Building a Virtualbox and VMware Windows 2008 R2 Metasploitable3 VM on Windows
How to fix packer build issues to get Metasploitable3 on Windows Server 2008 R2 running on Virtualbox and VMware.
There are many tutorials on how to build Metasploitable3 and in fact before doing it, I have read some of those. I thought initially, that writing another one was kind of redundant, but I had bumped into some funky issues that got me stuck to which I hadn’t found the solution online, I don’t know, maybe I suck at googling? So for those that are having the same issues that I had, this tutorial may probably save you some time.
The plan was to Build and add Metasploitable3 to my half-assed “Cyber-Range” lab on which I like to test my wannabe pentesting skills. My lab runs on VMware, and Metasploitable3 uses packer that can build Vagrant images for different platform including VMware, so I thought it would be easy right?
What you need and what I have used for this build
Metasploitable3 (https://github.com/rapid7/metasploitable3)
VMware (I have used VMware Workstation v12 Pro)
Virtualbox (I have used v 6.1)
Packer (I have used v1.5.6 x64, this is not the latest version but I had trouble with the metasploitable3 template and I had to downgrade to this version )
Vagrant (I have used v2.2.214 x64)
Vagrant Reload Plugin (You install it using Vagrant cli)
Windows Server 2008 R2 + SP1 (You need this ISO: en_windows_server_2008_r2_with_sp1_x64_dvd_617601.iso)
Building the Metasploitable3 VM
Just bear with me, I’m not very good at writing, so take this like you are reading a page of “My Little Shitty Diary” about the steps I took to build the Metasploitable3 VM. I’m sure that for some, most of the steps here are trivial but I wanted to make it as easy as possible so even a complete novice can get this VM up an running on his box, ok let’s go!
First I downloaded the Metasploitable3 repository from the rapid7 github “https://github.com/rapid7/metasploitable3". You can clone the repo or download it as a .zip file, I downloaded it as a .zip file and extract the archive into a folder I have previously created on my desktop.
I wanted to build the VM manually instead of using a prebuilt one, so I had to find and download a Windows Server 2003 R2 SP1 ISO image and place it in the /iso folder where I extracted the Metasploitable3 repo. While in the past the ISO was downloaded automatically during the build process, due to technical issues, you now have to do this manually. A ReadMe file inside the /iso folder explains the reason in more detail. Don’t ask me where to find the Windows Server image, but you can find it easily using your Google-Fu. To allow packer to successfully build the image and also avoid some very nasty surprises, it is very important that you verify that the SHA1 hash of the official MSDN ISO image matches the SHA1 hash of ISO image that you have.
The official MSDN ISO image name and SHA1 hash is the following:
Windows Server 2008 R2 + SP1:
File Name: en_windows_server_2008_r2_with_sp1_x64_dvd_617601.iso
SHA1 Hash: D3FD7BF85EE1D5BDD72DE5B2C69A7B470733CD0A
Next I downloaded packer here https://www.packer.io/downloads Be aware that the last packer version may or may not work with the provided Metasploitabe3 packer template used to build the image, for sure it didn’t work for me, more on this issue later. Once I got the Windows 2008 Server ISO image and the packer binary, I copied the packer binary in the same folder of the Metasploitable3 repo and the ISO in the /iso subfolder.
With everything in place, I was ready to build the Metasploitable3 VMWare image. To do so I opened a PowerShell console as an Administrator, navigated in to the Metasploitable3 folder and then issued the following command:
.\packer build --only=vmware-iso ./packer/templates/windows_2008_r2.jsonAnd I got the first error of the day.
Using the most recent version of packer v1.6.6 at this time, shortly after the build started, packer was throwing an error “* unknown configuration key: ‘“iso_checksum_type” and then exiting the build process. After scratching my head for a while, I concluded that packer really had trouble understanding the JSON configuration template, to solve this I had to downgrade packer version.
I went to this page https://releases.hashicorp.com/packer/ and downloaded the previous version of the binary, then restarted the build. If encountered the same error or some other error, I would download the version before that one and try to build again, rinse and repeat. Finally, I found a version that worked. To save you some fun time I found that version 1.5.6 is not that picky, and the build was able to start.
Not so fast buddy! After packer started doing his thing like starting VMware create the VM installing the server, launching it, restarting, downloading stuff and running various installation scripts, it then suddenly hung with the message “waiting for SSH to become available…” nothing seemed to happen for a very long time so at that point I terminated the script deleted the packer-cache folder and started all over again.
And then it hung again at the same point in the build with the same message trying to connect to SSH, and seemly not being able to do so. Some now closed issue threads on rapid7 Github suggested that the OpenSSH ssh-agent must be started manually which I did but it didn’t solve the problem for me. The Metasplotable3 project seems abandoned or not very active and I didn’t find any other useful information about this problem. Unable to solve this issue and after having spent too much time on figuring it out, I decided to try to build a Virtualbox image instead, and if that worked I will export the image to VMware. To build the Virtualbox image I only have to change provider in the packer command:
.\packer build --only=virtualbox-iso ./packer/templates/windows_2008_r2.jsonMore fun! After about 10 minutes in this new build, and PowerShell throws an error, packer kills the VM and dies. This time the error is different than the previous, it seems that an installation script cannot download the Elasticsearch zip file which is one of the vulnerable software being installed in the Windows 2008 VM. Looking at the log output just before the error happened, I can see that at that point a batch file “install_elasticsearch.bat” executes a group of PowerShell commands which in series downloads the file elasticsearch-1.1.1.zip from elastic.co, put it into C:\Windows\Temp\ extract the zip file into C:\Program Files\ then install it configure it, start it and other funny things. The problem is that the file is never downloaded so when the next PowerShell command runs 7-zip to extract it, PowerShell throws an error since the file is not in the expected location.
I checked again the Github and read some closed issue threads and found that someone “fixed” the PowerShell one liner that downloads the zip file, so I look at the commit, grabbed the modified line of code and replaced it in my .bat script, ran the build and again..same error, the file is not downloaded and the build failed again. Well it seems that the fix didn’t work, in the /script folder there are other .bat files which also download and install other stuff, in the build log I can see that Manage Engine is downloaded and installed without issues. I looked at the bat file “install_manageengine.bat‘ and just copy the file download one liner, change the download URL with the elasticsearch one and run it in a PowerShell console to test it and I get back a “308” which is a permanent redirect that probably redirects http requests to https. I changed the URL from http to https and this time PowerShell downloaded the zip file and put the zip file in C:\Windows\Temp\ great!
Original
powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; (New-Object System.Net.WebClient).DownloadFile('http://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.1.1.zip', 'C:\Windows\Temp\elasticsearch-1.1.1.zip')" <NULFixed
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.1.1.zip', 'C:\Windows\Temp\elasticsearch-1.1.1.zip')" <NUL
Finally, the build now was able to continued past that error point, completing that specific task and ultimately building the VM which produced the vagrant box “windows_2008_r2_virtualbox_0.1.0.box” as expected, the file is located in the packer/build folder.
Now is a good time to install Vagrant if you haven’t do that already, just go to Hashicorp website and download the last x64 bit version. After Vagrant is installed, you need to install also the Vagrant Reload Plugin. To do that, from the command line type:
vagrant plugin install vagrant-reloadTo get the VM up and running in Virtualbox, you need first to add the “windows_2008_r2_virtualbox_0.1.0.box” that was just created to the Vagrant environment and then start the VM up. Navigate to the Metasploitable3 repo folder root, if you see a file named “Vagrantfile” you are in the right place. Open a PowerShell console in that location and type:
vagrant box add packer/builds/windows_2008_r2_virtualbox_0.1.0.box — name=metasploitable3-win2k8If the box was added successfully, you should get a confirmation message.
Now that the box was added to the environment, you can get it up and running it on Virtualbox by typing the following command:
vagrant up win2k8Vagrant will now start and configure the box in Virtualbox
The VM should now be up and running in your Virtualbox
As I was initially planning, I want Metasploitable3 to join my VmwWare “CyberRange”, to do so I stop the VM and export it as an .ova
Once the export process is completed, I open the .ova image in VmWare. As expected, I got an error message saying that the import failed since the ova image did not pass OVF specification conformance blah,blah. I clicked retry to relax OVF specs and this time the image was imported without further issues. I needed to add a CD drive to the machine to be able to install the VmWare tools. The VM is configured with two NIC, one was set for NAT the other for host only networking, I changed the host only NIC to use instead a custom VMnet like the other VM in the lab, and allow the Metasploitable3 VM to obtain an IP address from the PFSense DHCP server to be able to “talk” with all her other VM ladies in the same network.
So that’s about it, have fun and see ya!
“Always pass on what you have learned.”
— Yoda