Performed authorized exploitation testing against an intentionally vulnerable Metasploitable 2 system using Metasploit Framework in an isolated VirtualBox lab.
The assessment focused on the exposed DistCC service. After identifying the vulnerable service, I selected and configured the appropriate Metasploit exploit, executed it against the target, and successfully obtained command access.
All testing was performed against an intentionally vulnerable system in a controlled and authorized lab environment.
- Virtualization: Oracle VirtualBox
- Firewall and router: pfSense
- Attacker: Kali Linux
- Target: Metasploitable 2
- Exploitation tool: Metasploit Framework
- Vulnerable service: DistCC
- Target IP:
192.168.2.200
- Verify network connectivity to the vulnerable target
- Identify the exposed DistCC service
- Search for an appropriate Metasploit exploit
- Configure the target and exploit settings
- Execute the exploit
- Confirm successful command access
- Evaluate the security impact
- Document appropriate remediation
- Started Kali Linux, pfSense, and Metasploitable 2.
- Verified connectivity between Kali Linux and the target.
- Identified the exposed DistCC service during service enumeration.
- Opened Metasploit Framework.
- Selected the DistCC remote command-execution exploit.
- Configured the remote target address.
- Executed the exploit.
- Confirmed successful command access to the Metasploitable system.
- Documented the evidence, security impact, and remediation recommendations.
The exposed DistCC service allowed remote command execution from the attacking system.
Successful exploitation demonstrated that an attacker could execute unauthorized commands on the vulnerable server. Depending on the privileges of the affected service, this could lead to:
- Unauthorized system access
- Data theft or modification
- Malware installation
- Privilege escalation
- Lateral movement
- Complete compromise of the vulnerable system
The screenshot demonstrates successful exploitation of the vulnerable DistCC service and command access to the target system.
- Remove or disable DistCC when it is not operationally required
- Restrict access to the DistCC service using firewall rules
- Do not expose DistCC to untrusted networks
- Upgrade or replace vulnerable and outdated software
- Apply current security patches
- Use network segmentation to isolate vulnerable services
- Monitor systems for unauthorized command execution
- Perform follow-up vulnerability scans after remediation
- Metasploit Framework operation
- Exploit selection and configuration
- Vulnerability validation
- Network service enumeration
- Remote command execution testing
- Linux command-line usage
- Security-impact analysis
- Remediation planning
- Authorized penetration-testing methodology
This project was completed solely for educational and portfolio purposes in a controlled cybersecurity lab. No public systems or unauthorized targets were tested.
