Port 22, SSH:
Debian OpenSSL - Predictable PRNG Bruteforce SSH Exploit https://www.exploit-db.com/exploits/5720/
Note: I had to run this exploit multiple times before it found the right key. I found a blog post that gave Metasploitable2's root key that worked. That key was in the key directory, it works to login, but the exploit wasn't finding it. After some searching I read a blog post about pwnos by g0tM1lk that says sometimes it fails to find the key.
After running this exploit for the third time if finally finds the key and prints the command to run to ssh to Metasploitable2 as root without password.