Metasploitable 2 – Compromise: rlogin

One of the simplest compromises of the Metasploitable box.

We can see from the nmap results:

513/tcp   open  login?

Nessus also detected the use of rlogin:

High (7.5) 10205 rlogin Service Detection

At this stage we don’t have any info on possible accounts on the Metasploitable box but it probably likely that there is a ‘root’ account.

As such we can try the following command and see what we get:

rlogin -l root
  • -l: user to login as


So we are prompted for a password – a good sign the root account is valid.

But there is actually more to this than the above suggests.

I am using a fresh install of Kali 2 and the rsh-client is not installed by default. So lets install it with:

apt-get install rsh-client


Now lets try that original rlogin command once more:

rlogin - compromise

Bingo… we’re in, and with root access no less.