📍Introduction Page
⭐Learning Process
🔠Fundamentals
🧰Tools
✍️Write Ups
- 🗃️Hack The Box Machines
- 🗃️Proving Grounds
  - 🐧Linux
    Stapler
    eLection
    Loly
    Blogger
    Potato
    Amaterasu
    Exfiltrated
    Pelican
    Astronaut
    Cockpit
    Levram
    Extplorer
    LaVita
    pc
    Scrutiny
    Zipper
    Flu
  - 🪟Windows
    Algernon
    AuthBy
📋Cheat Sheets
- Penetration Testing Cheat Sheet (In Progress)
🪪Certificates
- Penetration Tester (HTB CPTS)
🗄️Archive/Backup/Bin

Powered by GitBook

On this page

Enumeration & Reconnaissance
Gaining Initial Access
Privilege Escalation
Lessons Learned

✍️Write Ups

🗃️Proving Grounds

🪟Windows

Algernon

PreviousWindows NextAuthBy

Last updated 18 hours ago

Source: Proving Grounds OS: Windows Community Rating: Easy

Enumeration & Reconnaissance

I started by running autorecon, and it exposed many ports on the target: 135, 139, 21, 17001, 445, 49664, 49665, 49666, 49667, 49668, 49669, 5040, 80, 9998.
That’s a lot to deal with, luckily autorecon exposed port 80 and 9998 first, so I started with those two. Port 80 was just the default IIS page, while port 9998 was running an application called SmarterMail.

Gaining Initial Access

I searched for a CVE right away and found CVE-2019-7214. A PoC existed on Exploit-DB—I simply changed the IP addresses, and it worked perfectly.

Privilege Escalation

When I got the shell back, I was already NT AUTHORITY\SYSTEM, so there was no need for further privilege escalation. Such an easy box!

Lessons Learned

This is a hard one, Check for CVEs?, I guess.