In this post, I woud like to share a quick tutorial (I guess) on how to setup a VulnHub machine in your local network.
And I’ll assume that you are already familiar with software installation, know what Host OS-Guest OS is, and probably a basic networking. If you don’t, just follow along 😀!
What is VulnHub?
VulnHub is a website that provides vulnerable virtual machines (VMs) for those who wants to gain a practical experience in penetration testing. It similar with Hack The Box and TryHackMe, but with VulnHub you can practice locally. Because Windows machine requires a license, most VulnHub machines are Linux server.
There are a lot of things you can do with VulnHub machines after you get a root, such as:
- Analyzing the vulnerability, sometimes I patch it if it’s just an insecure code line.
- Learning how the author configure the server.
- Building a pentest lab that consist of VulnHub machines to practice network pivoting.
- DFIR, and many more!
01. Install your virtualization software
First thing first, you need a virtualization software such as VirtualBox or VMWare. Here are the links for both of them:
- VirtualBox — https://www.virtualbox.org/wiki/Downloads
- VMWare — https://www.vmware.com/products/workstation-player.html
In this post, I’ll be using VirtualBox on Windows because it’s easy to use (and of course, it’s free).
02. Download VM image / OVA
Assuming that you’ve downloaded and installed a VirtualBox, now get your VulnHub machine/VM image at VulnHub’s official site: https://www.vulnhub.com/.
For this example, I’ll be using symfonos: 2.
03. Import the image
For the image, if it’s on 7z
or zip
format make sure to decompress it first. In my case symfonos: 2 is on 7z
format, so I have to decompress it.
Here’s what I have after decompressing it.
Any .ovf
file should already be associated with VirtualBox, and we can just double click on that file. It'll take us straight to the import menu.
To do that manually, open up your VirtualBox then click on the File menu -> select “Import Appliance…”, it will pop a new window.
Click on the icon that I marked with a red box to browse your VM image.
Locate your VM image and then click on the Open button.
For now let’s leave all the settings to its default.
Click on the Import button and wait until it completed.
When the import is done, you will see the machine on the VM list section
04. Setup VM network
Here is the core part, we’ll be putting the VM in an isolated network.
Open the VM’s settings by right click and choose “Settings”.
Go to the Network section, and set the “Attached to” to Host-only Adapter
.
Click OK button.
Now open the adapter configuration on the File menu → select “Host Network Manager…”.
In the image below, the “VirtualBox Host-Only Ethernet Adapter” will be using a network range of 192.168.2.0/24
and has DHCP server enabled which is needed by VulnHub machines to obtain IP address automatically on boot.
192.168.2.2
is the IP address of the virtual adapter on the host side (my Windows machine).
Below is the configuration for the DHCP server where 192.168.2.1
is the IP address of the built-in DHCP server from VirtualBox.
I set my Lower Address Bound
to 192.168.2.100
and Upper Address Bound
to 192.168.2.254
, so that all machines will be assigned with an IP started from .100-254
, and no one gets 192.168.2.3-99
.
Can I configure it to 10.10.10.0/24
?
Yes, you can!
If we want to create a 10.10.10.0/24
network, it's better to create another adapter by clicking the Create menu then set the adapter's settings with
- IPv4 Address:
10.10.10.2
(Adapter on the host side) - IPv4 Network Mask:
255.255.255.0
Next, configure the DHCP server to:
- Server Address:
10.10.10.1
(VirtualBox's built-in DHCP server) - Server Mask:
255.255.255.0
- Lower Address Bound:
10.10.10.100
- Upper Address Bound:
10.10.10.254
Then, on the VM settings (symfonos: 2), change the adapter name with the new one we created before.
Lastly, we should also configure the attacking machine, in my case it’s Kali Linux, to use the same network adapter.
05. Boot it!
Boot your machines and we’re done!
Happy hacking!
Originally published at https://fahmifj.github.io on May 30, 2021.