Share
## https://sploitus.com/exploit?id=8CF13E33-51D3-5F36-AD18-C851C5733B2D
# Network / System Penetration Test โ€” Metasploitable 2

![Type](https://img.shields.io/badge/engagement-VAPT-7d1128)
![Target](https://img.shields.io/badge/target-Metasploitable%202-orange)
![Focus](https://img.shields.io/badge/focus-system%20%2F%20host%20exploitation-444)
![ATTACK](https://img.shields.io/badge/mapped-MITRE%20ATT%26CK-blue)
![License](https://img.shields.io/badge/license-MIT-green)

A full **system/host penetration test** of **Metasploitable 2**, taken end-to-end:
reconnaissance โ†’ exploitation (real root shells) โ†’ post-exploitation โ†’ professional reporting with
prioritized remediation **and blue-team detection rules**.

> **Authorized & ethical.** All testing was performed against a **self-hosted Metasploitable 2
> container** deployed specifically for this assessment. No third-party or production system was
> touched. Metasploitable 2 is a deliberately-insecure host built for exactly this purpose.

---

## What is Metasploitable 2?

[Metasploitable 2](https://docs.rapid7.com/metasploit/metasploitable-2/) is Rapid7's intentionally
vulnerable Linux host, the standard lab for practising **network and system exploitation** โ€” old
services, default credentials, and backdoors that allow full root compromise. Where the
[Juice Shop engagement](https://github.com/dkeeno/web-app-pentest-juice-shop) focuses on the *web*
layer, this one covers the *host / network service* layer.

---

## Engagement overview

| | |
|---|---|
| **Target** | Metasploitable 2 (self-hosted container) |
| **Type** | Network / system penetration test (full exploitation) |
| **Scope** | Single in-scope host (strictly enforced โ€” out-of-scope targets auto-refused) |
| **Authorization** | Self-owned lab |
| **Conduct** | Every active action scope-gated and recorded to a tamper-evident audit log |
| **Result** | **Root compromise achieved 3 independent ways** + unauthenticated control of 2 databases |

---

## Attack path

```mermaid
flowchart LR
  K[Attacker / Kali] --> R["Reconnmap -sV ยท 19+ services"]
  R --> S["Samba usermap_scriptCVE-2007-2447"]
  R --> I["ingreslock 1524root bind shell"]
  R --> MY["MySQL rootblank password"]
  R --> PG["PostgreSQLpostgres:postgres"]
  S --> ROOT[("ROOT shell")]
  I --> ROOT
  MY --> DB[("All databases")]
  PG --> DB
  ROOT --> EX["/etc/shadowroot hash exfiltrated"]
```

---

## Findings

| # | Severity | Finding | Mapping |
|---|---|---|---|
| 1 | ๐Ÿ”ด Critical | **Samba `usermap_script` RCE โ†’ Metasploit root shell** | CVE-2007-2447 ยท [01](./findings/01-samba-usermap-rce.md) |
| 2 | ๐Ÿ”ด Critical | **ingreslock (1524) root bind shell** | CWE-1188 ยท [02](./findings/02-ingreslock-root.md) |
| 3 | ๐Ÿ”ด Critical | **MySQL root, blank password** (all DBs) | CWE-1188 ยท [03](./findings/03-mysql-blank-root.md) |
| 4 | ๐Ÿ”ด Critical | **PostgreSQL default creds** (postgres:postgres) | CWE-1392 ยท [04](./findings/04-postgres-default-creds.md) |
| 5 | ๐ŸŸ  High | End-of-life services with known backdoors (vsftpd 2.3.4, UnrealIRCd, โ€ฆ) | CVE-2011-2523 ยท [05](./findings/05-eol-services.md) |
| 6 | ๐ŸŸ  High | Vulnerable web apps + WebDAV exposed (DVWA, phpMyAdmin, โ€ฆ) | A05/A06 ยท [06](./findings/06-exposed-webapps.md) |
| 7 | ๐ŸŸ  High | Post-ex: root password hash exfiltrated (offline-crackable) | CWE-916 |
| 8 | ๐ŸŸก Medium | Cleartext/legacy services (telnet, r-services, VNC) | CWE-319 |
| 9 | ๐ŸŸก Medium | Tomcat manager interface exposed (8180) | CWE-1392 |
| 10 | โšช Info | Excessive attack surface (19+ services) | โ€” |

### MITRE ATT&CK techniques observed

| Tactic | Technique |
|---|---|
| Initial Access / Execution | **T1190** Exploit Public-Facing Application (Samba, ingreslock) |
| Credential Access | **T1078** Valid Accounts (MySQL/PostgreSQL defaults) ยท **T1003** OS Credential Dumping (/etc/shadow) |
| Collection | **T1213** Data from Information Repositories (databases) |
| Discovery | **T1046/T1083** Network Service & File Discovery |
| Defense-relevant | **T1040** Network Sniffing (cleartext services) |

---

## Repository contents

```
.
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ reports/        # exploitation + recommendations PDFs
โ”œโ”€โ”€ findings/       # per-vulnerability write-ups (root cause, CVSS, mappings, fix, detection)
โ”œโ”€โ”€ evidence/       # sanitized proof-of-concept captures
โ””โ”€โ”€ detections/     # blue-team Sigma rules + SIEM queries for each exploit  โ† differentiator
```

- ๐Ÿ“„ **[Exploitation Report (PDF)](./reports/Metasploitable2_Exploitation-Report.pdf)**
- ๐Ÿ“„ **[Recommendations (PDF)](./reports/Metasploitable2_Recommendations.pdf)**
- ๐Ÿ“‚ **[findings/](./findings)** ยท ๐Ÿ“‚ **[evidence/](./evidence)** ยท ๐Ÿ“‚ **[detections/](./detections)**

---

## Blue-team detection (defense, not just offense)

Beyond offense, this repo ships **[detection content](./detections)** so a defender can *catch* each
attack: **Sigma rules** + SIEM/log queries for the Samba `usermap` exec, ingreslock root-shell
connections, and default-credential database logins. Every finding write-up also includes a
**Detection** section. Turning exploitation into actionable defense is the deliverable clients pay for.

---

## Key remediation themes

1. **Rebuild from a trusted, patched image** โ€” an end-of-life host with root backdoors is decommissioned, not patched.
2. **Eliminate default/blank credentials** โ€” MySQL/PostgreSQL/Tomcat; enforce strong unique secrets.
3. **Patch/replace end-of-life software** โ€” Samba, vsftpd, UnrealIRCd, Apache, OpenSSH.
4. **Minimize attack surface** โ€” run only required services; firewall + segment everything else.
5. **Drop cleartext services** โ€” SSH instead of telnet/r-services; VNC only over VPN.

---

## Skills demonstrated

- Full-kill-chain network/system penetration testing (recon โ†’ exploit โ†’ root โ†’ post-ex)
- Real exploitation: **Metasploit sessions**, manual root shells, default-credential DB takeover, offline hash cracking
- MITRE ATT&CK / CVE / CVSS / OWASP-aligned analysis and reporting
- **Blue-team detection engineering** (Sigma + SIEM) as a paired deliverable
- Disciplined, scope-gated, auditable engagement conduct

---

## Legal & ethical note

Conducted on a **self-owned, deliberately-vulnerable** lab for educational/portfolio purposes.
**Never** test systems you do not own or lack **explicit written authorization** to test.