
Vagrant up with ssh time out or hangs in "Configuring and enabling network interfaces" indefinitely for specific boxes #11553

Open
gubertoli opened this issue Apr 26, 2020 · 1 comment


@gubertoli

Hi all,

I am currently working on a testbed for security research. I created a private network with 2 subnets (10.10.10.x and 172.16.0.x) and two routers between those two subnets.

Private Network infrastructure:

attacker <-> router1 <-> router0 <-> target_subnet with server2, server1, target

When vagrant up is used with vanilla boxes of Debian (debian/jessie64) and Ubuntu (ubuntu/xenial64), the system comes up and runs smoothly.

But when I use two boxes for security purposes, Vagrant does not come up:

  • rapid7/metasploitable3-ub1404 -> the vagrant up hangs on trying to connect through ssh
  • kalilinux/rolling -> the vagrant up hangs on Configuring and enabling network interfaces

Current host configuration:

  • Ubuntu Linux 18.04.4 LTS
  • Vagrant 2.2.7
  • Virtualbox 6.1.6

What I already tried to make it work:

  • comment out any VM provision command
  • increase boot timeout
  • increase VM RAM memory
  • multiple runs of vagrant destroy -f; vagrant up
  • use auto_config: false for network
  • updated Virtualbox from 5.1 to 6.1.6

The working Vagrantfile follows (with the metasploitable and kali boxes commented out):

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|

  config.vm.synced_folder '.', '/vagrant', disabled: true
  config.vm.boot_timeout = 600

  # a server2 machine (target subnet)
  config.vm.define "server2" do |server2|
    server2.vm.box = "ubuntu/xenial64"
    server2.vm.hostname = "server2"
    server2.vm.network "private_network", ip: "10.10.10.12/24", virtualbox__intnet: "internal", nic_type: "virtio"
    server2.vm.provision "shell", run: "always", inline: "sudo ip route del default"
    server2.vm.provision "shell", run: "always", inline: "sudo ip route add default via 10.10.10.254"

    server2.vm.provider "virtualbox" do |vb|
      vb.name = "server2"
      vb.gui = false
      vb.memory = "512"
    end
  end

  # a server1 machine (target subnet)
  config.vm.define "server1" do |server1|
    server1.vm.box = "ubuntu/xenial64" 
    server1.vm.hostname = "server1"
    server1.vm.network "private_network", ip: "10.10.10.11/24", virtualbox__intnet: "internal", nic_type: "virtio"
    server1.vm.provision "shell", run: "always", inline: "sudo ip route del default"
    server1.vm.provision "shell", run: "always", inline: "sudo ip route add default via 10.10.10.254"

    server1.vm.provider "virtualbox" do |vb|
      vb.name = "server1"
      vb.gui = false
      vb.memory = "512"
    end
  end

  # the vuln machine (target subnet)
  config.vm.define "target" do |target|
    target.vm.box = "ubuntu/xenial64" #"rapid7/metasploitable3-ub1404"
    target.vm.hostname = "target"
    
    target.vm.network "private_network", ip: "10.10.10.10/24", virtualbox__intnet: "internal", nic_type: "virtio"
    target.vm.provision "shell", run: "always", inline: "sudo ip route del default"
    target.vm.provision "shell", run: "always", inline: "sudo ip route add default via 10.10.10.254"

    target.vm.provider "virtualbox" do |vb|
      vb.name = "target"
      vb.gui = false
      vb.memory = "1024"
    end
  end

  # the router 0 (between target subnet and router1)
  config.vm.define "router0"  do |router0|
    router0.vm.box = "debian/jessie64"
    router0.vm.hostname = "router0" 
    router0.vm.network "private_network", ip: "10.10.10.254/24", virtualbox__intnet: "internal", nic_type: "virtio"
    router0.vm.network "private_network", ip: "10.20.10.254/24", virtualbox__intnet: "routers", nic_type: "virtio"

    router0.vm.provision "shell", run: "always", inline: "sudo ip route add 172.16.0.0/24 via 10.20.10.253"
    router0.vm.provision "shell", inline: "sudo sysctl -w net.ipv4.ip_forward=1"
    router0.vm.provision "shell", inline: "echo [Router] Configuration done!"

    router0.vm.provider "virtualbox" do |vb|
      vb.name = "router0"
      vb.gui = false
      vb.memory = "512"
    end
  end

  # the router 1 (between attacker and router0)
  config.vm.define "router1"  do |router1|
    router1.vm.box = "debian/jessie64"
    router1.vm.hostname = "router1" 
    router1.vm.network "private_network", ip: "10.20.10.253/24", virtualbox__intnet: "routers", nic_type: "virtio"
    router1.vm.network "private_network", ip: "172.16.0.254/24", virtualbox__intnet: "external", nic_type: "virtio"

    router1.vm.provision "shell", run: "always", inline: "sudo ip route add 10.10.10.0/24 via 10.20.10.254"
    router1.vm.provision "shell", inline: "sudo sysctl -w net.ipv4.ip_forward=1"
    router1.vm.provision "shell", inline: "echo [Router] Configuration done!"

    router1.vm.provider "virtualbox" do |vb|
      vb.name = "router1"
      vb.gui = false
      vb.memory = "512"
    end
  end

  # the attacker machine
  config.vm.define "attacker" do |attacker|
    attacker.vm.box = "ubuntu/xenial64" #"kalilinux/rolling"
    attacker.vm.hostname = "attacker" 
    attacker.vm.network "private_network", ip: "172.16.0.2/24", virtualbox__intnet: "external", nic_type: "virtio"
    
    attacker.vm.provision "shell", run: "always", inline: "sudo ip route del default"
    attacker.vm.provision "shell", run: "always", inline: "sudo ip route add default via 172.16.0.254"

    attacker.vm.provider "virtualbox" do |vb|
      vb.gui = false
      vb.name = "attacker" 
      vb.memory = "1024"
    end
  end

end

Gist for the debug output:
https://gist.github.com/gubertoli/13567938d89818105347c3127f9f666e

Containing:

  • vagrant_kali.log - with the Kali box in Vagrantfile
  • vagrant_metasploitable.log - with the Metasploitable box in Vagrantfile

Could someone please help me understand the issue when using the Kali and/or Metasploitable boxes?

@gubertoli

Just a heads-up for Kali box, I just commented out the

, nic_type: "virtio"

and now Kali box is working.
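
The workaround from the follow-up comment, folded into a table-driven version of the lab definition, as an added example that is not part of the issue thread or the author's file. `NO_VIRTIO`, `LAB`, `net_opts` and `route_cmds` are hypothetical names; only the Kali box is listed because that is the only box the thread reports as fixed by dropping `nic_type: "virtio"`, and the target stays on the stock Ubuntu box.

```ruby
# Added example, not the issue author's file. Boxes that get no virtio NIC;
# only the Kali entry is backed by the follow-up comment in the thread.
NO_VIRTIO = ["kalilinux/rolling"].freeze

LAB = {
  "target" => { box: "ubuntu/xenial64", mem: 1024, nets: [["10.10.10.10/24", "internal"]],
                routes: ["del default", "add default via 10.10.10.254"] },
  "router0" => { box: "debian/jessie64", mem: 512, forward: true,
                 nets: [["10.10.10.254/24", "internal"], ["10.20.10.254/24", "routers"]],
                 routes: ["add 172.16.0.0/24 via 10.20.10.253"] },
  "router1" => { box: "debian/jessie64", mem: 512, forward: true,
                 nets: [["10.20.10.253/24", "routers"], ["172.16.0.254/24", "external"]],
                 routes: ["add 10.10.10.0/24 via 10.20.10.254"] },
  "attacker" => { box: "kalilinux/rolling", mem: 1024, nets: [["172.16.0.2/24", "external"]],
                  routes: ["del default", "add default via 172.16.0.254"] },
}.freeze

# Options for one private_network line; nic_type is set only where it is not excluded.
def net_opts(box, ip, intnet)
  opts = { ip: ip, virtualbox__intnet: intnet }
  opts[:nic_type] = "virtio" unless NO_VIRTIO.include?(box)
  opts
end

# Shell provisioner commands; sysctl -w does not persist, so it also runs on every boot.
def route_cmds(spec)
  cmds = spec[:routes].map { |r| "sudo ip route #{r}" }
  cmds << "sudo sysctl -w net.ipv4.ip_forward=1" if spec[:forward]
  cmds
end

if defined?(Vagrant) # true only when Vagrant loads this file as a Vagrantfile
  Vagrant.configure("2") do |config|
    config.vm.synced_folder ".", "/vagrant", disabled: true
    config.vm.boot_timeout = 600
    LAB.each do |name, spec|
      config.vm.define name do |m|
        m.vm.box = spec[:box]
        m.vm.hostname = name
        spec[:nets].each { |ip, net| m.vm.network "private_network", **net_opts(spec[:box], ip, net) }
        route_cmds(spec).each { |c| m.vm.provision "shell", run: "always", inline: c }
        m.vm.provider "virtualbox" do |vb| # scoped to this machine, not the global config
          vb.name = name
          vb.memory = spec[:mem]
        end
      end
    end
  end
end
```
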
