Metasploitable 2 Walkthrough by TirexV2

TirexV2
4 min read · May 8, 2024


Metasploitable 2 is a test environment that provides a secure place to perform penetration testing and security research. For your test environment, you need a Metasploit instance that can access a vulnerable target. The following sections describe the requirements and instructions for setting up a vulnerable target.

0. Starting Target Machine:

“We fire up the target machine locally and log in with msfadmin / msfadmin as user and password.

We use ifconfig to discover the target IP.”

1. Scanning with Nmap:

“We will employ Nmap to uncover the active services running on the target machine.”

nmap 192.168.194.130 -sC -sV -Pn -oN scan.txt

[Screenshots: Nmap output, parts 1 to 3]
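As an added example that is not part of the original post, the following Python script parses the normal-format (-oN) output of a scan like the one above and flags the exposures the later sections build on: the vsftpd 2.3.4 version, anonymous FTP, and a reachable SSH service. The scan text embedded below is constructed sample data, not the author's scan.txt.

```python
import re

# Constructed sample of `nmap -oN` output, shaped like the walkthrough's scan.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap 192.168.194.130 -sC -sV -Pn -oN scan.txt
Nmap scan report for 192.168.194.130
Host is up (0.00041s latency).
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
"""

# Matches port lines such as "21/tcp   open  ftp     vsftpd 2.3.4"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_normal(text):
    """Return one dict per port line: port, proto, state, service, version, scripts."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append({"port": int(m.group(1)), "proto": m.group(2),
                             "state": m.group(3), "service": m.group(4),
                             "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and services:
            # NSE script lines ("|_ftp-anon: ...") belong to the preceding port.
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services


def triage(services):
    """Return (port, finding) pairs for the exposures a defender should fix first."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        if s["service"] == "ftp" and s["version"].startswith("vsftpd 2.3.4"):
            findings.append((s["port"], "vsftpd 2.3.4 backdoor (CVE-2011-2523): upgrade or remove"))
        if any(x.startswith("ftp-anon: Anonymous FTP login allowed") for x in s["scripts"]):
            findings.append((s["port"], "anonymous FTP login enabled: disable unless intentional"))
        if s["service"] == "ssh":
            findings.append((s["port"], "SSH exposed: enforce key auth and lockout against wordlist logins"))
    return findings


if __name__ == "__main__":
    for port, msg in triage(parse_nmap_normal(SAMPLE_SCAN)):
        print(f"{port}: {msg}")
```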

2. FTP Exploit:

“Based on our Nmap scan, it appears that numerous ports are currently open. We noticed that ftp-anon is enabled.”

[Screenshot: anonymous FTP login]

“We will try to check what we can find with that info.”

“It seems useless for us, so we will try to brute-force the FTP credentials using Hydra with a SecLists wordlist.”

[Screenshot: Hydra run with output file]

“Our output file Hydra.txt shows us the successful login credentials, which are msfadmin / msfadmin.”

“Let’s log in to FTP now:”

“Using ls -la we found a bunch of files and directories, and we noticed a juicy directory named .ssh, so we navigated into it. We downloaded the files to our local machine to analyze them.”

“In our Nmap scan, we observed something noteworthy. The FTP software on our target machine is vsftpd 2.3.4, which is vulnerable to CVE-2011-2523. After a quick search in Exploit-DB, we found exploit/unix/ftp/vsftpd_234_backdoor.”

“We configured the module using the show options command to discover the parameters and set to edit them. RHOST refers to the remote host.”

“We received a successful session in our console. As you can see, we have root privileges.”

3. SSH Exploit:

“Nmap shows us that the SSH service is active on port 22, so let’s try to mess with it.”

“After a quick search in Exploit-DB, we found CVE-1999-0502, “SSH - User Code Execution (Metasploit)”.”

“So we used auxiliary/scanner/ssh/ssh_login. As you can see below, we used a custom user and password list. We configured PASS_FILE and USER_FILE with the full paths of the lists using set PASS_FILE and set USER_FILE.”

bingo!!

4. Privilege escalation:

“After obtaining our session, we can proceed to navigate within it.”

“So we are identified as “msfadmin”, but we don’t have root privileges, so we will try to discover the SUID binaries with find / -perm -u=s -type f 2>/dev/null.”

“We have su (switch user), so let’s check GTFOBins for su.”

“Let’s try sudo su.”

“It worked perfectly, and we switched to root.”
