Environment Setup
II. Nessus Installation & Initial Vulnerability Scan
III. Exploitation and Verification of Critical Vulnerabilities
After running the nmap scan, I noticed several services in use that are now considered insecure, primarily because of the plaintext exchange of credentials or commands. However, keeping consistent with the priority to close the bindshell that Nessus detected, we can move on for the moment and we'll notice that Metasploitable has a root shell open on port 1524/tcp
Exploitability: Now that we have confirmed that the vulnerability exists, and have exploited it ourselves, we're now also able to confirm that an attacker could gain access through a bind shell and perform any action the compromised system permits. Including the installation of malware, data exfiltration, or creating persistent access on the system once entry was obtained.
Implications: Give that this is such a debilitating vulnerability, we'll want to begin remediation right away. Thankfully, in our hypothetical business environment, the remediation of this specific vulnerability shouldn't provide any user or service interruption, and should be a straightforward fix.
Now that we are aware of the specific service creating the backdoor, we can try and determine where this has been set. Checking the net.conf (under.etc/inetd.conf) we are able to find a line for Ingreslock set to send a bash shell back in response to connections established over port 1542 for the ingreslock service
To confirm that the bind shell vulnerability has been successfully mitigated, we initiate a follow-up vulnerability scan using Nessus. The goal is to verify that port 1524/tcp is no longer exposing a root shell.
Upon completion of the scan, the Bind Shell Backdoor Detection finding is no longer present in the report—validating that the change made to inetd.conf and the restart of xinetd were effective in removing the vulnerability.
Compliance Considerations:
NIST SP 800-53 RA-5 (Vulnerability Scanning): Requires organizations to verify and validate that vulnerabilities have been resolved
Vulnerability Name: VNC Password is "Password"
CVE ID: N/a
CVSS Score: 10 (critical)
Description: Our Metasploitable machine hosts a VNC service, but it is secured with weak authentication credentials. In this scenario, an attacker could easily gain access to the service, exploiting the vulnerability and gaining a remote shell
Initial Assessment: This vulnerability represents a severe breach in authentication control and highlights the risk ofusing default or weak credentials. The VNC service would be crack would be near-instance and provide unauthorized remote access to the system with a potential for privilege escalation.
Verification Steps taken:
Installed tigervnc-viewer on the Nessus machine
Used vncviewer 10.0.0.10:1 with a password value of 'password' and was able to access the metasploitable machine's desktop through tigervnc
Remediation
Compliance Considerations:
NIST SP 800-53 AC-2 (Account Management): strengthening authentication mechanisms and eliminating default credentials.
After updating the VNC server password and restarting the service, from the scanning machine we'll attempt to reconnect to the Metasploitable host. When prompted, we'll enter the previous default password. The subsequent connection attempt fails with an authentication error confirming that the password update was successful and the weak default credential is no longer valid
Although the VNC authentication failure confirmed that the default password had been changed, the vulnerability still appeared in the subsequent Nessus scan.
To investigate furtherl we'll return to the Metasploitable VM and attempt to reinitialize the VNC server using:
The output indicated that display :0 was already active, suggesting that an existing VNC session—possibly still using the old credentials—was running in the background and contributing to the continued detection of the vulnerability.
After confirming that display :0 was still active, the next step was to shut down the running VNC server instance:
However, metasploitable returned an error stating that the .pid file could not be found, indicating that the session could not be cleanly terminated using the standard method.
This suggests that either the VNC session was improperly initialized or a startup script was interfering with the way we'd normally kill this service.
Compliance Considerations:
This scenario highlights the importance of proper service lifecycle controls as addressed in:
NIST SP 800-53 CM-5 (Access Restrictions for Change): Ensuring administrators can reliably terminate or restart services when applying security updates.
I first attempted to kill the xtightvnc service by identifying its process ID with ps aux | grep "xtightvnc" and killed the corresponding PID. However, every time I would kill the service, it would restart itself, finding another entry each time running ps under a different PID.
First, I checked the init.d directory for a startup/logon script that could enable this, though that did not turn up any clues.
So I then redirected my attention to /etc/rc.local to attempt to find scripts that ran during startup, and it was there that I found my answer.
It seems that there is an added line to remove the .pid files within the .vnc directory. This would be the reason behind why I was unable to find the correct display in order to apply changes needed to the password. I began by commenting this line out of rc.local
Compliance Considerations:
NIST SP 800-53 CM-6 (Configuration Settings): Uncovering and correcting unauthorized or undocumented startup behavior that could obstruct system management and remediation efforts.
Without the PID, the process will have to be identified and killed manually. Ran 'ps aux | grep xtightvnc' but was met with no results. Further, searched for ps aux | grep vnc instead and received the following output. In that which, I can see that there are two processes shown. Te first seems to be the xtightvnc process associated with running display 0, while the second seems to be a startup script that could setup the desktop environment and any initial programs or settings for the session. In this case, we'll need to kill the first listed.
I was able to kill the associated process by PID with 'sudo kill 5511', and verified that the server was not running by simply restarting and killing the display that showed up to ensure that the vncserver kill command was successful.
I then recreated the display 0, and logged back onto the Nessus machine to test that the new password was required in order to connect, and I could see that 'password' was no longer accepted. Concluded remediation by closing the VNC session and rerunning the vulnerability scan to ensure that the vulnerability was no longer present.
After running the Nessus scan once again, we can see that the VNC password vulnerability is no longer present.
Vulnerability Name: Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
CVE ID: N/a
CVSS Score: 10 (critical)
Discovered On: Metasploitable2 VM (10.0.0.10/28)
Description: Nessus has detected a bug in the random number generation resulting in a remote SSH key that an attacker could obtain the private part the the hotkey to decipher a remote session. This could result in the attacker gaining a remote shell, or setting up a On-path attack.
Initial Assessment: The vulnerability identified in this scenario is related to a well-documented flaw in Debian’s implementation of OpenSSL, in which a bug in the RNG results in predictable SSH key pairs.
This affects systems like Metasploitable2 that use the vulnerable Debian-based OpenSSH/OpenSSL package set.
Nessus has flagged this as a critical vulnerability, scoring 10.0 on the CVSS scale, due to its high exploitability and impact. An attacker with access to the network could use publicly available tools to generate the entire key space affected by the weak RNG, allowing them to:
Derive the private SSH host key.
Perform MITM attacks.
Decrypt traffic or impersonate the server to clients.
Establish remote access by impersonating trusted hosts or injecting themselves into SSH sessions.
This type of vulnerability poses severe risks to system confidentiality and integrity.
Remediation
This vulnerability is common with older Debian-based distributions running SSH as there is a lack of needed entropy when generating the cryptographic keys. Simply regenerating the keys may not be enough if the OpenSSL version isn't patched. To begin, we'll attempt to update the system
However, what we find instead is that we're unable to fetch the needed update files from
After killing the process, given that the vulnerability specifically mentions issues with the SSH host keys, we'll regenerate those using this command for the RSA and DSA host keys:
sudo ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
sudo ssh-keygen -t isa -f /etc/ssh/ssh_host_dsa_key _N ""
Where in:
-t represents the key type
-f represents the file name and location for the new keys
-N "" represents an empty passphrase
Compliance Considerations:
NIST SP 800-53 SC-12 (Cryptographic Key Management) - reestablishing the cryptographic integrity of the system using secure, non-predictable key material
Conclusion
Upon further scanning, this shows as being still present. This is because despite the keys being regenerated, the crypography is simply too vulnerable to resolve. This theoretically could be resolved by updating to a later, more secure version of SSH, but Metasploitable is not able to reach modern repositories (or even the older repositories at old-releases.ubuntu.com) to undergo that task. However, key regeneration, coupled with an update, would normally resolve this issue. However here it proves to be a bit of an "unpatchable problem child"
Outside of this particular vulnerability however, all of our criticals with high CVSS scores are resolved! I hope this project comes of some use to those who may read, as it was super interesting to work on, and Tenable was a great platform to learn within to garner hands-on vulnerability scanning experience.