What we tested: We conducted a full authorized penetration test against a single Linux host (172.18.0.26, Metasploitable2) on your homelab Docker network. The test covered all open network services using passive reconnaissance, active port scanning, service enumeration, safe vulnerability checks, and CVE correlation — spanning roughly 15 minutes of automated and guided testing. No destructive actions were taken; all findings are proof-of-vulnerability only.
What we found: This host is comprehensively compromised by design — it is an intentionally vulnerable training target. We identified 4 CRITICAL and 6 HIGH severity findings across 22 open services. Three separate backdoor root shells exist: one on port 1524 (requires only a TCP connection), one in vsftpd 2.3.4 (triggered by a malformed FTP login, CVE-2011-2523), and one in UnrealIRCd 3.2.8.1 (triggered via IRC message, CVE-2010-2075). Additionally, SSH accepted the default password user:user from our first credential check. Six distinct attack paths lead to full root access, the fastest requiring under 10 seconds and no specialist knowledge.
What this means: If this host were reachable beyond your Docker network — or if any other container on that network were compromised — an attacker would have instant, trivial, undetectable root access to this machine and a pivot point into your broader homelab. Keep this host strictly isolated on its dedicated Docker network, never expose its ports externally, and treat it purely as a controlled training environment. The findings here are expected for Metasploitable2 and represent the full taxonomy of vulnerability classes you can practice against.
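As an added check that is not part of the original report or of the host's own tooling, the following Python script verifies the isolation the paragraph above asks for: it reads the JSON that docker inspect and docker network inspect emit and flags a published port, host networking, attachment to any network other than the dedicated lab network, a lab network that was not created with --internal, and any container on that network that is not an expected lab peer. The container name metasploitable2, the network name lab_net, the peer names kali and homeassistant, and the published 1524/tcp binding in the sample JSON are constructed values.

```python
import json

# Constructed sample of `docker inspect <container>` output, trimmed to the
# fields this audit reads. Container/network names and the published port are
# made-up values that reproduce a badly isolated setup.
CONTAINER_JSON = """
{
  "Name": "/metasploitable2",
  "HostConfig": {
    "NetworkMode": "lab_net",
    "PortBindings": {"1524/tcp": [{"HostIp": "0.0.0.0", "HostPort": "1524"}]}
  },
  "NetworkSettings": {
    "Networks": {
      "lab_net": {"IPAddress": "172.18.0.26"},
      "bridge": {"IPAddress": "172.17.0.5"}
    }
  }
}
"""

# Constructed sample of `docker network inspect` output for the attached networks.
NETWORKS_JSON = """
[
  {"Name": "lab_net", "Internal": false,
   "Containers": {"c1": {"Name": "metasploitable2"}, "c2": {"Name": "kali"}}},
  {"Name": "bridge", "Internal": false,
   "Containers": {"c1": {"Name": "metasploitable2"}, "c3": {"Name": "homeassistant"}}}
]
"""


def audit_isolation(container, networks, lab_net, allowed_peers):
    """Return isolation violations for a deliberately vulnerable container.

    container:     dict from `docker inspect <name>` (one element of the list)
    networks:      list of dicts from `docker network inspect <net...>`
    lab_net:       the one network the container is allowed to join
    allowed_peers: container names permitted on that network
    An empty list means the container is confined as intended.
    """
    findings = []
    hc = container.get("HostConfig", {})

    # 1. Nothing may be published to the host: a -p mapping would expose the
    #    backdoor ports beyond the Docker bridge.
    for port, bindings in (hc.get("PortBindings") or {}).items():
        for b in bindings or []:
            findings.append(f"published {port} on host {b.get('HostIp')}:{b.get('HostPort')}")

    # 2. Host networking would place the container directly on the LAN.
    if hc.get("NetworkMode") == "host":
        findings.append("NetworkMode=host: container shares the host network stack")

    # 3. Only the dedicated lab network may be attached; it must be created
    #    with --internal (no route out) and hold only known lab containers.
    by_name = {n["Name"]: n for n in networks}
    for net_name in container.get("NetworkSettings", {}).get("Networks", {}):
        if net_name != lab_net:
            findings.append(f"attached to non-lab network {net_name}")
            continue
        net = by_name.get(net_name, {})
        if not net.get("Internal"):
            findings.append(f"{net_name} is not internal: containers on it can reach outside")
        peers = {c["Name"] for c in net.get("Containers", {}).values()}
        for stray in sorted(peers - set(allowed_peers)):
            findings.append(f"unexpected container {stray} shares {net_name}")
    return findings


def run_sample():
    container = json.loads(CONTAINER_JSON)
    networks = json.loads(NETWORKS_JSON)
    return audit_isolation(container, networks, "lab_net", {"metasploitable2", "kali"})


if __name__ == "__main__":
    problems = run_sample()
    for p in problems:
        print("FAIL:", p)
    print("isolated" if not problems else f"{len(problems)} problem(s)")
```

On a live host, feed it `docker inspect metasploitable2` (take the first list element) and `docker network inspect lab_net` instead of the embedded samples. The sample deliberately fails three ways: the backdoor port is published, the lab network was not created with `docker network create --internal`, and the container is also on the default bridge, which is exactly the pivot path the report warns about.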
Attack surface: Single Linux host (Metasploitable2) with 22 open TCP ports spanning FTP, SSH, Telnet, SMTP, HTTP/WebDAV, SMB, NFS, r-services, multiple database engines, Java/Ruby RMI, and IRC — every service running EOL software from 2008–2011.
Critical findings:
INSTANT ROOT — ZERO EFFORT: Any attacker on the Docker network connects to port 1524/tcp with a basic TCP client (netcat, telnet, etc.) and receives an immediate root shell prompt. No credentials, no exploit, no tools needed. Full OS compromise in under 10 seconds.
FTP BACKDOOR TO ROOT SHELL: Attacker sends a login attempt to vsftpd on port 21 with a username ending in ':)' (smiley face). vsftpd's backdoor code triggers and opens a root shell on port 6200/tcp. Attacker connects to port 6200 and has full root access. Two TCP connections = root.
SSH DEFAULT CREDS TO FOOTHOLD + PRIVILEGE ESCALATION: Attacker logs in via SSH with user:user. From the user shell, multiple local privilege escalation paths exist: kernel exploits (Linux 2.6.24 has dozens of public LPEs), SUID binary abuse, or simply connecting to port 1524 from localhost to get root.
IRC BACKDOOR TO RCE: Attacker connects to UnrealIRCd on port 6667, sends a message prefixed with 'AB' followed by a shell command. The backdoor macro executes the command as the ircd user. Combined with writable directories or SUID binaries, privilege escalation to root follows.
WEB PATH TO RCE: Attacker uploads a PHP webshell via WebDAV to /dav/, then browses to the uploaded file. Apache executes the PHP code as www-data. From the webshell, attacker connects internally to the port 1524 backdoor to escalate to root.
phpMyAdmin TO FILE WRITE TO RCE: Attacker authenticates to phpMyAdmin with MySQL credentials (default root with blank password is common on Metasploitable2), uses MySQL's SELECT INTO OUTFILE to write a PHP webshell into the Apache web root, then executes it via HTTP.
Port 1524/tcp presents a fully interactive root shell (root@d9d6daa95c1b:/#) to any connecting client with zero authentication. This is the classic Metasploitable2 ingreslock backdoor. Any host on the Docker network can connect with nc 172.18.0.26 1524 and immediately have unrestricted root access to the operating system — read any file, modify any configuration, install software, pivot to other network hosts, or destroy data. There is no higher severity finding possible.
vsftpd version 2.3.4 contains a deliberate backdoor introduced into the source tarball: when a username containing a smiley face (':)') is submitted, the daemon opens a root command shell on port 6200/tcp. This is a supply-chain compromise of the FTP daemon itself. No valid credentials are needed — the trigger is a malformed login attempt. CVE-2011-2523 carries a CVSS score of 9.8 (Critical).
UnrealIRCd 3.2.8.1, running on ports 6667 and 6697, contains a Trojan horse inserted into the official distribution between November 2009 and June 2010. The backdoor is triggered by sending a string beginning with 'AB' to the IRC server, causing arbitrary OS commands to execute as the ircd process user. This is another supply-chain backdoor — the software itself is malicious. Remote unauthenticated command execution is the result.
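The three backdoors described in the preceding paragraphs (port 1524, vsftpd 2.3.4 on port 21 with the shell on 6200, and UnrealIRCd on 6667/6697) all have a fixed network signature, which makes them easy to alert on from the lab network's own telemetry. The following Python detector is an added example, not part of the original report or of any sensor the report used: it consumes flow records in an assumed space-separated layout (timestamp, source IP, source port, destination IP, destination port, first application bytes), raises a CRITICAL alert for each indicator the report documents, correlates a 6200/tcp connection with a preceding ':)' FTP login from the same source, and adds a LOW alert for a /phpinfo.php fetch as a reconnaissance signal. The client IPs, timestamps and payload excerpts in the sample are constructed.

```python
# Constructed sample telemetry, one flow per line, in an assumed layout:
#   <epoch-ts> <src_ip> <src_port> <dst_ip> <dst_port> <first application bytes or '-'>
# The client IPs, timestamps and payload excerpts are made up; adapt parse()
# to whatever your sensor emits (Zeek conn/ftp logs, Suricata eve.json, ...).
SAMPLE_LOG = """\
1700000001.0 172.18.0.10 51000 172.18.0.26 1524 -
1700000002.0 172.18.0.10 51001 172.18.0.26 21 USER hacker:)
1700000003.0 172.18.0.10 51002 172.18.0.26 6200 -
1700000004.0 172.18.0.11 40000 172.18.0.26 6667 AB<payload redacted>
1700000005.0 172.18.0.12 40500 172.18.0.26 21 USER anonymous
1700000006.0 172.18.0.12 40501 172.18.0.26 80 GET /phpinfo.php HTTP/1.1
1700000007.0 172.18.0.12 40502 10.0.0.5 1524 -
"""

TARGET = "172.18.0.26"
# A 6200/tcp connection this soon after a ':)' login is the backdoor shell in use.
SHELL_WINDOW = 60.0


def parse(line):
    ts, src, sport, dst, dport, payload = line.split(" ", 5)
    return {"ts": float(ts), "src": src, "dst": dst,
            "dport": int(dport), "payload": payload}


def detect(lines):
    """Return (severity, source_ip, description) alerts for the backdoor
    indicators this report documents, in log order."""
    alerts = []
    ftp_trigger_seen = {}  # src ip -> ts of the ':)' USER command
    for raw in lines:
        if not raw.strip():
            continue
        f = parse(raw.strip())
        if f["dst"] != TARGET:
            continue  # only flows towards the lab host are of interest here
        src, dport, payload = f["src"], f["dport"], f["payload"]
        if dport == 1524:
            alerts.append(("CRITICAL", src, "connection to ingreslock root shell (1524/tcp)"))
        elif dport == 21 and payload.startswith("USER ") and ":)" in payload:
            alerts.append(("CRITICAL", src, "vsftpd 2.3.4 backdoor trigger in FTP USER (CVE-2011-2523)"))
            ftp_trigger_seen[src] = f["ts"]
        elif dport == 6200:
            t0 = ftp_trigger_seen.get(src)
            if t0 is not None and f["ts"] - t0 <= SHELL_WINDOW:
                alerts.append(("CRITICAL", src, "vsftpd backdoor shell used on 6200/tcp after trigger"))
            else:
                alerts.append(("HIGH", src, "unexpected connection to 6200/tcp (no prior trigger seen)"))
        elif dport in (6667, 6697) and payload.startswith("AB"):
            alerts.append(("CRITICAL", src, "UnrealIRCd 3.2.8.1 backdoor trigger 'AB' (CVE-2010-2075)"))
        elif dport == 80 and "/phpinfo.php" in payload:
            alerts.append(("LOW", src, "reconnaissance: /phpinfo.php requested"))
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for sev, src, msg in run_sample():
        print(f"{sev:8} {src:15} {msg}")
```

Two caveats when deploying this against a real sensor: on port 6697 the IRC payload is TLS-wrapped, so only the 1524/6200 connection rules work there without TLS inspection, and a lone 6200/tcp connection is downgraded to HIGH rather than CRITICAL because the sensor may simply have missed the FTP login that opened the shell.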
The SSH service on port 22 accepted the credential pair user:user from a 12-pair default-credential list. SSH (Secure Shell) is the primary encrypted remote administration protocol for Linux systems. A valid SSH login provides an interactive shell session on the machine. While 'user' is a low-privilege account, the combination of this access with the age of the kernel and the availability of local privilege escalation vectors makes root access a near-certainty from this foothold.
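The remediation for the accepted user:user login is to stop sshd from accepting passwords at all. As an added example (not from the report and not the host's real sshd_config), the following Python script audits an sshd_config excerpt for the settings that matter here, using sshd's own rule that the first occurrence of a keyword wins, and shows the permissive configuration beside the corrected one. The one caveat worth the extra check is that with UsePAM yes, keyboard-interactive authentication can still prompt for a password after PasswordAuthentication has been set to no, so both must be disabled. Both config excerpts are constructed.

```python
import re

# Constructed excerpt of a permissive sshd_config consistent with the password
# login the report observed. Not copied from the host.
WEAK_SSHD = """
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

# The corrected configuration: key-only logins, root locked out over SSH, and
# keyboard-interactive (PAM) prompts disabled too, so that turning off
# PasswordAuthentication is not bypassed by a PAM password prompt.
# KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication
# is the older alias, set as well for older sshd builds.
HARDENED_SSHD = """
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
UsePAM yes
"""


def parse_sshd(text):
    """Parse 'Keyword value' / 'Keyword=value' lines into a dict.
    Keywords are case-insensitive and the FIRST occurrence wins, as in sshd.
    Match blocks are conditional and out of scope, so parsing stops there."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in conf:
            conf[key] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_sshd(text):
    """Return a list of findings; empty means the excerpt passes this audit."""
    c = parse_sshd(text)
    get = lambda k, default: c.get(k, default).lower()
    findings = []
    if "1" in get("protocol", "2").split(","):
        findings.append("Protocol 1 enabled (broken cryptography)")
    # Old sshd builds default PermitRootLogin to yes, so an absent keyword is flagged.
    if get("permitrootlogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication enabled: default or weak passwords usable remotely")
    # Caveat: with UsePAM yes, keyboard-interactive auth can still prompt for a
    # password even when PasswordAuthentication is off.
    kbd = c.get("kbdinteractiveauthentication",
                c.get("challengeresponseauthentication", "yes")).lower()
    if get("usepam", "no") == "yes" and kbd != "no":
        findings.append("keyboard-interactive authentication still enabled: PAM can prompt for passwords")
    if get("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords yes")
    if int(get("maxauthtries", "6")) > 6:
        findings.append("MaxAuthTries above the default of 6")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(label, audit_sshd(conf) or "OK")
```

Run it against the real file with `audit_sshd(open("/etc/ssh/sshd_config").read())`; remember that a change to sshd_config only takes effect after the daemon is reloaded, and that disabling passwords on a host where no authorized_keys exist locks everyone out, so install the key first.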
The FTP service on port 21 accepts anonymous logins (username: anonymous, any password). FTP (File Transfer Protocol) transmits all data including credentials in cleartext. Anonymous access allows unauthenticated users to browse and potentially read files in the FTP root directory. Combined with CVE-2011-2523 on the same service version, this service is doubly dangerous.
Samba 3.0.20 on ports 139/445 permits null sessions (a null session = connecting to SMB without any username or password). The /tmp share is not only visible but fully readable to anonymous users, exposing runtime files, socket files, and any temporary data written by running processes. SMB signing is also disabled, which means traffic can potentially be intercepted and replayed by an attacker on the same network segment. This is the classic 'pass-the-hash' prerequisite condition.
The r-services suite (rexec, rlogin, rsh) dates from the 1980s and has no encryption, weak or no authentication (trust is based on source IP address), and no modern security controls. rsh/rlogin allow remote shell access based on host-trust relationships defined in ~/.rhosts files. If any user has a permissive .rhosts configuration, an attacker can log in without a password. These services should not exist on any network-connected system in any era.
Telnet provides a remote interactive shell with zero encryption. Every keystroke — including usernames, passwords, and commands — is transmitted in plaintext over the network and can be captured by any host on the same network segment with a packet sniffer. On a Docker network where containers share a bridge, this is a trivial interception opportunity.
The file /phpinfo.php is accessible without authentication and outputs the complete PHP runtime configuration: server paths, loaded modules, PHP version, compile-time options, environment variables, and HTTP request headers. This is a reconnaissance goldmine for an attacker — every detail needed to craft targeted exploits (exact path names, enabled functions, disabled safeguards) is presented on a single page. phpinfo() files should never be deployed on reachable systems.
WebDAV (Web Distributed Authoring and Versioning) is a protocol extension to HTTP that allows clients to create, modify, and delete files on a web server. The /dav/ endpoint is live and accessible. If write access is not restricted (common in default Metasploitable2 configs), an attacker can upload a PHP webshell — a small script that executes OS commands via the web browser — resulting in remote code execution as the Apache process user. Combined with PHP 5.2.4's lack of security restrictions, this is a reliable exploitation path.
phpMyAdmin is a web-based MySQL administration interface accessible at /phpMyAdmin/ with no IP-based access controls. With MySQL running on the same host and default or weak credentials in play, an attacker can use phpMyAdmin to dump all databases, read arbitrary files from the OS (via MySQL's LOAD_FILE function), or write files to the web root (via SELECT INTO OUTFILE) to achieve remote code execution.
ProFTPD 1.3.1 on port 2121 is vulnerable to SQL injection via a percent-encoded username. When mod_sql is enabled (used for database-backed authentication), a specially crafted username can inject arbitrary SQL commands into the backend database query, potentially allowing authentication bypass or data exfiltration.
MySQL 5.0.51a is vulnerable to multiple stack-based buffer overflows in the TaoCrypt/yaSSL component (CVE-2009-4484). A remote attacker can send a crafted certificate to trigger the overflow and execute arbitrary code as the MySQL process user. This is reachable from port 3306 without authentication if MySQL is configured to accept external connections.
Apache has the HTTP TRACE and DEBUG methods enabled. TRACE echoes back the full HTTP request including cookies and auth headers, enabling Cross-Site Tracing (XST) attacks where JavaScript can steal session cookies that would otherwise be protected by the HttpOnly flag. The DEBUG method can expose server internals. Both should be disabled in any production or internet-facing configuration.
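The Apache findings above (the writable /dav/ endpoint, the unrestricted /phpMyAdmin/ location, and the TRACE method) all come down to missing directives in the web server configuration. As an added example that is not from the report and not the host's actual httpd.conf, the following Python script parses an Apache 2.2-style configuration fragment, including nested Location and LimitExcept blocks, and flags TraceEnable not set to off, a DAV-enabled location with no Require directive and with PHP execution still enabled, and a phpMyAdmin location with no IP restriction; the corrected fragment is shown beside the weak one. The file paths, the admin subnet 172.18.0.0/24 and the AuthUserFile location are assumed values.

```python
# Constructed Apache 2.2-style fragment reproducing the weak settings the report
# describes (TRACE enabled, /dav writable without auth, phpMyAdmin open to all).
# Illustrative only, not copied from the host's configuration.
WEAK_CONF = """
TraceEnable on
Alias /dav /var/www/dav
<Location /dav>
    DAV On
</Location>
Alias /phpMyAdmin /usr/share/phpmyadmin
<Location /phpMyAdmin>
    Order allow,deny
    Allow from all
</Location>
"""

# The same fragment hardened: TRACE off, WebDAV writes require a user, PHP
# cannot execute from the upload directory, and phpMyAdmin is reachable only
# from an assumed admin subnet. Paths and the subnet are placeholders.
HARDENED_CONF = """
TraceEnable off
Alias /dav /var/www/dav
<Location /dav>
    DAV On
    php_admin_flag engine off
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile /etc/apache2/dav.passwd
    <LimitExcept GET OPTIONS PROPFIND>
        Require valid-user
    </LimitExcept>
</Location>
Alias /phpMyAdmin /usr/share/phpmyadmin
<Location /phpMyAdmin>
    Order deny,allow
    Deny from all
    Allow from 172.18.0.0/24
</Location>
"""


def parse_conf(text):
    """Flatten the config into (section_path, directive, args) tuples, where
    section_path is e.g. ('Location /dav', 'LimitExcept GET OPTIONS PROPFIND')."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<"):
            stack.append(line[1:-1].strip())
        else:
            name, _, args = line.partition(" ")
            out.append((tuple(stack), name.lower(), args.strip()))
    return out


def _in_location(entries, prefix):
    """Entries inside <Location prefix>, including nested blocks."""
    want = f"location {prefix}".lower()
    return [(p, d, a) for p, d, a in entries if p and p[0].lower() == want]


def audit_apache(text):
    """Return a list of findings; empty means the fragment passes this audit."""
    entries = parse_conf(text)
    findings = []
    top = {d: a for p, d, a in entries if not p}
    # TraceEnable defaults to on in Apache, so an absent directive is a finding.
    if top.get("traceenable", "on").lower() != "off":
        findings.append("TraceEnable is not off: HTTP TRACE enables Cross-Site Tracing")
    dav = _in_location(entries, "/dav")
    if any(d == "dav" and a.lower() == "on" for _, d, a in dav):
        if not any(d == "require" for _, d, _a in dav):
            findings.append("/dav: DAV On with no Require directive: unauthenticated uploads possible")
        if not any(d == "php_admin_flag" and a.lower() == "engine off" for _, d, a in dav):
            findings.append("/dav: PHP engine not disabled: an uploaded .php file would execute")
    pma = _in_location(entries, "/phpMyAdmin")
    restricted = any((d == "require" and a.lower().startswith("ip ")) or
                     (d == "allow" and a.lower().startswith("from ") and a.lower() != "from all")
                     for _, d, a in pma)
    if pma and not restricted:
        findings.append("/phpMyAdmin: no IP-based access restriction")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_apache(conf) or "OK")
```

The `php_admin_flag engine off` check assumes mod_php, which is how PHP 5.2.4 runs on this host; under PHP-FPM the equivalent is to remove the PHP handler for that directory instead, and the audit would need a matching rule. The `LimitExcept` block leaves read-only WebDAV methods open while requiring a user for PUT, DELETE and the other write methods, which closes the webshell-upload path the report describes.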