Building Custom Box Images for Vagrant

When I started working on Breaking Web App Security, I knew I was going to need a lab environment for the students to use. I considered using Docker images with instructions on how to set up the target sites. It didn’t take very long to decide to drop this idea due to the variances that would occur between each student’s system and my own. This brought me back to using virtual machines that will be large in size and use significant resources on each student system. The consistency of the environment made me decide to go that route.

I decided to create my own VM so that it would be completely in my control in what was installed on the system already, how it was configured, and to try to limit the size of the VM. However, I did want to manually rebuild the VM step by step every time I updated it. I decided to use Vagrant to automate the build process. Part of the build process is that Vagrant will download a base VM (or Box) for the core of the OS. Being paranoid, I didn’t like the idea of trusting someone else’s Box. It would probably be fine, but I didn’t like the idea. That meant a profile on VagrantUp and build a custom Box to upload. All that said, here is how I build my base Ubuntu image for Box.

Box Build Steps

# Vagrant docs can be found at:
# https://www.vagrantup.com/docs/boxes/base.html
# https://www.vagrantup.com/docs/vmware/boxes.html

# Perform a base installation of Ubuntu Desktop (in this case) with all apps and utilities

# Create a vagrant user
user: vagrant
password: vagrant

# Disable automatic updates to avoid breaking the later vagrant build process
sudo vi /etc/apt/apt.conf.d/20auto-upgrades

# Change the 1 to 0 in this line:
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";

# Install vmware tools (should be done by installer if using easy installer)
apt-get install open-vm-tools

# Setup the SSH server for Vagrant to connect to the VM
install openssh-server

# set root password to vagrant
sudo su -
passwd

# add the default insecure ssh public key to the vagrant user account
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key

# set permissions to 600 on authorized_keys
chmod 600 ~/.ssh/authorized_keys

# set vagrant to sudo without password.  add to end of sudoers
vagrant ALL=(ALL) NOPASSWD: ALL

# Change the %sudo entry to also require no password.  Apparently it takes precedence over the username...

# Create a mount point for Vagrant to copy resources from your host machine into the virtual machine
mkdir /mnt/hgfs

# Defrag and compress disks
# This assumes you are using VMware to do this
/Applications/VMware\ Fusion.app/Contents/Library/vmware-vdiskmanager -d ./Virtual\ Disk.vmdk
/Applications/VMware\ Fusion.app/Contents/Library/vmware-vdiskmanager -k ./Virtual\ Disk.vmdk

# Add metadata.json to vm directory
{
  "provider": "vmware_fusion"
}

# Delete the lck directory in the virtual machine directory
rm -rf *lck

# create box file
tar cvzf xenialdesktop.box ./*
mv xenialdesktop.box ~/

# Go to https://app.vagrantup.com/ and create a new box, create a new version, set the provider and then upload the .box file

Final Notes

With all that done, you are ready to start using your own Box for your Vagrant builds. I’ll follow up with my build scripts for the BWAS (Breaking Web App Security) virtual machine.

If you do use Vagrant to build a system be sure to take some steps to harden the system afterward. Like deleting the vagrant user account, changing the root password, and removing the SSH service (if it doesn’t need SSH) from the system. Otherwise, you are ready to get owned when you put your Vagrant built system on the internet.

Download the Penetration Testing Tool Checklist

Get the list of tools that you can use during penetration tests!

SPAM blows. Unsubscribe at any time. Powered by ConvertKit