Kali2搭建Metasploitable3靶機

Metasploitable3簡介

Metasploitable3是Metasploitable2的升級版本，它是一個虛擬靶機系統，裡面含有大量未被修復的安全漏洞，它主要是用於metasploit-framework測試的漏洞目標。不過Metasploitable3的好處是除了是升級版之外，還可以生成Windows版本和Linux版本，具體就是指可以生成windows_2008_r2和ubuntu_1404這兩種不同的系統

官方文件提示所需條件

System Requirements:

OS capable of running all of the required applications listed below
VT-x/AMD-V Supported Processor recommended
65 GB Available space on drive
4.5 GB RAM

大概意思：作業系統需要支援安裝以下的應用，主機CPU需要支援虛擬化，硬碟空間65GB以上，記憶體至少4.5GB
以下是需要安裝的應用

Requirements:

Packer
Vagrant
Vagrant Reload Plugin
VirtualBox, libvirt/qemu-kvm, or vmware (paid license required), or parallels (paid license required)
Internet connection

Kali可以執行在物理機或者是Vmware WorkStation上，不論在哪都首先要開啟硬體虛擬化，這個是前提條件，務必開啟！
這裡Kali本身是執行在Esxi上，開啟硬體虛擬化巢狀的配置如圖所示

安裝依賴包前的一些系統環境配置

1，切換到root使用者
新手才用sudo，老司機直接上root！
sudo使用者在下面命令前自動新增sudo！

sudo passwd root	# 互動模式配置root密碼
su - root		# 切換到root

2，更改shell環境
新版本的Kali預設使用zsh作為shell環境，zsh很優秀，但是習慣了bash環境的用起來多少有點不順手，如果想適應zsh的也可以不換
切換後需要退出當前會話重新登入或者新建登入標籤才能生效

chsh -s /bin/bash	# 切換bash
chsh -s /bin/zsh	# 切換zsh

3，更新source源
預設官方源慢的要死，雖然有CDN會自動適配國內源，但速度不穩定，直接更換aliyun源，速度原地飛起！

sed -i 's#deb http://http.kali.org/kali#deb https://mirrors.aliyun.com/kali#g' /etc/apt/sources.list

4，安裝更新
升級安裝包到最新版本

apt update
apt full-upgrade -y
[ -f /var/run/reboot-required ] && reboot -f	# 按需重啟Kali

開始安裝依賴包

如果按照rapid7官方Github說明安裝依賴後直接啟動Vagrant up，基本是不會成功的，下面是踩坑後的總結，希望可以幫助到新手朋友！

1，安裝VirtualBox
這是Kali官方的文件釋出的安裝方式，務必按此方式安裝，其它方式（比如預設源或deb包的方式）安裝會出現各種問題！

apt update
wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | gpg --dearmor | tee /usr/share/keyrings/virtualbox-archive-keyring.gpg
# 上一條命令執行後可能會出現一堆亂碼，正常！
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/virtualbox-archive-keyring.gpg] http://download.virtualbox.org/virtualbox/debian buster contrib" | tee /etc/apt/sources.list.d/virtualbox.list
apt update && apt install -y dkms virtualbox virtualbox-ext-pack

檢視VirtualBox版本，這裡不報任何Warning資訊說明可以正常使用！

┌──(root?kali)-[~]
└─# virtualbox -h
Oracle VM VirtualBox VM Selector v6.1.22_Debian
(C) 2005-2021 Oracle Corporation
......

2，安裝Vagrant並載入外掛
官方說明文件只載入vagrant-reload一個外掛，這裡是一個坑！若按他的說明文件，安裝後會各種報錯，這裡整理好了所需的全部外掛，全部安裝後才可以正常構建虛擬機器映象！

apt update && apt -y install vagrant
vagrant plugin install vagrant-reload vagrant-vbguest winrm winrm-fs winrm-elevated

檢視vagrant版本

┌──(root?kali)-[~]
└─# vagrant -v
Vagrant 2.2.14

3，安裝Packer
Packer是一款構建映象的工具，這裡預設安裝即可！

apt update && apt -y install packer

檢視Packer版本

┌──(root?kali)-[~]
└─# packer -v
1.6.6

獲取metasploitable3並建立虛機映象

以上依賴包安裝完成並沒有報錯資訊後，可以執行安裝命令

cd /opt && mkdir metasploitable3-workspace && cd metasploitable3-workspace
curl -O https://raw.githubusercontent.com/rapid7/metasploitable3/master/Vagrantfile && vagrant up

執行後會從網上下載檔案並自動構建映象，持續過程大概十幾分鍾，如圖所示

執行完成後，生成的ubuntu1404映象虛擬機器自動匯入到了VirtualBox並且是啟動狀態，圖形介面開啟VirtualBox可以看到，如文章最後一張圖所示

至此ubuntu1404映象自動構建完成，但是windows2008的映象不會自動構建，若要構建windows2008還需要修改Vagrantfile配置檔案

配置檔案裡支援windows2008的虛擬機器除了VirtualBox還有libvirt和hyper-V，如果不註釋掉會各種報錯，這裡又是一個坑！
我們需要把不相關的配置全部註釋，如圖所示

有效配置檔案內容如下

┌──(root??kali)-[/opt/metasploitable3-workspace]
└─# cat Vagrantfile |grep -v "^#"                                                                                                             130 ?

Vagrant.configure("2") do |config|
  config.vm.synced_folder '.', '/vagrant', disabled: true

  config.vm.define "win2k8" do |win2k8|
    # Base configuration for the VM and provisioner
    win2k8.vm.box = "rapid7/metasploitable3-win2k8"
    win2k8.vm.hostname = "metasploitable3-win2k8"
    win2k8.vm.communicator = "winrm"
    win2k8.winrm.retry_limit = 60
    win2k8.winrm.retry_delay = 10

    win2k8.vm.network "private_network", type: "dhcp"

    # Configure Firewall to open up vulnerable services
    case ENV['MS3_DIFFICULTY']
      when 'easy'
        win2k8.vm.provision :shell, inline: "C:\\startup\\disable_firewall.bat"
      else
        win2k8.vm.provision :shell, inline: "C:\\startup\\enable_firewall.bat"
        win2k8.vm.provision :shell, inline: "C:\\startup\\configure_firewall.bat"
    end

    # Insecure share from the Linux machine
    win2k8.vm.provision :shell, inline: "C:\\startup\\install_share_autorun.bat"
    win2k8.vm.provision :shell, inline: "C:\\startup\\setup_linux_share.bat"
    win2k8.vm.provision :shell, inline: "rm C:\\startup\\*" # Cleanup startup scripts
  end
end

虛擬機器登入的使用者名稱和密碼預設都是vagrant，至此ubuntu1404和windows2008全部構建完成！

#####################################分割線#########################################
使用vagrant up命令構建windows2008，到最後時可能有如下報錯資訊，還在研究原因，但目測不會影響使用

==> win2k8: Machine booted and ready!
[win2k8] GuestAdditions versions on your host (6.1.22) and guest (6.0.8) do not match.
Downloading VirtualBox Guest Additions ISO from https://download.virtualbox.org/virtualbox/6.1.22/VBoxGuestAdditions_6.1.22.iso
Copy iso file /root/.vagrant.d/tmp/VBoxGuestAdditions_6.1.22.iso into the box $env:TEMP/VBoxGuestAdditions.iso
The term 'Mount-DiskImage' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Mount-DiskImage -ImagePath $env:TEMP/VBoxGuestAdditions.iso
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Mount-DiskImage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Unmounting Virtualbox Guest Additions ISO from: The term 'Get-DiskImage' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:2 char:11
+           Get-DiskImage -ImagePath $env:TEMP/VBoxGuestAdditions.iso
+           ~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-DiskImage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
The term 'Dismount-DiskImage' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Dismount-DiskImage -ImagePath $env:TEMP/VBoxGuestAdditions.iso
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Dismount-DiskImage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
==> win2k8: Checking for guest additions in VM...
    win2k8: The guest additions on this VM do not match the installed version of
    win2k8: VirtualBox! In most cases this is fine, but in rare cases it can
    win2k8: prevent things such as shared folders from working properly. If you see
    win2k8: shared folder errors, please make sure the guest additions within the
    win2k8: virtual machine match the version of VirtualBox you have installed on
    win2k8: your host and reload your VM.
    win2k8: 
    win2k8: Guest Additions Version: 6.0.8
    win2k8: VirtualBox Version: 6.1
The following WinRM command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

Dismount-DiskImage -ImagePath $env:TEMP/VBoxGuestAdditions.iso

Stdout from the command:

Stderr from the command:

The term 'Dismount-DiskImage' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Dismount-DiskImage -ImagePath $env:TEMP/VBoxGuestAdditions.iso
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Dismount-DiskImage:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

參考文件
https://github.com/rapid7/metasploitable3
https://www.kali.org/docs/virtualization/install-virtualbox-host/