# Proving grounds Practice: Algernon

Proving grounds Practice - Algernon CTF writeup.

### Nmap

```sh
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd => Anonymous login
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
9998/tcp  open  http          Microsoft IIS httpd 10.0
17001/tcp open  remoting      MS .NET Remoting services
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
```

### Directory Fuzzing

```
http://192.168.172.65/aspnet_client/
http://192.168.172.65:9998/interface/root#/login
```

### PORT: 9998

![img](/files/jZLs3RTeL3c0ZaEAWhv3)

#### Searchsploit

![img](/files/owYcJTtZ9kadlrtKx3qi)

Change the IP addressess and PORT in the exploit code and run netcat listener on the PORT specified.

![img](/files/XLwozKFHcu3dYyZp0CvV)

Run the python exploit.

![img](/files/g09Xc49udpZWUXL3nb5D)

**Shell Obtained**

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://thevillagehacker-security.gitbook.io/ctf-writeups/writeups/2023-08-26-proving_grounds_practice-algernon.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.