---
layout: post
author: Sam Hadow
tags: sysadmin virtualization cybersecurity
---

This blog post is a short guide to building a metasploitable3 disk image for QEMU/KVM (qcow2 format) from source, and then using the built image.

## Prerequisite: Packer and its plugins

On Arch Linux:

```bash
sudo pacman -S packer
```

Then, independently of your distribution:

```bash
packer plugins install github.com/hashicorp/qemu
packer plugins install github.com/hashicorp/chef
```

## Steps:

### 1) Clone metasploitable3 repository

```bash
git clone https://github.com/rapid7/metasploitable3.git
cd metasploitable3
```

### 2) Disable Vagrant post-processor

The default template packages the build as a Vagrant `.box` file, which is unnecessary here. Back up the template and then edit it.

```bash
cp packer/templates/ubuntu_1404.json packer/templates/ubuntu_1404.json.bak
```

In `packer/templates/ubuntu_1404.json`, remove the entire `post-processors` block.

You can check that the JSON file is still valid with this command:

```bash
python3 -m json.tool packer/templates/ubuntu_1404.json >/dev/null && echo "OK"
```

If it doesn't print `OK`, the JSON is not valid.

### 3) Docker fix

Modern Docker is broken with metasploitable3.

Back up the original file:

```bash
cp chef/cookbooks/metasploitable/recipes/flags.rb chef/cookbooks/metasploitable/recipes/flags.rb.bak
```

Then remove the Docker part from it:

```bash
sed -e "/^# 7 of Diamonds$/,/^end$/d" \
    -e "/^include_recipe 'metasploitable::docker'/d" \
    -e "/^directory '\/opt\/docker' do/,/^end$/d" \
    -e "/^cookbook_file '\/opt\/docker\/Dockerfile' do/,/^end$/d" \
    -e "/^cookbook_file '\/opt\/docker\/7_of_diamonds.zip' do/,/^end$/d" \
    -e "/^docker_image '7_of_diamonds' do/,/^end$/d" \
    -e "/^docker_container '7_of_diamonds' do/,/^end$/d" \
    -e "/^file '\/opt\/docker\/7_of_diamonds.zip' do/,/^end$/d" \
    chef/cookbooks/metasploitable/recipes/flags.rb > /tmp/flags.rb.$$ && mv /tmp/flags.rb.$$ chef/cookbooks/metasploitable/recipes/flags.rb
```

### 4) Build the image

```bash
packer build -only=qemu packer/templates/ubuntu_1404.json
```

Packer opens a GUI window and starts the installation; the console shows the installation progress. It then connects to the virtual machine over SSH to install the vulnerable services.

### 5) Using the built image

You'll find the built image in qcow2 format in `output-qemu/`; for example, mine is `output-qemu/metasploitable3-ub1404`.

You can then import it in virt-manager. The disk device bus type must be SATA, not VirtIO, or the boot will fail, because the initramfs inside the image does not have VirtIO drivers. Similarly, the virtual network device model should be e1000e and not virtio.

The default username and password are both `vagrant`.

Never connect this virtual machine to the internet: it is intentionally built to contain all sorts of vulnerabilities. Create an isolated network in virt-manager and connect the virtual machine to this network only. You can then study the vulnerabilities from another virtual machine, such as Kali Linux, or from your host, using Metasploit or other similar tools.
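
One way to do step 5 from the command line instead of virt-manager, as an added example that is not part of the original post: it defines an isolated libvirt network, imports the image with a SATA disk and an e1000e NIC, then audits the result. The network name, bridge name, subnet, VM name, memory size and the `qemu:///system` URI are assumptions; run it with the `apply` argument from the repository root.

```bash
#!/bin/sh
# Added example, not from the original post. Assumed names: network
# msf3-isolated, bridge virbr-msf3, subnet 10.66.0.0/24, VM name, 2 GiB RAM.
URI=qemu:///system
NET=msf3-isolated
IMG=output-qemu/metasploitable3-ub1404

# A libvirt network without a <forward> element is isolated: guests reach each
# other and the host's bridge address, with no NAT or route to the outside.
net_xml() {
  cat <<EOF
<network>
  <name>$NET</name>
  <bridge name='virbr-msf3'/>
  <ip address='10.66.0.1' netmask='255.255.255.0'>
    <dhcp><range start='10.66.0.10' end='10.66.0.50'/></dhcp>
  </ip>
</network>
EOF
}

# virt-install arguments, one per line: SATA disk bus and e1000e NIC (the
# image's initramfs has no VirtIO drivers), attached to $NET only.
install_args() {
  printf '%s\n' --connect "$URI" --name metasploitable3 --memory 2048 \
    --vcpus 2 --import --os-variant ubuntu14.04 --noautoconsole \
    --disk "path=$IMG,format=qcow2,bus=sata" \
    --network "network=$NET,model=e1000e"
}

# Reads `virsh net-dumpxml` output; succeeds only if no <forward> is present.
is_isolated() { ! grep -q '<forward'; }

# Reads `virsh domiflist` output; fails if any NIC is on another network or
# uses a model other than e1000e.
nics_ok() {
  awk -v net="$NET" 'NR > 2 && NF >= 5 && ($3 != net || $4 != "e1000e") { bad = 1 }
                     END { exit bad + 0 }'
}

# "apply" creates the network, imports the VM, then audits the result.
if [ "${1:-}" = apply ]; then
  tmp=$(mktemp) && net_xml > "$tmp"
  virsh -c "$URI" net-define "$tmp" && virsh -c "$URI" net-start "$NET"
  rm -f "$tmp"
  install_args | xargs virt-install
  virsh -c "$URI" net-dumpxml "$NET" | is_isolated || echo "WARNING: $NET forwards traffic"
  virsh -c "$URI" domiflist metasploitable3 | nics_ok || echo "WARNING: check NICs"
fi
```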