Skip to main content

Kevin

Engage in leveraging default credentials and a public exploit against HP Power Manager. This process will include successfully exploiting the application using a public Metasploit module. This activity enhances your skills in exploiting vulnerabilities and utilizing available tools for effective system access.

Enumeration

  • nmap scan result
# Nmap 7.98 scan initiated Sat Mar 28 05:50:16 2026 as: /usr/lib/nmap/nmap --privileged -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -oN /home/kali/ctf/pvg/kevin/results/192.168.164.45/scans/_quick_tcp_nmap.txt -oX /home/kali/ctf/pvg/kevin/results/192.168.164.45/scans/xml/_quick_tcp_nmap.xml 192.168.164.45
Nmap scan report for 192.168.164.45
Host is up, received user-set (0.24s latency).
Scanned at 2026-03-28 05:50:17 UTC for 95s
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 125 GoAhead WebServer
|_http-server-header: GoAhead-Webs
| http-methods:
|_ Supported Methods: GET HEAD
| http-title: HP Power Manager
|_Requested resource was http://192.168.164.45/index.asp
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 125 Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open tcpwrapped syn-ack ttl 125
| ssl-cert: Subject: commonName=kevin
| Issuer: commonName=kevin
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2026-03-27T05:41:56
| Not valid after: 2026-09-26T05:41:56
| MD5: 356e 5318 ddb0 f729 13b5 ae80 f3fe cf45
| SHA-1: dd67 140c 560b 7269 f76a 0c88 aa2d a8ca 2c92 cb8e
| SHA-256: f106 9933 6937 b3b9 778f e8ec d910 5696 3af2 524c 8623 a9b3 c38e 17b1 2040 5cb8
| -----BEGIN CERTIFICATE-----
| MIICzjCCAbagAwIBAgIQX/Prw0aBP7JDq3izGM8CjzANBgkqhkiG9w0BAQUFADAQ
| MQ4wDAYDVQQDEwVrZXZpbjAeFw0yNjAzMjcwNTQxNTZaFw0yNjA5MjYwNTQxNTZa
| MBAxDjAMBgNVBAMTBWtldmluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
| AQEAwTe5KwVeXNz0EZZbzMxp/iIAZ9d4G4lX/8Yq/7mdKSq3bZtJzC/G7+UdNgoW
| jsDLgVP2zYH6k1ZWeWZ3CZA53c5Vz+/J8YJ6Vk2C+BqFKmYETgQvZM+P+BElTE5n
| Xos38zhSTs8WwEkysc+4EeSV0Bx9HdYQhottM56jTOMkAc1Cfis66Cj1F89W19Ep
| a3xJxLe0/SARYR8/+6CuD4hHQtlIFYlLgqAwlQxrK0CkWXw1Q5vuPLbttnPJDqJX
| AQMWsv6oX1V71XZqgB2fg3rECRzi1XUpgkalTaSeSJ6ZtXT1T/sLXzTuolHqdhLv
| QB7Uclzlc2AUYmqot2LZslqGAQIDAQABoyQwIjATBgNVHSUEDDAKBggrBgEFBQcD
| ATALBgNVHQ8EBAMCBDAwDQYJKoZIhvcNAQEFBQADggEBADogqVYG3qjw5mAeVbnp
| w9MmInKH5UyCIgtnNylWAHP8UwPPyzvshTShJKG/Qd/JUWgXwwNEVnV3Mj7oIeJW
| hdB+lXEfEzWyNZm53sa1/vl654mXSl/pd5ZqJZ3qETXQ4jgLArX2TYRaI0eDf/pN
| FfViy7hVnLL0CxChp3PnHdldH0eB66oViN880p5vKh8BbX5VTJhE9EKIIg1b6AqE
| 6N3HkppDqfJw6s14txZ0aWYzNP/bkgF+IssLPFCqYoKCbpUYS5upW6DGVkJ8g0Xb
| XM0kx6uc02PgAJ9gmg4GRlxxpSaOvMztBgRI9Fo23s5nhCLTlmB8BZ4AEG7XM1KO
| Sqo=
|_-----END CERTIFICATE-----
| rdp-ntlm-info:
| Target_Name: KEVIN
| NetBIOS_Domain_Name: KEVIN
| NetBIOS_Computer_Name: KEVIN
| DNS_Domain_Name: kevin
| DNS_Computer_Name: kevin
| Product_Version: 6.1.7600
|_ System_Time: 2026-03-28T05:51:38+00:00
|_ssl-date: 2026-03-28T05:51:52+00:00; 0s from scanner time.
49152/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49160/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP1 or Windows Server 2008 R2 or Windows 8.1
TCP/IP fingerprint:
OS:SCAN(V=7.98%E=4%D=3/28%OT=80%CT=1%CU=44261%PV=Y%DS=4%DC=T%G=Y%TM=69C76C7
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10A%CI=I%TS=7)OPS(O1=M578NW8
OS:ST11%O2=M578NW8ST11%O3=M578NW8NNT11%O4=M578NW8ST11%O5=M578NW8ST11%O6=M57
OS:8ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T
OS:=80%W=2000%O=M578NW8NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T
OS:2(R=N)T3(R=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=8
OS:0%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%
OS:Q=)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=
OS:G)IE(R=N)

Uptime guess: 0.006 days (since Sat Mar 28 05:42:36 2026)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
| OS: Windows 7 Ultimate N 7600 (Windows 7 Ultimate N 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::-
| Computer name: kevin
| NetBIOS computer name: KEVIN\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2026-03-27T22:51:37-07:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 62272/tcp): CLEAN (Couldn't connect)
| Check 2 (port 46177/tcp): CLEAN (Couldn't connect)
| Check 3 (port 26126/udp): CLEAN (Failed to receive data)
| Check 4 (port 26606/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.1:
|_ Message signing enabled but not required
| nbstat: NetBIOS name: KEVIN, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:ab:fe:db (VMware)
| Names:
| KEVIN<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1e> Flags: <group><active>
| KEVIN<20> Flags: <unique><active>
| WORKGROUP<1d> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| Statistics:
| 00 50 56 ab fe db 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_clock-skew: mean: 1h24m00s, deviation: 3h07m50s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2026-03-28T05:51:37
|_ start_date: 2026-03-28T05:42:44

TRACEROUTE (using port 995/tcp)
HOP RTT ADDRESS
1 267.83 ms 192.168.45.1
2 267.81 ms 192.168.45.254
3 267.88 ms 192.168.251.1
4 256.70 ms 192.168.164.45

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 28 05:51:52 2026 -- 1 IP address (1 host up) scanned in 96.39 seconds
  • Port 80 contains HP Power Manager (login creds `admin:admin)

  • Searched exploit for HP Power Manager
──(kali㉿hd)-[~/ctf/pvg/kevin]
└─$ searchsploit HP Power Manager
------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------- ---------------------------------
Flying Dog Software Powerslave 4.3 Portalmanager - 'sql_id' Information Disclosure | php/webapps/23163.txt
Hewlett-Packard (HP) Power Manager Administration - Remote Buffer Overflow (Metasplo | windows/remote/16785.rb
Hewlett-Packard (HP) Power Manager Administration Power Manager Administration - Uni | windows/remote/10099.py
HP Power Manager - 'formExportDataLogs' Remote Buffer Overflow (Metasploit) | cgi/remote/18015.rb
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Exploitation

  • Tried to execute this exploit but didn't work, however found the CVE#
Hewlett-Packard (HP) Power Manager Administration Power Manager Administration - Uni | windows/remote/10099.py
  • Searched alternative exploits for

C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
548ae40c74bf93bdca0ebac4ac5858ea