Proving Grounds: Kevin [OSCP Prep 2025 — Practice 3]

Muhammad Ichwan
3 min read · Feb 23, 2025


Introduction

This is my third writeup in the Proving Grounds series, which is part of my learning roadmap before taking the OSCP exam. This machine is called Kevin, categorized as Easy, and runs on the Windows operating system.

Target IP:

192.168.*.45

Tools:

  1. Rustscan (https://github.com/RustScan/RustScan)
  2. AutoRecon (https://github.com/Tib3rius/AutoRecon)
  3. HP Power Manager (CVE-2009-2685) Exploit (https://github.com/Muhammd/HP-Power-Manager)

Reconnaissance:

The first and most important step in penetration testing is information gathering/reconnaissance. Here, I started with port scanning using Rustscan. For a more effective reconnaissance process, I also utilize AutoRecon, which runs if the results of the basic recon are not helpful.

Command: rustscan -a 192.168.156.45 -- -sV -oN nmap.txt (the arguments after `--` are passed through to nmap)

The port scanning results show that port 80 is open, indicating that a web service is running on the server.

I accessed http://192.168.156.45/ and found a login page for HP Power Management.

A username and password are required to log in. I attempted to use default credentials, such as admin:admin, and successfully gained access to the application.

After exploring the features within the web application, nothing seemed particularly interesting for escalating privileges further on the server.

I researched exploits for HP Power Manager 4.2 and found an article from Tenable stating that HP Power Manager versions below 4.2.10 are vulnerable to arbitrary code execution as SYSTEM (CVE-2009-2685).
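The two recon facts above (port 80 open with an HP Power Manager banner, and the 4.2.10 fix version from Tenable) can be turned into a small triage check. The following is an added example, not code from the write-up or from the exploit repository: it parses a constructed `nmap -oN` style snippet (the banner text is an assumption, not the real scan output), and compares the banner version against 4.2.10 as integer tuples, which avoids the classic pitfall where a plain string comparison ranks "4.2.9" above "4.2.10".

```python
import re
from typing import List, Tuple

# Constructed sample in the style of `nmap -oN` output; the banner string is
# an assumption for the example, not the real scan result from the write-up.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated
Nmap scan report for 192.168.156.45
Host is up (0.045s latency).

PORT      STATE    SERVICE       VERSION
80/tcp    open     http          HP Power Manager httpd 4.2
135/tcp   filtered msrpc
3389/tcp  open     ms-wbem-server?
# Nmap done
"""

# One nmap port line: "<port>/<proto>  <state>  <service>  [<version banner>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# From the write-up: HP Power Manager versions below 4.2.10 are affected.
FIXED_IN: Tuple[int, ...] = (4, 2, 10)


def parse_open_ports(nmap_text: str) -> List[dict]:
    """Return one dict per port in state 'open' found in -oN style output."""
    rows = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("state") == "open":
            rows.append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
    return rows


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted version number from a banner as a tuple of ints."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_hp_power_manager(version_text: str) -> bool:
    """True when the banner version sorts below 4.2.10 numerically.

    Tuples of ints compare element-wise, so (4, 2, 9) < (4, 2, 10) holds,
    whereas the strings "4.2.9" and "4.2.10" would compare the wrong way.
    """
    return parse_version(version_text) < FIXED_IN


def flag_hosts(nmap_text: str) -> List[str]:
    """List open ports whose banner is an HP Power Manager older than 4.2.10."""
    findings = []
    for row in parse_open_ports(nmap_text):
        banner = row["version"]
        if "hp power manager" in banner.lower() and is_vulnerable_hp_power_manager(banner):
            findings.append(
                f"{row['port']}/{row['proto']}: '{banner}' is below 4.2.10 (CVE-2009-2685)"
            )
    return findings


if __name__ == "__main__":
    for finding in flag_hosts(SAMPLE_NMAP_OUTPUT):
        print(finding)
```

The same version-tuple comparison works for any "fixed in X.Y.Z" advisory; only `FIXED_IN` and the banner substring need to change.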

Initial Access:

While searching for a public exploit for CVE-2009-2685, I found an exploit developed by Muhammd.

I downloaded hpm_exploit.py and modified the shellcode in the script using msfvenom, following the instructions in the code.

Additionally, I changed time.sleep(30) to 60 seconds to optimize the process of obtaining a shell.

After saving the changes, I executed the exploit.

Command: python2 hpm_exploit.py 192.168.156.45

Boom! After running whoami, I got nt authority\system. This means I immediately gained the highest level of access (SYSTEM privileges) on the server.

Post Exploitation:

Read proof.txt: 064b77bc37a335d7f9d848d761a69177

This machine only has proof.txt; after submitting it in the portal, the progress shows 100% done.

Closing Remarks:

Thank you for reading my writeup. I hope it is helpful to all of you. I apologize for any mistakes in my writing. I appreciate any feedback or suggestions to help me improve in the future.

Written by Muhammad Ichwan

IT Security Enthusiast | CTF Player with warlock_rootx and [MEPhI] Kernel Escape
