Enumeration

Nmap

The initial Nmap scan revealed that HTTP, SMB and some common Windows ports were open. It also reported that the target was vulnerable to EternalBlue (MS17-010).

[Screenshot: 00 - nmap 1]

[Screenshot: 00 - nmap 2]

However, because the target was x86, the MS17-010 exploit did not work.

[Screenshot: 01 - 0 not working]

Web Enumeration

So I checked the website and found that it was an HP Power Manager web interface.

[Screenshot: 01 - web hp]

The credentials had been left at their defaults, so I simply logged in as admin:admin.

[Screenshot: 02 - admin admin logged in]

Then I checked the Help tab and found that it was HP Power Manager 4.2 (Build 7).

[Screenshot: 03 - version]

Exploitation (Directly SYSTEM)

CVE-2009-3999

Stack-based buffer overflow in goform/formExportDataLogs in HP Power Manager before 4.2.10 allows remote attackers to execute arbitrary code via a long fileName parameter.

The target was therefore vulnerable to remote code execution, so I simply used the Metasploit module exploit/windows/http/hp_power_manager_filename and obtained a SYSTEM shell.
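From the defender's side, the CVE text above gives a concrete detection signal: the overflow is triggered by an abnormally long fileName parameter sent to goform/formExportDataLogs. The following is an added example (not part of the original writeup or of any HP or Metasploit code) that scans web-server access logs for that pattern. It assumes a common-log-style format in which the query string appears in the request line, uses a constructed sample log, and treats the 128-character threshold as a heuristic; a fileName carried in a POST body would not appear in an access log, so this complements rather than replaces patching to 4.2.10 or later.

```python
"""Flag requests that match the CVE-2009-3999 pattern in HP Power Manager
access logs (added example; log format and threshold are assumptions)."""

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common-log-style line: src ident user [ts] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

# Endpoint named in the CVE description; compared case-insensitively.
VULNERABLE_PATH = "/goform/formexportdatalogs"
# Heuristic (assumption): legitimate export file names are short.
MAX_FILENAME_LEN = 128


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def filename_length(target):
    """Length of the decoded fileName parameter for the vulnerable endpoint.

    Returns None when the request is for a different path, 0 when the
    endpoint is hit without a fileName, otherwise the longest value seen.
    """
    parts = urlsplit(target)
    if parts.path.lower() != VULNERABLE_PATH:
        return None
    query = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    values = query.get("filename", [])
    if not values:
        return 0
    return max(len(unquote(v)) for v in values)


def find_suspicious_requests(log_text, max_len=MAX_FILENAME_LEN):
    """Return one record per request whose fileName exceeds max_len."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        n = filename_length(rec["target"])
        if n is None or n <= max_len:
            continue
        hits.append({
            "src": rec["src"],
            "ts": rec["ts"],
            "status": int(rec["status"]),
            "fileName_len": n,
        })
    return hits


# Constructed sample log: one normal export, one oversized fileName
# (a run of 'A's standing in for any long value), one unrelated request.
LONG_NAME = "A" * 400
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] '
    '"GET /goform/formExportDataLogs?fileName=report.csv HTTP/1.1" 200 512',
    f'10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] '
    f'"GET /goform/formExportDataLogs?fileName={LONG_NAME} HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:11 +0000] "GET /index.asp HTTP/1.1" 200 1024',
])


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} fileName length {hit["fileName_len"]} '
              f'(HTTP {hit["status"]})')
```

The 500 status on the flagged line is worth keeping in the record: a crash of the Power Manager service after an oversized request is itself a useful corroborating signal when triaging.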

[Screenshot: root]
