search
Read BlogpostsLet's Connect

windowsKevin

Use public Buffer Overflow exploit to gain elevated privilege

hashtag
Summary

  • HP Power Manager runs on port 80, allowing admins to log in using the default password.

  • A vulnerable version of HP Power Manager was discovered upon logging in, which can be exploited using a publicly available exploit.

  • On executing the exploit, we will get the NT SYSTEM shell.

hashtag
🧵Let's Unpack

hashtag
Enumeration

# NMAP
sudo nmap -sC -sN -A -oN nmapFull -p- -A 192.168.166.45

Nmap scan report for 192.168.166.45
Host is up (0.086s latency).

PORT     STATE SERVICE            VERSION
80/tcp   open  http               GoAhead WebServer
|_http-server-header: GoAhead-Webs
| http-title: HP Power Manager
|_Requested resource was http://192.168.166.45/index.asp
135/tcp  open  msrpc              Microsoft Windows RPC
139/tcp  open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds       Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2024-06-25T15:53:19+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=kevin
| Not valid before: 2024-03-22T01:47:18
|_Not valid after:  2024-09-21T01:47:18
| rdp-ntlm-info: 
|   Target_Name: KEVIN
|   NetBIOS_Domain_Name: KEVIN
|   NetBIOS_Computer_Name: KEVIN
|   DNS_Domain_Name: kevin
|   DNS_Computer_Name: kevin
|   Product_Version: 6.1.7600
|_  System_Time: 2024-06-25T15:53:10+00:00
3573/tcp open  tag-ups-1?

hashtag
Initial Foothold

Getting Shell without using Metasploit

Exploit used: https://github.com/CountablyInfinite/HP-Power-Manager-Buffer-Overflow-Python3/blob/master/README.mdarrow-up-right.

You can use the following exploit to get a shell using Metasploit

PreviousResourcedNextNara

Last updated