XEN Guest - Ubuntu Trusty

Vuln Testbed

Ubuntu Trusty can be a nice testbed for vunlerabilities. However one should use the original install CD – and not the latest minor release of it – nor the network installer nor debootstrap, to get the unsafe software versions. Therefore the PV Full Install and the Debootstrap sections below do not fit. Rather use the HVM method for that purpose (and eventually switch back to PV if you wish).

That 3.13.0-24-generic kernel is recent enough to support hvc0 as a PV console. On other (maybe older?) systems you might find xvc0.

PV Full Install

dd if=/dev/zero of=trusty.disk bs=1G count=0 seek=10

lftp ru.archive.ubuntu.com:/ubuntu/dists/trusty/main/installer-amd64/current/images/netboot/xen/
ls
get initrd.gz
get vmlinuz
^D

vi trusty

#kernel = "/data/kernels/vmlinuz"
kernel = "/data/guests/trusty/vmlinuz"
ramdisk = "/data/guests/trusty/initrd.gz"
memory = 1024
name = "trusty"
vcpus = 16
maxvcpus = 16
disk = ['tap:tapdisk:aio:/data/guests/trusty/trusty.disk,xvda,w']
vif = [ 'bridge=pubbr0, vifname=trusty.0' ]

xl create trusty -c

[*] Basic Ubuntu server
[*] OpenSSH server

and once the installation finished

xl des trusty
reset
vi trusty

#ramdisk = "/data/guests/trusty/initrd.gz"

root = "/dev/xvda1 ro ipv6.disable=1"
#console=hvc0 xencons=hvc0

xl create trusty -c

USER
sudo su -
passwd

vi /etc/init/hvc0.conf

exec /sbin/getty --noclear -L hvc0 9600 linux

reboot

xl console trusty

PV Debootstrap

Trusty seems to have some old ext4 implementation, hence build ext3 instead

wget http://ru.archive.ubuntu.com:/ubuntu/dists/trusty/main/installer-amd64/current/images/netboot/xen/vmlinuz
dd if=/dev/zero of=trusty.ext3 bs=1G count=0 seek=10
mkfs.ext3 trusty.ext3
mkdir lala/
mount trusty.ext3 lala/
time debootstrap --arch=amd64 trusty lala/ http://ru.archive.ubuntu.com/ubuntu/
du -sk lala/ # trustyx32 242M / x64 252M/258036

vi trusty

kernel = "/data/guests/trusty/vmlinuz"
root = "/dev/xvda ro ipv6.disable=1 console=hvc0"
memory = 1024
name = "trusty"
vcpus = 16
maxvcpus = 16
disk = ['tap:tapdisk:aio:/data/guests/trusty/trusty.ext3,xvda,w']
vif = [ 'bridge=pubbr0, vifname=trusty.0' ]

vi lala/etc/fstab

devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
/dev/xvda / ext3 defaults 0 1

ls -lkF lala/dev/hvc0
mknod lala/dev/hvc0 c 229 0
cp lala/etc/init/tty1.conf lala/etc/init/hvc0.conf
vi lala/etc/init/hvc0.conf

exec /sbin/getty --noclear -L hvc0 9600 linux

chroot lala/
init-checkconf /etc/init/hvc0.conf
passwd
^D

umount lala/
fsck.ext3 trusty.ext3

xl create trusty -c

HVM

as an HVM guest, you need this for the serial port / xl console to work,

serial = "pty"

and check you have something similar,

cat lala/etc/fstab

devpts /dev/pts devpts gid=5,mode=620 0 0

Network Setup

vi /etc/network/interfaces

auto eth0
iface eth0 inet static
        address x.x.x.x/24
        gateway x.x.x.x
        dns-search sne.lan
        dns-nameservers x.x.x.x

Apache2 & OpenSSL

apt install apache2
a2enmod ssl

openssl s_client -connect trusty:443
https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key

<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        #SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt

        #ServerAdmin hostmaster@trusty.sne.lan
        ServerName trusty.sne.lan
        ServerAlias trusty
        DocumentRoot /var/www/html/
        ErrorLog /var/log/apache2/trusty.error.log
        CustomLog /var/log/apache2/trusty.access.log combined
</VirtualHost>

mv /var/www/html/index.html /var/www/html/index.html.dist
echo '<p>trusty' > /var/www/html/index.html

service apache2 restart
netstat -lntupe

#apt-get install sysv-rc-conf
#sysv-rc-conf

Dirty Init

in case you just need to get it up and running in the most dirty possible way

extra = "init=/bin/bash"

mount -o remount,rw /
mount proc /proc -t proc
mkdir /dev/pts
mount devpts /dev/pts -t devpts
export HOME=/root
export TERM=xterm
export PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:$HOME/bin

and proceed e.g.

apt update
apt install git build-essential

the only problem is

bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell

Resources

hvc0

upstart


Nethence | Pub | Lab | Pbraun | SNE Russia | xhtml