Project Name
Full Penetration Testing & Vulnerability Assessment (Metasploitable2)
One-line Summary
Set up a virtual lab and ran a full penetration test against Metasploitable2, finding and exploiting a backdoor in the vsftpd 2.3.4 FTP service to get a root shell without needing any credentials.
Full Description
I set up a lab with two virtual machines, Parrot OS as the attacker and Metasploitable2 as the target. Metasploitable2 is a Linux VM that is intentionally full of vulnerabilities, which makes it great for practising penetration testing in a safe, isolated environment.
The goal was to go through the full pentest process from scratch, starting with scanning and enumeration, then finding a vulnerability, exploiting it, and verifying the result.
When I scanned the target with Nmap, I noticed the FTP server was running vsftpd 2.3.4. I looked it up and found it is actually a known backdoored version, CVE-2011-2523. The way it works is surprisingly simple. If you send a username that ends with a smiley face :) during login, it opens a backdoor listener on port 6200.
I confirmed the exploit was available through Searchsploit, then ran it through Metasploit. It worked first try and gave me a root shell on the target with no credentials required. It was a good reminder of how dangerous old, unpatched software can be even when the fix has been available for years.
Assessment Methodology
- Host Discovery & Connectivity Verification
- Port Scanning & Service Enumeration
- Vulnerability Identification
- Exploit Research & Validation
- Remote Exploitation
- Post-Exploitation Access Verification
- Risk Assessment & Mitigation Recommendations
Technical Findings
| Port | Service | Version | Risk Level |
|---|---|---|---|
| 21/tcp | FTP | vsftpd 2.3.4 | Critical |
| 22/tcp | SSH | OpenSSH 4.7p1 | Medium |
| 80/tcp | HTTP | Apache 2.2.8 | Medium |
Execution
I started by checking the two machines could communicate:
Then I ran an Nmap scan to see what services were running and which versions:
The scan came back with vsftpd 2.3.4 on port 21. Once I saw that, I knew it was worth looking into.
I checked Searchsploit to confirm the exploit existed:
I loaded the module in Metasploit and ran it. It triggered the backdoor and opened a shell listener on TCP port 6200.
I ran whoami to confirm the access level:
Which came back with:
Full root access, no username or password required.
Security Impact
This is about as bad as it gets. Unauthenticated remote code execution with full root access is a critical finding. If this were a real system, an attacker could:
- Read or modify sensitive system files including
/etc/shadow - Install persistence mechanisms or malware
- Move laterally to other internal systems
- Exfiltrate sensitive data
- Tamper with logs to hide their activity
The likelihood of this being exploited in the real world is also high. The exploit is publicly documented, takes almost no skill to run, requires no credentials, and works remotely.
Detection Opportunities
A few things defenders could look for:
- FTP login attempts containing the
:)smiley face trigger string - Unexpected listener activity on TCP port 6200
- Suspicious shell execution spawned from the vsftpd process
- Unauthorized root shell activity
Tools that could help detect this include:
- Wazuh SIEM
- Snort IDS
- Suricata IDS/IPS
- Zeek Network Security Monitor
Recommendations
- Patch the software — Upgrade vsftpd immediately. The backdoor was removed in later releases.
- Disable unused services — If FTP is not needed, turn it off entirely to reduce the attack surface.
- Network segmentation — Keep legacy or vulnerable systems isolated from production and restrict inbound access where possible.
- Firewall rules — Block unauthorized access to port 6200 and limit unnecessary service exposure.
- Deploy IDS monitoring — Set up rules to detect suspicious FTP patterns and unexpected shell listeners.
- Regular vulnerability scanning — Scan services regularly to catch outdated software before someone else does.
Tools & Technologies Used
- Metasploit Framework
- Nmap
- Searchsploit
- Parrot Security OS
- Metasploitable2
- vsftpd 2.3.4
- Bash
- VirtualBox
Key Skills Demonstrated
- Penetration Testing Methodology
- Service Enumeration
- Vulnerability Research
- Remote Exploitation
- Risk Assessment
- Threat Analysis
- Security Recommendations
- Defensive Security Awareness
This was a really eye-opening project. Going through the full pentest process showed me how quickly you can go from a basic scan to full root access when a service is unpatched. It also made me think a lot more about patch management and why keeping software up to date actually matters.
