
Metasploitable 3 Walkthrough - Advanced Penetration Testing

The document is a walkthrough for Metasploitable 3, focusing on advanced penetration testing techniques using tools like Nmap, Metasploit, Hydra, and SQLmap. It details the exploitation of vulnerabilities in services such as ProFTPD and Apache, demonstrating methods like remote code execution and SQL injection. The conclusion emphasizes the importance of vulnerability scanning and software updates to protect against potential attacks.

Uploaded by

jooy bk
3/7/25, 4:43 PM Metasploitable 3 Walkthrough: Advanced Penetration Testing


Metasploitable 3 Walkthrough: Penetration Testing (Part 1)



January 3, 2025

Metasploitable3 is an updated version of Metasploitable2, developed to provide a more realistic
environment for practicing advanced penetration testing techniques. This version introduces new
vulnerabilities and services, offering a broader range of challenges for ethical hackers and security
enthusiasts. Let’s explore what makes this version different and its key features!

Network Discovery
Let’s start by scanning the network with Nmap.

Nmap (Network Mapper) is a tool used to discover hosts, services, and vulnerabilities, and it’s one of the
essential tools for hackers and security workers.

sudo nmap -sV -sS 10.0.2.6

-sS: Stealth scan (SYN scan), detects open ports without completing the TCP handshake, making it
faster and stealthier

-sV: Detects the version of services running on open ports.

https://blog.securelayer7.net/metasploitable-3-walkthrough/ 1/8
This command is a quick scan targeting 10.0.2.6 to identify open ports and service versions. It focuses
on commonly used ports, not all 65,535 ports.

Note: This quick scan does not cover all 65,535 ports. Since this is just a walkthrough and not an in-
depth exploitation, a more comprehensive scan might be explored in a future series.

The Exploitation process


Port 21 ProFTPD 1.3.5
The first vulnerability is on port 21. Accessing this port shows that ProFTPD 1.3.5 contains a
remote code execution (RCE) vulnerability via the mod_copy module, which allows attackers to execute
code on the server, as demonstrated below.

Manual Exploitation
First, connect to the port with telnet 10.0.2.6 21 (telnet is a command-line interface for
communicating with remote devices or servers over a TCP/IP network), and then send site cpfr /etc/passwd
SITE: Initiates a server-specific command.

CPFR: Indicates the file to copy from (in this case, /etc/passwd).

The second command has the form SITE CPTO /path/to/destination; here, site cpto
/var/www/html/test.php overwrites the test.php file.

test.php has now been overwritten with the content of the /etc/passwd file,
as shown in the picture below:


With Metasploit

Set the options as in the picture below.

Then run the exploit.
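
From the defender's side, the SITE CPFR / SITE CPTO pair used above is visible in the FTP command log. The following is an added example, not code from the original walkthrough: it flags copy pairs issued before login or written into a web root. The log format (an ExtendedLog with the LogFormat shown in the comment), the sample lines, the `WEB_ROOTS` value and the function name are assumptions made for illustration.

```python
import re

# Constructed sample, assuming ExtendedLog with LogFormat "%h %l %u %t \"%r\" %s"
# ("-" in the user field means the session has not logged in).
SAMPLE_LOG = """\
10.0.2.15 UNKNOWN - [03/Jan/2025:10:01:07 +0000] "SITE CPFR /etc/passwd" 350
10.0.2.15 UNKNOWN - [03/Jan/2025:10:01:19 +0000] "SITE CPTO /var/www/html/test.php" 250
10.0.2.20 UNKNOWN alice [03/Jan/2025:10:05:00 +0000] "RETR report.pdf" 226
10.0.2.20 UNKNOWN alice [03/Jan/2025:10:06:11 +0000] "SITE CPFR /home/alice/a.txt" 350
10.0.2.20 UNKNOWN alice [03/Jan/2025:10:06:12 +0000] "SITE CPTO /home/alice/b.txt" 250
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<code>\d{3})'
)
COPY_RE = re.compile(r'^SITE\s+(CPFR|CPTO)\s+(.+)$', re.IGNORECASE)
WEB_ROOTS = ("/var/www/",)  # assumption: directories the web server serves


def find_mod_copy_abuse(log_text):
    """Return a finding for each completed CPFR/CPTO pair that looks abusive."""
    pending = {}   # client host -> source path of its last accepted CPFR
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        c = COPY_RE.match(m["cmd"]) if m else None
        if not c:
            continue
        verb, path, host = c.group(1).upper(), c.group(2).strip(), m["host"]
        if verb == "CPFR" and m["code"] == "350":      # 350: source accepted
            pending[host] = path
        elif verb == "CPTO" and m["code"] == "250" and host in pending:
            reasons = []
            if m["user"] == "-":
                reasons.append("copy before login")
            if path.startswith(WEB_ROOTS):
                reasons.append("destination in web root")
            if reasons:
                findings.append({"host": host, "time": m["ts"],
                                 "src": pending[host], "dst": path,
                                 "reasons": reasons})
            del pending[host]
    return findings


if __name__ == "__main__":
    for f in find_mod_copy_abuse(SAMPLE_LOG):
        print(f)
```

Where SITE CPFR/CPTO is not needed, not loading mod_copy removes these commands from the server entirely.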

Apache httpd 2.4.7


Payroll_app
The Payroll app has a UNION-type SQL injection vulnerability in its login page.

As the picture below shows, manipulating the password parameter reveals the SQL injection.

So let’s pass the request to sqlmap, specifying the level and the risk, and marking the injection point by adding
an asterisk (“*”) to the password, which is the vulnerable parameter as seen in Burp Suite Repeater.

Using the Sqlmap tool

sqlmap -r req.txt --dbms="MySQL" --level=1 --risk=1 --dump --output-dir=output --batch

As the following picture:


--dbms: This specifies the target DBMS (Database Management System). In this case, SQLMap is
instructed that the database is MySQL.

--level=1: Defines the intensity of tests to perform. Level 1 is the lowest intensity, focusing on basic SQL
injection tests.

--risk=1: This defines the risk factor associated with the tests SQLMap will conduct. Risk 1 is the least
aggressive and is generally used to avoid causing damage to the target system.

--dump: This option instructs SQLMap to dump (extract) the database content.

--output-dir=output: This specifies the directory where the results of the SQL injection tests will be
saved.

--batch: This option runs SQLMap in batch mode, meaning it will automatically answer any prompts
without requiring user interaction.

The output was users.csv, which contained the following:

I have tried this user on SSH and it’s valid; I have accounts on the server.

Some of them are valid users, using Hydra.


phpMyAdmin
This is an authentication vulnerability; the phpMyAdmin password was provided in the
wiki.

Explaining the bug

Set the options: the port, which was 80, and the TARGETURI /phpmyadmin/, with the username
and the password root:sploitme

Set them as in the picture below and run the exploit. As we see, we got a Meterpreter shell.

Drupal
Next is /drupal/


After running directory fuzzing:

A file that contains the version of Drupal:

I tried all the modules related to this version, but I realized it was a rabbit hole: it wasn’t 7.5,
because when I tried Nmap scanning it was a version before 7.5. It was vulnerable to CVE-2014-3704,
which affected only versions before 7.32.

With Metasploit, I found the drupageddon module for this CVE.


After running the exploit, we got a shell, as in the picture below.

Conclusion
This Metasploitable 3 walkthrough – Part 1 highlights practical penetration testing techniques. Using
tools like Nmap, Metasploit, Hydra, and SQLmap, we explored vulnerabilities in services like ProFTPD,
Apache, and the Payroll app. By exploiting issues such as remote code execution and SQL injection, we
demonstrated how attackers could gain access to systems. Tools like Telnet and Metasploit helped
automate the process, while Hydra was used to brute-force SSH passwords. Overall, this exercise shows
the importance of scanning for vulnerabilities and keeping software up to date to protect against
attacks.

Read: Metasploitable 3 Walkthrough: Penetration Testing (Part 2)

© 2025 SecureLayer7. All Rights Reserved.