Web


Nmap discovered a web server on target port 80. The running service is GoAhead WebServer.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/kevin]
└─$ curl -I http://$IP/    
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Thu Feb 27 09:47:09 2025
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://192.168.221.45/index.asp
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/kevin]
└─$ curl -I http://$IP/index.asp
HTTP/1.0 200 OK
Date: Thu Feb 27 09:47:23 2025
Server: GoAhead-Webs
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html

The request is redirected to the index.asp endpoint. Based on the .asp extension alone, it would appear to be a classic ASP web application: HP Power Manager.

Testing the default credential admin:admin works.

Checking the HELP section reveals the version information: 4.2 (Build 7)
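
The header-based identification above can be turned into an asset-inventory check that flags hosts showing the same banner and redirect, so their default credentials and version can be reviewed. This is an added example, not part of the original notes: the names parse_response and matches_profile are hypothetical, the first two header blocks are copied from the curl output above, and the third is constructed.

```python
"""Added example: flag hosts whose response headers match the profile seen above."""
from urllib.parse import urlsplit

# Header blocks copied from the two curl -I responses on this page.
REDIRECT = """HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Thu Feb 27 09:47:09 2025
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://192.168.221.45/index.asp
"""
LANDING = """HTTP/1.0 200 OK
Date: Thu Feb 27 09:47:23 2025
Server: GoAhead-Webs
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html
"""
# Constructed non-matching response, for contrast.
OTHER = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"


def parse_response(raw):
    """Split a raw header block into (protocol, status, headers); names lower-cased."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    protocol, status, *_ = lines[0].split(None, 2)
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return protocol, int(status), headers


def matches_profile(chain):
    """True when every response carries the GoAhead banner and a redirect lands on /index.asp."""
    parsed = [parse_response(r) for r in chain]
    banner = all(h.get("server", "").lower().startswith("goahead") for _, _, h in parsed)
    targets = [urlsplit(h["location"]).path for _, s, h in parsed
               if 300 <= s < 400 and "location" in h]
    return banner and "/index.asp" in targets


if __name__ == "__main__":
    print(matches_profile([REDIRECT, LANDING]))  # True
    print(matches_profile([OTHER]))              # False
```

Header names are lower-cased because the two responses spell Content-Type differently. GoAhead is embedded in many products, so a match only marks the host for review and does not by itself identify HP Power Manager.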

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/kevin]
└─$ searchsploit HP Power Manager          
-------------------------------------------------------- ---------------------------------
 Exploit Title                                          |  Path
-------------------------------------------------------- ---------------------------------
Flying Dog Software Powerslave 4.3 Portalmanager - 'sql | php/webapps/23163.txt
Hewlett-Packard (HP) Power Manager Administration - Rem | windows/remote/16785.rb
Hewlett-Packard (HP) Power Manager Administration Power | windows/remote/10099.py
HP Power Manager - 'formExportDataLogs' Remote Buffer O | cgi/remote/18015.rb
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Checking HP Power Manager on Exploit-DB for vulnerabilities reveals an RCE exploit: CVE-2009-2685