firsthacking is a Very Easy DockerLabs machine built around one of the most famous backdoors in Linux history: vsftpd 2.3.4. A malicious version of the popular FTP daemon was briefly distributed in 2011 with a hidden backdoor that opens a root shell on port 6200 when a username ending in :) is submitted. This machine teaches you how to find and weaponise a known CVE using both Metasploit and a manual netcat approach — reinforcing the lesson that understanding the underlying mechanism is just as important as running the automated exploit.
Machine Info
| Field | Details |
|---|---|
| Difficulty | Very Easy (Muy Fácil / Súper Fácil) |
| Category | Hacking Infraestructura |
| OS | Linux |
| Key Techniques | Service enumeration, vsftpd 2.3.4 backdoor (CVE-2011-2523), Metasploit, netcat, searchsploit |
| Default Target IP | 172.17.0.2 |
Phase 0: Launch Kali Portable
Open a second terminal and start your Kali Portable environment.
Phase 1: Deploy the Machine
Download firsthacking.zip from DockerLabs and extract it in your first terminal. The archive contains:
| File | Purpose |
|---|---|
| auto_deploy.sh | Deploys the vulnerable container |
| firsthacking.tar | The Docker image |
Phase 2: Reconnaissance
Nmap Service Scan
Scan all ports at an aggressive rate to identify open services.
| Argument | Meaning |
|---|---|
| -sC | Default NSE scripts |
| -sV | Service and version detection |
| --min-rate 5000 | Fast scan suitable for local lab environments |
Findings:
Only port 21 (FTP) is open, running vsftpd 2.3.4 — exactly the backdoored version. This is the entire attack surface.
| Port | Service | Version |
|---|---|---|
| 21/tcp | FTP | vsftpd 2.3.4 |
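The whole Phase 2 result comes down to recognising one version banner. The following Python is an added example written for this page, not the DockerLabs author's code or any tool the page uses: it parses nmap's grepable output (the format you get by adding -oG to the scan) and flags every open vsftpd whose banner matches the backdoored 2.3.4 build, which is the check a vulnerability-inventory job would run across a whole subnet. The sample scan lines and the second host 10.0.0.5 are constructed, the function names are my own, and the port-entry layout (port/state/proto/owner/service/rpcinfo/version/) is assumed from nmap's documented -oG format.

```python
import re

# Versions of vsftpd known to carry the backdoor discussed on this page.
# Only 2.3.4 / CVE-2011-2523 is listed; extend from your own vulnerability data.
BACKDOORED_VSFTPD = {"2.3.4": "CVE-2011-2523"}

VSFTPD_VERSION_RE = re.compile(r"vsftpd\s+(\d+(?:\.\d+)+)")

# Constructed sample of nmap grepable (-oG) output; not captured from a real scan.
SAMPLE_GREPABLE = (
    "# Nmap grepable output (constructed sample)\n"
    "Host: 172.17.0.2 ()\tStatus: Up\n"
    "Host: 172.17.0.2 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/\tIgnored State: closed (999)\n"
    "Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 8.9/"
    "\tIgnored State: closed (998)\n"
)


def parse_grepable_ports(line):
    """Parse the 'Ports:' field of one -oG host line into a list of dicts.

    Each entry has the form port/state/proto/owner/service/rpcinfo/version/ and
    entries are separated by ', '.  Lines without port data yield an empty list.
    """
    if "Ports:" not in line:
        return []
    field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
    records = []
    for entry in field.split(", "):
        parts = entry.split("/")
        if len(parts) < 7:
            continue  # malformed entry: skip rather than guess
        port, state, proto, _owner, service, _rpc, version = parts[:7]
        records.append({"port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version.strip()})
    return records


def flag_backdoored_vsftpd(records):
    """Return (port, version, cve) for every open port whose vsftpd banner is a known-bad build."""
    findings = []
    for rec in records:
        if rec["state"] != "open":
            continue
        m = VSFTPD_VERSION_RE.search(rec["version"])
        if m and m.group(1) in BACKDOORED_VSFTPD:
            findings.append((rec["port"], m.group(1), BACKDOORED_VSFTPD[m.group(1)]))
    return findings


def scan_report(grepable_text):
    """Walk a whole -oG file and return (host, port, version, cve) tuples."""
    findings = []
    for line in grepable_text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        for port, version, cve in flag_backdoored_vsftpd(parse_grepable_ports(line)):
            findings.append((host, port, version, cve))
    return findings


if __name__ == "__main__":
    for host, port, version, cve in scan_report(SAMPLE_GREPABLE):
        print(f"{host}:{port} vsftpd {version} -> {cve}: treat as compromised, isolate and rebuild")
```

This is a banner check, so it inherits nmap's limits: a host that reports 2.3.4 may have been built from a clean copy of that release rather than the trojaned tarball, and a patched vendor package can still announce an old version string. Use the hit to prioritise, then confirm against package provenance before closing the ticket.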
Phase 3: Exploitation — Two Methods
The vsftpd 2.3.4 backdoor (CVE-2011-2523) works by detecting the two-character smiley sequence :) at the end of the username during FTP authentication. When it sees this sequence, the daemon opens a bind shell on TCP port 6200 in the background. The attack can be carried out with Metasploit or entirely manually with netcat.
Method A: Metasploit (Automated)
Launch Metasploit and Find the Module
Open Metasploit and search for the vsftpd exploit. The module exploit/unix/ftp/vsftpd_234_backdoor appears in the results.
Load and Configure the Module
Select the exploit, review its options, and set the target host and your local host.
Method B: Manual Netcat Trigger (Recommended)
When Metasploit fails to establish the session cleanly, the manual approach is more reliable. This method also gives you a much deeper understanding of how the backdoor actually works.
Trigger the Backdoor via FTP
Send a specially crafted FTP authentication sequence using netcat. The :) at the end of the username is the trigger; in the background, vsftpd opens a root bind shell on port 6200.
| Part | Purpose |
|---|---|
| echo "USER root:)" | Sends a username ending with :) to trigger the backdoor |
| sleep 1 | Pauses to let vsftpd process the smiley and open port 6200 |
| echo "PASS test" | Sends any password (the value does not matter) |
| nc 172.17.0.2 21 | Connects to the FTP service on port 21 |
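Seen from the blue team, the mechanism described in Phase 3 and in the table above gives two clean signals: a USER command carrying :) on the cleartext FTP control channel, and a new TCP connection to port 6200 from the same client shortly afterwards. The Python below is an added example written for this page (not the DockerLabs author's code) that turns those two signals into a small correlating detector. The event lines are constructed, using documentation IP ranges, in a one-line "time client kind detail" format I made up for the example; in practice you would feed it from a network sensor's FTP and connection logs, since vsftpd's own log does not necessarily record the USER argument. The rule matches :) anywhere in the username rather than only at the end, which is the safer choice for detection.

```python
import re

# The trigger sequence the page describes, and the bind-shell port it opens.
TRIGGER = ":)"
BACKDOOR_PORT = 6200

# Constructed event lines (not real captures): "<time> <client> <kind> <detail>".
# kind "ftp" carries an FTP control-channel command, kind "conn" a TCP connect "host:port".
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 192.0.2.10 ftp USER alice",
    "2024-05-01T10:00:02 192.0.2.10 ftp PASS hunter2",
    "2024-05-01T10:00:03 192.0.2.10 conn 172.17.0.2:21",
    "2024-05-01T10:00:05 198.51.100.7 ftp USER root:)",
    "2024-05-01T10:00:06 198.51.100.7 ftp PASS test",
    "2024-05-01T10:00:07 198.51.100.7 conn 172.17.0.2:6200",
]

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(ftp|conn)\s+(.+)$")


def is_backdoor_trigger(ftp_command):
    """True for a USER command whose argument contains ':)'.

    The page describes the trigger at the end of the username; matching the
    sequence anywhere in the argument costs nothing and misses fewer variants.
    """
    verb, _, arg = ftp_command.strip().partition(" ")
    return verb.upper() == "USER" and TRIGGER in arg


def detect(lines):
    """Return alerts as (time, client, rule, severity), correlating the two signals.

    A connect to port 6200 on its own is only 'medium' (any service could use
    that port); the same client connecting there after sending the trigger is
    the backdoor shell being picked up, so it is raised to 'critical'.
    """
    triggered = set()
    alerts = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not in the expected format; ignore
        ts, client, kind, detail = m.groups()
        if kind == "ftp" and is_backdoor_trigger(detail):
            triggered.add(client)
            alerts.append((ts, client, "vsftpd-backdoor-trigger", "high"))
        elif kind == "conn":
            _host, _, port = detail.rpartition(":")
            if port.isdigit() and int(port) == BACKDOOR_PORT:
                severity = "critical" if client in triggered else "medium"
                alerts.append((ts, client, "connect-to-backdoor-port", severity))
    return alerts


if __name__ == "__main__":
    for ts, client, rule, severity in detect(SAMPLE_EVENTS):
        print(f"{ts} {client} {rule} severity={severity}")
```

Because the FTP control channel is cleartext, the first rule works from a network tap even when the host is already compromised; the second rule is the one to keep long term, since an unexpected listener on a high port is what a bind shell looks like regardless of which service opened it.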
Method C: Python Exploit via Searchsploit
A third option uses the public Python exploit from ExploitDB.
Phase 4: Verification and Flag
Regardless of which method you used, verify root access and capture the flag.
Post-Lab Cleanup
Return to the deploy terminal and press Ctrl+C to stop the container. Type exit in your Kali Portable session.
Key Takeaways
CVE-2011-2523: A Real Backdoor
The vsftpd 2.3.4 backdoor is not a hypothetical scenario — it was a real supply-chain attack where a malicious version of the software was briefly served from the official download mirror. Always verify checksums of downloaded software.
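"Always verify checksums" is easy to say and easy to do badly, so here is what the check looks like done properly. This Python is an added example for this page, not code from the DockerLabs author or the vsftpd project: it streams a downloaded archive through SHA-256, reads a sha256sum-style list (the two-space "hex  name" or "hex *name" layout is assumed), looks the file up by name, and compares digests in constant time. The file name example-release.tar.gz, the stand-in three-byte archive, and the function names are all constructed for the demonstration; the only real value is the standard SHA-256 test vector for the bytes "abc".

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large archives never sit fully in memory

# SHA-256 of the three bytes b"abc" (the standard test vector); used by demo() below.
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums


def verify_digest(actual_hex, expected_hex):
    """Constant-time comparison of two hex digests (case-insensitive)."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())


def verify_download(path, sums_text):
    """True only if the file's SHA-256 matches the entry published under its name.

    A file with no published entry is reported as unverified (False) rather than
    silently accepted: 'no checksum to compare' is a failure, not a pass.
    """
    path = Path(path)
    expected = parse_sums(sums_text).get(path.name)
    if expected is None:
        return False
    return verify_digest(sha256_file(path), expected)


def demo():
    """Write a stand-in archive and check it against a genuine and a swapped checksum list."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "example-release.tar.gz"  # hypothetical file name
        archive.write_bytes(b"abc")                      # stand-in for the downloaded tarball
        genuine_sums = f"{ABC_SHA256}  example-release.tar.gz\n"
        swapped_sums = "0" * 64 + "  example-release.tar.gz\n"  # what a tampered list looks like
        return (verify_download(archive, genuine_sums),
                verify_download(archive, swapped_sums),
                sha256_file(archive))


if __name__ == "__main__":
    ok, tampered, digest = demo()
    print(f"sha256={digest}\ngenuine list -> {ok}\nswapped list -> {tampered}")
```

The caveat that matters for a supply-chain case like this one: a checksum fetched from the same mirror as the archive can be replaced together with the archive, so the comparison only proves the download was not corrupted in transit. A detached signature from the maintainer's key, or a digest obtained out of band, is the check that would actually catch a swapped tarball.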
Three Paths to the Same Root
This machine is an excellent exercise in tool flexibility. Metasploit automates the attack, manual netcat teaches the underlying mechanism, and the Python script shows how standalone PoC exploits work. Learn all three approaches.
Bind Shells vs Reverse Shells
The vsftpd backdoor opens a bind shell — it listens on the target for your incoming connection. A reverse shell is the opposite: the target connects back to you. Bind shells are blocked more often by firewalls; reverse shells are preferred in real engagements.
Keep Software Updated
The fix for CVE-2011-2523 was removing the backdoor in vsftpd 2.3.5. Outdated or unmaintained services in production environments are a leading cause of successful breaches. Always patch and verify software integrity.