## https://sploitus.com/exploit?id=CCC532AA-0515-56ED-85B3-ABECFA3454C4
# Lab 01: Vulnerable Linux Reconnaissance + Enumeration + Remote Code Execution
 
**Date:** June 6, 2026  
**Objective:** Exploit a vulnerable Linux target (Metasploitable) using network reconnaissance, service enumeration, and Metasploit framework to achieve remote code execution and system information gathering.

---

## Overview

This lab demonstrates a complete attack chain against a vulnerable Linux system (Metasploitable). The target was identified through network scanning, vulnerable services were enumerated, and the distcc service was exploited to gain remote code execution with root privileges. Post-exploitation included system reconnaissance and credential harvesting.

**Target:** Metasploitable 2  
**Vulnerability:** distcc Remote Code Execution (CVE-2004-2687)  
**Impact:** Complete system compromise with root access

---

## Folder Structure

```text
Lab01-VulnLinux-FirstAttack/
├── README.md                 # This report
├── commands.txt              # All commands executed
├── notes.md                  # Lab notes and observations
├── outputs/                  # Command output logs
└── screenshots/              # Attack phase screenshots
```

---

## Reconnaissance

### Network Connectivity Test

Initial connectivity was verified to the target system.

![Ping](screenshots/01-ping.png)

### Lab Setup

Directories were created to organize the penetration test data and maintain structured documentation.

![Create Folders](screenshots/02-create-folders.png)

![Home Directory Listing](screenshots/03-home-directory-listing.png)

![CD into Lab Folder](screenshots/04-cd-into-lab-folder.png)

---

## Enumeration

### Initial Network Scan

A rapid Nmap scan was performed to identify open ports and running services on the target.

![Nmap Initial](screenshots/05-nmap-initial.png)

**Key Findings:**
- Multiple vulnerable services detected
- distcc service running on port 3632
- Multiple other exploitable services identified

### Full Service Enumeration

A comprehensive Nmap scan with version detection and script scanning was executed to gather detailed service information.

![Nmap Full](screenshots/06-nmap-full.png)

**Services Identified:**
- SSH (22)
- Telnet (23)
- SMTP (25)
- DNS (53)
- HTTP (80)
- POP3 (110)
- IMAP (143)
- distcc (3632) - **VULNERABLE**
- VNC (5900)

---

## Exploitation

### Vulnerability Research

The distcc service (distributed C compiler) was identified as vulnerable to remote code execution. A search in the Metasploit Framework located the appropriate exploit module.

![MSF Search distcc](screenshots/07-msf-search-distcc.png)

**Exploit Module:** `exploit/unix/misc/distcc_exec`  
**CVE:** CVE-2004-2687  
**Description:** distcc allows remote attackers to execute arbitrary commands via shell metacharacters

### Exploit Configuration

The exploit module was loaded and configured with the target IP address.

![MSF Use Exploit](screenshots/08-msf-use-exploit.png)

### Remote Code Execution

The exploit was successfully executed, yielding a remote shell with root privileges on the target system.

![MSF RCE ID](screenshots/09-msf-rce-id.png)

**Result:** Successful RCE as root (UID 0)

---

## Post-Exploitation Reconnaissance

### System Information Gathering

#### User Identification

![MSF whoami](screenshots/11-msf-whoami.png)

**User:** root

#### Operating System Details

![MSF uname](screenshots/10-msf-uname.png)

**Output:** Linux metasploitable 2.6.39-xenU #1 SMP Mon May 7 10:45:01 EDT 2012 i686 GNU/Linux

#### Current Working Directory

![MSF pwd](screenshots/15-msf-pwd.png)

**Directory:** /tmp/distccd

#### Root Directory Listing

![MSF ls root](screenshots/12-msf-ls-root.png)

#### Home Directory Contents

![MSF ls home](screenshots/16-msf-ls-home.png)

### Credential Harvesting

#### /etc/passwd File

![MSF etc passwd](screenshots/13-msf-etc-passwd.png)

**System Users Identified:**
- root
- daemon
- bin
- sys
- sync
- games
- man
- lp
- mail
- news
- uucp
- proxy
- www-data
- backup
- list
- irc
- gnats
- msfadmin
- mysql
- postgres
- tomcat
- distccd

### System State Analysis

#### Hostname Resolution

![MSF hostname](screenshots/14-msf-hostname.png)

**Target Hostname:** metasploitable

#### Running Processes

![MSF ps aux](screenshots/17-msf-ps-aux.png)

**Key Processes:**
- Apache web server
- PostgreSQL database
- MySQL database
- Samba file sharing
- vsftpd FTP server
- OpenSSH server

#### Network Connections

![MSF netstat](screenshots/18-msf-netstat.png)

**Listening Services:**
- TCP/22 (SSH)
- TCP/23 (Telnet)
- TCP/25 (SMTP)
- TCP/53 (DNS)
- TCP/80 (HTTP)
- TCP/110 (POP3)
- TCP/143 (IMAP)
- TCP/3632 (distcc) - EXPLOITED
- TCP/5900 (VNC)

#### Environment Variables

![MSF env](screenshots/19-msf-env.png)

**Notable Variables:**
- PATH configured for system binaries
- Shell environment accessible for command execution

---

## Attack Chain Summary

```text
1. RECONNAISSANCE
   └─ Ping target to verify connectivity
2. ENUMERATION
   ├─ Initial nmap scan to identify open ports
   ├─ Full nmap scan with service version detection
   └─ Identified distcc service on port 3632
3. EXPLOITATION
   ├─ Searched Metasploit Framework for distcc exploits
   ├─ Located exploit/unix/misc/distcc_exec
   ├─ Configured exploit with target IP
   └─ Executed exploit → Remote shell as root
4. POST-EXPLOITATION
   ├─ System information gathering (id, uname, hostname)
   ├─ File system reconnaissance (ls, pwd)
   ├─ Credential harvesting (/etc/passwd)
   ├─ Process enumeration (ps aux)
   ├─ Network state analysis (netstat)
   └─ Environment variable inspection (env)
5. IMPACT
   └─ Complete system compromise with root privileges
```

---

## Lessons Learned

### What Worked
- **Service version enumeration** provided precise vulnerability identification
- **Metasploit Framework** simplified exploit development and delivery
- **Automated exploitation** reduced manual payload crafting requirements
- **Systematic post-exploitation** yielded comprehensive system intelligence

### Key Takeaways
1. **Outdated services are dangerous** - distcc had unpatched RCE vulnerabilities
2. **Version detection is critical** - enabled precise targeting of known CVEs
3. **Root execution is game-over** - immediate access to all system resources
4. **Post-exploitation intel** is valuable for lateral movement and persistence planning

### Detection Gaps
- No firewall rules restricted access to the distcc service (TCP/3632)
- No intrusion detection system flagged the exploit traffic or its execution
- No logging captured the commands executed through the distcc RCE
- No host-based security monitoring observed the unauthorized root activity
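As an added defensive example that is not part of the original lab: a small Python decoder for the distcc request format that a host-based monitor or IDS could apply to traffic captured on TCP/3632, flagging jobs whose argv[0] is not a compiler or whose arguments carry shell metacharacters. The sample requests, the compiler allowlist and the metacharacter set are constructed for this example.

```python
import re

# distcc wire format: a sequence of tokens, each a 4-letter name followed by an
# 8-hex-digit value; for ARGV and DOTI the value is the byte length of the
# payload that follows. A legitimate job looks like a compiler invocation.
COMPILERS = {"gcc", "cc", "g++", "c++", "clang", "clang++"}   # assumed allowlist
METACHARS = set(";|&`$<>()\n")                                # assumed set

def parse_tokens(data: bytes):
    """Decode distcc request tokens into (name, value, payload) triples."""
    pos, out = 0, []
    while pos + 12 <= len(data):
        name = data[pos:pos + 4].decode("ascii", "replace")
        try:
            value = int(data[pos + 4:pos + 12], 16)
        except ValueError:          # not hex: stop decoding a malformed stream
            break
        pos += 12
        payload = b""
        if name in ("ARGV", "DOTI"):
            payload = data[pos:pos + value]
            pos += value
        out.append((name, value, payload))
    return out

def check_request(data: bytes):
    """Return a list of findings for one distcc request; empty means benign."""
    findings = []
    argv = [p.decode("utf-8", "replace") for n, _, p in parse_tokens(data) if n == "ARGV"]
    if not argv:
        return ["no ARGV tokens (malformed request)"]
    prog = argv[0].rsplit("/", 1)[-1]          # basename of the requested program
    if prog not in COMPILERS:
        findings.append(f"argv[0] is not a compiler: {argv[0]!r}")
    for i, arg in enumerate(argv):
        if METACHARS & set(arg):
            findings.append(f"shell metacharacters in argv[{i}]: {arg!r}")
    return findings

def encode_request(argv):
    """Build a distcc request from argv (used only to construct the samples)."""
    body = b"DIST00000001" + b"ARGC%08x" % len(argv)
    for a in argv:
        enc = a.encode()
        body += b"ARGV%08x" % len(enc) + enc
    return body

# Constructed samples, not captures from the lab target.
BENIGN = encode_request(["gcc", "-c", "main.c", "-o", "main.o"])
SUSPICIOUS = encode_request(["sh", "-c", "id; uname -a"])

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, check_request(req) or "OK")
```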

---

## Next Steps - Lab 02

**Planned Progression:**

1. **Windows Server Exploitation** - Gain experience with Windows-based vulnerabilities and exploitation techniques
2. **Active Directory Enumeration** - Learn domain structure, user accounts, and privilege levels
3. **Privilege Escalation** - Advance from initial access to administrative privileges
4. **Lateral Movement** - Move between systems within the network
5. **Persistence Mechanisms** - Establish persistent access for long-term control
6. **Log Evasion** - Understand detection avoidance and forensic countermeasures

---

## Tools & Technologies

- **Kali Linux** - Penetration testing distribution
- **Nmap** - Network reconnaissance and port scanning
- **Metasploit Framework** - Exploitation framework and payload delivery
- **distcc** - Vulnerable target service
- **Bash/Shell** - Command execution and post-exploitation

---

## References

- **CVE-2004-2687** - distcc Remote Code Execution
- **Metasploitable 2** - Intentionally vulnerable Linux distribution for lab training
- **MITRE ATT&CK Framework** - Exploitation and post-exploitation techniques

---

**Lab Status:** ✅ Complete  
**Exploitation Success:** ✅ Root Access Achieved  
**Documentation:** ✅ Full Attack Chain Documented