Algernon is one of the first Windows CTF challenges you will see in Offensive Security’s Proving Grounds Practice series of vulnerable machines.
Breaking from traditional scans, I will start of the box off with a quick top 1000 port scan to see what’s open.
The initial scan showed ports 21, 80, 135, 139, 445, and 9998 open.
Additional enumeration on the open ports revealed that this box is hosting a Microsoft IIS Server on port 80 and 9998.
Though the web services looked interesting, I decided to start checking out what’s on the FTP service first.
Gathered some files that looked interesting…
Found that ClamAV was being used… might be useful later…
Ended up leaving FTP after some manual enumeration.
Checked that IIS is active on port 80.
Then moved to the more interesting IIS on port 9998 service. Which I found a login page for “SmarterMail”.
Viewed the page source to see what version and build number of SmarterMail being used.
Quick search on ExploitDB and nada.
However, it looks like there’s a later build that is has a vulnerability that allows RCE. Perfect.
Downloaded the exploit and took a gander.
Removed unnecessary characters and modified HOST, LHOST, and LPORT to the current environment.
Got a Netcat listener ready to catch the connection.
Caught it! and it’s system too!
Navigated to the Administrator’s Desktop and found the proof.txt.