After my OffSec PWK lab time ran out, I’m working on exploiting vulnerabilities without using Metasploit (beyond exploit/multi/handler) in preparation for the OSCP exam.
Port 22, SSH:
Debian OpenSSL – Predictable PRNG Bruteforce SSH Exploit https://www.exploit-db.com/exploits/5720/
Note: I had to run this exploit multiple times before it found the right key. I found a blog post that gave Metasploitable2’s root key, which worked. That key was in the key directory and it works to log in, but the exploit wasn’t finding it. After some searching I read a blog post about pwnOS by g0tM1lk that says it sometimes fails to find the key.
After running this exploit for the third time it finally found the key and printed the command to run to SSH into Metasploitable2 as root without a password.
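The defender's side of the same weakness is checking whether any key a host trusts or serves is one of the predictable Debian OpenSSL keys (CVE-2008-0166). The following is an added example, not code from this post or from the exploit-db entry: it computes the MD5 fingerprint of each key in an authorized_keys or host-key file and matches its trailing 80 bits against a blacklist in the layout used by Debian's openssh-blacklist files (one 20-hex-char fingerprint suffix per line, `#` comments), which is an assumption about that format. The keys and the blacklist below are constructed for the demo; they are not the real weak-key data.

```python
import base64
import hashlib
import struct


def ssh_blob(key_type: bytes, *fields: bytes) -> bytes:
    """Encode an SSH wire-format public key blob (length-prefixed strings)."""
    return b"".join(struct.pack(">I", len(p)) + p for p in (key_type, *fields))


def md5_fingerprint(pubkey_line: str) -> str:
    """Return the 32-hex-char MD5 fingerprint of one authorized_keys/host-key line.

    The line may start with options such as from="10.0.0.1"; the base64 blob
    is the field that follows the key type.
    """
    fields = pubkey_line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")):
            return hashlib.md5(base64.b64decode(fields[i + 1])).hexdigest()
    raise ValueError("no SSH public key found in line")


def load_blacklist(text: str) -> set:
    """Parse a blacklist file: one fingerprint suffix per line, '#' lines ignored."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}


def find_weak_keys(keyfile_text: str, blacklist: set) -> list:
    """Return (line number, full fingerprint) for every key whose last 80 bits are blacklisted."""
    hits = []
    for lineno, line in enumerate(keyfile_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fp = md5_fingerprint(line)
        if fp[-20:] in blacklist:  # 20 hex chars = trailing 80 bits of the fingerprint
            hits.append((lineno, fp))
    return hits


# Constructed sample keys (fake modulus/exponent bytes, only the encoding is real).
_EXP = b"\x01\x00\x01"
WEAK_KEY = "ssh-rsa " + base64.b64encode(ssh_blob(b"ssh-rsa", _EXP, b"\x00" + bytes(range(1, 65)))).decode() + " root@constructed-weak"
SAFE_KEY = 'from="10.0.0.1" ssh-rsa ' + base64.b64encode(ssh_blob(b"ssh-rsa", _EXP, b"\x00" + bytes(range(64, 0, -1)))).decode() + " user@constructed-safe"
# Constructed blacklist: lists only WEAK_KEY's suffix so the match is demonstrable offline.
SAMPLE_BLACKLIST = "# constructed blacklist, not Debian's openssh-blacklist data\n" + md5_fingerprint(WEAK_KEY)[-20:] + "\n"

if __name__ == "__main__":
    for lineno, fp in find_weak_keys(WEAK_KEY + "\n" + SAFE_KEY + "\n", load_blacklist(SAMPLE_BLACKLIST)):
        print(f"line {lineno}: blacklisted key, fingerprint {fp}")
```

On a real host, point the same function at /etc/ssh/ssh_host_*_key.pub and each user's authorized_keys with the distribution's blacklist files, or use ssh-vulnkey where it is still packaged.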