Kevin — OSCP Proving Ground

Mrtechghost
2 min readMay 28, 2022

#oscp #easybox #windows #provingground

Hello guys, today I am writing a blog post about the Kevin box from the OffSec Proving Grounds.

Whenever we get a new host, we should always start with an Nmap scan with basic service and version detection.

Enumeration: Stage 1

nmap -Pn -sS -sV IP > nmapbasic.txt

  • -sS (SYN scan)
  • -sV (service version detection)
  • -Pn (no ping, skip host discovery)

Here we stored the Nmap scan results in the nmapbasic.txt file using the > redirect.

On completion of the nmap scan, we got some open ports.

PORT STATE SERVICE VERSION
80/tcp open http GoAhead WebServer
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7–10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC

Mindmap

Port 80 — Visit website > find login > try default credentials

Port 139/445 > nmap SMB enum/vulnerability scan > find active share

Scan other ports for further enumeration.

So as per the mind map we started with the web application. Here we found HP Power Manager.

Web application steps I follow

  1. Default credentials
  2. Sitemap
  3. Robots.txt

Surprisingly, we logged into the web application with the default credentials admin/admin and learned that the application is running HP Power Manager 4.2.

We then simply googled HP Power Manager 4.2 and found the following GitHub code for remote code execution. We also searched for the exploit using a search engine.

https://github.com/Muhammd/HP-Power-Manager/blob/master/hpm_exploit.py

After executing the exploit against our target, we got a reverse shell as the nt authority\system user, which is the system administrator account.

That's all for this blog. :)