Gladius Penetration Test Report

Port 1524 is running a root-level backdoor shell. The nmap service probe returned an interactive root shell prompt (root@d9d6daa95c1b:/#) with zero authentication required. Any attacker on the network can connect to this port with a basic TCP client (e.g. netcat) and receive a fully interactive root shell — total system compromise in a single step, with no credentials, no exploit code, and no privileges to escalate.

The vsftpd 2.3.4 FTP daemon running on port 21 contains a deliberately introduced backdoor (CVE-2011-2523, CVSS 9.8). Sending a smiley face ':)' in the FTP username field during authentication triggers the backdoor, which binds a root shell on port 6200/tcp. This provides unauthenticated remote code execution as root. The affected binary was distributed via official mirrors between June 30 and July 3, 2011.

Anonymous (null session) SMB login succeeds without any credentials — meaning anyone on the network can enumerate shares and read the 'tmp' share. Beyond data exposure, Samba 3.0.20 is vulnerable to CVE-2007-2447 (usermap_script), which allows an attacker to inject arbitrary shell commands via a specially crafted username during authentication, achieving remote code execution as root. This is one of Metasploitable2's most commonly exploited paths.

The SSH daemon on port 22 accepted the credential pair user/user, which is a default credential pair from the built-in 12-pair test list. Any attacker who attempts this trivially guessable combination gains an authenticated remote shell session. While the initial access level is an unprivileged user account, the age of the kernel and local privilege escalation vulnerabilities present on this system make full root escalation straightforward from this foothold.

The UnrealIRCd IRC server on port 6667 is version 3.2.8.1, which was distributed with a trojaned binary containing a backdoor (CVE-2010-2075, CVSS 7.5). The DEBUG3_DOLOG_SYSTEM macro was modified to execute arbitrary OS commands when an attacker sends a message prefixed with 'AB;'. This provides unauthenticated remote code execution on the server, typically running as the IRC server process user.

The Apache Tomcat Manager web interface (/manager/html) on port 8180 is reachable and protected only by HTTP Basic Authentication. Nikto confirmed that HTTP PUT and DELETE methods are enabled, and WebDAV is active at /webdav/. If default credentials (commonly tomcat:tomcat) are valid, an attacker can deploy a malicious WAR (web application archive) file through the Manager, resulting in remote code execution within the Tomcat process context. The Manager should never be exposed without IP restriction and strong credentials.

ProFTPD 1.3.1 on port 2121 is vulnerable to SQL injection via CVE-2009-0542 (CVSS 7.5). A percent character (%) in the FTP username is not properly sanitized before being passed to mod_sql's SQL query, introducing a single quote that breaks the SQL syntax. An attacker can craft a username to bypass FTP authentication entirely or, if mod_sql_mysql/postgres is configured, extract or modify database credentials.

The vsftpd FTP server on port 21 accepts anonymous logins without any credentials. The nmap scan confirmed 'Anonymous FTP login allowed (FTP code 230)' and logged in as the 'ftp' user. This allows any unauthenticated user to browse and potentially download files accessible to the FTP anonymous account, which may include sensitive configuration files or data depending on how the FTP root is configured.

Ports 512 (rexec) and 513 (rlogin) are open and represent ancient Unix remote execution services from the pre-SSH era. These services transmit all data including credentials in cleartext and rely on weak IP-based trust authentication rather than cryptographic keys or passwords. An attacker on the same network can perform IP spoofing or sniff credentials in transit, potentially gaining remote command execution without valid passwords.

The rpcbind service on port 111 advertises an NFS mountd service on port 50419/tcp and 2049/tcp (NFS). If NFS exports are configured without proper host restrictions (using '*' or broad CIDR ranges), any host on the network can mount exported filesystem paths without authentication. This could expose the entire filesystem or sensitive directories such as /home or /etc to read/write access.