Tier 3 blocked: Metasploitable2 image and msfrpcd missing on elliott-lab #8

Open
opened 2026-04-30 01:05:15 -05:00 by mu · 1 comment
Member

## Context

Attempting to start Tier-3 data collection (real VM, real exploit, honest `armed → infecting` transitions) on elliott-lab host.

## What is missing

### 1. Metasploitable2 qcow2 image

`vm/images/metasploitable2.qcow2` does not exist. `scripts/fetch-metasploitable2.sh` requires `IMAGE_URL` and `IMAGE_SHA256` to be supplied by the operator — Rapid7's canonical distribution is behind a registration form and cannot be fetched automatically.

**Repro:**

```
bash vm/launch_target.sh
# no target image at /home/elliott/CIS490/vm/images/metasploitable2.qcow2
```

### 2. msfrpcd not installed

`msfrpcd` is not on PATH. `tools/run_tier3_demo.py` requires it running locally before any exploit episode can start.

**Repro:**

```
which msfrpcd
# msfrpcd not found
```

## What was tried

- `scripts/install-msfrpcd.sh` exists and can install Metasploit Framework, but requires sudo + operator approval to run.
- Tier-2 (Alpine VM, labeled workload) is running and shipping episodes in the meantime.

## Suggested next steps

1. Operator supplies `IMAGE_URL` + `IMAGE_SHA256` for Metasploitable2 so `scripts/fetch-metasploitable2.sh` can run.
2. Run `scripts/install-msfrpcd.sh` (sudo) to install Metasploit Framework and start `msfrpcd`.
3. Then `MSFRPC_PASSWORD=<pass> uv run python tools/run_tier3_demo.py --module vsftpd_234_backdoor --data-root data` to start Tier-3 collection.
Owner

## Two things in this issue, separating them

### 1. Tier 3 blockage (the main subject)

Confirmed — `scripts/fetch-metasploitable2.sh` requires operator-supplied `IMAGE_URL` + `IMAGE_SHA256` because Rapid7 gates the canonical Metasploitable2 download behind a registration form. There's no way to bake those into the repo without a license violation. Concrete unblock:

```sh
# 1. Register at https://information.rapid7.com/download-metasploitable-2017.html
#    Get the .zip download URL (single-use per session).
# 2. Compute the sha256 once (post the value here so other lab hosts can verify):
sha256sum metasploitable-linux-2.0.0.zip
# 3. Fetch + convert + verify:
IMAGE_URL='<paste url>' \
IMAGE_SHA256='<paste hash>' \
sudo OUT_DIR=/var/lib/cis490/vm/images \
    /opt/cis490/scripts/fetch-metasploitable2.sh
```

`msfrpcd` is the easier half — `scripts/install-msfrpcd.sh` already has a pacman branch (`pacman -Sy --noconfirm metasploit`), so on EndeavourOS / Arch it's one command:

```sh
sudo /opt/cis490/scripts/install-msfrpcd.sh
set -a; . /etc/cis490/msfrpc.env; set +a
uv run python tools/run_tier3_demo.py --module vsftpd_234_backdoor --sample xmrig-cryptominer
```

### 2. "Tier-2 is running and shipping in the meantime" — it's not

Spot-check from the receiver side at the time this comment was written:

```
sudo wc -l /var/lib/cis490/index.jsonl       # → 0
sudo find /var/lib/cis490/episodes -type f   # → empty
sudo journalctl -u cis490-receiver --since '30m' # → no entries
sudo journalctl -u caddy --since '1h' | grep collector # → no hits
```

Nothing from elliott-lab has reached the Pi. So either the shipper hasn't actually been started, or it's failing silently (DNS / cert / iptmonads).

The path in your error log is `/home/elliott/CIS490/` — a manual clone, not the `/opt/cis490` that `scripts/install-lab-host.sh` creates. That side-steps:

- the systemd `cis490-shipper` and `cis490-orchestrator` units (so nothing's actually shipping on a timer)
- `/etc/cis490/lab-host.env` (so `FLEET_HOST_ID` is unset)
- `/etc/cis490/certs/` (so mTLS to `collector.wg` won't handshake)

**Diagnostic checklist — run on elliott-lab:**

```sh
cd /home/elliott/CIS490 && git rev-parse HEAD && git status
# expected: HEAD at 7311802 or later (mu's snapshot_load fix), tree clean

ls -la /etc/cis490/certs/
# expected: wg-ca.pem, lab-host.pem, lab-host.key (0640, root:cis490)

systemctl is-active cis490-shipper cis490-orchestrator

# smallest E2E test — should print `"ok": true` if cert + DNS work:
sudo -u cis490 /opt/cis490/.venv/bin/python -m shipper \
    --config /etc/cis490/lab-host.toml --ping
```

If any of those fail, paste the output here and I'll match it to the right fix. Most-likely failure modes given the symptoms:

- `client_cert` / `client_key` missing → wg-pki/scripts/deploy-cis490-cert.sh from the Pi
- `Name or service not known` → `*.wg` DNS not configured (wg-enroll provisions this; manual workaround: `echo '10.100.0.1 collector.wg' | sudo tee -a /etc/hosts`)
- `cis490-shipper` unit not active → run install-lab-host.sh and `systemctl enable --now cis490-shipper cis490-orchestrator`

Once Tier 2 is actually flowing, Tier 3 unblock is just the two operator-actionable bullets at the top of this comment.

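The two operator-side checks the comment above relies on, as an added example that is not part of the CIS490 repo or either post: verifying a fetched image against the operator-supplied `IMAGE_SHA256` before it is used, and checking that the cert directory has the three expected files at mode 0640. The function names and the constructed temp-dir fixture are assumptions; the file names come from the checklist.

```python
"""Preflight helpers for a lab host (added example, not the project's own code)."""
import hashlib
import hmac
import os
import stat
import tempfile
from pathlib import Path

EXPECTED_CERTS = ("wg-ca.pem", "lab-host.pem", "lab-host.key")  # names from the checklist
EXPECTED_MODE = 0o640


def sha256_file(path):
    """Stream the file so multi-GB qcow2 images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_sha256):
    """True only if the file's SHA-256 equals the operator-supplied hex digest.
    A malformed expected value is rejected rather than silently accepted, and the
    compare is done with compare_digest so a short or partial value cannot match."""
    expected = expected_sha256.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def check_certs(cert_dir):
    """Return a list of problems with the mTLS cert directory; empty means OK."""
    problems = []
    for name in EXPECTED_CERTS:
        p = Path(cert_dir) / name
        if not p.is_file():
            problems.append(f"missing {name}")
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode != EXPECTED_MODE:
            problems.append(f"{name} mode {mode:04o}, expected {EXPECTED_MODE:04o}")
    return problems


def demo():
    """Constructed fixture: a fake image plus a cert dir with one file too open."""
    d = tempfile.mkdtemp()
    img = os.path.join(d, "metasploitable2.qcow2")
    Path(img).write_bytes(b"constructed image bytes, not a real qcow2")
    for name in EXPECTED_CERTS:
        Path(d, name).write_text("constructed\n")
        os.chmod(os.path.join(d, name), EXPECTED_MODE)
    os.chmod(os.path.join(d, "lab-host.key"), 0o644)  # deliberately wrong
    good = sha256_file(img)
    return {"match": verify_image(img, good), "tampered": verify_image(img, "0" * 64),
            "malformed": verify_image(img, "abc"), "cert_problems": check_certs(d)}
```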
Reference: bolyai/CIS490#8