# Algernon

## Nmap

```
sudo nmap 192.168.147.65 -p- -sV -sS

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
9998/tcp  open  http          Microsoft IIS httpd 10.0
17001/tcp open  remoting      MS .NET Remoting services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

Port 80 redirects to the default IIS page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-ed1ddd933d329725619743ee36ebb6538f8b3541%2Fimage.png?alt=media)

Port 9998 serves the following SmarterMail login page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-83d60ceed589cc1f0ebce62e309bb2e34eac6855%2Fimage.png?alt=media)

Searching for SmarterMail exploits on Google, we come across an interesting one:

{% embed url="https://www.exploit-db.com/exploits/49216" %}

The description of this exploit reads as follows:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-668e4ca3cd994b7c92c522d9a0f9b3223cceee68%2Fimage.png?alt=media)

The `nmap` results from earlier show .NET Remoting listening on port 17001, so this exploit should apply to the target machine.
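As an added defender-side check (not part of the original writeup), the script below parses an nmap service table like the one above and flags the exposure that makes this host a target: a .NET Remoting listener reachable from the network. The triage rules, severity labels and the sample input are my own assumptions.

```python
import re

# Constructed sample input: the nmap -sV table from this writeup.
NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
9998/tcp  open  http          Microsoft IIS httpd 10.0
17001/tcp open  remoting      MS .NET Remoting services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One port line of nmap's normal output: PORT/PROTO STATE SERVICE [VERSION]
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return one dict per port line; header and 'Service Info:' lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        # nmap appends '?' when the service guess is unconfirmed; strip it
        ports.append({"port": int(port), "proto": proto, "state": state,
                      "service": service.rstrip("?"), "version": version.strip()})
    return ports

# Hypothetical triage rules (my assumptions): (predicate, severity, reason)
RULES = [
    (lambda p: p["service"] == "remoting" or ".NET Remoting" in p["version"],
     "high", ".NET Remoting listener reachable from the network; bind it to "
             "localhost or firewall it, and keep SmarterMail patched"),
    (lambda p: p["service"] == "http" and p["port"] not in (80, 443, 8080, 8443),
     "medium", "web app on a non-standard port (the SmarterMail login here); check its version"),
]

def flag_exposures(ports):
    """Apply every rule to every open port; findings come back in port order."""
    return [{"port": p["port"], "severity": sev, "reason": reason}
            for p in ports if p["state"] == "open"
            for pred, sev, reason in RULES if pred(p)]

if __name__ == "__main__":
    for f in flag_exposures(parse_nmap(NMAP_OUTPUT)):
        print(f"{f['severity']:6} {f['port']:>5}  {f['reason']}")
```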

I downloaded the exploit and edited the following portion to match my IP and to use the local port of 21.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-be386a4d5590c78bccb8fd248a8795bf1a2a934e%2Fimage.png?alt=media)

I then set up a `netcat` listener for port 21.

```
sudo nc -lvp 21
```

I then executed the exploit and received a reverse shell as SYSTEM.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5a62069c495296f27430768b501a4015c7335b7b%2Fimage.png?alt=media)
