To download Metasploitable 2, go here and fill out the form from their link to download the VM. This is directly from the Rapid 7 website:
https://docs.rapid7.com/metasploit/metasploitable-2/

Same as the Kali VM, we are going to unzip the contents to a folder in your host machine. The important file to note is the .vmdk file

Go to VirtualBox and click on “New” configure as in the below screenshot and make sure to select the folder path where the active VM will reside on your host machine.

Keep hitting the next button, just keep the default settings until you get to this screen where you must select a .vmdk file, select the Metasploitable.vmdk file from previous screenshot and hit next until you finish.

You will now see both your Kali box and Metasploitable box on the VirtualBox list.

Same as previous, you must add Metasploitable 2 onto the same NatNetwork as your kali box in order for both to communicate with each other.

Now, save the settings and hit “Start” to run Metasploitable 2.

The login to access this box is msfadmin:msfadmin

You should now have access to the machine.

Next make sure to run ifconfig and get the target IP. We will be using this on our Kali machine to test access to the Metasploitable box.

NOTE: If the 192.* subnet does not appear, it’s possible you need to go to the network settings and disable any other network adaptors connected to the Metasploitable 2 machine.

Test Connection

Run the following ping command to see if you receive a response back and confirm you can now reach the Metasploitable machine:

ping -c 4 Metasploitable_IP_address