This is a walkthrough of the machine Algernon from OffSec's Proving Grounds Play labs.
Machine information:
- Level: Easy
- Community rating: Easy
- Flags: 1
- OS: Windows
- Vector: SmarterMail
Nmap
sudo nmap -A --open -sV -sC -v -p- <IP>
Starting off with an Nmap scan, we discover the following interesting ports open:
- 21 - FTP
- 80 - HTTP
- 9998 - HTTP
- 17001 - MS .NET Remoting

SmarterMail
Navigating to http://<IP>:9998 reveals a login page for SmarterMail:

Attempting default credentials on this page does not succeed, so instead we try to identify which version of SmarterMail is running, which can be found in the page's source code:

The source code reveals SmarterMail build 6919.
Exploiting SmarterMail
A search for SmarterMail build 6919 points us to multiple articles (such as https://www.rapid7.com/db/modules/exploit/windows/http/smartermail_rce/) discussing CVE-2019-7214, which affects SmarterMail builds < 6985 and allows remote code execution in the SYSTEM context.
This seems promising, especially given our discovery of port 17001 (the .NET Remoting service the vulnerability is reached through) being open in the initial Nmap scan:
17001/tcp open remoting MS .NET Remoting services
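From the defender's side, the two facts above (build number below 6985, .NET Remoting reachable on 17001) are exactly what a patch-triage check should flag. The following is an added example, not part of the original walkthrough or of SmarterMail; it assumes the build number appears in the login page source as "build NNNN" and parses Nmap normal output for open ports, both on constructed sample input.

```python
import re

# Build in which SmarterMail fixed CVE-2019-7214 (per the Rapid7 module cited above).
PATCHED_BUILD = 6985
# Port on which SmarterMail exposes its .NET Remoting service (from the Nmap output above).
REMOTING_PORT = 17001

# Matches "17001/tcp open remoting MS .NET Remoting services" style lines of nmap normal output.
PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
# Assumption: the build appears in the page source as "build 6919"; the exact markup
# SmarterMail uses is not reproduced here.
BUILD_RE = re.compile(r"build\s+(\d+)", re.IGNORECASE)


def parse_open_ports(nmap_output: str) -> dict:
    """Map each open TCP port to its service/version string."""
    ports = {}
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(2) + " " + m.group(3)).strip()
    return ports


def extract_build(page_source: str):
    """Return the SmarterMail build number found in the page, or None."""
    m = BUILD_RE.search(page_source)
    return int(m.group(1)) if m else None


def assess(nmap_output: str, page_source: str) -> dict:
    """Combine scan and version evidence into patch/firewall findings."""
    ports = parse_open_ports(nmap_output)
    build = extract_build(page_source)
    vulnerable_build = build is not None and build < PATCHED_BUILD
    remoting_exposed = REMOTING_PORT in ports
    findings = []
    if vulnerable_build:
        findings.append(f"build {build} < {PATCHED_BUILD}: affected by CVE-2019-7214, upgrade SmarterMail")
    if remoting_exposed:
        findings.append(f"port {REMOTING_PORT} (.NET Remoting) reachable: restrict it to localhost or firewall it")
    return {"build": build, "vulnerable_build": vulnerable_build,
            "remoting_exposed": remoting_exposed, "findings": findings}


# Constructed sample input mirroring the scan and page described in this walkthrough.
SAMPLE_NMAP = "21/tcp    open  ftp\n80/tcp    open  http\n9998/tcp  open  http\n17001/tcp open  remoting MS .NET Remoting services\n"
SAMPLE_PAGE = '<!-- constructed --> <span class="version">SmarterMail build 6919</span>'

if __name__ == "__main__":
    for finding in assess(SAMPLE_NMAP, SAMPLE_PAGE)["findings"]:
        print(finding)
```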
To continue, in OSCP fashion (without using Metasploit modules), we can find an exploit using searchsploit:
searchsploit SmarterMail 6985

We copy the exploit and take a look:
searchsploit -m 49216

For this to work, we will need to edit the HOST, PORT, LHOST and LPORT variables.
Next, we will start a listener to catch the shell:
nc -lvnp 4444
And run the exploit:
python3 49216.py
Shortly after, we receive a shell as NT AUTHORITY\SYSTEM, and we can obtain the proof.txt flag.