Share
## https://sploitus.com/exploit?id=B3AA53A0-8EAE-5155-8522-10639CF382EF
# Internal Host VAPT Assessment | Kali Linux + Metasploitable2

This repository documents a full vulnerability assessment and penetration testing project conducted against a simulated internal Linux host in an isolated virtual lab environment. The project was designed to demonstrate structured security assessment methodology, practical vulnerability validation, controlled exploitation, post-exploitation impact analysis, and remediation planning.

## Disclaimer

This project was performed in a private lab against intentionally vulnerable software for educational and portfolio purposes only. No production systems, public assets, or unauthorized targets were accessed. All testing was conducted within an isolated virtual environment.

## Project Overview

The objective of this assessment was to evaluate the security posture of a simulated internal corporate asset and determine whether exposed services, weak authentication, legacy software, and insecure configurations could be leveraged for practical compromise.

The assessment followed a PTES-inspired workflow:
1. Pre-engagement planning
2. Reconnaissance
3. Enumeration
4. Vulnerability discovery
5. Exploitation
6. Post-exploitation validation
7. Reporting and remediation

## Lab Environment

- **Attacker Host:** Kali Linux
- **Attacker IP:** 192.168.1.16
- **Target Host:** Metasploitable2
- **Target IP:** 192.168.1.20
- **Lab Network:** 192.168.1.0/24
- **Environment Type:** Isolated host-only virtual lab

## Tools Used

### Reconnaissance and Enumeration
- Nmap
- enum4linux
- smbclient
- showmount
- smtp-user-enum
- FTP client
- MySQL client
- Gobuster
- Nikto
- manual HTTP validation

### Vulnerability Discovery
- Nessus Essentials Plus
- manual CVE mapping and validation

### Exploitation
- Metasploit Framework

### Post-Exploitation
- native Linux shell commands
- Meterpreter session commands

## Key Findings

### Primary Validated Findings
- Anonymous FTP access
- MySQL root access with a blank password
- Exposed phpMyAdmin interface
- Exposed phpinfo page
- Directory indexing and test content exposure
- HTTP TRACE enabled
- Samba remote code execution exposure
- UnrealIRCd backdoor exposure
- distcc exposure
- Legacy vsftpd exposure

### Supporting Scanner-Confirmed Findings
- Ubuntu 8.04 end of life
- VNC weak or default password
- SSL v2 and SSL v3 protocol support
- multiple SSL weaknesses
- rlogin service exposure
- Apache Tomcat AJP request injection
- bind shell backdoor detection
- NFS shares world readable
- Samba Badlock vulnerability

## Successful Exploitation Paths

### 1. Samba usermap_script
The Samba service was successfully exploited using the `usermap_script` attack path. This resulted in a root-level command shell on the target host and confirmed full remote code execution.

### 2. UnrealIRCd Backdoor
The exposed UnrealIRCd service was successfully exploited, resulting in a Meterpreter session followed by root shell access. This confirmed a second unauthenticated remote code execution path.

## Attempted but Unsuccessful Exploitation Paths

### vsftpd 2.3.4
The target was identified as running a vulnerable legacy vsftpd version, but practical exploitation through the selected Metasploit module did not return a session in this environment.

### distcc
The distcc service responded to the exploitation attempt, but the reverse shell payload failed to establish a working session in the current setup.

## Post-Exploitation Impact

Post-exploitation validation from successful root-level access confirmed:
- host identity and operating system details
- network interface and IP configuration
- local account visibility
- user home directory enumeration
- process visibility
- access to sensitive system files such as `/etc/passwd`

This demonstrated high impact and confirmed that a successful attacker could gain broad control and visibility over the compromised host.

## Findings Summary

### Nessus Scan Summary
- Critical: 9
- High: 6
- Medium: 23
- Low: 9
- Informational: 134

## Repository Structure

```text
metasploitable2-vapt/
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ report/
โ”‚   โ””โ”€โ”€ VAPT_Report_MS2_v1.0.md
โ”œโ”€โ”€ evidence/
โ”‚   โ”œโ”€โ”€ 01_recon/
โ”‚   โ”œโ”€โ”€ 02_enumeration/
โ”‚   โ”œโ”€โ”€ 03_vuln_discovery/
โ”‚   โ”œโ”€โ”€ 04_exploitation/
โ”‚   โ””โ”€โ”€ 05_post_exploitation/
โ”œโ”€โ”€ methodology/
โ”œโ”€โ”€ diagrams/
โ””โ”€โ”€ remediation/
```

## Evidence Included

This repository includes:

* reconnaissance outputs
* enumeration outputs
* Nessus screenshots and reports
* exploitation screenshots and command outputs
* post-exploitation validation evidence
* final report content
* remediation guidance

## Remediation Themes

The highest-priority remediation actions identified during the assessment were:

* remove or isolate legacy vulnerable services
* eliminate weak or blank-password administrative access
* disable insecure and unnecessary remote services
* restrict NFS, SMB, and administrative service exposure
* upgrade or retire end-of-life operating system and application components
* remove obsolete SSL protocol support and unsafe web exposures

## Lessons Learned

This project reinforced several important assessment principles:

* scanner output alone is not enough; manual validation matters
* not every vulnerable service produces a reliable exploit path in practice
* multiple independent exploit paths can exist on the same host
* root-level access must be proven with controlled evidence, not just claimed
* good documentation is what turns a lab exercise into a portfolio-grade assessment

## Report

The full assessment write-up is available in the `report/` directory.

## Author

**Aravind Gopal**