In this post, I demonstrate the steps taken to fully compromise the Algernon host on Offensive Security's Proving Grounds.

By 0xBEN

Nmap Scan

# Nmap 7.92 scan initiated Sun Nov  7 23:34:29 2021 as: nmap -T4 -p- -A -oA scan-advanced
Nmap scan report for
Host is up (0.032s latency).
Not shown: 65528 filtered tcp ports (no-response)
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
9998/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Mon, 08 Nov 2021 04:36:21 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
17001/tcp open  remoting      MS .NET Remoting services
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows XP|7 (89%)
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7
Aggressive OS guesses: Microsoft Windows XP SP3 (89%), Microsoft Windows XP SP2 (86%), Microsoft Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-11-08T04:36:26
|_  start_date: N/A

TRACEROUTE (using port 21/tcp)
1   31.77 ms
2   31.82 ms

OS and Service detection performed. Please report any incorrect results at .
# Nmap done at Sun Nov  7 23:37:01 2021 -- 1 IP address (1 host up) scanned in 152.33 seconds
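As an added example (not part of the original post), here is a small Python triage of the scan output above that lists the findings a defender would want to act on: anonymous FTP login, the TRACE method, SMB signing not required, and the SmarterMail interface and .NET Remoting ports reachable from the network. The sample lines are copied from the scan; the mapping of ports 9998 and 17001 to SmarterMail components is an assumption based on the post.

```python
import re

# Constructed sample: the relevant lines copied from the nmap output above.
SAMPLE_SCAN = """\
21/tcp    open  ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http          Microsoft IIS httpd 10.0
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
9998/tcp  open  http          Microsoft IIS httpd 10.0
17001/tcp open  remoting      MS .NET Remoting services

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

# Matches the port line that opens each per-port block of nmap normal output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

# Assumption (from the post): these ports belong to the SmarterMail install and
# should not be reachable from untrusted networks.
EXPOSED_SERVICES = {9998: "SmarterMail web interface", 17001: ".NET Remoting"}


def triage_nmap(text):
    """Return (port, finding) tuples; port is None for host-level script results."""
    findings = []
    port = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            if port in EXPOSED_SERVICES:
                findings.append((port, f"{EXPOSED_SERVICES[port]} exposed"))
            continue
        if not line.startswith("|"):
            port = None  # blank line or section header ends the per-port block
            continue
        body = line.lstrip("|_ ")  # drop the NSE script-output prefix
        if "Anonymous FTP login allowed" in body:
            findings.append((port, "anonymous FTP login enabled"))
        elif "Potentially risky methods" in body and "TRACE" in body:
            findings.append((port, "HTTP TRACE method enabled"))
        elif "Message signing enabled but not required" in body:
            findings.append((port, "SMB signing not required"))
    return findings
```

Run against the full `-oN`/`-oA` normal-format file to get the same list for a real scan.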

Service Enumeration

FTP (TCP/21)

Looking at the nmap output, anonymous login appears to be enabled on the FTP server. I test the login and download all of the files with mget *.

SMB (TCP/445)

Anonymous share enumeration is not possible; the server responds with access denied.

HTTP (TCP/80)

This looks like a default installation of the Microsoft IIS web server. I check for files and directories with gobuster but find nothing.

HTTP (TCP/9998)

This looks like a different web application, SmarterMail. I check Exploit DB for vulnerabilities matching this service name with searchsploit and get several hits.

Default credentials found via a Google search do not work here. The page source appears to reveal a version number.

.NET Remoting (TCP/17001)

Searching Google for information on this port, I see repeated mentions of remote code execution (RCE) coupled with SmarterMail.

I confirm the finding on Exploit DB:

I copy the exploit found with searchsploit to my current working directory and edit the exploit variables as follows:


I then start a TCP listener on port 80 and run the exploit.

The SmarterMail service runs as the SYSTEM account, so I have fully compromised this host.