Authorized Lab Environment

Metasploitable 2
Penetration Testing Lab

A comprehensive walkthrough of exploiting Metasploitable2 — an intentionally vulnerable Linux VM. Covers service enumeration, vulnerability exploitation, and privilege escalation across 9 attack surfaces.

9 Services Exploited
4 Root Shells Obtained
5 CVEs Leveraged
6 Tools Used

Lab Configuration

Target Machine: Metasploitable 2 (Intentionally Vulnerable Linux VM)
Attacker OS: Kali Linux (Host OS / Attacker Machine)
VM Software: VirtualBox (Host-only Adapter Network)
Network Isolation: Isolated Subnet (Attacker & Target on same subnet)
Tools: Nmap, Metasploit Framework, Hydra, Medusa, Netcat, Enum4linux, Telnet

Nmap Full Port Scan

bash
sudo nmap -sV -v -T5 -p- <target-ip>
[Screenshot: Full Nmap Service Scan — Metasploitable 2]
Open Ports — Metasploitable 2
Port     | Protocol   | Service       | Version          | Status
21/tcp   | FTP        | vsftpd        | 2.3.4            | Critical
22/tcp   | SSH        | OpenSSH       | 4.7p1 Debian     | High
23/tcp   | Telnet     | Linux telnetd |                  | High
25/tcp   | SMTP       | Postfix smtpd |                  | Medium
80/tcp   | HTTP       | Apache httpd  | 2.2.8            | High
139/445  | SMB        | Samba smbd    | 3.0.20           | Critical
3306/tcp | MySQL      | MySQL         | 5.0.51a-3ubuntu5 | High
5432/tcp | PostgreSQL | PostgreSQL    | 8.3.x            | Critical
3632/tcp | distccd    | GNU distccd   |                  | Critical

Service Modules

FTP — vsftpd 2.3.4
Severity: Critical
Port 21/tcp  ·  CVE-2011-2532
Backdoor injection in vsftpd triggers a root shell on port 6200 via a smiley-face username. No credentials needed.
Tools: Metasploit / Netcat

SSH — OpenSSH 4.7p1
Severity: High
Port 22/tcp  ·  Weak Credentials
Default credentials expose SSH access. Bruteforce via Medusa, then sudo privilege escalation to root.
Tools: Medusa / Hydra

Telnet — Linux telnetd
Severity: High
Port 23/tcp  ·  Default Credentials
Legacy plaintext protocol with default creds. Login as msfadmin and escalate to root via sudo.
Tools: Telnet / Hydra

SMTP — Postfix smtpd
Severity: Medium
Port 25/tcp  ·  Info Disclosure
SMTP banner and VRFY/EXPN commands expose valid system usernames without authentication.
Tools: Netcat / Metasploit

SMB — Samba 3.0.20
Severity: Critical
Port 139/445  ·  CVE-2007-2447
Username map script vulnerability allows unauthenticated remote code execution via a crafted username.
Tools: Metasploit

MySQL — 5.0.51a
Severity: High
Port 3306/tcp  ·  Default Credentials
MySQL accessible with empty/default root password. Full database access, credential extraction possible.
Tools: Metasploit / mysql

PostgreSQL — Trust Auth
Severity: Critical
Port 5432/tcp  ·  No-Password Auth
Trust authentication allows passwordless login. UDF exploitation via postgres_payload yields remote shell.
Tools: Metasploit

HTTP — Apache 2.2.8
Severity: High
Port 80/tcp  ·  Web App Vulns
Apache hosts DVWA, Mutillidae, phpMyAdmin — vulnerable to SQLi, XSS, command injection, and more.
Tools: Nikto / Burp Suite

distccd — GNU Compiler Daemon
Severity: Critical
Port 3632/tcp  ·  CVE-2004-2687
Misconfigured distcc daemon executes arbitrary commands without validation, leading to remote shell access.
Tools: Metasploit

About This Lab

This lab is a structured documentation platform for exploiting Metasploitable 2 — an intentionally vulnerable Linux machine designed for penetration testing practice. Every attack performed here was conducted in an isolated, controlled environment.

The documentation covers the full kill chain: reconnaissance → exploitation → privilege escalation, with screenshots, commands, and blue team mitigations for each service.

Ethical Disclaimer: All techniques demonstrated in this lab are performed on intentionally vulnerable systems in a controlled environment. This content is for educational purposes only. Never apply these techniques without explicit authorization.

Educational Use Only  ·  Isolated Lab Environment  ·  No Real Systems Targeted