📋 BRIEFING
⚠ AUTHORISED PENTEST — ENGAGEMENT BRIEF

MISSION BRIEFING

Module 4  |  Reconnaissance & Exploitation
Scenario
You have been contracted to perform a black-box penetration test against an Apex Systems Inc. server on an isolated lab network. Your client has provided only the network range. You must identify the target, enumerate its services, research any vulnerabilities, and exploit them to retrieve the flag.
Objectives
1
Discover the live host on the 10.10.10.0/24 network.
2
Run a service version scan to identify what is running on the target.
3
Perform a WHOIS lookup to gather intelligence on the target organisation.
4
Research any discovered services in VulnSearchDB for known CVEs.
5
Exploit the vulnerability to access the FTP server and retrieve flag.txt.
6
Submit the flag contents via the Incident Report.
Tools Available
💻
Terminal
nmap, whois, ftp, nslookup — your primary recon toolkit
🌐
Web Browser
VulnSearchDB for CVE research, target web portal
📋
Incident Report
Submit the recovered flag to complete the engagement
Scope
Network: 10.10.10.0/24
Display Mode
INCIDENT REPORT — SUBMISSION
🔐 Exploitation Report
Retrieve flag.txt from the FTP server, then paste the flag value below and submit.
Target IP
Vulnerability Exploited
Flag — paste the contents of flag.txt here
VIRTUAL PENETRATION TESTING ENVIRONMENT
MODULE 4 — RECONNAISSANCE & EXPLOITATION
Initializing kernel modules...

🎯 ASSIGNMENT GOALS

Run an Nmap scan and identify the FTP service and version on the target.
Run a WHOIS lookup on the target IP.
Look up the CVE for the discovered FTP version in VulnSearchDB.
Connect to the FTP server and download the file called flag.txt.
Submit the flag via the Incident Report.
PHASE 1 — RECONNAISSANCE
💻
Terminal
🌐
Web Browser
📝
Notepad
📋
Incident Report
⬡ LAB OS
Terminal
Browser
Notepad
Report
00:00:00
TERMINAL — STUDENT@LABVM
CyberSec Lab Terminal v3.1 — Type 'help' for commands
Target network: 10.10.10.0/24
 
student@labvm:~$
WEB BROWSER
🔍 VulnSearchDB
🏢 Target Corp
📄 CVE-2010-0218
LAB BROWSER
Use the bookmarks bar or type a URL above
🔍
VulnSearchDB
🏢
10.10.10.5
Browse
Recent
Statistics
API
Search the vulnerability database. Try: cerberus ftp · CVE-2010-0218 · anonymous ftp
247,893
Total CVEs
1,847
Added This Year
98.4%
With CVSS Score
← Back to Search
CVE-2010-0218
Cerberus FTP Server < 4.0.3.0 — Anonymous Login with Hidden File Disclosure
CVSS 7.5 — HIGH CWE-264 Permissions FTP
Description
Cerberus FTP Server before version 4.0.3.0 allows remote authenticated users to list hidden files and directories even when the "Display hidden files" option is disabled, via the MLSD or MLST FTP commands. Additionally, in version 3.0.0, the server ships with anonymous FTP access enabled by default with read permissions granted to the root share. An unauthenticated remote attacker can connect using the username anonymous with any string as the password (typically an email address) and browse the FTP directory structure, including directories and files that should not be publicly accessible.
CVE ID
CVE-2010-0218
Published
2010-01-08
Affected Product
Cerberus FTP Server < 4.0.3.0
Affected Version (Lab)
3.0.0
Attack Vector
Network
Authentication Required
None (Anonymous)
Exploit Details
# CVE-2010-0218 — Cerberus FTP Server 3.0.0 Anonymous Access Exploit
# Affected: Cerberus FTP Server < 4.0.3.0
# Platform: Windows Server 2003 (common deployment)
# Port: 21 (FTP)

STEP 1: Connect to the target FTP service
  ftp <target-ip>

STEP 2: Authenticate with anonymous credentials
  Username: anonymous
  Password: <any string, e.g. guest@lab.com>

STEP 3: Enumerate the directory structure
  ls        — list current directory
  dir       — alternative listing
  cd <dir>  — change directory

STEP 4: Retrieve target files
  get <filename>   — download a file
⚠ This vulnerability exists because Cerberus FTP 3.0.0 enables anonymous login by default with read access to all shared directories. No authentication bypass is needed — anonymous login is a built-in feature that was not disabled.
References
• NVD Entry: nvd.nist.gov/vuln/detail/CVE-2010-0218
• Vendor Advisory: cerberusftp.com/products/changelog (fixed in 4.0.3.0)
• OSVDB-61861: Open Source Vulnerability Database
• Reported by: Anonymous security researcher, January 2010
Home
Products
Support
Contact

APEX SYSTEMS INC.

Enterprise infrastructure solutions — Internal web portal

⚠ This is an internal network resource. Unauthorized access is prohibited.

SERVER INFO

Host: apex-srv-01
OS: Windows Server 2003
IP: 10.10.10.5
Domain: apexsystems.lab

ACTIVE SERVICES

HTTP :80 — Running
FTP :21 — Running
SMB :445 — Running
RDP :3389 — Disabled

CONTACT

IT Dept: it@apexsystems.lab
Admin: admin@apexsystems.lab
Helpdesk: ext. 1100

NOTEPAD — submission.txt
FileEditFormatView
Ln 1, Col 1UTF-8submission.txt