IR 312: Vulnerability Scanning with Nuclei (15 pts + 30 extra)

What You Need for This Project

Purpose

To practice using the Nuclei vulnerability scanner. Nuclei is fast and highly configurable: it runs a library of community-maintained templates that check for known vulnerabilities in thousands of widely deployed products. In this project, we'll use it to scan deliberately vulnerable servers running in Docker. Finding new vulnerabilities in custom software requires fuzzing, which we will do in a separate project.

Making a Debian Virtual Machine

Make a virtual machine with at least 40 GB of storage. You can use either ARM or Intel processors. I used Debian 12. You can use these instructions.

Installing Go

Nuclei is written in Go. On your Linux machine, execute the appropriate commands below, depending on your processor type:

On an ARM Processor

    wget https://go.dev/dl/go1.24.4.linux-arm64.tar.gz
    sudo tar -C /usr/local -xzf go1.24.4.linux-arm64.tar.gz
  

On an Intel (or AMD) Processor

    wget https://go.dev/dl/go1.24.4.linux-amd64.tar.gz
    sudo tar -C /usr/local -xzf go1.24.4.linux-amd64.tar.gz
  
Then execute this command:
nano .bashrc
Add this line to the bottom, as shown below:
export PATH=$PATH:/usr/local/go/bin

Save the file with Ctrl+x, y, Enter.

Then execute these commands:

source .bashrc
go version
You see a Go version number, as shown below.

Installing Nuclei

On your Linux machine, execute these commands:
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nano .bashrc
Add this line to the bottom, as shown below:
export PATH=$PATH:~/go/bin

Save the file with Ctrl+x, y, Enter.

Then execute these commands:

source .bashrc
nuclei
You see a "nuclei" banner, as shown below:

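The Go and Nuclei setup above, as one re-runnable script. This is an added example, not part of the course page or the Nuclei project. It adds two things a practitioner wants over the manual steps: the Go tarball is checked against the .sha256 file go.dev publishes next to each download before it is unpacked (the script assumes that file holds only the hex digest), and each PATH line is appended to ~/.bashrc only if it is not already there, so running the script twice does not duplicate the lines. The script name and the GO_VERSION and PROFILE variables are my own choices.

```sh
#!/bin/sh
# Added example (not from the course page): Go + Nuclei setup as one script.
# Extra over the manual steps: SHA-256 check of the Go tarball before
# unpacking, and idempotent PATH edits in ~/.bashrc.
set -eu

GO_VERSION="${GO_VERSION:-1.24.4}"
PROFILE="${PROFILE:-$HOME/.bashrc}"

# Map `uname -m` output to the suffix Go uses in its tarball names.
go_arch() {
    case "$1" in
        x86_64|amd64)  echo amd64 ;;
        aarch64|arm64) echo arm64 ;;
        *) echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Append a line to a file only if that exact line is not already in it.
append_once() {
    line="$1"; file="$2"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Download, verify and unpack Go into /usr/local. Needs network and sudo;
# not exercised by the test. Assumption: the .sha256 file published by
# go.dev holds only the hex digest, so it is rewritten into the
# "digest  filename" form that sha256sum -c expects.
install_go() {
    arch=$(go_arch "$(uname -m)")
    tarball="go${GO_VERSION}.linux-${arch}.tar.gz"
    wget -q "https://go.dev/dl/${tarball}" "https://go.dev/dl/${tarball}.sha256"
    printf '%s  %s\n' "$(cat "${tarball}.sha256")" "$tarball" | sha256sum -c -
    sudo rm -rf /usr/local/go
    sudo tar -C /usr/local -xzf "$tarball"
    append_once 'export PATH=$PATH:/usr/local/go/bin' "$PROFILE"
}

# Build Nuclei from source with go install and put ~/go/bin on PATH.
install_nuclei() {
    PATH="$PATH:/usr/local/go/bin:$HOME/go/bin"
    go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
    append_once 'export PATH=$PATH:~/go/bin' "$PROFILE"
    go version
    nuclei -version
}

# Usage: ./setup-nuclei.sh --install   (then: source ~/.bashrc)
# Without --install the script only defines the functions above.
if [ "${1:-}" = "--install" ]; then
    install_go
    install_nuclei
fi
```

Run it with --install, then source ~/.bashrc as the page says. If sha256sum -c reports a mismatch the script stops before tar runs, which is the whole point of fetching the digest.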
Installing Docker

We'll use Docker to run vulnerable servers.

On your Linux machine, execute these commands:

sudo apt update
sudo apt install docker.io -y
sudo apt install docker-compose -y
sudo usermod -aG docker $USER
newgrp docker
sudo reboot
When your machine reboots, log in as usual, and then execute this command:
docker -v
You see a Docker version number, as shown below.

Installing Nuclei Templates Labs

These labs demonstrate how Nuclei works.

On your Linux machine, execute these commands:

sudo apt install git -y
git clone https://github.com/projectdiscovery/nuclei-templates-labs.git
cd nuclei-templates-labs
ls -l
There are several categories, including "http", as shown below.

Running a Server with the CVE-2025-31161 Vulnerability

On your Linux machine, execute these commands:
cd http/cves/2025/CVE-2025-31161
less README.md
You see a description of this vulnerability. It's an authentication bypass in CrushFTP Server, as shown below.

Press q to exit from "less".

To start the server, execute this command:

docker-compose up -d
The server starts, as shown below.

Viewing Listening Ports

On your Linux machine, execute this command:
sudo ss -pntl
You see docker-proxy listening on port 8081 (and other ports), as shown below.

Viewing the Login Page

If you don't know your Linux machine's IP address, execute the ip a command to find it.

Then, in a Web browser on your host system, open this URL, replacing the IP address with the correct address of your Linux machine:

http://192.168.121.188:8081/WebInterface/login.html
You see a CrushFTP login page, as shown below.

Flag 312.1: Scanning the Vulnerable Server with Nuclei (15 pts)

On your Linux machine, execute the commands below.

The "-es info,low" switch (short for -exclude-severity) skips templates rated info or low, so the output is limited to medium, high and critical findings.

Nuclei runs thousands of templates against the target in a few minutes.

cd
nuclei -u http://localhost:8081 -es info,low
The flag is covered by a green rectangle in the image below.

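The same scan, kept as machine-readable output and summarised, as an added example that is not part of the course page or the Nuclei project. It uses Nuclei's -jsonl (JSON Lines output), -o (output file) and -silent (no banner or progress) flags alongside the -u and -es flags from the step above, then counts findings per severity and lists the template ID and matched URL for a chosen severity with grep and sed, so no jq is needed. The four JSONL result lines embedded at the bottom are constructed for the example, not captured from a real scan, and the sample-* template IDs are hypothetical.

```sh
#!/bin/sh
# Added example (not from the course page or Nuclei): scan with JSONL
# output and summarise the results instead of reading them off the screen.
set -eu

# Scan one target with the page's filter (drop info and low) and save
# JSON Lines to $2. Needs nuclei on PATH and a running target; the
# test below does not call this.
scan_target() {
    target="$1"; out="$2"
    nuclei -u "$target" -es info,low -jsonl -o "$out" -silent
}

# Count findings per severity in a Nuclei JSONL file. Each result line
# carries "info":{...,"severity":"<level>",...}; grep/sed pull that value
# out. Output: "<severity> <count>", highest count first.
summarize_jsonl() {
    grep -o '"severity":"[a-z]*"' "$1" \
        | sed 's/"severity":"\([a-z]*\)"/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{print $2, $1}'
}

# Print "<template-id> <matched-at>" for every finding at severity $1 in
# file $2. Relies on template-id appearing before matched-at on each line,
# which is the field order Nuclei writes.
findings_at() {
    grep "\"severity\":\"$1\"" "$2" \
        | sed 's/.*"template-id":"\([^"]*\)".*"matched-at":"\([^"]*\)".*/\1 \2/'
}

# Constructed sample output (NOT captured from a real scan): one result for
# the CrushFTP template, two hypothetical medium findings and one info line,
# trimmed to the fields the functions above use.
SAMPLE_JSONL='{"template-id":"CVE-2025-31161","info":{"name":"CrushFTP - Authentication Bypass","severity":"critical"},"type":"http","host":"localhost:8081","matched-at":"http://localhost:8081"}
{"template-id":"sample-missing-header","info":{"name":"Hypothetical finding A","severity":"medium"},"type":"http","host":"localhost:8081","matched-at":"http://localhost:8081/WebInterface/login.html"}
{"template-id":"sample-weak-cookie","info":{"name":"Hypothetical finding B","severity":"medium"},"type":"http","host":"localhost:8081","matched-at":"http://localhost:8081/WebInterface/login.html"}
{"template-id":"sample-tech-detect","info":{"name":"Hypothetical fingerprint","severity":"info"},"type":"http","host":"localhost:8081","matched-at":"http://localhost:8081"}'

# Write the constructed sample to a temp file and print its path.
write_sample() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_JSONL" > "$f"
    echo "$f"
}

# Usage: ./scan-summary.sh http://localhost:8081 results.jsonl
# With no arguments it runs the summary over the constructed sample.
if [ $# -ge 2 ]; then
    scan_target "$1" "$2"
    file="$2"
else
    file=$(write_sample)
fi
summarize_jsonl "$file"
findings_at critical "$file"
```

Keeping the JSONL file is also what makes the "delete the server" step safe to do early: the evidence for the flag is in results.jsonl, not in a terminal scrollback. Note that the -es info,low filter is applied at scan time, so an info-rated finding never reaches the file; for Flag 312.3 below, run the scan without it.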
Deleting the Vulnerable Server

On your Linux machine, execute this command:
docker ps
Find your container ID, highlighted in the image below.

Execute these commands, replacing the ID number with the correct ID for your container:
docker stop d2f1c924dd64
docker rm d2f1c924dd64

RoundCube (10 pts extra)

Navigate to the directory shown below, and start the container with docker-compose up -d, as you did above.

(Note that the README.md file gives an incorrect command for starting the container; use the docker-compose command above instead.)

Find the listening port, as you did above.

View the Web page, as shown below.

Flag 312.2: Scan the RoundCube Server (10 pts extra)

Scan the server, as you did above.

The flag is covered by a green rectangle in the image below.

Delete the server when you are done with it.

Flag 312.3: Deprecated TLS (10 pts extra)

Use this container:
~/nuclei-templates-labs/ssl/deprecated-tls
Follow the README file. You need to create a directory and an SSL certificate for the server to present.

You don't need to write a template.

Scan the server. This time, don't exclude info results: the template that reports deprecated TLS versions is rated info, so the -es info,low filter used earlier would hide the flag.

The flag is covered by a green rectangle in the image below.

Delete the server when you are done with it.

Flag 312.4: Default Login (10 pts extra)

Use this container:
~/nuclei-templates-labs/javascript/default-logins/postgres-default-logins
Follow the README file.

You don't need to write a template.

Scan the server.

The flag is covered by a green rectangle in the image below.

Delete the server when you are done with it.

References

Introducing Nuclei Templates Labs: A Hands-on Security Testing Playground

Learn Nuclei in 30 minutes - DEF CON Nuclei Demo

Posted 7-5-25