Guide to Building Vulnerable VMs
I've had a few people ask me recently how I go about building vulnerable VMs, so I thought that I'd write up a little guide to help others who might be thinking of creating their own vulnerable CTF or boot2root.
I should point out that this is only my method - others will have their own - but this seems to work for me.
Having a plan or a guide keeps you on track with the entire process. I usually take a lot of notes, which will include details about the OS (usually Debian or Ubuntu) that I want to use, the method of gaining a foothold on the system (LFI, command injection, sql injection etc), whether there is a particular way that I want the vulnerability exploited (through a basic web app, or a Content Management System etc), the exploit itself, as well as the method (or methods) of privilege escalation to obtain root and the final (or only) flag.
I also tend to use a "script" (not a "scripting" script), about how things should work, specific exploits and the commands to use it, what someone is likely to do, any hints etc etc.
I also keep details of all the usernames and passwords that I use along the way, as well as any other important details.
I've found that no matter how clear the image is in my mind of what I want to achieve, at some point, something won't work as expected, and I may need to find other options.
This might be because something has been patched during the install process, or because I just can't get it to work.
One of the hardest things about building vulnerable VMs, is that if you want to exploit a particular vulnerability, you need to have access to it.
This may mean that you have to go searching for it on the Internet, in which case, you have to hope that it's still available, or you start building a collection ahead of time.
Because I've been using Debian for quite a long time, I've kept a lot of the old ISO images.
Unfortunately, many of these are the "net-install" ISO images, and not the preferred CD or DVD ISO images.
The "net-install" ISO images are effectively an image with the bare minimum to get you booted up so that you can install whatever software you need, over the Internet.
The reason why this is a bad choice, is because you'll end up with the security updated versions of software, which means that the vulnerability that you wanted to use, may no longer be able to be exploited.
For this reason, I try to use the old CD or DVD ISO images, and I also disable updates (or prevent access to the Internet so that they can't install updated versions).
I have managed to find older CD and DVD ISO images on Official Debian and Ubuntu sites, but this can be hit and miss and not all are available (especially in the case of Debian).
Once I've installed the OS (and any necessary software packages), I shut it down and take a backup copy of it, and name it to something relevant (i.e. DC-6-1-OS.rar).
Also, it pays to be aware of how certain recent changes in both Debian and Ubuntu can affect VMware.
I have seen cases of Predictable Network Interface Names causing problems when obtaining a DHCP address in VMware.
In VirtualBox, the interface is generally something like enp0s3 (this can be viewed by having a look at /etc/network/interfaces).
In VMware, I have seen the interface show up as ens33.
My understanding is that the network interface name is based on the MAC address, so when the MAC address changes (like when being imported into VMware, or vice versa), the network interface name will also change.
The workaround is to disable Predictable Network Interface Names and use eth0 (or something else) instead.
You might want to search for the solution to suit your Linux Distribution, but this worked for Debian.
Finding Vulnerable Software
Finding vulnerable software, such as WordPress or Drupal versions is easy, as they are still available on their respective websites.
However, finding vulnerable WordPress plugins, can be hit and miss at times.
If I already know what WordPress plugin I'm looking for, I generally go to the WordPress plugin page and search for it.
Often, you'll find one of two things: The plugin is no longer available (but the plugin page still remains), or the plugin has been updated to a newer version.
Thankfully, this isn't always a problem, and by playing around with the download link and the version number of the software, you'd be surprised at how many times I've been able to download vulnerable WordPress plugins, even ones that were released many years ago.
This isn't always successful (such as when the plugin doesn't include the version number), but it works often enough that I get to use them (or save them as part of my vulnerable WordPress plugin collection).
Take Regular Backups
Always take regular backups by shutting the VM down and taking a compressed copy that you can restore if needed. This can be a lifesaver (and has, on many occasions).
If you make a config change or install something, make a backup.
I prefer not to take snapshots, as this may possibly cause problems later when exporting the image as an OVA file (no idea if it actually does, but my current solution works quite nicely, so...).
Once I think the VM is completed, I'll take another backup of the VM's folder, and name it something similar to "DC-6-x-final.zip" (where x is the copy number).
Export as an OVA
Once I've taken a final backup, I'll export it from VirtualBox - File > Export Appliance - and then follow any prompts.
Test in VMware
Once I have the exported OVA file, I then import it into VMware Player and start it up.
From my Kali install, I'll check using netdiscover to see whether it has picked up a DHCP address.
If it has, I then perform a walkthrough on it, just as if it was a blackbox pentest.
Testing - Perform a Walkthrough
I like to treat the VM as if I was doing a blackbox pentest. I do absolutely everything as I normally would, including obtaining root and the final flag.
This is quite possibly the most important step, as it makes sure that everything works smoothly.
Once I'm happy with it, I upload a zipped version of the OVA file.
One question I've been asked is where is the best place to host it.
This is entirely up to you, but you need to take into account the size of the file, and depending on popularity, that there might be hundreds of GBs downloaded within a day or a few weeks.
You may have to pay for hosting, or use a free hosting service.
I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).
I can be contacted via Twitter - @DCAU7