Proving Grounds: Algernon [OSCP Prep 2025 — Practice 4]

Muhammad Ichwan
Feb 23, 2025


Introduction

This is my fourth writeup in the Proving Grounds series, which is part of my learning roadmap before taking the OSCP exam. This machine is called Algernon, categorized as Easy, and runs on the Windows operating system.

Target IP:

192.168.*.65

Tools:

  1. Rustscan (https://github.com/RustScan/RustScan)
  2. AutoRecon (https://github.com/Tib3rius/AutoRecon)
  3. SmarterMail 6919 Exploit CVE-2019-7214 (https://www.exploit-db.com/exploits/49216)

Reconnaissance:

The first and most important step in penetration testing is information gathering/reconnaissance. Here, I started with port scanning using Rustscan. For a more effective reconnaissance process, I also utilize AutoRecon, which runs if the results of the basic recon are not helpful.

Command: rustscan -a 192.168.125.65 -- -sV -oN nmap.txt

The port scanning results reveal several interesting open ports on the Windows machine: 21, 80, 9998, and 170001.

  • Port 21: FTP
  • Ports 80 & 9998: HTTP
  • Port 170001: MS .NET Remoting Services

Initially, I attempted to access FTP (port 21) and logged in using an anonymous user. The login was successful, but there was no useful information available on the FTP server.

Next, I tested port 80 (HTTP). After accessing it, the web server only displayed the default IIS page.

Then, I tried accessing port 9998 (HTTP) via http://192.168.125.65:9998/. Upon access, the website redirected me to http://192.168.125.65:9998/interface/root#/login.

Since no email or password was known for login, and the SmarterMail version was also unknown, I inspected the webpage elements and found that the SmarterMail version in use was 100.0.6919 (build 6919).

After searching online for an exploit targeting SmarterMail 6919, I found a relevant entry on ExploitDB. According to the information, SmarterMail versions before build 6985 expose a .NET remoting endpoint, which is vulnerable to a .NET deserialization attack. This aligns with port 170001 (MS .NET Remoting Services) being open.
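The same reasoning from the defender's side, as an added example that is not part of the original writeup or the ExploitDB entry: a triage check that combines the SmarterMail build number with `nmap -oN` output to decide whether a host is patched, vulnerable but not reachable, or exposed. The sample scan lines are constructed, the function names are hypothetical, and port 17001 is the remoting port named in the CVE-2019-7214 description.

```python
import re

FIXED_BUILD = 6985  # per the advisory cited above: builds before 6985 are affected

# Constructed sample of `nmap -oN` output lines (not taken from the writeup's scan).
# Port 17001 is the remoting port named in the CVE-2019-7214 description.
SAMPLE_NMAP = """\
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      Microsoft ftpd
80/tcp    open  http     Microsoft IIS httpd 10.0
9998/tcp  open  http     Microsoft IIS httpd 10.0
17001/tcp open  remoting MS .NET Remoting services
"""

PORT_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")

def open_services(nmap_text):
    """Return {port: 'service version'} for every open TCP port in -oN output."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found[int(m.group(1))] = f"{m.group(2)} {m.group(3)}".strip()
    return found

def build_number(version):
    """Extract the build from a SmarterMail version string such as '100.0.6919'."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return int(parts[2])

def assess(version, nmap_text):
    """Classify exposure: patched, vulnerable but unreachable, or exposed."""
    remoting = sorted(p for p, s in open_services(nmap_text).items()
                      if ".net remoting" in s.lower())
    if build_number(version) >= FIXED_BUILD:
        return "patched", remoting
    if remoting:
        return "exposed", remoting
    return "vulnerable-not-reachable", remoting

if __name__ == "__main__":
    print(assess("100.0.6919", SAMPLE_NMAP))
```

A "patched" result that still lists a remoting port is worth a firewall review, since the endpoint does not need to be reachable from outside the host.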

Initial Access:

I downloaded the public exploit from ExploitDB and modified the HOST and LHOST parameters. The LPORT parameter was optional, but I left it at its default value, port 4444, for the reverse shell listener.

After saving the changes, I started the reverse shell listener using Netcat.

Command: nc -lvnp 4444

After that, I executed the exploit.

Command: python3 CVE-2019-7214.py

Upon checking the Netcat listener, I successfully obtained a reverse shell.

Booom!!! After running whoami, I got nt authority\system. This means I immediately gained the highest level of access (SYSTEM privileges) on the server.

Post Exploitation:

Read proof.txt: 624c2b61a37213faa00d1fb83b1d21d2

This machine only has proof.txt, and after submitting it in the portal, the progress will be 100% done.

Closing Remarks:

Thank you for reading my writeup. I hope it is helpful to all of you. I apologize for any mistakes in my writing. I appreciate any feedback or suggestions to help me improve in the future.
