It’s my favourite time of the year and not only because of all the Christmas cheer but also because of all the CTF’s that seem to come out around this time of the year. This year rapid 7 is holding a Metasploitable 3 CTF comp – there’s some info about that here (https://community.rapid7.com/community/metasploit/blog/2016/12/07/metasploitable3-capture-the-flags-competition). You’ll notice metasploitable 3 is a bit different to metasploitable 1 & 2. I’d recommend manually building it as I had a bit of trouble with the provided script and it seemed quicker and easier to just do it the “long” way. Make sure you have vagrant, packer (and of course vm virtualbox but get version 5.1.6 not the newer version) as well as a git client if using windows and make sure you install the vagrant reload plugin before anything! To get it working clone the files from here (https://github.com/rapid7/metasploitable3) by opening the git client and typing
git clone https://github.com/rapid7/metasploitable3.git
Then open powershell (with admin privileges by right clicking) and enter:
packer build windows_2008_r2.json
Once that finishes enter:
vagrant box add windows_2008_r2_virtualbox.box --name=metasploitable3
Then make sure you installed the vagrant reload plugin before entering:
Now go to vm virtualbox and metasploitable 3 can be booted. (password for user vagrant is “vagrant”).
If you’re unsure where to start there’s a list of metasploitable 3 vulns here (https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities). Also keep in mind metasploitable 3 has a firewall (and lookout for tcpwrapped services 😉 ).
As for the SANS holiday hack that should be out by Monday!!! So excited!! From the clues on twitter it looks like there might be some Android apk reverse engineering which should be lots of fun. https://www.holidayhackchallenge.com/