Metasploitable2 Exploitation Walkthrough

Daniel-Caleb RonohDaniel-Caleb Ronoh
3 min read

Introduction

What is Metasploitable 2?

It’s a deliberately vulnerable virtual machine designed to help you practice your skills in a safe environment. Recently, I completed my first hands-on practice with Metasploitable 2, and today, I’m sharing my experience with FTP exploitation.

Step 1: Setting Up the Lab

Before diving into exploitation, I set up my lab environment. I used VirtualBox to run both Metasploitable 2 and Kali Linux. Kali Linux is the go-to operating system for penetration testers, packed with tools for every step of the hacking process. The crucial part was the network configuration (in which I’ll write another article about it) and here are some of the reasons for my setup:

  • Isolation: Using a host-only network isolates the VMs from your physical network, making it safer to practice penetration testing.

  • Communication: The host-only network allows Kali Linux and Metasploitable 2 to communicate with each other without exposing them to the external network.

  • Internet Access: NAT allows Kali Linux to access the internet for updates and additional tools, while Metasploitable 2 remains isolated.

After which I checked the IP address of my Metaspoitable machine using ifconfig .

Step 2: Scanning the Target

As any ethical hacker knows, reconnaissance is the first step to understanding a system’s vulnerabilities. To analyze Metasploitable 2, I used Nmap -basically helps you map out the target’s network and identify open ports and services.

I run the following command to give the service scan :
nmap -sV <Metasploitable_IP>

The scan revealed the services that are running . "This is going to be interesting," I thought.

We can now proceed and the real fun begins…

FTP Exploitation (Port 21):

First I decided to go the manual way - without the Metasploit Console.

I was able to login with the default credentials was able to access the machine.

Here We Go! using the Metasploit Framework.

Yes we can!

I searched for an exploit related to ‘vsftpd ’ and found one: exploit/unix/ftp/vsftpd_234_backdoor .

I loaded the exploit:

proceeded to set the target IP:
set RHOSTS <Metasploitable_IP>

and then ran

‘exploit’ or ‘run’.

And just like that, I had a shell on the target machine. We’ve gained access to the system!

Step 4: Post-Exploitation

With access to the system, I could now explore the files and directories. I found sensitive files, user credentials, and even a few scripts lying around. This is where the real danger lies—once an attacker gains access, they can do anything from stealing data to planting malware.

Conclusion

FTP exploitation on Metasploitable 2 was an eye-opening experience. It taught me how simple misconfigurations can lead to serious security breaches. As I continue my journey into ethical hacking, I’m reminded of the importance of staying vigilant and continuously learning.

What’s next? In my next blog, I’ll dive into a different service and show you how to exploit it. Stay tuned, and as always, Remember to be Ethical! or else these guys will be at your doorstep.

#ftpexploitation #metasloitable2 #

0
Subscribe to my newsletter

Read articles from Daniel-Caleb Ronoh directly inside your inbox. Subscribe to the newsletter, and don't miss out.

metasploitable2ftpnmapmetasploit frameworkmetasploitMsfconsole

Written by

Daniel-Caleb Ronoh
Daniel-Caleb Ronoh