Share
## https://sploitus.com/exploit?id=8CF13E33-51D3-5F36-AD18-C851C5733B2D
# Network / System Penetration Test โ Metasploitable 2





A full **system/host penetration test** of **Metasploitable 2**, taken end-to-end:
reconnaissance โ exploitation (real root shells) โ post-exploitation โ professional reporting with
prioritized remediation **and blue-team detection rules**.
> **Authorized & ethical.** All testing was performed against a **self-hosted Metasploitable 2
> container** deployed specifically for this assessment. No third-party or production system was
> touched. Metasploitable 2 is a deliberately-insecure host built for exactly this purpose.
---
## What is Metasploitable 2?
[Metasploitable 2](https://docs.rapid7.com/metasploit/metasploitable-2/) is Rapid7's intentionally
vulnerable Linux host, the standard lab for practising **network and system exploitation** โ old
services, default credentials, and backdoors that allow full root compromise. Where the
[Juice Shop engagement](https://github.com/dkeeno/web-app-pentest-juice-shop) focuses on the *web*
layer, this one covers the *host / network service* layer.
---
## Engagement overview
| | |
|---|---|
| **Target** | Metasploitable 2 (self-hosted container) |
| **Type** | Network / system penetration test (full exploitation) |
| **Scope** | Single in-scope host (strictly enforced โ out-of-scope targets auto-refused) |
| **Authorization** | Self-owned lab |
| **Conduct** | Every active action scope-gated and recorded to a tamper-evident audit log |
| **Result** | **Root compromise achieved 3 independent ways** + unauthenticated control of 2 databases |
---
## Attack path
```mermaid
flowchart LR
K[Attacker / Kali] --> R["Reconnmap -sV ยท 19+ services"]
R --> S["Samba usermap_scriptCVE-2007-2447"]
R --> I["ingreslock 1524root bind shell"]
R --> MY["MySQL rootblank password"]
R --> PG["PostgreSQLpostgres:postgres"]
S --> ROOT[("ROOT shell")]
I --> ROOT
MY --> DB[("All databases")]
PG --> DB
ROOT --> EX["/etc/shadowroot hash exfiltrated"]
```
---
## Findings
| # | Severity | Finding | Mapping |
|---|---|---|---|
| 1 | ๐ด Critical | **Samba `usermap_script` RCE โ Metasploit root shell** | CVE-2007-2447 ยท [01](./findings/01-samba-usermap-rce.md) |
| 2 | ๐ด Critical | **ingreslock (1524) root bind shell** | CWE-1188 ยท [02](./findings/02-ingreslock-root.md) |
| 3 | ๐ด Critical | **MySQL root, blank password** (all DBs) | CWE-1188 ยท [03](./findings/03-mysql-blank-root.md) |
| 4 | ๐ด Critical | **PostgreSQL default creds** (postgres:postgres) | CWE-1392 ยท [04](./findings/04-postgres-default-creds.md) |
| 5 | ๐ High | End-of-life services with known backdoors (vsftpd 2.3.4, UnrealIRCd, โฆ) | CVE-2011-2523 ยท [05](./findings/05-eol-services.md) |
| 6 | ๐ High | Vulnerable web apps + WebDAV exposed (DVWA, phpMyAdmin, โฆ) | A05/A06 ยท [06](./findings/06-exposed-webapps.md) |
| 7 | ๐ High | Post-ex: root password hash exfiltrated (offline-crackable) | CWE-916 |
| 8 | ๐ก Medium | Cleartext/legacy services (telnet, r-services, VNC) | CWE-319 |
| 9 | ๐ก Medium | Tomcat manager interface exposed (8180) | CWE-1392 |
| 10 | โช Info | Excessive attack surface (19+ services) | โ |
### MITRE ATT&CK techniques observed
| Tactic | Technique |
|---|---|
| Initial Access / Execution | **T1190** Exploit Public-Facing Application (Samba, ingreslock) |
| Credential Access | **T1078** Valid Accounts (MySQL/PostgreSQL defaults) ยท **T1003** OS Credential Dumping (/etc/shadow) |
| Collection | **T1213** Data from Information Repositories (databases) |
| Discovery | **T1046/T1083** Network Service & File Discovery |
| Defense-relevant | **T1040** Network Sniffing (cleartext services) |
---
## Repository contents
```
.
โโโ README.md
โโโ reports/ # exploitation + recommendations PDFs
โโโ findings/ # per-vulnerability write-ups (root cause, CVSS, mappings, fix, detection)
โโโ evidence/ # sanitized proof-of-concept captures
โโโ detections/ # blue-team Sigma rules + SIEM queries for each exploit โ differentiator
```
- ๐ **[Exploitation Report (PDF)](./reports/Metasploitable2_Exploitation-Report.pdf)**
- ๐ **[Recommendations (PDF)](./reports/Metasploitable2_Recommendations.pdf)**
- ๐ **[findings/](./findings)** ยท ๐ **[evidence/](./evidence)** ยท ๐ **[detections/](./detections)**
---
## Blue-team detection (defense, not just offense)
Beyond offense, this repo ships **[detection content](./detections)** so a defender can *catch* each
attack: **Sigma rules** + SIEM/log queries for the Samba `usermap` exec, ingreslock root-shell
connections, and default-credential database logins. Every finding write-up also includes a
**Detection** section. Turning exploitation into actionable defense is the deliverable clients pay for.
---
## Key remediation themes
1. **Rebuild from a trusted, patched image** โ an end-of-life host with root backdoors is decommissioned, not patched.
2. **Eliminate default/blank credentials** โ MySQL/PostgreSQL/Tomcat; enforce strong unique secrets.
3. **Patch/replace end-of-life software** โ Samba, vsftpd, UnrealIRCd, Apache, OpenSSH.
4. **Minimize attack surface** โ run only required services; firewall + segment everything else.
5. **Drop cleartext services** โ SSH instead of telnet/r-services; VNC only over VPN.
---
## Skills demonstrated
- Full-kill-chain network/system penetration testing (recon โ exploit โ root โ post-ex)
- Real exploitation: **Metasploit sessions**, manual root shells, default-credential DB takeover, offline hash cracking
- MITRE ATT&CK / CVE / CVSS / OWASP-aligned analysis and reporting
- **Blue-team detection engineering** (Sigma + SIEM) as a paired deliverable
- Disciplined, scope-gated, auditable engagement conduct
---
## Legal & ethical note
Conducted on a **self-owned, deliberately-vulnerable** lab for educational/portfolio purposes.
**Never** test systems you do not own or lack **explicit written authorization** to test.