Adding Vulnhub VMs to Our VirtualBox Cyber Range

In this module, we will look at two different ways, based on file type, to import VMs from Vulnhub into our home lab.
In: VirtualBox, Home Lab, CTF

This module is a part of a larger series of building a security lab in VirtualBox. Click here to be taken back to the series landing page.

Building a Security Lab in VirtualBox
In this post, we will take a look at an in-detail process of setting up an entry-level cybersecurity lab using VirtualBox




Example 1: Metasploitable 2

With this method, we are going to download a VM from Vulnhub and import it using the .vmdk file from an archive.

VM Info on Vulnhub: https://vulnhub.com/entry/metasploitable-2,29/
Vulnhub Download Link: https://download.vulnhub.com/metasploitable/metasploitable-linux-2.0.0.zip

Once finished downloading, unzip this file to extract the virtual disk.

The .vmdk file is what we're after here.

Open VirtualBox and click New

Add a disk
Click the add disk icon
Go to the folder where you unzipped metasploitable2
Open the folder
Select the .vmdk file
Select choose

Click Next

Click Finish

DO NOT START THE VM

Right-click the Metasploitable2 VM and choose Settings

Open Metasploitable2's network settings

You can now start the VM.

If you wish, you can log in with msfadmin:msfadmin to check that the system grabbed an IP from the DHCP server. I got the IP address 10.6.6.11, which is exactly what we want.



Ping Kali from Metasploitable2

Using the IP address
Using the local DNS suffix



Ping google.com from Metasploitable2

Ping test fails as it should



Ping Metasploitable2 from Kali

Ping test succeeds as it should
💡
Now that you've had a chance to power on and test the VM, power it back off and take a snapshot of it at its last known good state. That way you can roll back to the snapshot in case anything breaks during your penetration test.





Example 2: Mr. Robot

VM Info on Vulnhub: https://www.vulnhub.com/entry/mr-robot-1,151/
Vulnhub Download link: https://download.vulnhub.com/mrrobot/mrRobot.ova

With this method, we are going to download a VM from Vulnhub and import it using the .ova file.

.OVA File

This is an Open Virtual Appliance file: an open standard for packaging virtual machines so they can be reused across hypervisors. The .ova format is directly compatible with VirtualBox.

You will notice in the directory where you downloaded the file, the file type is automatically associated with VirtualBox.
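Before double-clicking a downloaded appliance it is worth looking inside it: an .ova is a tar archive whose .ovf descriptor declares the disks and the network the VM expects, and whose .mf manifest carries a digest of every file. The script below, an added example that is not part of the original post or of Vulnhub's packaging, lists those declarations and checks the manifest; the archive it builds for itself is a constructed stand-in, not mrRobot.ova.

```python
"""Inspect a downloaded .ova before importing it into the lab.

An .ova is a POSIX tar archive: an .ovf XML descriptor, usually a .mf manifest
with per-file digests, then the disk image(s). Added example, not code from the
original post or from Vulnhub; build_sample_ova() constructs a fake archive.
"""
import hashlib
import io
import re
import sys
import tarfile
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
NS = {"ovf": OVF_NS}
# Manifest lines look like: SHA256(mrRobot.ovf)= <hex digest>
MANIFEST_RE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def _attr(el, name):
    """Read an ovf:-namespaced attribute such as ovf:href."""
    return el.get("{%s}%s" % (OVF_NS, name))


def _members(ova_bytes):
    """Return {name: bytes} for every regular file in the archive."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = tar.extractfile(m).read()
    return out


def describe_ovf(ovf_xml):
    """Extract disk file names, network names and the declared OS from the descriptor."""
    root = ET.fromstring(ovf_xml)
    files = {_attr(f, "id"): _attr(f, "href") for f in root.findall("ovf:References/ovf:File", NS)}
    disks = [files.get(_attr(d, "fileRef")) for d in root.findall("ovf:DiskSection/ovf:Disk", NS)]
    nets = [_attr(n, "name") for n in root.findall("ovf:NetworkSection/ovf:Network", NS)]
    os_el = root.find("ovf:VirtualSystem/ovf:OperatingSystemSection", NS)
    os_desc = os_el.findtext("ovf:Description", default="", namespaces=NS) if os_el is not None else ""
    return {"disks": disks, "networks": nets, "os": os_desc}


def verify_manifest(files):
    """{filename: bool} for every digest line in the .mf; a file named in the
    manifest but absent from the archive counts as a failure."""
    mf_name = next((n for n in files if n.endswith(".mf")), None)
    if mf_name is None:
        return {}  # nothing to check against, so nothing is proven
    results = {}
    for line in files[mf_name].decode("utf-8", "replace").splitlines():
        m = MANIFEST_RE.match(line.strip())
        if not m:
            continue
        algo, fname, expected = m.groups()
        data = files.get(fname)
        results[fname] = data is not None and hashlib.new(algo.lower(), data).hexdigest() == expected.lower()
    return results


def inspect_ova(ova_bytes):
    """Pre-import report; 'ok' is True only if a manifest exists, every digest
    matches and every disk the descriptor references is actually in the archive."""
    files = _members(ova_bytes)
    ovf_name = next((n for n in files if n.endswith(".ovf")), None)
    if ovf_name is None:
        raise ValueError("no .ovf descriptor in archive")
    info = describe_ovf(files[ovf_name])
    info["manifest"] = verify_manifest(files)
    info["ok"] = (bool(info["manifest"]) and all(info["manifest"].values())
                  and all(d in files for d in info["disks"]))
    return info


def build_sample_ova(tamper=False):
    """Constructed stand-in for a download (NOT the real mrRobot.ova)."""
    ovf = b"""<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <References><File ovf:id="file1" ovf:href="sample-disk1.vmdk"/></References>
  <DiskSection><Disk ovf:diskId="vmdisk1" ovf:fileRef="file1"/></DiskSection>
  <NetworkSection><Network ovf:name="NAT"/></NetworkSection>
  <VirtualSystem ovf:id="sample">
    <OperatingSystemSection ovf:id="94"><Description>Ubuntu</Description></OperatingSystemSection>
  </VirtualSystem>
</Envelope>"""
    disk = b"KDMV" + b"\x00" * 60  # placeholder bytes, not a real VMDK
    mf = b"".join(b"SHA256(%s)= %s\n" % (n, hashlib.sha256(d).hexdigest().encode())
                  for n, d in ((b"sample.ovf", ovf), (b"sample-disk1.vmdk", disk)))
    if tamper:
        disk += b"\x01"  # disk changed after the manifest was written
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("sample.ovf", ovf), ("sample.mf", mf), ("sample-disk1.vmdk", disk)):
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ova()
    for key, value in inspect_ova(blob).items():
        print("%-9s %s" % (key, value))
```

Run it as `python ova_inspect.py mrRobot.ova`. A network named NAT in the descriptor is the reminder that the imported adapter will have to be moved to the ISOLATED network in the next step; a failing manifest entry means the archive differs from what was packaged and should be re-downloaded rather than imported.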





Import the VM

Double-click the mrRobot.ova file

Set the name to Mr. Robot

Set the MAC address policy

Click Finish





Adjust the VM Settings

Right-click the Mr. Robot VM and choose Settings

Add the VM to the ISOLATED network
Click OK

Turn on the VM; it should get an IP address from pfSense in the Isolated LAN. If you configured your firewall correctly, Kali can route to this LAN.

💡
If the VM boots up and pulls a DHCP address, power it back off and take a snapshot of it in its last working state, so you can revert back to this snapshot in case anything breaks during the penetration test.
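Both imports above can be scripted with VBoxManage, which is handy when rebuilding the range. The following is an added example rather than anything from the original post: the VM names, the .ova file name and the ISOLATED network name are the post's; the .vmdk path is a placeholder, and the Ubuntu OS type, 512 MB of RAM and the IDE controller are my assumptions for Metasploitable 2. The guard refuses to run a plan that leaves an adapter on NAT or bridged networking, and the snapshot step is the callout's advice.

```python
"""VBoxManage equivalents of the click-through steps in both examples.

Each *_plan function returns argv lists for one VM so the plan can be reviewed
(and tested) before anything runs; run_plan() executes it. Added example, not
from the original post. Assumptions: Ubuntu OS type, 512 MB RAM and an IDE
controller for Metasploitable 2; the .vmdk path is a placeholder.
"""
import subprocess

ISOLATED_NET = "ISOLATED"  # internal network behind pfSense, as in the post


def vmdk_import_plan(vm_name, vmdk_path, ostype="Ubuntu", memory_mb=512):
    """Example 1: create a VM around an existing .vmdk with nic1 on the isolated LAN."""
    return [
        ["VBoxManage", "createvm", "--name", vm_name, "--ostype", ostype, "--register"],
        ["VBoxManage", "modifyvm", vm_name, "--memory", str(memory_mb),
         "--nic1", "intnet", "--intnet1", ISOLATED_NET],
        ["VBoxManage", "storagectl", vm_name, "--name", "IDE", "--add", "ide"],
        ["VBoxManage", "storageattach", vm_name, "--storagectl", "IDE", "--port", "0",
         "--device", "0", "--type", "hdd", "--medium", vmdk_path],
    ]


def ova_import_plan(vm_name, ova_path):
    """Example 2: import the appliance, then move nic1 off whatever network the
    .ovf declared (typically NAT) onto the isolated LAN."""
    return [
        ["VBoxManage", "import", ova_path, "--vsys", "0", "--vmname", vm_name],
        ["VBoxManage", "modifyvm", vm_name, "--nic1", "intnet", "--intnet1", ISOLATED_NET],
    ]


def snapshot_plan(vm_name, label="last-known-good"):
    """Take the snapshot the post recommends, with the VM still powered off."""
    return [["VBoxManage", "snapshot", vm_name, "take", label]]


def nics_isolated(plan):
    """True only if the plan's final setting for every adapter is intnet on
    ISOLATED_NET; a NAT or bridged adapter would let the target reach the
    internet or the home LAN, which the range is built to prevent."""
    final = {}
    for cmd in plan:
        for i, arg in enumerate(cmd[:-1]):
            if arg.startswith("--nic") and arg[5:].isdigit():
                final[arg] = cmd[i + 1]
            if arg.startswith("--intnet") and arg[8:].isdigit():
                final[arg] = cmd[i + 1]
    modes = [v for k, v in final.items() if k.startswith("--nic")]
    nets = [v for k, v in final.items() if k.startswith("--intnet")]
    return bool(modes) and all(m == "intnet" for m in modes) and all(n == ISOLATED_NET for n in nets)


def run_plan(plan, dry_run=True):
    """Print each command and, unless dry_run, execute it (stopping at the first failure)."""
    if not nics_isolated(plan):
        raise RuntimeError("refusing plan: an adapter is not on the isolated network")
    for cmd in plan:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Placeholder path: point it at the .vmdk you unzipped from the Vulnhub archive.
    run_plan(vmdk_import_plan("Metasploitable2", "path/to/metasploitable2.vmdk")
             + snapshot_plan("Metasploitable2"))
    run_plan(ova_import_plan("Mr. Robot", "mrRobot.ova") + snapshot_plan("Mr. Robot"))
```

The default is a dry run that only prints the commands; pass `dry_run=False` to apply them. The guard is deliberately strict: an imported appliance keeps whatever adapters its descriptor declared, so the `modifyvm` after `import` is what actually moves the box into the isolated LAN.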





Continued Practice: OSCP-Like Boxes

Now that I've shown you two examples of importing Vulnhub boxes into your cyber range, don't stop there. TJ Null and the folks at NetSecFocus have curated a list of OSCP-like boxes.

NetSecFocus Trophy Room - Google Drive

Among these boxes is a long list of Vulnhub targets. Follow along with the steps shown above and continue your Vulnhub adventures. You can find a list of any write-ups I've done from the list of targets linked above.

TJ Null OSCP Practice - 0xBEN
Write-ups from TJ Null’s OSCP-like boxes list



Next Step: Building the Active Directory Lab

Adding an Active Directory Forest to Our VirtualBox Lab
In this module, we will cover the steps to set up a small Active Directory forest in VirtualBox, including a domain controller and two client computers
