Metasploitable 2 – Compromise: Root Shell

Remember our Nmap results? (

One of the entries in there was listed as follows:

1524/tcp  open  shell       Metasploitable root shell

This is probably one of the simplest Metasploitable vulns. There is a root shell open on the box, lets see if we can connect to it with telnet

telnet 1524

  • Telnet <dest_IP> <dest_Port>


Metasploitable root login

Surprisingly we are connected to the shell without being prompted for credentials.

A quick check with ‘whoami’ and ‘hostname’ commands confirms we are root and on the metasploitable box.



Metasploitable 2 – Compromise: UnrealIRC

Lets take a look at this Nmap result in more detail:

6667/tcp  open  irc         UnrealIRCd

Nessus results also show some details here:

Critical (10.0) 46882 UnrealIRCd Backdoor Detection

Worth checking to see if Metasploit has a module we can use here. Fire up Metasploit with:


And lets do a search for any hits on ‘unrealirc’:

search unrealirc


Great we have a hit, lets choose this exploit:

use exploit/unix/irc/unreal_ircd_3281_backdoor


We now need to configure it. To see what’s required, use:

show options


Lets set our target (using our Metasploitable IP address) with:


Once done you can run ‘show options’ again to confirm it looks good:


Now lets see if it works by typing ‘run’



Be aware that you may not get much feedback even if the exploit is successful.

Try typing ‘hostname’ as above and see what comes back. As you can see the exploit was successful, we have root access to the metasploitable box once more.