Brian

The document provides a walkthrough of solving the Algeron Windows Box, an easy-level machine designed to test penetration testing and privilege escalation skills. The summary identifies: 1) Scanning revealed open ports including FTP, HTTP, MSRPC, NetBIOS-SSN, and Microsoft DS. Navigation to port 9998 showed a Smartermail login page. 2) Further investigation found a CVE for Smartermail, and a Python script was used to successfully exploit the vulnerability, obtaining a netcat session as the NT Authority System user. 3) The document details finding an exploit on Exploit DB and GitHub to achieve remote code execution via a Smartermail vulnerability,

Uploaded by

Liam

Proving Grounds - Algeron (Easy) Windows Box - Walkthrough — A Journey to Offensive Security
Brian
5 min read · Mar 1

Introduction:
The Algeron Windows Box is an easy-level machine that is designed to test
your skills in penetration testing and privilege escalation. It is a great
machine for beginners who want to learn more about offensive security and
gain experience solving real-world security challenges. In this walkthrough,
I will guide you through the steps that I took to solve the Algeron Windows
Box.

Getting Started:
The first step was to scan all TCP ports on the target machine using
Rustscan. The scan revealed several open ports, including FTP, HTTP,
MSRPC, NetBIOS-SSN, and Microsoft DS.

rustscan -a 192.168.114.65 --ulimit 5000

.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 192.168.114.65:21
Open 192.168.114.65:80
Open 192.168.114.65:135
Open 192.168.114.65:139
Open 192.168.114.65:445
Open 192.168.114.65:9998
Open 192.168.114.65:17001
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-10 02:49 EDT
Initiating Ping Scan at 02:49
Scanning 192.168.114.65 [2 ports]
Completed Ping Scan at 02:49, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:49
Completed Parallel DNS resolution of 1 host. at 02:49, 0.01s elapsed
DNS resolution of 1 IPs took 0.15s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, T
Initiating Connect Scan at 02:49
Scanning 192.168.114.65 [7 ports]
Discovered open port 21/tcp on 192.168.114.65
Discovered open port 445/tcp on 192.168.114.65
Discovered open port 139/tcp on 192.168.114.65
Discovered open port 80/tcp on 192.168.114.65
Discovered open port 135/tcp on 192.168.114.65
Discovered open port 17001/tcp on 192.168.114.65
Discovered open port 9998/tcp on 192.168.114.65
Completed Connect Scan at 02:49, 0.09s elapsed (7 total ports)
Nmap scan report for 192.168.114.65
Host is up, received syn-ack (0.086s latency).
Scanned at 2022-07-10 02:49:10 EDT for 0s

PORT      STATE SERVICE      REASON
21/tcp    open  ftp          syn-ack
80/tcp    open  http         syn-ack
135/tcp   open  msrpc        syn-ack
139/tcp   open  netbios-ssn  syn-ack
445/tcp   open  microsoft-ds syn-ack
9998/tcp  open  distinct32   syn-ack
17001/tcp open  unknown      syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.85 seconds

nmap -sC -sV -Pn -p 21,80,135,139,445,9998,17001 192.168.114.65

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-10 02:50 EDT
Nmap scan report for 192.168.114.65
Host is up (0.077s latency).

PORT      STATE SERVICE      VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
9998/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Sun, 10 Jul 2022 06:51:11 GMT\x0Df
| Connection: close\x0D
| Content-Length: 326\x0Df
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/stric
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
17001/tcp open remoting MS .NET Remoting services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-07-10T06:51:19
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org
Nmap done: 1 IP address (1 host up) scanned in 78.26 seconds

The scan revealed that the FTP server permitted anonymous login, but the
directory listing was unavailable due to a timeout. The HTTP server was
running Microsoft IIS 10.0.
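As an added defender's check, not part of Brian's walkthrough, the Python below parses the nmap -sC -sV output and flags the configuration weaknesses it reveals: anonymous FTP, the TRACE verb, the exposed .NET Remoting port through which CVE-2019-7214 is reached, and SMB signing that is not required. The sample input is constructed from the scan lines on this page; the finding codes and remediation text are my own.

```python
import re

# Constructed sample: the relevant lines copied from the nmap output in this walkthrough.
NMAP_OUTPUT = """\
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
9998/tcp  open  http          Microsoft IIS httpd 10.0
17001/tcp open  remoting      MS .NET Remoting services
Host script results:
| smb2-security-mode:
|_    Message signing enabled but not required
"""

# Matches a port line: "<port>/tcp open <service> [<version>]"
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return ({port: (service, version, [script lines])}, [host script lines])."""
    ports, host_scripts, current = {}, [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            # nmap appends "?" to a service it could not fingerprint; drop it
            ports[port] = (m.group(2).rstrip("?"), m.group(3).strip(), [])
            current = ports[port][2]
        elif line.startswith("Host script results"):
            current = host_scripts
        elif line.startswith("|") and current is not None:
            # NSE script output: strip the "| " / "|_ " prefixes
            current.append(line.lstrip("|_ ").strip())
    return ports, host_scripts

def triage(text):
    """Return [(port, finding code, remediation)] for the hardening gaps in the scan."""
    ports, host_scripts = parse_nmap(text)
    findings = []
    for port, (svc, ver, scripts) in sorted(ports.items()):
        blob = " ".join(scripts)
        if svc == "ftp" and "Anonymous FTP login allowed" in blob:
            findings.append((port, "anonymous-ftp", "disable anonymous FTP or limit it to an isolated read-only share"))
        if svc == "http" and "TRACE" in blob:
            findings.append((port, "http-trace", "block the TRACE verb with IIS request filtering"))
        if ".NET Remoting" in ver:
            findings.append((port, "dotnet-remoting-exposed", "firewall the remoting port to localhost; CVE-2019-7214 is reached through it"))
    if any("signing enabled but not required" in line for line in host_scripts):
        findings.append((445, "smb-signing-optional", "require SMB signing via Group Policy"))
    return findings
```

Calling `triage(NMAP_OUTPUT)` returns four findings for this host, one per weak setting listed in the lead-in.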

We navigate to “http://192.168.114.65:9998” and are directed to the following
login page running SmarterMail:

SmarterMail Login Page

Following further investigation, we discover a CVE for SmarterMail and
decide to exploit it. We then find a Python script online that exploits the
vulnerability and run it. The script succeeds, and we obtain a netcat
session running as NT Authority\System.

We type “searchsploit smartermail” and find the following remote code
execution script:

Searchsploit Search

We google “windows/remote/49216.py” and find the following EDB exploit:

Google Exploit Search

Exploit DB SmarterMail RCE Page

We google “2019–7214 github” and discover the following exploit with
improved comments:

Exploitation:
We download the CVE 2019–7214 script to a Python file called exploit.py on
our Kali machine (changing the IP addresses as needed).

We set up a listener on port 17001.

We type “python3 exploit.py” on our Kali machine and receive a reverse
shell running as nt authority\system.

Conclusion:
In conclusion, we were able to locate and exploit a vulnerability in the
SmarterMail server and gain a netcat session as NT Authority System. This
was a great opportunity to practice reconnaissance, scanning, and
exploitation techniques.

Please feel free to reach out to me!

Written by Brian

I'm a cybersecurity enthusiast with a passion for ethical hacking and penetration testing.
Currently, I'm studying for my OSCP.
