Vagrant Hack Box

For about a year I’ve been using Vagrant for web development, and I wondered whether it was possible to weaponize a Vagrant box. Below is my attempt to explain my process of building this “Vagrant Hack Box”.

Requirements

My host OS is Fedora 26, a Linux distribution. I have used Vagrant on Windows before and it works; this guide, however, focuses on a Linux host.

Setup

After installing all the required tools, we can start setting up the “vagrant hacker box”. The first thing to do is add the debian/jessie64 Vagrant box, which I will use as the base for the hack box.


[[email protected] ~]$ vagrant box add debian/jessie64
==> box: Loading metadata for box 'debian/jessie64'
    box: URL: https://vagrantcloud.com/debian/jessie64
==> box: Adding box 'debian/jessie64' (v8.10.0) for provider: virtualbox
    box: Downloading: https://vagrantcloud.com/debian/boxes/jessie64/versions/8.10.0/providers/virtualbox.box
==> box: Successfully added box 'debian/jessie64' (v8.10.0) for 'virtualbox'!

It might take a while depending on your internet connection, but this is a one-time process. When it is done, create a new directory to host the files needed.


[[email protected] ~]$ mkdir -p debian-jessie
[[email protected] ~]$ cd debian-jessie/

Run the following vagrant command in the directory we created:


[[email protected] debian-jessie]$ vagrant init debian/jessie64
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`vagrantup.com` for more information on using Vagrant.

This creates the Vagrantfile, which contains the configuration for the VM, including the type of VM software used and the amount of RAM assigned to the machine.

Once this file is created, you can bring the machine to life with the command vagrant up:


[[email protected] debian-jessie]$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'debian/jessie64'...
==> default: Matching MAC address for NAT networking...
==> default: Checking if box 'debian/jessie64' is up to date...
==> default: Setting the name of the VM: debian-jessie_default_1520693574644_70052
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: 
    default: Vagrant insecure key detected. Vagrant will automatically replace
    default: this with a newly generated keypair for better security.
    default: 
    default: Inserting generated public key within guest...
    default: Removing insecure key from the guest if it's present...
    default: Key inserted! Disconnecting and reconnecting using new SSH key...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
    default: No guest additions were detected on the base box for this VM! Guest
    default: additions are required for forwarded ports, shared folders, host only
    default: networking, and more. If SSH fails on this machine, please install
    default: the guest additions and repackage the box to continue.
    default: 
    default: This is not an error message; everything may continue to work properly,
    default: in which case you may ignore this message.
==> default: Installing rsync to the VM...
==> default: Rsyncing folder: /home/x1m/debian-jessie/ => /vagrant

==> default: Machine 'default' has a post `vagrant up` message. This is a message
==> default: from the creator of the Vagrantfile, and not from Vagrant itself:
==> default: 
==> default: Vanilla Debian box. See https://app.vagrantup.com/debian for help and bug reports
[[email protected] debian-jessie]$


The VM is up and running; now it’s time to log in using the vagrant ssh command.


[[email protected] debian-jessie]$ vagrant ssh

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
vagrant@jessie:~$ ls
vagrant@jessie:~$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)
vagrant@jessie:~$ whoami
vagrant
vagrant@jessie:~$ uname -a
Linux jessie 3.16.0-4-amd64 #1 SMP Debian 3.16.51-2 (2017-12-03) x86_64 GNU/Linux

Change the user password (optional)


vagrant@jessie:~$ passwd
Changing password for vagrant.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
vagrant@jessie:~$

Enable the root account by setting a password for it:

sudo passwd root


vagrant@jessie:~$ sudo passwd root
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully

Then execute: sudo passwd -u root


vagrant@jessie:~$ sudo passwd -u root
passwd: password expiry information changed.


Now we have access to the root account.


vagrant@jessie:~$ sudo su
root@jessie:/home/vagrant# cd ~
root@jessie:~# id
uid=0(root) gid=0(root) groups=0(root)
root@jessie:~#


The root account is ready, let’s get some tools.

@ZephrFish made a nice .sh script that sets up a lot of tools used for pentesting.

I’m using the git version of his one-liner (install git first: apt install git):


git clone https://github.com/ZephrFish/AttackDeploy.git && cd AttackDeploy && chmod +x AttackDeploy.sh && ./AttackDeploy.sh

This is a long process and every now and then it requires some user interaction. My advice is to check in every few minutes to see if all is still running.
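
The one-liner above clones a third-party installer and executes it as root in a single step. As an added example (not part of the original post and not ZephrFish's code), this helper lists the lines of an installer script that fetch remote code so they can be read before the script is run; the patterns are an assumed starting list, and the sample script with its example.invalid URLs is constructed.

```shell
#!/bin/sh
# Added example: list the lines of an installer script that pull code from the
# network, so they can be read before the script is run as root in the box.

# Commands that fetch remote code or change package trust (assumed list).
FETCH_RE='(curl|wget)[[:space:]]|git[[:space:]]+clone|apt-key[[:space:]]+add|add-apt-repository|(pip[0-9.]*|gem|npm)[[:space:]]+install'
# A download piped straight into a shell interpreter.
PIPE_RE='(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)'

# flag_lines REGEX FILE: print "LINE:TEXT" for matching, non-comment lines.
flag_lines() {
    grep -nE "$1" "$2" | grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# count_lines REGEX FILE: number of flagged lines (prints 0 when none).
count_lines() {
    flag_lines "$1" "$2" | grep -c . || true
}

# write_sample FILE: constructed installer for the demo; it is NOT the
# contents of AttackDeploy.sh, and the example.invalid URLs are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
apt-get update && apt-get -y upgrade
apt-get install -y nmap git
# git clone mentioned in a comment is ignored
git clone https://example.invalid/tools/recon.git /usr/share/tools/recon
curl -fsSL https://example.invalid/setup.sh | bash
wget -qO- https://example.invalid/key.asc | apt-key add -
pip install -r /usr/share/tools/recon/requirements.txt
echo "done"
EOF
}

# Demo on the constructed sample; pass a real script path as $1 to scan it instead.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    write_sample "$target"
fi
echo "Remote fetches to review:";     flag_lines "$FETCH_RE" "$target"
echo "Downloads piped into a shell:"; flag_lines "$PIPE_RE" "$target"
```

To apply it to the installer used here, run the git clone step on its own, without the trailing chmod and execute steps, and pass the path of the cloned .sh file as the first argument.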

When all the updates are done and the tools are installed, you can use this box just as you would a headless Kali machine.

It’s fairly easy to use and everything can be done from the command line.

A few commands to make life easier:

  • vagrant up: cd inside the debian-jessie directory and execute vagrant up to start up the hack box.

  • vagrant halt: Gracefully shuts down the hack box and saves its state.

  • vagrant ssh: ssh into the hack box to use it.

The tools are installed in: /usr/share/tools
