Metasploitable VM is vulnerable by design Linux box provided by Rapid7 to practice Metasploit framework. You can download it from vulnhub. I used Kali box and VMWare Player for this exercise also made sure that both VMs are set to host-only.
Now the purpose of Metasploitable is to find a way to root the box, and there are number of ways to do that, but it depends on your approach. It took me 3 exploits to r00t the box and am gona go thru all of them in the following section.
Fire up nmap to see what we have here.
Well, you can see there is a lot you can go after over here but am gona go with the easiest just because I’m lazy.
I’ll go after distccd v1 even though I don’t really know what it does. so I fired metasploit and searched for distccd and I was able to get shell with daemon privilege.
However, we’re shooitng for r00t.
Next, I looked for postgres exploits and found one with excellent rating but you’d have to have username n password so I fired up Metasploit postgres login scanner and got hit on postgres:postgres, and then used it to exploit.
Again no rØØt shell. On to the next one.
Looked for all Samba exploits with excellent and Linux filter which lead me to usermap_script and BOOM! I got r00t shell.
Finally decided to copy shadow and passwd hashes and give it a try, below are the list of usernames and passwords that John the Ripper cracked.