This is a walkthrough of the machine Algernon from OffSec's Proving Grounds Play labs.

Machine information:

  • Level: Easy
  • Community rating: Easy
  • Flags: 1
  • OS: Windows
  • Vector: SmarterMail

Nmap

sudo nmap -A --open -sV -sC -v -p- <IP>

Starting off with an Nmap scan, we discover the following interesting ports open:

  • 21 - FTP
  • 80 - HTTP
  • 9998 - HTTP

SmarterMail

Navigating to http://<IP>:9998 reveals a login page for SmarterMail.

Default credentials do not work on this login page, so instead we try to identify which version of SmarterMail is running, which can be found in the page's source code.

The source code reveals SmarterMail build 6919.

Exploiting SmarterMail

A search for SmarterMail build 6919 turns up several articles (such as https://www.rapid7.com/db/modules/exploit/windows/http/smartermail_rce/) on CVE-2019-7214, which affects SmarterMail builds below 6985 and allows remote code execution in the SYSTEM context.
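As an added defensive check (not part of the original walkthrough or of SmarterMail itself), the following Python script takes the HTML of a SmarterMail login page, pulls out the build number the way the step above does by hand, and reports whether it falls below the 6985 fix threshold cited above. The sample HTML and the regular expression are constructed assumptions about where the build number appears; the real page markup may differ.

```python
import re
from typing import Optional

# Builds below this number are affected by CVE-2019-7214, per the Rapid7
# module referenced in the walkthrough.
FIXED_BUILD = 6985

# Constructed sample of a login page body (assumption: the served HTML
# mentions the build number in a script URL and/or a footer string).
SAMPLE_HTML = """<html><head><title>SmarterMail Login</title>
<script src="/interface/app.js?build=6919"></script>
</head><body>SmarterMail Enterprise, Build 6919</body></html>"""

# Assumed pattern: the word "build" followed by a 4- or 5-digit number.
BUILD_RE = re.compile(r"build[=\s:]*?(\d{4,5})", re.IGNORECASE)


def extract_build(html: str) -> Optional[int]:
    """Return the highest build number mentioned in the page, or None.

    Taking the maximum is a heuristic: if the page also mentions an older
    minimum or compatibility build, the running build is the larger one.
    """
    builds = [int(m) for m in BUILD_RE.findall(html)]
    return max(builds) if builds else None


def assess(html: str, fixed_build: int = FIXED_BUILD) -> dict:
    """Classify a page body as vulnerable (True), fixed (False) or unknown (None)."""
    build = extract_build(html)
    if build is None:
        return {"build": None, "vulnerable": None,
                "reason": "no build number found in page source"}
    vulnerable = build < fixed_build
    reason = (f"build {build} is below {fixed_build}: CVE-2019-7214 applies"
              if vulnerable
              else f"build {build} is at or above {fixed_build}")
    return {"build": build, "vulnerable": vulnerable, "reason": reason}


if __name__ == "__main__":
    # Feed it saved page source from your own hosts, e.g. curl output.
    print(assess(SAMPLE_HTML))
```

Run it against page source saved from each SmarterMail instance in your inventory to flag any host still on a pre-6985 build.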

This seems promising, especially since port 17001 was also open in the initial Nmap scan:

17001/tcp open  remoting      MS .NET Remoting services

To continue, in OSCP fashion (without using Metasploit modules), we can find an exploit using searchsploit:

searchsploit SmarterMail 6985

We copy the exploit and take a look:

searchsploit -m 49216

For this to work, we need to edit the HOST, PORT, LHOST and LPORT variables in the script.

Next, we will start a listener to catch the shell:

nc -lvnp 4444

And run the exploit:

python3 49216.py

Shortly after, we receive a shell as NT AUTHORITY\SYSTEM, and we can obtain the proof.txt flag.
