the command above with your network name) and giving it the IP address and telling it to assign other machines on the network IP addresses in the range of to

Now your lab is set up and you can start up your victim and attack machines from VirtualBox by double clicking them. Each machine should start in their own window. The victim machine should look like this:

And the attack machine should look like this:

We don’t need to do anything with the victim machine so we can just leave it alone for now. To log into the attack machine use the default username “root” and password “toor” (set up by Offensive Security).

Once you are logged in, open up the the linux terminal from the dock on the left.

Even though we are on an isolated network and I’m not planning to store anything on this machine, the first thing I did was set the password to something more secure (since I’m neurotic about passwords). If you’re neurotic about passwords like me you can do the same by using the linux command


Now we are all set up for our first pen testing exercise with a VM from Vulnhub! For a beginner oriented walkthrough of the actual hack keep reading part 2 of this serise!