metasploitable2 - Demonstrating Common Vulnerabilities


This article has no technical content, it is only used to demonstrate common vulnerabilities (I'm bored and organizing notes)

Regarding metasploitable2, Rapid 7 has not maintained it for a long time

So two guys designed their own metasploitable3 that cannot directly exploit vulnerabilities

I will also demonstrate it later, but such a classic target machine should leave some records even if it is not updated

Target machine download link

Reference article:

Demonstration of Common Vulnerabilities#

Metasploitable2 Vulnerability List:

  1. Weak password vulnerability (such as vnc, mysql, PostgreSQL, etc.)
  2. Samba MS-RPC Shell Command Injection Vulnerability
  3. Vsftpd Source Package Backdoor Vulnerability
  4. UnreallRCd Backdoor Vulnerability
  5. Linux NFS Shared Directory Configuration Vulnerability
  6. Java RMI SERVER Command Execution Vulnerability
  7. Tomcat Management Console Default Password Vulnerability
  8. Root User Weak Password Vulnerability (SSH Brute Force)
  9. Distcc Backdoor Vulnerability
  10. Samba sysmlink Default Configuration Directory Traversal Vulnerability
  11. PHP CGI Parameter Injection Execution Vulnerability
  12. Druby Remote Code Execution Vulnerability
  13. Ingreslock Backdoor Vulnerability
  14. Rlogin Backdoor Vulnerability

Samba MS-RPC Shell Command Injection Vulnerability#

Vulnerability Cause: Passing unfiltered user input provided through MS-RPC to call externally defined scripts using /bin/sh, in smb.conf, allowing remote command execution.

Use search usermap to search for attack modules


Set the rhosts parameter, which is the IP of the target machine

Here's a little trick, since the following vulnerabilities also require setting this parameter, we use setg

You can set global parameters within the same session of opening msf


After obtaining the shell, there will be no echo, just output the command



Vsftpd Source Package Backdoor Vulnerability#

Vulnerability Cause: In a specific version of the vsftpd server program, malicious code is maliciously implanted. When the username ends with ":)", the server will listen on port 6200 and can execute any malicious code.

Use search vsftp to search for available attack modules


Set the attack parameters



UnreallRCd Backdoor Vulnerability#

Vulnerability Cause: UNreallRCd distributed on certain mirror sites between November 2009 and June 2010 contains malicious code introduced externally in the DEBUG3_DOLOG_SYSTEM macro, allowing remote attackers to execute arbitrary code. Use search unreal to search for attack modules

Use search unreal to search for vulnerability modules



End of this article.

Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.