Pentesting Vulnerabilities in Metasploitable (part 1)

In this series of articles we demonstrate how to discover & exploit some of the intentional vulnerabilities within the Metasploitable pentesting target.

In our previous article on How To install Metasploitable we covered the creation and configuration of a Penetration Testing Lab. This setup included an ‘attacker’ using Kali Linux and a ‘target’ using the Linux-based Metasploitable. Both operating systems were a Virtual Machine (VM) running under VirtualBox.

Using this environment we will demonstrate a selection of exploits using a variety of tools from within Kali Linux against Metasploitable V2. For further details beyond what is covered within this article, please check out the Metasploitable 2 Exploitability Guide.

Pentesting Lab

Here is a brief outline of the environment being used:

  • VirtualBox: version 6.1
  • Kali Linux:
    • VM version = Kali Linux 2020.4, AMD64
    • Kernel release = 5.9.0-kali1-amd64
    • IP address =
    • Login = kali/kali
  • Metasploitable:
    • VM version = Metasploitable 2, Ubuntu 64-bit
    • Kernel release = 2.6.24-16-server
    • IP address =
    • Login = msfadmin/msfadmin

NFS Service vulnerability

First we need to list what services are visible on the target:

Performing a port scan to discover the available services using the Network Mapper ‘nmap‘.

This shows that NFS (Network File System) uses port 2049 so next let’s determine what shares are being exported:

Showing the NFS server’s export list with the command ‘showmount’.

The ‘showmount’ command tells us that the root ‘/’ of the file system is being shared. Next we can mount the Metasploitable file system so that it is accessible from within Kali:

Creating a local folder, mounting the NFS share, then listing the folders & files on the target’s root file system.

This is an example of a configuration problem that allows a lot of valuable information to be disclosed to potential attackers.

FTP Server backdoor

The vulnerability being demonstrated here is how a backdoor was incorporated into the source code of a commonly used package, namely ‘vsftp’. The FTP server has since been fixed but here is how the affected version could be exploited:

The ‘telnet’ tool was not available on our Kali Linux VM so the package indexes had to be updated before ‘telnet’ could be installed.

In the previous section we identified that the FTP service was running on port 21, so let’s try to access it via ‘telnet’:

‘telnet’ is used to activate the backdoor. The made-up username needs to be followed by ‘:)’ and after inputting a made-up password press Enter then ‘^]’ ( control + ] ) followed by ‘quit’ to exit.
‘telnet’ can can be used to validate that the backdoor service has been opened on port 6200.
‘telnet’ is can now be used to access the target and Linux commands can be executed at will. Note that each command needs to be suffixed by the ‘;’ character. To exit use ^] then ‘quit’.

This vulnerability can also be exploited using the Metasploit framework using the VSFTPD v2.3.4 Backdoor Command Execution.

Web Application vulnerabilities

There are a number of intentionally vulnerable web applications included with Metasploitable. Here we examine Mutillidae which contains the OWASP Top Ten and more vulnerabilities.

Mutillidae has the following features:

  • Setting the Security Level from 0 (completely insecure) through to 5 (secure).
  • Setting 3 levels of hints from 0 (no hints) to 3 (maximum hints).
  • A ‘Reset DB’ button in case the application gets damaged during attacks and the database needs reinitializing.

Understanding Mutillidae

Let’s begin by pulling up the Mutillidae homepage:

The Mutillidae web application homepage in a Firefox browser on Kali Linux.

Notice that the Security Level is set to 0, Hints is also set to 0, and that the user is not Logged In. These are the default statuses which can be changed via the Toggle Security and Toggle Hints buttons.

Information about each OWASP vulnerability can be found under the menu on the left:

Vulnerabilities information via the OWASP Top 10 menu.

Attempting an exploit

For our first example we have Toggled Hints to ‘1’ and selected the ‘A1- Injection -> SQLi – Bypass Authentication -> Login’ vulnerability:

Hints on how to exploit the Login through the Bypassing Authentication method.

Trying the SSL Injection method of entering “‘ OR 1=1 — ” into the Name field, as described in the hints, gave the following errors:

Warning: Cannot modify header information - headers already sent by (output started at /var/www/mutillidae/process-login-attempt.php:97) in /var/www/mutillidae/index.php on line 148

Warning: Cannot modify header information - headers already sent by (output started at /var/www/mutillidae/process-login-attempt.php:97) in /var/www/mutillidae/index.php on line 254

Warning: Cannot modify header information - headers already sent by (output started at /var/www/mutillidae/process-login-attempt.php:97) in /var/www/mutillidae/index.php on line 255

Warning: Cannot modify header information - headers already sent by (output started at /var/www/mutillidae/process-login-attempt.php:97) in /var/www/mutillidae/index.php on line 256

This turns out to be due to a minor, yet crucial, configuration problem that impacts any database related functionality.

Fixing Mutillidae

Here is the resolution to this problem:

  • Within Metasploitable edit the following file via command:
    • sudo vi /var/www/mutillidae/
    • sudo nano /var/www/mutillidae/
  • Next change the following line then save the file:
    • $dbname = ‘metasploit’
    • $dbname = ‘owasp10’
  • In Kali Linux bring up the Mutillidae web application in the browser as before and click the ‘Reset DB’ button to re-initialize the database.
  • Restart the web server via the following command:
    • sudo /etc/init.d/apache2 restart

Back on the Login page try entering the following SQL Injection code with a trailing space into the Name field:

  • ‘ OR 1=1 —

The Login should now work successfully without having to input a password! This is Bypassing Authentication via SQL Injection. Effectively what happens is that the Name validation is made to always be true by closing off the field with a single quote and using the OR operator. The two dashes then comment out the remaining Password validation within the executed SQL statement.

Mutillidae has numerous different types of web application vulnerabilities to discover and with varying levels of difficulty to learn from and challenge budding Pentesters.

Note: Metasploitable comes with an early version of Mutillidae (v2.1.19) and reflects a rather out dated OWASP Top 10. For a more up-to-date version visit:

This version will not install on Metasploitable due to out-of-date packages so best to load it onto a Linux VM such as Kali or Ubuntu.

Have you used Metasploitable to practice Penetration Testing? Do you have any feedback on the above examples? If so please share your comments below.

Leave a Reply