Hands-on penetration testing labs documenting real exploitation workflows against intentionally vulnerable machines.
All activity was performed in an isolated lab environment for educational purposes.
| Lab | Target | Technique | Status |
|---|---|---|---|
| vsFTPd 2.3.4 Backdoor | Metasploitable 2 | Metasploit — CVE-2011-2523 | Complete |
| DVWA Brute Force | Metasploitable 2 | Hydra — HTTP form brute-force | Complete |
This lab identifies vsftpd 2.3.4 on Metasploitable 2, maps it to CVE-2011-2523, troubleshoots failed reverse callback behavior, and validates a root shell through Meterpreter.
A brute-force attack against the Damn Vulnerable Web Application (DVWA) login page using Hydra. Demonstrates weak credential discovery, session cookie injection, and the impact of missing rate-limiting controls.
labs/
├── machines/
│ └── metasploitable2/
│ ├── README.md
│ ├── vsftpd-2.3.4-backdoor/
│ └── dvwa-brute-force/
├── .gitignore
├── LICENSE
└── README.md
- Attacker: Linux penetration testing workstation
- Target: Metasploitable 2
- Network: Isolated
192.168.122.0/24virtual network - Tools: Nmap, Zenmap, Metasploit Framework, Meterpreter, Hydra, Netcat
- Network and service enumeration with Nmap
- Version-based vulnerability identification
- Metasploit module selection, configuration, and troubleshooting
- Web application brute-forcing with Hydra
- Session cookie injection for authenticated testing
- Post-exploitation validation (filesystem access, privilege verification)
- Professional lab documentation and Git workflow
The content in this repository is for authorized lab use only. Do not run these techniques against systems you do not own or do not have explicit permission to test.






