Intentionally vulnerable machines
The Metasploitable virtual machines are intentionally vulnerable machines, designed by Rapid 7 - the company behind Metasploit Pro - for training offensive security skills and testing exploits.
Another good source of for such vulnerable virtual machine's are available on VulnHub as well. Some VM's on Vulnhub are special crafted CTF machines, which contains 'flags' to find. These flags represent the crown jewels of your target and are the ultimate goal to obtain. The downside of the these machines is that due to licensing reasons, these are almost exclusively linux machines. That's why I was very stoked that Metasploitable 3 is a Windows VM!
How to install Metasploitable 3 on Windows
Unfortunately, you can't just download en boot Metasploitable 3 in Virtualbox. You need to craft the virtual image yourself. The Metasploitable virtual machines are created with Vagrant and Packer, software products to create virtual development environments.
1. Install prerequisite software
First you need to download and install Vagrant. Pick your flavor (x86 or x64) here and install. Reboot afterwards.
Additionally, you need to install the Vagrant Reload Plugin. Simply run the following command in the Windows Command Line:
vagrant plugin install vagrant-reload
Next, download the ZIP-file of the Metasploit 3 GitHub. Extract on any location. My location was my Downloads folder.
Last, download Packer and extract in the same location as the contents of the Metasploit 3-zip file.
2. Tweaking config file
At my first try, I kept receiving the error "waiting for ssh..". After some research, I found the solution in increasing the _boot___wait time in the windows_2008_r2.json file - in the unzipped Metasploit 3 directory - from 2m to 10m. This gives the VM enough time to boot before SSH starts listening.
2. Run the install script
To run the install script, start Powershell as administrator, change directory to the unzipped Metasploit 3 directory and run the build_win2008.ps1 script. This will take approx 15-20 minutes.
Note: I forgot to move Packer to my working directory first, causing the red error in the screenshot above. You should not see this error.)
2. Vagrant Up
After the script is complete, simply type the following command:
This will cause Vagrant to kick in and run all scripts to make the machine vulnerable and fully configure the VM. When this process is complete your Metasploitable 3 machine is ready to exploit! This process could take up to 30 min.
Login details: vagrant
If you use a non-Querty keyboard, keep in mind that during the first boot, you will need the above password as it would be a Querty keyboard