A10: Setting Up VMs (20 pts)

You need to set up these three virtual machines:
  1. Kali Linux
  2. Windows Server 2008 with several vulnerable software packages
  3. Metasploitable 2

Downloading VMs

Download the VMs shown below. Each of them is a 7-zip archive.

Download Metasploitable 2

Download Win2008-124
      Size: 2,180,234,212
      SHA-256: dc496623ef74fe1dac1dfb3053acea312350f02d83189bd15d2b48d6eb49be22

You should already have Kali Linux, but if you don't, get it here:

Download Kali Linux 64 bit VM

Using VirtualBox

If you prefer to use VirtualBox, these links should help:

How to Download and Install Metasploitable in VirtualBox

Download Kali Linux VirtualBox Images


10.1: Windows 2008 with Vulnerable Software (10 pts)

Unzip the Win2008-124.7z file you downloaded above. Launch the VM. It will automatically log in, but for future reference the default username is Administrator and the default password is P@ssw0rd

VirtualBox Instructions

If you prefer to use VirtualBox, download this file:
Win2008-124-ovf.7z
      Size: 3,839,642,200
      SHA-256: b4ac58beba22561845ab09153d7fa5c22600561a3b61c9626020c1138a6c5c77

Unzip it. Then open VirtualBox and click File, "Import Appliance". Navigate to the Win2008-124.ovf file, and click Continue.

In the "Appliance settings" box, make these adjustments:

  • Name: Win2008-124
  • Guest OS Type: Windows 2008 (32-bit)
  • Video Memory: 128 MB
  • Storage: Remove the 102 MB disk

Click Import.

The new VM appears in the list, and you can start it normally.

If it won't start up, check the settings: if there are two hard disks, remove the 102 MB one.

Viewing Listening Ports

In Windows Server 2008, open a Command Prompt window, maximize it, and execute this command:
netstat -banp tcp
Find the name of the process listening on port 3306, which is covered by a green box in the image below.

That process name is the flag.


10.2: Metasploitable 2 (10 pts)

Unzip the Metasploitable file you downloaded above and launch the VM. Log in with the default credentials: the username and password are both msfadmin

VirtualBox Instructions

If you prefer to use VirtualBox, download this file:
Metasploitable2-vbox.7z
      Size: 692,100,274
      SHA-256: 02b128198cb9db2304f0cf45061f186abf326350e6d3dc6da1cebae66027d59d
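
Before unzipping, each archive can be checked against the Size and SHA-256 values listed on this page. The script below is an added example, not part of the original assignment; it assumes the Size figures are byte counts and that the archives keep the file names shown on this page, and its function names are its own.

```python
import hashlib
import sys
from pathlib import Path

# Size and SHA-256 values copied from this page; sizes are assumed to be bytes.
MANIFEST = {
    "Win2008-124.7z": (2_180_234_212, "dc496623ef74fe1dac1dfb3053acea312350f02d83189bd15d2b48d6eb49be22"),
    "Win2008-124-ovf.7z": (3_839_642_200, "b4ac58beba22561845ab09153d7fa5c22600561a3b61c9626020c1138a6c5c77"),
    "Metasploitable2-vbox.7z": (692_100_274, "02b128198cb9db2304f0cf45061f186abf326350e6d3dc6da1cebae66027d59d"),
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte archive never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify(path, expected_size, expected_sha256):
    """Return (ok, reason). Size is checked first: it is cheap and catches truncated downloads."""
    path = Path(path)
    if not path.is_file():
        return False, "missing"
    actual_size = path.stat().st_size
    if actual_size != expected_size:
        return False, f"size mismatch: got {actual_size}, expected {expected_size}"
    actual = sha256_file(path)
    if actual != expected_sha256.lower():
        return False, f"sha256 mismatch: got {actual}"
    return True, "ok"

def verify_downloads(directory, manifest=MANIFEST):
    """Check every archive named in the manifest under `directory`."""
    return {name: verify(Path(directory) / name, size, sha)
            for name, (size, sha) in manifest.items()}

if __name__ == "__main__":
    # Usage: python verify_vms.py <download directory>   (script name is arbitrary)
    results = verify_downloads(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, (ok, reason) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

An archive you chose not to download is reported as missing; a size or hash mismatch means the file should be downloaded again rather than imported.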

Unzip it to create a Metasploitable2-Linux.vdi file.

Then open VirtualBox and click Machine, New.

In the "Name and operating system" box, make these entries:

  • Name: Metasploitable2
  • Type: Linux
  • Version: Ubuntu (32-bit)

Click Continue.

In the "Memory size" box, accept the default selection and click Continue.

In the "Hard disk" box, click the "Use an existing virtual hard disk file" button, click the little folder icon, and navigate to the Metasploitable2-Linux.vdi file. Click Open. Click Create.

The new VM appears in the list, and you can start it normally.

Execute this command:
sudo ss -pant | more
Find the name of the process listening on port 6697, which is covered by a green box in the image below.

That process name is the flag.

Posted 4-5-19
Revised 5-20-19 for WCIL