PWK-OSCP Prep, running the stock OffSec VMWare images in KVM for the Offensive Security Certified Professional Course

I started the journey into becoming a OSCP

Hello all, since last week I have decided to attempt to take the Penetration Testing with Kali Linux course and get my OSCP certification. The course starts at June 1st and I expect to pass by late August to early September.

Screenshot from 2019-05-22 19-21-09

Quirks with the official Offensive Security VMWare-only image files, and why you might consider converting it over to KVM

For those unfamiliar with the registration process, Offensive Security ultimately supplies you with their RECOMMENDED virtual machine images, which only comes in VMWare format. I personally tried out the VMWare Player 15 for Linux and found a annoying keymapping bug that kept it from being usable. Basically, a A becomes a /, or typing 2 returns a K and so on.

Another quirk, and the reason why I am writing this article, is that the VMWare images are multiple vmdk images and snapshots that are designed to be loaded specifically into VMWare Player via the vmx file. In order to create a compatible and bootable qcow2 image, you must recombine all these images and snapshots.

For that reason, I have opted to use KVM-QEMU as my preferred hypervisor instead of Offensive Security’s recommended VMWare Player 15.

The workaround

As a workaround, I managed to convert the multiple vmdk images into a simple KVM compatible qcow2 image. Documentation online was lacking until I realized how simple it is (and undocumented).

Basically, out of this entire list of vmdk files, there is a singular “index” file that will be the target of the qemu-img convert command. Ultimately what will happen, is that all of the other image files, which are simply snapshots and OffSec added updates, will get merged into a singular qcow2 image that is bootable in KVM.

First, unzip the official Penetration Testing with Kali Linux course file with 7zip.

Screenshot from 2019-05-22 19-06-31

Second, locate the index vmdk image and run this command on it

sudo qemu-img convert -f vmdk -O qcow2 OffsecVM-2018.3-20180821-cl2-000001.vmdk OffSecKVM.qcow2

Screenshot from 2019-05-22 19-08-52.png

This converts a vmdk format image file, pointing to the INDEX file, which automatically reads the files that it refers to in order to create the bootable KVM qcow2 image. This will take awhile as the image converter is taking into consideration every disk image referred to by the index file and every possible snapshot.

Third, load the qcow2 bootable image into KVM virt-manager GUI.

With the following parameters set. Assuming you have a quad-core processor with hyperthreading enabled, then you would have 8 logical cores, which means you can assign 2-4 logical cores into the VM. I recommend a minimum of 4096 MB of memory although I opted for 8192MB.

Take note of any special network interface changes in the linux distro

If you are in fact converting a very different VM instead), you will want to leave any

1. Customized /etc/network/interfaces settings
2. Network adapter settings
3. Other virtualized adapters detected

To DO NOT CONFIGURE. I seen this scenario happen in a vulnerable RedHat distribution that I downloaded on vulnhub. The only way to make the newly launched VM pingable was to ensure that any custom modifications on the VM’s networking settings and virtualized PCI devices for example, are left untouched.

However, the official OffSec VM for the course performs networking just fine. *Be mindful that any networking changes to do to the hypervisor or the guest should be done through virsh or otherwise they will not persist.

Note the architecture settings of the official OffSec VM

Screenshot from 2019-05-22 19-23-02

Now, you have the stock image to begin your Offensive Security courses with. Be mindful that the architecture in the image has been downgraded to i686 if you use the lscpu command, regardless of what parent architecture you selected via KVM. I believe the reasoning behind this is specifically for exploit code generation, specifically the buffer-overflow based vulnerabilities segment of the course.

Sure, you can write exploit code for x86_64/amd64 systems, but that involves using components such as the RIP pointer (instead of the EIP pointer), a RAX register (instead of a EAX register), and entirely diffierent instruction sets. For simplicity’s sake, I believe OffSec generated a i386 compatible VMWare image simply to better clarify and explain buffer overflow attacks using 32-bit instruction sets.

Enjoy your new KVM based Kali Linux image. Don’t forget to login to their private OpenVPN tunneled virtual labs to practice your penetration testing skills on.


If you are getting permission denied errors via the virt-manager GUI, please remember to chown to your current user (virt-manager is usually executed as your current logged in user if you pressed SUPER and typed in the search box virt-manager). You should have a centralized location for all of your qcow2 images. However, since I have two hard disks, one 256GB SSD and one 1TB hard disk, I elected to store all of my qcow2 images on the larger spinning hard disk instead of the standard /var/lib/libvirt/images directory.

be careful with the chown command, if you ran -R against / directory, you hosed your entire Linux install.

I recommend navigating directly to your folder containing your qcow2 images then running chmod -R user:user ./folder

chown -R ctlister:ctlister /$PATH/ofqcow2images

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s