Cybersecurity Lab

Metasploit Exploitation Lab

Exploited Metasploitable2 using Metasploit Framework — attempted VSFTPD 2.3.4 backdoor (unsuccessful) and successfully achieved root access via the Samba Usermap Script vulnerability.

Completed2026Intermediate

Objective

Practice controlled exploitation using Metasploit modules against an intentionally vulnerable target, document methodology, and understand why some exploits succeed while others fail.

Tools Used

Metasploit FrameworkKali LinuxMetasploitable2Nmap

Steps Performed

  • Ran Nmap service detection (`nmap -sV 192.168.128.2`) to identify 21 open ports including FTP (vsftpd 2.3.4) and SMB (Samba).
  • Launched Metasploit Framework and searched for the VSFTPD 2.3.4 backdoor module.
  • Selected `exploit/unix/ftp/vsftpd_234_backdoor`, set RHOSTS to 192.168.128.2, and ran the exploit — no shell was established.
  • Searched for Samba modules and selected `exploit/multi/samba/usermap_script`.
  • Set RHOSTS and LHOST (192.168.128.4), executed the exploit, and received a command shell session.
  • Performed post-exploitation: ran `whoami` (output: root), `uname -a`, and `cat /etc/passwd`.

Key Findings

  • VSFTPD 2.3.4 backdoor exploit did not establish a shell session against this target.
  • Samba Usermap Script (`exploit/multi/samba/usermap_script`) successfully provided unauthenticated root-level access.
  • Post-exploitation confirmed identity as root on Linux metasploitable 2.6.24-16-server.
  • 21 open ports identified via Nmap including legacy services: vsftpd 2.3.4, Apache 2.2.8, MySQL 5.0.51a, UnrealIRCd, and a bindshell on port 1524.

Screenshots

Nmap -sV scan — 21 open ports identified
Nmap -sV scan — 21 open ports identified
msfconsole launched
msfconsole launched
VSFTPD 2.3.4 — search and module setup
VSFTPD 2.3.4 — search and module setup
VSFTPD exploit — no session created
VSFTPD exploit — no session created
Samba usermap_script — shell session opened
Samba usermap_script — shell session opened
Post-exploitation: whoami=root, /etc/passwd
Post-exploitation: whoami=root, /etc/passwd

Evidence Files

Lessons Learned

  • Not every exploit succeeds — documenting failures is as important as documenting successes.
  • Samba Usermap Script demonstrates how misconfigured legacy services lead to full system compromise.
  • Post-exploitation steps (whoami, uname -a, /etc/passwd) establish evidence of access for reporting.

Future Improvements

  • Test additional Metasploitable2 service exploits (UnrealIRCd, ProFTPD, Java RMI).
  • Practice privilege escalation from a limited shell rather than starting with root.

References

  • Metasploit Unleashed documentation
  • CVE details for VSFTPD 2.3.4 and Samba Usermap Script
  • Rapid7 exploit database