Metasploitable1-Penetration Test Report


🎯 Report Objective
This report documents all phases of the penetration testing process performed on the vulnerable machine Metasploitable 1. It includes:
🛠️ The tools and techniques used in each phase.
🔎 Analysis of the discovered vulnerabilities.
🔐 A breakdown of how root access was obtained.
🧾 General Information
Target Machine: Metasploitable-1
Operating System: Ubuntu 8.04
Difficulty Level: Beginner to Intermediate
Target IP: 192.168.84.132
Attacker IP (Kali): 192.168.84.131
Network Setup: All machines are connected to the same NAT network (internal LAN).
🧰 Tools Used: nmap, msfconsole, nikto, smbclient, searchsploit, enum4linux, telnet, etc.
First, let's make sure we're on the same network, since I put all the machines on one LAN network (NAT).
The IP of the attack machine (Kali):
🧭 Phase 1: Discovery
🔹 Discover active devices:
sudo netdiscover -r 192.168.84.0/24
nmap -sn 192.168.84.0/24
-sn: Scan without port detection (Ping Scan only)
192.168.84.0/24: Scan the entire Class C network (256 IP addresses)
📌 Results: 5 live devices confirmed:
192.168.84.1
192.168.84.2
192.168.84.132 ✅ Possible Target
192.168.84.131
192.168.84.254
Device 192.168.84.132 appears in both netdiscover and nmap, which makes it likely the target device.
Step 3: Scan for open services and ports on the target
🔹 Tool: nmap ✅ Command:
nmap -p- -sV -T5 -O IP-Target | tee Kiopxrix.txt
Analyzing open port scan results :
| Port | Service | Version | Initial Notes |
|---|---|---|---|
| 21 | FTP | ProFTPD 1.3.1 | Known for vulnerabilities |
| 22 | SSH | OpenSSH 4.7p1 | Probably won't be exploited initially |
| 23 | Telnet | Linux telnetd | Open, can be tried with default privileges |
| 25 | SMTP | Postfix smtpd | Can be exploited or guessed |
| 53 | DNS | ISC BIND 9.4.2 | Has old vulnerabilities |
| 80 | HTTP | Apache 2.2.8 + PHP 5.2.4 | Very important web gateway |
| 139/445 | Samba | smbd 3.X - 4.X | Very exploitable |
| 3306 | MySQL | 5.0.51a | Try connecting without a password |
| 3632 | distccd | v1 | Contains a known vulnerability (CVE-2004-2687) |
| 5432 | PostgreSQL | 8.3.x | Highly likely without a password |
| 8009 | AJP13 | Apache JServ | Targeting it later with Tomcat |
| 8180 | HTTP | Tomcat/JSP engine | Vulnerable (sometimes very strongly) |
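The same inventory can be produced from the text file that `tee` saves and checked against an exposure policy. This is an added example, not part of the original report: the sample lines are constructed from the table above (the closed-port line is invented to show the skip case), and the `POLICY` notes and function names are hypothetical.

```python
import re

# Constructed sample in nmap's normal-output layout (what `tee` writes to the
# text file); service names and versions follow the table above.
SAMPLE_SCAN = """\
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         ProFTPD 1.3.1
23/tcp   open   telnet      Linux telnetd
80/tcp   open   http        Apache 2.2.8
111/tcp  closed rpcbind
445/tcp  open   netbios-ssn Samba smbd 3.X - 4.X
3306/tcp open   mysql       MySQL 5.0.51a
3632/tcp open   distccd     distccd v1
5432/tcp open   postgresql  PostgreSQL 8.3.x
8009/tcp open   ajp13       Apache JServ
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Hypothetical hardening policy: nmap service name -> why it should not be
# reachable from a general-purpose LAN segment.
POLICY = {
    "ftp": "cleartext credentials; replace with SFTP",
    "telnet": "cleartext credentials; replace with SSH",
    "mysql": "database listener; bind to localhost or firewall it",
    "postgresql": "database listener; bind to localhost or firewall it",
    "distccd": "build daemon; restrict to trusted build hosts",
    "ajp13": "Tomcat connector; only the front-end web server needs it",
    "netbios-ssn": "SMB; disable anonymous access and limit to file clients",
}

def parse_scan(text):
    """Return one dict per open port found in nmap normal output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group(3) != "open":
            continue  # header, blank, closed or filtered lines
        services.append({"port": int(m.group(1)), "proto": m.group(2),
                         "service": m.group(4), "version": (m.group(5) or "").strip()})
    return services

def triage(services):
    """Pair each open service with the policy note that applies, if any."""
    return [(s["port"], s["service"], POLICY[s["service"]])
            for s in services if s["service"] in POLICY]

if __name__ == "__main__":
    print(*triage(parse_scan(SAMPLE_SCAN)), sep="\n")
```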
Phase 2: Enumeration – Gathering Information from Open Services
We'll test each open service one by one and see if we can benefit from it:
1. We will start with FTP – Port 21 (ProFTPD 1.3.1):
- The FTP service does not allow anonymous login. ❌ This means that it is currently impossible to access files via FTP without valid credentials.
2. Next, Telnet – Port 23:
The service is operating normally on port 23.
I tried using the same value for the password as the username I entered.
The login prompt is visible, and the user is asked for a username and password.
The usernames I tried (anonymous, root, admin) did not work, and some caused the connection to be dropped after incorrect attempts.
3. SMB (Samba) – Port 139, 445
✅ Check anonymous sharing :
🧾 Available shares:
print$ => Disk Printer Driver => Mostly unimportant.
tmp => Disk Oh noes! => Very interesting
opt => Disk (uncommented) => We might find additional files in it.
IPC$ => IPC: Internal connection, usually without files => Sometimes used to execute commands.
ADMIN$ => IPC: Same as above, may request permissions => We probably won't be able to connect to it anonymously.
Let's start by reviewing the important shares, and we'll start with tmp because it contains an interesting comment: oh noes! :
Advanced Scan :
The workgroup name of the target machine is WORKGROUP. This is common in SMB setups, especially in older Windows/SMB environments.
grep "^user:": Displays all accounts/users present on the victim system.
rid is the relative identifier, the part of the SID that Windows/Samba systems use to identify a user within a domain.
### ✅ Summary from enum4linux:
Domain Name : WORKGROUP
OS Info : Samba 3.0.20-Debian on Linux Ubuntu 8.04
Users Enumerated :
- root => The highest-authority user on the system (key to control)
- msfadmin => A user
- mysql => Indicates the presence of a MySQL database
- postgres
- tomcat55
- distccd
- service
Samba Shares :
- `tmp`: Listing OK, Write: No
- `opt`: Access Denied
Password Policy
- Minimum length: 5
- Complexity: Disabled
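On the defensive side, the anonymous share listing and user enumeration summarized above map to a handful of standard `smb.conf` options. The audit below is an added example, not part of the original report: the configuration text is constructed for illustration (it is not the target's real file) and `audit_smb_conf` is a hypothetical helper.

```python
import configparser

# Constructed smb.conf for illustration; not the target's real configuration.
SAMPLE_CONF = """\
[global]
workgroup = WORKGROUP
map to guest = Bad User
; restrict anonymous is unset, so Samba uses its default of 0

[tmp]
comment = oh noes!
path = /tmp
guest ok = yes
read only = yes

[opt]
path = /opt
guest ok = no
"""

def audit_smb_conf(text):
    """Return (section, finding) pairs for settings that permit anonymous use."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}
    # 0 = user/group lists returned to anyone, 1 = authenticated users only,
    # 2 = no anonymous connections at all (smb.conf(5)).
    if int(glob.get("restrict anonymous", "0")) < 2:
        findings.append(("global", "anonymous sessions allowed (restrict anonymous < 2)"))
    if glob.get("map to guest", "never").lower() != "never":
        findings.append(("global", "failed logins can fall back to the guest account"))
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        # 'public' is a documented synonym for 'guest ok'
        guest = share.get("guest ok", share.get("public", "no"))
        if guest.lower() in ("yes", "true", "1"):
            findings.append((name, "share readable without a password (guest ok)"))
    return findings

if __name__ == "__main__":
    print(*audit_smb_conf(SAMPLE_CONF), sep="\n")
```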
4. Website Analysis (HTTP):
Apache/2.2.8 and PHP/5.2.4-2ubuntu5.10 => very old and outdated versions, containing known vulnerabilities => Excellent for exploitation
phpinfo.php exposed => allows the collection of sensitive information about the system such as paths and server environment => It can be used to collect information before exploitation.
Open it in the browser: you will find more valuable information that can be used this way:
🎯 Phase 3: Exploitation
We will begin by focusing on the most exploitable services, which are:
Use searchsploit :
The vulnerability is already present in Metasploit tools :
✅ Steps to exploit the vulnerability using Metasploit
Open msfconsole
1. I wrote in msfconsole:
2. Use the exploit module:
3. Adjust basic settings:
4. Run the exploit:
Confirm the exploit. Change the root password :
Try logging in using root username and password :
username : root
pass : AS
So remember:
💬 "Control the code, and you control the world."
From a simple scan to full root access — it’s all about understanding the system deeply, step by step.
Abdelwahab Shandy
See You Soon
Written by

Abdelwahab Shandy