Metasploitable 3 - Windows Walkthrough

Metasploitable 3 represents a significant evolution in vulnerable-by-design virtual machines, moving from the Linux-centric foundations of its predecessors to a modern, automated Windows Server 2012 R2 environment.

An essay-length walkthrough of this machine is not merely a list of commands, but a study in defense-in-depth failure and the systematic exploitation of misconfigurations, outdated software, and weak administrative practices.

The Philosophy of Metasploitable 3

Unlike the original Metasploitable, which was a static "grab bag" of vulnerabilities, Metasploitable 3 is built using automation tools. This reflects the modern DevSecOps landscape; the vulnerabilities are not just accidental bugs but are often the result of intentional, scriptable misconfigurations that mirror real-world enterprise "technical debt."

Phase I: Reconnaissance and Surface Analysis

The engagement begins with a comprehensive Nmap scan. On the Windows instance of Metasploitable 3, the attack surface is vast, typically revealing over 15 open ports.

Standard Infrastructure: DNS (53), HTTP (80), RPC (135), NetBIOS (139), and SMB (445).

Application Layer: Services like Jenkins (8080), GlassFish (4848), and Apache Struts often provide the initial foothold.

The primary objective during reconnaissance is service fingerprinting. Identifying that a web server is running "IIS 8.5" or "Apache 2.4.23" allows the attacker to cross-reference known CVEs (Common Vulnerabilities and Exposures).

Phase II: The Initial Foothold (Web Exploitation)

The Windows version of Metasploitable 3 is frequently breached through its web application stack. One of the most classic entry points is the following:

Unauthenticated Access: Often, the Jenkins Script Console is left unprotected.

Remote Code Execution (RCE): Since Jenkins runs as a high-privileged service (often a dedicated service account), an attacker can execute Groovy scripts to spawn a reverse shell.

The Shell: Using a PowerShell one-liner, the attacker initiates a connection back to their Kali Linux machine, transitioning from an external observer to an internal user.

Alternatively, vulnerabilities in Apache Struts (CVE-2017-5638) allow for similar RCE vectors, highlighting the danger of unpatched middleware in a Windows environment.

Phase III: Post-Exploitation and Lateral Movement

Once a shell is established, the focus shifts to Enumeration. In Windows, this involves identifying:

User Context: whoami /priv to see enabled privileges like SeImpersonatePrivilege.

Network Connections: netstat -ano to find internal services not exposed to the outside.

Stored Credentials: Searching for unattend.xml files or credentials stored in registry keys.

Metasploitable 3 intentionally includes the ManageEngine Desktop Central vulnerability. Exploiting this often leads to the discovery of cleartext passwords or hashes within the application's configuration files, which can be reused across other services—a hallmark of poor credential hygiene.

Phase IV: Privilege Escalation

The goal on a Windows target is always NT AUTHORITY\SYSTEM. Metasploitable 3 offers several paths:

Insecure File Permissions: Some services may have executable directories that are world-writable. By replacing a service binary with a malicious payload (like Meterpreter), an attacker can gain SYSTEM rights upon the next service restart.

Kernel Exploits: While modern Windows is more resilient, the 2012 R2 base allows for older exploits if updates are withheld.

Token Impersonation: If the initial foothold is a service account, token impersonation tools can be used to steal tokens from logged-in administrators.

Conclusion: Lessons in Modern Vulnerability

A walkthrough of Metasploitable 3 Windows is a masterclass in the interconnectivity of weaknesses. It proves that a single unpatched web plugin (like Jenkins) can lead to the total compromise of a Windows domain environment. For security professionals, the machine serves as a reminder that "hardening" is not a one-time event but a continuous process of auditing service permissions, enforcing least privilege, and maintaining a rigorous patching schedule.

The walkthrough for Metasploitable 3 (Windows) typically documents a comprehensive attack lifecycle, ranging from initial reconnaissance to full system compromise. Unlike its predecessor, Metasploitable 3 was built by Rapid7 to provide a more modern, automated environment for testing complex vulnerabilities.

Reports and walkthroughs for this target generally follow these key phases:

1. Reconnaissance and Information Gathering

The first step involves identifying the target's presence and open services on the network.

Network Discovery: Using tools like netdiscover or nmap to find the IP address and list active services.

Port Identification: A standard scan typically reveals several open ports, including FTP (21), SSH (22), HTTP (80), SMB (445), MySQL (3306), and RDP (3389).

2. Service Exploitation

Walkthroughs often highlight specific high-value services that serve as entry points:

SMB (Port 445): Many guides, such as those on Medium, focus on exploiting the MS17-010 (EternalBlue) vulnerability to gain immediate administrative access.

Web Services: Exploitation of application-layer vulnerabilities, such as unauthenticated access to Jenkins or misconfigured Tomcat servers, which can lead to privileged shell access.

Remote Management (Port 5985): Reports often demonstrate gaining access through Windows Remote Management (WinRM) using weak credentials or specific exploits.

RDP (Port 3389): Researchers like Kalash Kundaliya detail methods for gaining graphical access, including the exploitation of BlueKeep (CVE-2019-0708).

3. Post-Exploitation

Once a shell is established, the focus shifts to maintaining access and escalating privileges.
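For the stored-credential check mentioned under Phase III above (unattend.xml files), here is an added audit script (example code written for this page, not from any of the walkthroughs it summarises) that reports every stored password in a Windows answer file, whether it is plaintext, and its length, without printing the value. The sample file and both values in it are constructed.

```python
"""Report stored credentials in a Windows unattend.xml answer file.
Added example, not from the original page: lists every password element in the
unattend schema, says whether it is plaintext, and never prints the value."""
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

# Constructed sample; both values are made up and not real credentials.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password><Value>Y29uc3RydWN0ZWQtc2FtcGxl</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword><Value>Winter2024!</Value><PlainText>true</PlainText></AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""

def _location(elem, parents):
    """Path such as oobeSystem/Microsoft-Windows-Shell-Setup/AutoLogon/Password."""
    parts = [elem.tag.replace(NS, "")]
    node = parents.get(elem)
    while node is not None:
        local = node.tag.replace(NS, "")
        if local == "settings":
            parts.append(node.get("pass", local))   # configuration pass
        elif local == "component":
            parts.append(node.get("name", local))   # component name
        elif local != "unattend":
            parts.append(local)
        node = parents.get(node)
    return "/".join(reversed(parts))

def find_stored_credentials(xml_text):
    """Return sorted (location, is_plaintext, value_length) for every stored password."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for tag in ("AdministratorPassword", "Password"):  # Password covers AutoLogon and LocalAccount
        for elem in root.iter(NS + tag):
            value = (elem.findtext(NS + "Value") or "").strip()
            if not value:
                continue  # empty element, nothing stored
            plaintext = (elem.findtext(NS + "PlainText") or "false").strip().lower() == "true"
            findings.append((_location(elem, parents), plaintext, len(value)))
    return sorted(findings)
```

Any non-empty finding on a deployed host means the answer file should be removed after setup; a plaintext finding additionally means the account password should be rotated.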

Learning Windows Server Exploitation - Metasploitable 3 : r/oscp


8. Privilege Escalation (once inside low-priv shell)

Check SeImpersonatePrivilege etc.

Use Metasploit getsystem – but may fail. Try Potato exploits:

msf6 > use exploit/windows/local/ms16_075_reflection_juicy

Or manually upload and run JuicyPotato.exe.


3.3 Elasticsearch (Port 9200)

Older Elasticsearch versions are vulnerable to CVE-2014-3120 (Remote Code Execution).

# Check version
curl http://192.168.56.102:9200

3. Vulnerability Scanning

# Use vulners script to find known CVEs
nmap --script vulners -sV -p 445,8080,8585,9200 192.168.1.100
