Mastering Metasploitable 3: A Windows Exploitation Walkthrough

Metasploitable 3 is an intentionally vulnerable virtual machine designed for security professionals to sharpen their penetration testing skills. Unlike its predecessors, the Windows version offers a modern playground of misconfigurations and unpatched services. This walkthrough focuses on the Windows Server 2008 R2 version.

1. Reconnaissance and Scanning

Every successful exploit begins with information gathering. Using Nmap, we identify open ports and services running on the target.

Command: nmap -sV -sC -Pn <target IP>

Key Findings: You will likely see open ports for HTTP (80, 8282), SMB (445), MySQL (3306), and ManageEngine (8080). Each of these represents a potential entry point.

2. Exploiting Web Services: ManageEngine

One of the most reliable entry points on Metasploitable 3 is the ManageEngine Desktop Central 9 instance running on port 8080. It is vulnerable to a File Upload RCE (Remote Code Execution).

Tool: Metasploit Framework

Module: exploit/windows/http/manageengine_connectionid_write

Action: Set your RHOSTS to the target IP. Set PAYLOAD to windows/meterpreter/reverse_tcp. Execute exploit to gain a Meterpreter shell.

3. Exploiting SMB: EternalBlue (MS17-010)

While Metasploitable 3 is often patched against the basic EternalBlue, it remains a classic test case for checking legacy system security.

Check: Use the auxiliary module auxiliary/scanner/smb/smb_ms17_010 to see if the target is vulnerable.

Execution: If vulnerable, the exploit/windows/smb/ms17_010_eternalblue module can provide immediate SYSTEM level access, bypassing the need for further privilege escalation.

4. Privilege Escalation: From User to System

If you gained access as a low-privileged user (e.g., through the web server), you need to escalate your rights.

Technique: Use the post/multi/recon/local_exploit_suggester module in Metasploit.
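
The vector this section relies on, the AlwaysInstallElevated policy, is also a setting a defender can audit on every host before an attacker does. The PowerShell below is an added example and not part of the original walkthrough; it reads the two policy keys Windows Installer consults (HKLM and HKCU) and reports whether the weak setting is active, treating a missing value as the secure default of 0.

```powershell
# Added audit example (not from the walkthrough): checks the local host for the
# AlwaysInstallElevated weakness. Windows Installer only honours the policy when
# BOTH the machine-wide (HKLM) and the per-user (HKCU) DWORD values are set to 1;
# an absent key or value behaves as 0, which is the secure default.
function Get-AlwaysInstallElevatedStatus {
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hives  = @{
        HKLM = "HKLM:\$subKey"
        HKCU = "HKCU:\$subKey"
    }

    $values = @{}
    foreach ($hive in $hives.Keys) {
        # SilentlyContinue covers both a missing key and a key without the value
        $item = Get-ItemProperty -Path $hives[$hive] -Name 'AlwaysInstallElevated' `
                                 -ErrorAction SilentlyContinue
        $values[$hive] = if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { 0 }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        HKLM         = $values.HKLM
        HKCU         = $values.HKCU
        # Exploitable only when both halves of the policy are enabled
        Vulnerable   = ($values.HKLM -eq 1 -and $values.HKCU -eq 1)
        Remediation  = 'Disable "Always install with elevated privileges" under both ' +
                       'Computer and User Configuration > Administrative Templates > ' +
                       'Windows Components > Windows Installer (sets both values to 0)'
    }
}

# Run locally; wrap in Invoke-Command to sweep a fleet of hosts.
Get-AlwaysInstallElevatedStatus | Format-List
```

Because HKCU is evaluated for the user running the check, run it in the context of the standard user accounts you care about, not only as an administrator.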

Common Vector: The AlwaysInstallElevated registry setting is often enabled on this VM. You can exploit this by generating a malicious .msi file that runs with elevated permissions.

5. Post-Exploitation: Database Access

Once inside, you can pivot to explore the databases. The MySQL service on port 3306 often contains sensitive credentials.

Access: Use mysql -h <target IP> -u root (often there is no password by default).

Goal: Dump the users table from the web application database to find administrative credentials for other services on the network.


Prerequisites

  • Hyper-V (Windows Pro/Enterprise) or VirtualBox (less stable but works)
  • Vagrant (latest version)
  • Packer (latest version)
  • Git (to clone the repo)
  • At least 8GB RAM and 50GB free disk space

1. Host Discovery

Using Kali Linux, run a quick Nmap ping sweep to locate the host.

nmap -sn 192.168.X.0/24

Replace 192.168.X.0 with your specific subnet.
