by Sam Hadow
This blog post is a short guide to building a Metasploitable3 disk image for QEMU/KVM (qcow2 format) from source, and then using the built image.
First install Packer. On Arch Linux:
sudo pacman -S packer
Then, independently of your distribution, install the Packer plugins and clone the repository:
packer plugins install github.com/hashicorp/qemu
packer plugins install github.com/hashicorp/chef
git clone https://github.com/rapid7/metasploitable3.git
cd metasploitable3
The default template packages the build into a Vagrant .box file, which is unnecessary here. Back up the template and then edit it.
cp packer/templates/ubuntu_1404.json packer/templates/ubuntu_1404.json.bak
In packer/templates/ubuntu_1404.json, remove the entire post-processors block.
You can check if the JSON file is valid with this command:
python3 -m json.tool packer/templates/ubuntu_1404.json >/dev/null && echo "OK"
If it doesn’t print OK, the JSON is not valid.
Modern Docker is broken with Metasploitable3, so the Docker part has to be removed from the flags recipe.
Back up the original file:
cp chef/cookbooks/metasploitable/recipes/flags.rb chef/cookbooks/metasploitable/recipes/flags.rb.bak
Then remove the Docker part from it:
sed -e "/^# 7 of Diamonds$/,/^end$/d" \
-e "/^include_recipe 'metasploitable::docker'/d" \
-e "/^directory '\/opt\/docker' do/,/^end$/d" \
-e "/^cookbook_file '\/opt\/docker\/Dockerfile' do/,/^end$/d" \
-e "/^cookbook_file '\/opt\/docker\/7_of_diamonds.zip' do/,/^end$/d" \
-e "/^docker_image '7_of_diamonds' do/,/^end$/d" \
-e "/^docker_container '7_of_diamonds' do/,/^end$/d" \
-e "/^file '\/opt\/docker\/7_of_diamonds.zip' do/,/^end$/d" \
chef/cookbooks/metasploitable/recipes/flags.rb > /tmp/flags.rb.$$ && mv /tmp/flags.rb.$$ chef/cookbooks/metasploitable/recipes/flags.rb
Then start the build:
packer build -only=qemu packer/templates/ubuntu_1404.json
Packer will open a GUI window and start the installation; you should see the installation progress in the console. It then connects to the virtual machine over SSH to install the vulnerable services.
You’ll find the built image in qcow2 format in output-qemu/; for example, mine is output-qemu/metasploitable3-ub1404.
You can then import it in virt-manager.
Please note that the disk device bus type should be SATA, not VirtIO, or the boot will fail because the initramfs inside the image does not have VirtIO drivers. Similarly, the virtual network device model should be e1000e and not virtio. The default username and password are both vagrant.
Please also note that you should never connect this virtual machine to the internet, as it’s intentionally made to have all sorts of vulnerabilities. Instead, create an isolated network in virt-manager and connect the virtual machine to this network only.
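The same setup can be scripted with virsh and virt-install instead of clicking through virt-manager. The script below is an added example, not part of the original guide: it defines an isolated libvirt network, imports the image with the SATA and e1000e settings described above, and then checks that every NIC of the VM sits on that network. The network name, VM name, subnet, memory/CPU sizes and the qemu:///system URI are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). NET, VM, the subnet, sizes and URI
# are assumptions; DISK is the post's path, relative to the metasploitable3 repo.
URI=qemu:///system
NET=msf3-isolated
VM=metasploitable3
DISK=output-qemu/metasploitable3-ub1404

# No <forward> element: libvirt sets up no NAT or routing for this network,
# so guests on it can reach only each other and the host.
isolated_net_xml() {
  cat <<EOF
<network>
  <name>$NET</name>
  <ip address='10.66.66.1' netmask='255.255.255.0'>
    <dhcp><range start='10.66.66.10' end='10.66.66.100'/></dhcp>
  </ip>
</network>
EOF
}

# Import the built image with the settings the post requires: SATA disk bus,
# e1000e NIC, isolated network as the only network. DRY=1 prints the command.
import_vm() {
  ${DRY:+echo} virt-install --connect "$URI" --import --name "$VM" \
    --memory 2048 --vcpus 2 --os-variant ubuntu14.04 --noautoconsole \
    --disk "path=$DISK,format=qcow2,bus=sata" \
    --network "network=$NET,model=e1000e"
}

# Reads `virsh dumpxml` output on stdin; succeeds only if the domain has at
# least one NIC and every NIC is attached to $NET.
audit_domain() {
  awk -v want="network='$NET'" '
    /<interface /                 { nics++ }
    /<source / && index($0, want) { ok++ }
    END { exit !(nics > 0 && nics == ok) }'
}

# Run with "apply" to create the network, import the VM and audit it.
if [ "${1:-}" = "apply" ]; then
  set -e
  tmp=$(mktemp); isolated_net_xml > "$tmp"
  virsh -c "$URI" net-define "$tmp"; rm -f "$tmp"
  virsh -c "$URI" net-start "$NET"
  virsh -c "$URI" net-autostart "$NET"
  import_vm
  virsh -c "$URI" dumpxml "$VM" | audit_domain && echo "OK: $VM is on $NET only"
fi
```

If libvirt cannot read the image from the build directory, move it into a storage pool such as /var/lib/libvirt/images and adjust DISK. The audit step can be rerun at any time with virsh dumpxml piped into audit_domain, which catches a NIC later re-attached to the default NAT network.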
You can then study the vulnerabilities from another virtual machine, such as Kali Linux, or from your host, using Metasploit or other similar tools.