# Exploit

## Host

```
192.168.219.140
```

## Nmap

```
Nmap scan report for 192.168.179.140
Host is up, received user-set (0.064s latency).
Scanned at 2024-07-24 19:35:46 IST for 626s
Not shown: 65513 closed tcp ports (reset)
PORT      STATE SERVICE        REASON          VERSION
25/tcp    open  smtp           syn-ack ttl 125 Mercury/32 smtpd (Mail server account Maiser)
|_smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME
79/tcp    open  finger         syn-ack ttl 125 Mercury/32 fingerd
| finger: Login: Admin         Name: Mail System Administrator\x0D
| \x0D
|_[No profile information]\x0D
105/tcp   open  ph-addressbook syn-ack ttl 125 Mercury/32 PH addressbook server
106/tcp   open  pop3pw         syn-ack ttl 125 Mercury/32 poppass service
110/tcp   open  pop3           syn-ack ttl 125 Mercury/32 pop3d
|_pop3-capabilities: UIDL TOP APOP EXPIRE(NEVER) USER
135/tcp   open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn    syn-ack ttl 125 Microsoft Windows netbios-ssn
143/tcp   open  imap           syn-ack ttl 125 Mercury/32 imapd 4.62
|_imap-capabilities: IMAP4rev1 OK CAPABILITY AUTH=PLAIN complete X-MERCURY-1A0001
443/tcp   open  ssl/http       syn-ack ttl 125 Apache httpd 2.4.46 
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
445/tcp   open  microsoft-ds?  syn-ack ttl 125
2224/tcp  open  http           syn-ack ttl 125 Mercury/32 httpd
|_http-title: Mercury HTTP Services
| http-methods: 
|_  Supported Methods: GET HEAD
5040/tcp  open  unknown        syn-ack ttl 125
8000/tcp  open  http           syn-ack ttl 125 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23)
|_http-title: Time Travel Company Page
| http-methods: 
|   Supported Methods: POST OPTIONS HEAD GET TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23
11100/tcp open  vnc            syn-ack ttl 125 VNC (protocol 3.8)
| vnc-info: 
|   Protocol version: 3.8
|   Security types: 
|_    Unknown security type (40)
20001/tcp open  ftp            syn-ack ttl 125 FileZilla ftpd 0.9.41 beta
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
|_ftp-bounce: bounce working!
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp            312 Oct 20  2020 .babelrc
| -r--r--r-- 1 ftp ftp            147 Oct 20  2020 .editorconfig
| -r--r--r-- 1 ftp ftp             23 Oct 20  2020 .eslintignore
| -r--r--r-- 1 ftp ftp            779 Oct 20  2020 .eslintrc.js
| -r--r--r-- 1 ftp ftp            167 Oct 20  2020 .gitignore
| -r--r--r-- 1 ftp ftp            228 Oct 20  2020 .postcssrc.js
| -r--r--r-- 1 ftp ftp            346 Oct 20  2020 .tern-project
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 build
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 config
| -r--r--r-- 1 ftp ftp           1376 Oct 20  2020 index.html
| -r--r--r-- 1 ftp ftp         425010 Oct 20  2020 package-lock.json
| -r--r--r-- 1 ftp ftp           2454 Oct 20  2020 package.json
| -r--r--r-- 1 ftp ftp           1100 Oct 20  2020 README.md
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 src
| drwxr-xr-x 1 ftp ftp              0 Oct 20  2020 static
|_-r--r--r-- 1 ftp ftp            127 Oct 20  2020 _redirects
33006/tcp open  unknown        syn-ack ttl 125
| fingerprint-strings: 
|   NULL, SharpTV, TLSSessionReq, TerminalServer, ms-sql-s, pcworx: 
|_    Host '192.168.45.181' is not allowed to connect to this MariaDB server
49664/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
49669/tcp open  msrpc          syn-ack ttl 125 Microsoft Windows RPC
```

UDP?

* Got access to jonas from the webpage on 8000/443 from his one-liner description (could have done with cewl too)
* Then checked the IMAP inbox of jonas and found that we can send a mail to mailadmin@localhost with a .odt attachment
* Created a .odt payload and got access as Ela
* Privesc using the Veyon unquoted service path.
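A defender-side check for the last step, added here as an example and not part of the original notes: it lists services whose ImagePath is unquoted and contains a space, the misconfiguration behind the Veyon privesc, and prints the quoted path an admin should apply. It assumes an elevated PowerShell 5.1+ session on the Windows host; `Test-UnquotedServicePath` and `Get-QuotedServicePath` are names chosen for this example.

```powershell
# Added audit example (not from the original notes): find services with unquoted
# ImagePaths containing spaces and show the remediated value.

function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][AllowNull()][AllowEmptyString()][string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    # A leading quote means the SCM knows exactly which file to start.
    if ($PathName -match '^\s*"') { return $false }
    # Executable portion = everything up to the first ".exe"; any space in it makes
    # the path ambiguous, because the SCM tries shorter prefixes before the full one.
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    return ($m.Success -and $m.Groups[1].Value.Contains(' '))
}

function Get-QuotedServicePath {
    param([Parameter(Mandatory)][string]$PathName)
    # Remediation: wrap only the executable, leaving any arguments untouched.
    $m = [regex]::Match($PathName, '^(.*?\.exe)(.*)$', 'IgnoreCase')
    return ('"{0}"{1}' -f $m.Groups[1].Value, $m.Groups[2].Value)
}

# Report every affected service. Those running as LocalSystem are the worst case:
# a writable directory along the path lets a local user run code as SYSTEM.
$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath -PathName $_.PathName } |
    ForEach-Object {
        [PSCustomObject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName
            StartMode = $_.StartMode
            ImagePath = $_.PathName
            FixedPath = Get-QuotedServicePath -PathName $_.PathName
        }
    }
$findings | Format-Table -AutoSize -Wrap

# Apply the fix as a dry run; drop -WhatIf once the report has been reviewed
# (Win32_Service reports expanded paths, so check the registry value first).
foreach ($f in $findings) {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($f.Service)" `
        -Name ImagePath -Value $f.FixedPath -WhatIf
}
```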
